From: Dan Egli
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] SELinux errors
Date: Sun, 25 Apr 2021 20:07:59 -0600
List-Id: Gentoo Linux mail

I just finished putting together a new test box after the old one finally gave up the ghost. Everything seems to be working okay, EXCEPT for selinux. To be safe, I started with selinux in permissive mode. And I'm glad I did, because of all the errors showing up for things that had BETTER not show errors. Things like auth, sshd, etc. Here's a sample of the errors I'm seeing:

Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:485): avc:  denied  { getattr } for  pid=8100 comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:486): avc:  denied  { search } for  pid=8100 comm="auth" name="mysqld" dev="tmpfs" ino=160 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:487): avc:  denied  { write } for  pid=8100 comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:490): avc:  denied  { create } for  pid=8172 comm="smbd" name="8172" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc:  denied  { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc:  denied  { lock } for  pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.444:493): avc:  denied  { unlink } for  pid=8175 comm="smbd" name="8175" dev="tmpfs" ino=670 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc:  denied  { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:39:44 jupiter kernel: audit: type=1400 audit(1619401184.815:495): avc:  denied  { read } for  pid=8450 comm="smbd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:496): avc:  denied  { write } for  pid=8852 comm="lpqd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:497): avc:  denied  { remove_name } for pid=8852 comm="lpqd" name="8852" dev="tmpfs" ino=697 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:498): avc:  denied  { sendto } for  pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5797" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:499): avc:  denied  { sendto } for  pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5919" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:winbind_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:12 jupiter kernel: audit: type=1400 audit(1619401332.945:500): avc:  denied  { add_name } for pid=8865 comm="smbd" name="8865" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:501): avc:  denied  { read } for  pid=9056 comm="winbindd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:502): avc:  denied  { search } for  pid=9056 comm="winbindd" name="lock" dev="tmpfs" ino=454 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:503): avc:  denied  { getattr } for  pid=9056 comm="winbindd" path="/run/lock/samba" dev="tmpfs" ino=462 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:504): avc:  denied  { write } for  pid=9056 comm="winbindd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:505): avc:  denied  { add_name } for pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:506): avc:  denied  { create } for  pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:507): avc:  denied  { read write open } for pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:508): avc:  denied  { lock } for  pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:509): avc:  denied  { search } for  pid=10897 comm="sshd" name="root" dev="vda1" ino=996517 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc:  denied  { read } for  pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1

First thing I tried was restorecon. I did restorecon -r / to ensure that the entire directory tree was updated correctly. The errors above are AFTER restorecon. I am using the targeted policy right now. I figured it would work for the first tests and I could upgrade to strict later. But if I can't even get targeted to work correctly, then I'm really in trouble. Any tips?

--
Dan Egli
From my Test Server
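A triage helper for the kind of AVC log shown in the post above, added here as an example and not part of the original message: it parses kernel-format `avc: denied` lines, groups them by source type, target type and object class so that one rule covers many lines, and separately lists objects whose target type is `default_t` or `unlabeled_t`, which points at a labeling problem rather than a missing policy rule. The sample input is a constructed subset of the lines quoted above; the field names follow the audit record format, not any tool's API.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC lines taken from the post above (kernel audit format).
SAMPLE = """\
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:487): avc:  denied  { write } for  pid=8100 comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:507): avc:  denied  { read write open } for pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc:  denied  { read } for  pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." (spacing in the kernel output varies)
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    # Keep only the type component of each context (user:role:type[:level]).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class) and union their permissions.
    Also collect the name/path of every object labeled default_t or unlabeled_t,
    since those usually mean the file context is wrong, not that policy is missing."""
    groups = defaultdict(set)
    suspect_labels = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
        if rec["ttype"] in ("default_t", "unlabeled_t"):
            suspect_labels.append(rec.get("path") or rec.get("name"))
    return dict(groups), suspect_labels

if __name__ == "__main__":
    groups, suspects = summarize(SAMPLE)
    for (s, t, c), perms in sorted(groups.items()):
        print(f"{s:18} -> {t:18} {c:20} {{ {' '.join(sorted(perms))} }}")
    print("possible mislabels:", suspects)
```

Feed it `dmesg` or `journalctl -k` output instead of the sample to get the same grouping over a live box; each group is one candidate rule (or one mislabel to fix with the right file context).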