Questions tagged [selinux]
SELinux (Security-Enhanced Linux) is an implementation of a flexible role-based, mandatory access control (MAC) architecture on Linux through kernel modifications and user-tools. It is primarily used to confine system processes and users beyond the basic Discretionary Access Controls (DAC) mechanism or access-control list found on *nix systems.
603 questions
0 votes, 1 answer, 18 views
Adding a fresh zfs sub-dataset pri_zp/Z1/Z99-future to pri_zp/Z1, and resuming recursive replication to sec_zp/Z1
I have set up and replicated the OpenZFS dataset pri_zp/Z1 (with pri_zp/Z1/Z00-initial) to sec_zp/Z1 using a zfs send -R.
But then (months later) when I try to create (and replicate) a newer data set, ...
0 votes, 0 answers, 20 views
SELinux seems to be blocking, but no denied message is appearing in the audit log
I have a script executed by a Java app with testmod_t context. This script does
chage -M -1 user
to set a user to no expiry. However, when SELinux is enforcing, the command does not seem to do ...
0 votes, 0 answers, 57 views
How do I create an SELinux policy to allow php-fpm to execute optipng?
I am running WordPress on Rocky Linux 9 and need optipng for some image transformation tasks, but it is being blocked:
SELinux is preventing /usr/sbin/php-fpm from execute access on the file optipng.
...
0 votes, 0 answers, 27 views
Android SELinux: start dnsmasq on startup
I have had this question on android.stackexchange.com for more than a month, but I just realised that my problem isn't related to Android as much as it is related to SELinux and Android security.
I’m ...
1 vote, 0 answers, 26 views
Setting custom SELinux policy for a systemd service
In AlmaLinux 9 I have a small ExecStart systemd service which runs a Java process (Java Temurin 21). I am getting SELinux errors due to the service not having the execmem permission (already checked ...
1 vote, 1 answer, 31 views
Confined user (staff_u) can use sudo to transition to unconfined_r even though there is no sudoers entry that permits it
I've created a user that is mapped to the staff_u SELinux user:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u ...
0 votes, 1 answer, 69 views
geoclue Red Hat SELinux annoyance
On a clean install of RHEL-8.9 from ISO, with SELinux in its default state of enforcing, geoclue shows up via sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/libexec/geoclue from search ...
1 vote, 0 answers, 31 views
SELinux issue running systemctl from a script invoked by rsyslogd
We have a constant issue where sssd is getting itself in failed state when an oom-killer event happens and kills a user's memory hog job. No idea why this happens as the oom-killer is not touching ...
0 votes, 0 answers, 63 views
Set SELinux labels in Docker build
I'm trying to produce a squashfs image with labeled files for SELinux. I'm building this using docker buildx. Both of the ideas I tried failed:
setfattr and chcon do not work on SELinux-enforcing ...
0 votes, 1 answer, 70 views
Fine-tune SELinux constraints on nginx without semanage?
I'm setting up nginx on a Rocky 8.9 server, and ran into SELinux problems trying to listen on ports other than 80 and 443. The recommended solutions across the internet all seem to recommend semanage,...
1 vote, 1 answer, 38 views
How do I automatically set the target context for a .sock file to be **httpd_var_run_t** so that nginx can connect to and write to the socket?
The original file context for /run/unicorn.sock is tcontext=system_u:object_r:var_run_t:s0
How do I have the file context automatically be system_u:object_r:httpd_var_run_t:s0 when I start the socket ...
4 votes, 1 answer, 377 views
Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?
My host is Fedora, and I want to add an extra layer of protection against 0-day KVM/QEMU exploits that execute code on the host. For example, there have been CVEs where if we run a specially crafted ...
0 votes, 1 answer, 92 views
Error when rebuilding SELinux policy after adding rule to type enforcement (.te) file
I am going through this guide which allows me to create a custom SELinux policy for an application and restrict unconfined access to the kernel system files.
On Step 9, I need to add a rule to the ...
0 votes, 1 answer, 83 views
Recreate SELinux .te file from loaded policy
I don't have the original .te file or .mod or .pp files for a custom .pp I created from audit2allow -a output. The policy is currently running on the server and I would like to get the original .te ...
0 votes, 2 answers, 73 views
How to modify the SELinux labels of a file
In RHEL 8.9, in /etc/systemd/system/ I created a custom.service file using vi as root. In doing so, it has these labels by default, as shown by ls -ldZ:
-rw-r--r--. 1 root root unconfined_u:object_r:...