public inbox for gentoo-user@lists.gentoo.org
Subject: [gentoo-user] SELinux errors
From: Dan Egli @ 2021-04-26  2:07 UTC
To: gentoo-user

I just finished putting together a new test box after the old one finally gave up
the ghost. Everything seems to be working okay, EXCEPT for selinux. To
be safe, I started with selinux in permissive mode. And I'm glad I did
because of all the errors showing up for things that had BETTER not show
errors. Things like auth, sshd, etc...

Here's a sample of the errors I'm seeing:

Apr 25 19:36:09 jupiter kernel: audit: type=1400 
audit(1619400969.224:485): avc:  denied  { getattr } for  pid=8100 
comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 
scontext=system_u:system_r:dovecot_auth_t 
tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 
audit(1619400969.224:486): avc:  denied  { search } for  pid=8100 
comm="auth" name="mysqld" dev="tmpfs" ino=160 
scontext=system_u:system_r:dovecot_auth_t 
tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 
audit(1619400969.224:487): avc:  denied  { write } for  pid=8100 
comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 
scontext=system_u:system_r:dovecot_auth_t 
tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 
audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100 
comm="auth" path="/run/mysqld/mysqld.sock" 
scontext=system_u:system_r:dovecot_auth_t 
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 
audit(1619401010.244:490): avc:  denied  { create } for  pid=8172 
comm="smbd" name="8172" scontext=system_u:system_r:smbd_t 
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 
audit(1619401010.244:491): avc:  denied  { read write open } for 
pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" 
ino=669 scontext=system_u:system_r:smbd_t 
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 
audit(1619401010.244:492): avc:  denied  { lock } for  pid=8172 
comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t 
tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 
audit(1619401010.444:493): avc:  denied  { unlink } for  pid=8175 
comm="smbd" name="8175" dev="tmpfs" ino=670 
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t 
tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 
audit(1619401115.314:494): avc:  denied  { connectto } for pid=4350 
comm="apache2" path="/run/mysqld/mysqld.sock" 
scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t 
tclass=unix_stream_socket permissive=1
Apr 25 19:39:44 jupiter kernel: audit: type=1400 
audit(1619401184.815:495): avc:  denied  { read } for  pid=8450 
comm="smbd" name="lock" dev="vda1" ino=492466 
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t 
tclass=lnk_file permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 
audit(1619401320.875:496): avc:  denied  { write } for  pid=8852 
comm="lpqd" name="msg.lock" dev="tmpfs" ino=516 
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t 
tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 
audit(1619401320.875:497): avc:  denied  { remove_name } for pid=8852 
comm="lpqd" name="8852" dev="tmpfs" ino=697 
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t 
tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 
audit(1619401320.875:498): avc:  denied  { sendto } for  pid=5984 
comm="lpqd" path="/var/lib/samba/private/msg.sock/5797" 
scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:initrc_t 
tclass=unix_dgram_socket permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 
audit(1619401320.875:499): avc:  denied  { sendto } for  pid=5984 
comm="lpqd" path="/var/lib/samba/private/msg.sock/5919" 
scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:winbind_t 
tclass=unix_dgram_socket permissive=1
Apr 25 19:42:12 jupiter kernel: audit: type=1400 
audit(1619401332.945:500): avc:  denied  { add_name } for pid=8865 
comm="smbd" name="8865" scontext=system_u:system_r:smbd_t 
tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:501): avc:  denied  { read } for  pid=9056 
comm="winbindd" name="lock" dev="vda1" ino=492466 
scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:502): avc:  denied  { search } for  pid=9056 
comm="winbindd" name="lock" dev="tmpfs" ino=454 
scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:503): avc:  denied  { getattr } for  pid=9056 
comm="winbindd" path="/run/lock/samba" dev="tmpfs" ino=462 
scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:504): avc:  denied  { write } for  pid=9056 
comm="winbindd" name="msg.lock" dev="tmpfs" ino=516 
scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:505): avc:  denied  { add_name } for pid=9056 
comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:506): avc:  denied  { create } for  pid=9056 
comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:507): avc:  denied  { read write open } for 
pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" 
dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 
audit(1619401471.206:508): avc:  denied  { lock } for  pid=9056 
comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 
scontext=system_u:system_r:winbind_t 
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 
audit(1619402411.709:509): avc:  denied  { search } for  pid=10897 
comm="sshd" name="root" dev="vda1" ino=996517 
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t 
tclass=dir permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 
audit(1619402411.709:510): avc:  denied  { read } for  pid=10897 
comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t 
tclass=file permissive=1


First thing I tried was restorecon. I did restorecon -r / to ensure that 
the entire directory tree was updated correctly. The errors above are 
AFTER restorecon.  I am using the targeted policy right now. I figured 
it would work for the first tests and I could upgrade to strict later. 
But if I can't even get targeted to work correctly, then I'm really in 
trouble.

Any tips?

-- 
Dan Egli
 From my Test Server
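A small triage helper for denials like the ones in the mail above, added here as an example and not part of the original post: it parses kernel-log AVC records, groups them by source type, target type and object class, merges the denied permissions, and attaches a hint derived from the target type (default_t means the path matched no specific file_contexts entry; initrc_t as a target domain means the daemon never transitioned into its own domain). The sample records are taken from the post and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Sample AVC records from the post above, rejoined onto single lines.
SAMPLE_LOG = """\
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc:  denied  { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc:  denied  { lock } for  pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc:  denied  { read } for  pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return (denied_perms, fields) for an AVC denial line, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return m.group('perms').split(), fields

def type_of(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]

def classify(fields):
    """Hint at the likely root cause, judged from the target context type."""
    t = type_of(fields['tcontext'])
    if t == 'default_t':
        return 'unlabeled target: no specific file_contexts entry matched this path'
    if t == 'initrc_t':
        return 'target daemon never transitioned out of initrc_t into its own domain'
    return 'missing allow rule between two confined types'

def triage(log):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'hint': ''})
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC record (or a non-denial audit line)
        perms, f = parsed
        key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])
        g = groups[key]
        g['perms'].update(perms)
        g['count'] += 1
        g['hint'] = classify(f)
    return dict(groups)
```

Run `triage(SAMPLE_LOG)` to get three groups; the two smbd records collapse into one entry with the union of their permissions, which is the shape a policy module would need rather than one rule per log line.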