fedora-selinux / selinux-policy Goto Github PK
View Code? Open in Web Editor NEWselinux-policy for Fedora is a large patch off the mainline
License: GNU General Public License v2.0
selinux-policy's People
Contributors
Stargazers
Watchers
Forkers
lzap lhh bachradsusi jsegitz lkundrak gkarakou wtogami rthallisey major cgwalters besser82 jasontibbitts rubenk hogarthj raging-dwarf bengal vmojzis 1dot75cm rhatdan trosten fale piotr1212 berrange vote539 bowlofeggs sileht networkmanager garyttierney mscherer t-woerner lslebodn keszybz xavloose ssekidde psypete xiaoxiangfu sigalrm jakuje martinezjavier konradwilk teg annfry nicki-krizek msekletar tmzullinger stlaz zhizhouzh pcmoore filbranden kubco2 untosten rfairley dustymabe zpytela lorbuschris praiskup wonder93 jlebon benjaminlefoul mike-nguyen adamwill fengxingwei369 5umm3r15 polarina mikhailnov koncpa tiran richard-filo jtlayton secureworkstation mgrepl travier sohankunkerkar demimarie tasleson mlichvar duritong nertpinx terryburton dridi lveyde hansborr patsoffice litew luk1337 im-0 harmth ljavorsk maage rkothiya lnussel masatake xuyang0410 marusak huaxinlu qiankehan quanah jirihnidek zdohnal lujievselinux-policy's Issues
denying read for systemd-sysctl on file in /run/sysctl.d
I'm creating a file in /run/sysctl.d to be picked up by systemd-sysctl
and it's failing with an selinux denial. On Fedora 32:
$ sudo mkdir -p /run/sysctl.d
$ echo 'kernel.printk=4' | sudo tee /run/sysctl.d/20-printk.conf
kernel.printk=4
$ ls -lZ /run/sysctl.d/20-printk.conf
-rw-r--r--. 1 root root unconfined_u:object_r:var_run_t:s0 16 Apr 15 21:15 /run/sysctl.d/20-printk.conf
$
$ matchpathcon /run/sysctl.d/20-printk.conf
/run/sysctl.d/20-printk.conf system_u:object_r:var_run_t:s0
$
$ sudo systemctl restart systemd-sysctl
Job for systemd-sysctl.service failed because the control process exited with error code.
See "systemctl status systemd-sysctl.service" and "journalctl -xe" for details.
$
$ sudo journalctl --since '60 seconds ago' | grep AVC
Apr 15 21:16:14 vanilla-f32-beta audit[2454]: AVC avc: denied { read } for pid=2454 comm="systemd-sysctl" name="20-printk.conf" dev="tmpfs" ino=27667 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
Should we update the policy to allow systemd-sysctl to read var_run_t or update the policy such that files created under /run/sysctl.d get a different file content by default?
$ rpm -qa | grep selinux
selinux-policy-targeted-3.14.5-28.fc32.noarch
libselinux-3.0-3.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch
libselinux-utils-3.0-3.fc32.x86_64
python3-libselinux-3.0-3.fc32.x86_64
rpm-plugin-selinux-4.15.1-2.fc32.1.x86_64
neverallow violated by allow sandbox_* unlabeled_t:file { entrypoint };
commit ef3466f
Author: Miroslav Grepl [email protected]
Date: Tue Mar 22 09:49:22 2016 +0100
Add neverallow assertion for unlabaled_t to increase policy security.
This commits violated this errors:
libsepol.report_failure: neverallow violated by allow sandbox_x_client_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_net_client_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_x_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_web_client_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_min_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_net_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_web_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_min_client_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow sandbox_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow svirt_kvm_net_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow svirt_lxc_net_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow openshift_initrc_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow svirt_qemu_net_t unlabeled_t:file { entrypoint };
libsepol.report_failure: neverallow violated by allow virtd_lxc_t unlabeled_t:file { entrypoint };
PS: ... and the second winner is ....
systemd-hwdb should be confined
$ ls -lZ /usr/bin/systemd-hwdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 70512 Dec 10 14:09 /usr/bin/systemd-hwdb
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/systemd-hwdb update
Merging insmod_t and depmod_t types together
Based on upstream communication we should merge these types together and have kmod_t. There is no security benefit to have have them as separate types. Even depmod is a symlink to kmod.
See
http://oss.tresys.com/pipermail/refpolicy/2015-October/007758.html
for more details.
RFE: Review and turn mozilla_plugin_can_network_connect boolean on
dnsmasq needs leases files in /var/lib/NetworkManager/dnsmasq-.*\.leases
When dnsmasq is run by network manager (for network sharing), the lease file is placed into /var/lib/NetworkManager/. This results in errors like:
Jan 07 15:04:18 ben-x1 NetworkManager[22928]: dnsmasq: cannot open or create lease file /var/lib/NetworkManager/dnsmasq-p2p-wlp4s0-10.leases: Permission denied
This changed in Network Manager with commit https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/b4116a6fe6a5cfc05c0b81f71dd44b59c7ca0c43
GNOME session managed by user systemd instance non-functional
NOTE: The upstream patchset is not yet merged. I am opening the bug as an advanced notice.
With https://gitlab.gnome.org/GNOME/gnome-session/merge_requests/13 we are going to start the GNOME session. This patchset currently fails to work with selinux enabled, because /usr/libexec/gnome-session-binary and the new /usr/libexec/gnome-session-ctl binaries are not allowed to start/stop user services.
Note that we will get more applications starting/stopping services in the future (one example is a target that is started when Xwayland is available, but that will not happen for a while).
I'll update this ticket once it is clear which binaries need to start/stop services for GNOME to work.
some domains miss the dac_override capability
Reboot of my Fedora26 VM (with fc27 selinux-policy and fc27 SELinux user-space) revealed that following rules are missing:
allow NetworkManager_t self:capability dac_override;
allow cupsd_t self:capability dac_override;
allow systemd_logind_t self:capability dac_override;
allow systemd_networkd_t self:capability dac_override;
$ rpm -qa selinux*
selinux-policy-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-mls-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-devel-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-targeted-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-minimum-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-sandbox-3.13.1-277.fc27.no_dac_override.100.noarch
selinux-policy-doc-3.13.1-277.fc27.no_dac_override.100.noarch
$
Changelog not updated.
This makes it hard to figure out the association between a particular release and a particular state in github.
SELinux blocking DynamicUser cache dir creation
W/ selinux-policy-3.14.2-40.fc29
The issue is SELinux blocking DynamicUser cache dir creation:
type=AVC msg=audit(1541174465.681:2046): avc: denied { create } for pid=2655 comm="(pt-proxy)" name="dnscrypt-proxy" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
localhost systemd[13460]: dnscrypt-proxy.service: Failed to set up special execution directory in /var/cache: Permission denied
localhost systemd[13460]: dnscrypt-proxy.service: Failed at step CACHE_DIRECTORY
@wrabcak , could you have a look on this, this is related to systemd/systemd#9583 (comment) I didn't notice it before because the dir was already created on my system but users are reporting errors: https://bugzilla.redhat.com/show_bug.cgi?id=1645598
SELinux blocking StrongSwan from dropping privileges
SELinux denies StrongSwan CAP_SETUID and CAP_SETGID. This prevents StrongSwan from switching to a non-root user after startup.
Policy tweaks for Courier's webmail
The contributed courier package is missing a couple of permissions for courier's webmail cgi binary.
I was able to get the cgi binary working on F30 with the following local policy:
policy_module(courier_webmail, 1.0)
require {
type httpd_sys_script_t;
type courier_spool_t;
};
allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;
`/run/motd` and `/run/motd.d` paths not getting context `etc_t`
The changes in #230 and #232 gave /run/motd and /run/motd.d(/.*)? paths the context etc_t, which allows sshd to read these paths and display MOTD messages here.
Trying out the MOTD functionality (in a Fedora 29 cloud base Vagrant box), the paths still have the context var_run_t despite the setting to change the context to etc_t being present.
# dnf upgrade -y
...
# rpm -qa | grep "selinux-policy"
selinux-policy-targeted-3.14.2-46.fc29.noarch
selinux-policy-3.14.2-46.fc29.noarch
# ls -Z /run | grep motd
system_u:object_r:var_run_t:s0 motd.d
# semanage fcontext -l | grep motd
...
/run/motd regular file system_u:object_r:etc_t:s0
/run/motd.d(/.*)? all files system_u:object_r:etc_t:s0
...
Doing the following gives the /run/motd.d path the etc_t context as desired, and the rule appears in the file contexts:
# semanage fcontext -a -t etc_t "/var/run/motd.d(/.*)?"
# restorecon -Rnv /run
Would relabel /run/motd.d from system_u:object_r:var_run_t:s0 to system_u:object_r:etc_t:s0
...
# semanage fcontext -l | grep motd
...
/run/motd regular file system_u:object_r:etc_t:s0
/run/motd.d(/.*)? all files system_u:object_r:etc_t:s0
...
/var/run/motd.d(/.*)? all files system_u:object_r:etc_t:s0
If adding a rule with the path /run/motd.d(/.*)?, the following error is given:
# semanage fcontext -a -t etc_t "/run/motd.d(/.*)?"
ValueError: File spec /run/motd.d(/.*)? conflicts with equivalency rule '/run /var/run'; Try adding '/var/run/motd.d(/.*)?' instead
It seems that adding the context for a path under /run is causing a conflict, and is why the change to give /run/motd and /run/motd.d context etc_t is not being propagated. I haven't verified this by building the policy with the changed settings on my system yet, though.
Would the best convention here be to change the paths in policy/modules/kernel/files.fc to /var/run/motd and /var/run/motd.d(/.*)?, in order to successfully label /run/motd and /run/motd.d(/.*)? with etc_t?
Thanks!
cc @dustymabe, @lucab, @LorbusChris
Fedora 32 SELinux prompt "SELinux is preventing unbound-anchor from name_bind access on the udp_socket port 61000" after hibernation.
Hi Guys,
After hibernation of my Fedora 32 desktop, I got these message or prompt from SELinux:
SELinux is preventing unbound-anchor from name_bind access on the udp_socket port 61000.
Plugin: bind_ports
SELinux has denied the unbound-anchor from binding to a network port 61000
which does not have an SELinux type associated with it. If unbound-anchor should
be allowed to listen on 61000, use the semanage command to assign 61000 to a
port type that named_t can bind to (%s). If unbound-anchor is not supposed to
bind to 61000, this could signal an intrusion attempt.
If you want to allow unbound-anchor to bind to network port 61000
you need to modify the port type.
semanage port -a -t PORT_TYPE -p udp 61000
where PORT_TYPE is one of the following: afs3_callback_port_t, afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t, amanda_port_t, amavisd_recv_port_t, amavisd_send_port_t, amqp_port_t, aol_port_t, apc_port_t, apcupsd_port_t, appswitch_emp_port_t, asterisk_port_t, babel_port_t, bacula_port_t, bctp_port_t, bfd_control_port_t, bgp_port_t, boinc_client_port_t, boinc_port_t, brlp_port_t, certmaster_port_t, clamd_port_t, clockspeed_port_t, cluster_port_t, cma_port_t, cobbler_port_t, collectd_port_t, commplex_link_port_t, commplex_main_port_t, condor_port_t, conman_port_t, connlcli_port_t, conntrackd_port_t, couchdb_port_t, ctdb_port_t, cvs_port_t, cyphesis_port_t, cyrus_imapd_port_t, daap_port_t, dbskkd_port_t, dcc_port_t, dccm_port_t, dey_keyneg_port_t, dey_sapi_port_t, dhcpc_port_t, dict_port_t, distccd_port_t, dns_port_t, dnssec_port_t, dogtag_port_t, embrace_dp_c_port_t, ephemeral_port_t, epmd_port_t, fac_restore_port_t, firepower_port_t, flash_port_t, fmpro_internal_port_t, freeipmi_port_t, gatekeeper_port_t, gds_db_port_t, gear_port_t, geneve_port_t, giftd_port_t, git_port_t, glance_port_t, glance_registry_port_t, gluster_port_t, gpsd_port_t, hadoop_datanode_port_t, hadoop_namenode_port_t, hddtemp_port_t, howl_port_t, hplip_port_t, http_cache_port_t, i18n_input_port_t, ibm_dt_2_port_t, imaze_port_t, intermapper_port_t, interwise_port_t, ionixnetmon_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, iscsi_port_t, isns_port_t, jabber_client_port_t, jabber_interserver_port_t, jabber_router_port_t, jacorb_port_t, jboss_debug_port_t, jboss_management_port_t, jboss_messaging_port_t, kerberos_port_t, keystone_port_t, kubernetes_port_t, l2tp_port_t, lirc_port_t, llmnr_port_t, lltng_port_t, lsm_plugin_port_t, luci_port_t, mail_port_t, mailbox_port_t, matahari_port_t, memcache_port_t, milter_port_t, mmcc_port_t, mongod_port_t, monopd_port_t, mountd_port_t, movaz_ssc_port_t, mpd_port_t, ms_streaming_port_t, msnp_port_t, mssql_port_t, munin_port_t, mxi_port_t, mysqld_port_t, mysqlmanagerd_port_t, mythtv_port_t, nessus_port_t, netport_port_t, netsupport_port_t, neutron_port_t, nfs_port_t, nmea_port_t, nodejs_debug_port_t, nsca_port_t, nsd_control_port_t, ntop_port_t, oa_system_port_t, ocsp_port_t, openflow_port_t, openhpid_port_t, openqa_port_t, openqa_websockets_port_t, openvpn_port_t, openvswitch_port_t, oracle_port_t, osapi_compute_port_t, ovsdb_port_t, pdps_port_t, pegasus_http_port_t, pegasus_https_port_t, pgpkeyserver_port_t, pingd_port_t, pki_kra_port_t, pki_ocsp_port_t, pki_ra_port_t, pki_tks_port_t, pki_tps_port_t, pktcable_cops_port_t, postfix_policyd_port_t, postgresql_port_t, postgrey_port_t, pptp_port_t, prelude_port_t, presence_port_t, preupgrade_port_t, priority_e_com_port_t, prosody_port_t, ptal_port_t, pulp_port_t, pulseaudio_port_t, puppet_port_t, pxe_port_t, pyzor_port_t, qpasa_agent_port_t, rabbitmq_port_t, radacct_port_t, radius_port_t, radsec_port_t, razor_port_t, redis_port_t, repository_port_t, ricci_modcluster_port_t, ricci_port_t, rkt_port_t, rtp_media_port_t, rtsclient_port_t, rtsp_port_t, salt_port_t, sap_port_t, saphostctrl_port_t, servistaitsm_port_t, sge_port_t, shellinaboxd_port_t, sieve_port_t, sip_port_t, sixxsconfig_port_t, smntubootstrap_port_t, soundd_port_t, speech_port_t, squid_port_t, ssdp_port_t, statsd_port_t, svn_port_t, swift_port_t, sype_transport_port_t, syslog_tls_port_t, tangd_port_t, tcs_port_t, tor_port_t, traceroute_port_t, tram_port_t, transproxy_port_t, trisoap_port_t, trivnet1_port_t, unreserved_port_t, ups_port_t, us_cli_port_t, varnishd_port_t, versa_tek_port_t, virt_migration_port_t, virt_port_t, virtual_places_port_t, vnc_port_t, wap_wsp_port_t, wccp_port_t, websm_port_t, whois_port_t, winshadow_port_t, wsdapi_port_t, wsicopy_port_t, xen_port_t, xfs_port_t, xinuexpansion3_port_t, xinuexpansion4_port_t, xodbc_connect_port_t, xserver_port_t, zabbix_agent_port_t, zabbix_port_t, zebra_port_t, zented_port_t, zookeeper_client_port_t, zookeeper_election_port_t, zookeeper_leader_port_t, zope_port_t.
Anything I should do? I have already updated my Fedora 32 desktop.
Sorry. I am new to SELinux.
Thanks.
SELinux prevents systemd from relabeling after loading the policy
Sorry if this is the wrong place.
Systemd 240 introduced /run/systemd/relabel-extra.d (doc). Unfortunately the SELinux policy appears to be denying everything it's trying to do.
This is on Fedora CoreOS, which uses the normal Fedora systemd package.
Steps to reproduce:
- Boot fedora or fedora coreos with rd.break on the kernel command line
- wait for the shell in the initrd
echo '/etc' > /run/systemd/relabel-extra.d/foo.relabel- continue booting (exit the shell)
- observe AVC denials in the logs
unable to use machinectl with selinux in enforcing mode
Hallo,
I am using Fedora Silverblue 31 and i cannot use machinectl with selinux in enforcing mode.
Does anyone know how i can change the SELinux policy to allow it?
Thank you!
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31 Failed to get shell PTY: Input/output error [gui@localhost ~]$ sudo setenforce 0 [sudo] password for gui: [gui@localhost ~]$ sudo machinectl shell gui@Fedora31 Connected to machine Fedora31. Press ^] three times within 1s to exit session. [gui@Fedora31 ~]$
Consider changing default branch
It's really useful to have a searchable repository, and unfortunately GitHub only allows search of the default branch.
As the default branch is master, with nothing but a README, this means the extremely useful search features are completely unusable.
Would you consider changing the default branch, to, perhaps, rawhide? It would then allow search functionality of the latest revisions. My use case is generally to lookup macro definitions to learn underlying functionalities, as I'm generally unable to find reliable documentation.
Systemd-modules-load cannot load kernel modules with 'install' command in /etc/modprobe.d
How to reproduce:
echo 'install dummy echo nope' > /etc/modprobe.d/test-install-selinux.conf
echo 'dummy' > /etc/modules-load.d/test-install-selinux.conf
systemctl restart systemd-modules-load
rm /etc/modprobe.d/test-install-selinux.conf
rm /etc/modules-load.d/test-install-selinux.conf
ausearch -i -m avc --just-one
----
type=PROCTITLE msg=audit(13.07.2018 15:22:14.554:212) : proctitle=/usr/lib/systemd/systemd-modules-load
type=SYSCALL msg=audit(13.07.2018 15:22:14.554:212) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7f3ec8ddd897 a1=0x7ffe0608ff10 a2=0x563ff1c6ffe0 a3=0x8 items=0 ppid=977 pid=978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules exe=/usr/lib/systemd/systemd-modules-load subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
type=AVC msg=audit(13.07.2018 15:22:14.554:212) : avc: denied { execute } for pid=978 comm=systemd-modules name=bash dev="vda3" ino=4194473 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
I have found this while trying to load ip_vs in Fedora Atomic Host (wanted to try out IPVS in Kubernetes on FAH). /etc/modprobe.d/firewalld-sysctls.conf has this:
install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack $CMDLINE_OPTS && /sbin/sysctl --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --systemWhich results in a whole bunch of denials for nf_conntrack in permissive mode:
----
type=PROCTITLE msg=audit(13.07.2018 15:35:52.284:80) : proctitle=/sbin/modprobe --ignore-install nf_conntrack
type=SYSCALL msg=audit(13.07.2018 15:35:52.284:80) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56248e19a8d0 a1=0x56248e19a9b0 a2=0x56248e1986e0 a3=0x56248e18e010 items=0 ppid=650 pid=651 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
type=AVC msg=audit(13.07.2018 15:35:52.284:80) : avc: denied { map } for pid=651 comm=modprobe path=/usr/bin/kmod dev="vda3" ino=4194843 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.284:80) : avc: denied { execute_no_trans } for pid=651 comm=sh path=/usr/bin/kmod dev="vda3" ino=4194843 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.284:80) : avc: denied { read open } for pid=651 comm=sh path=/usr/bin/kmod dev="vda3" ino=4194843 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.284:80) : avc: denied { execute } for pid=651 comm=sh name=kmod dev="vda3" ino=4194843 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(13.07.2018 15:35:52.282:79) : proctitle=sh -c /sbin/modprobe --ignore-install nf_conntrack && /sbin/sysctl --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --syste
type=SYSCALL msg=audit(13.07.2018 15:35:52.282:79) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f5649996897 a1=0x7fff677883a0 a2=0x562d7a1f2050 a3=0x8 items=0 ppid=649 pid=650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
type=AVC msg=audit(13.07.2018 15:35:52.282:79) : avc: denied { map } for pid=650 comm=sh path=/usr/bin/bash dev="vda3" ino=4194473 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.282:79) : avc: denied { execute_no_trans } for pid=650 comm=systemd-modules path=/usr/bin/bash dev="vda3" ino=4194473 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.282:79) : avc: denied { execute } for pid=650 comm=systemd-modules name=bash dev="vda3" ino=4194473 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(13.07.2018 15:35:52.297:81) : proctitle=sh -c /sbin/modprobe --ignore-install nf_conntrack && /sbin/sysctl --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --syste
type=SYSCALL msg=audit(13.07.2018 15:35:52.297:81) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56248e19ae20 a1=0x56248e198c90 a2=0x56248e1986e0 a3=0x8 items=0 ppid=649 pid=650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
type=AVC msg=audit(13.07.2018 15:35:52.297:81) : avc: denied { map } for pid=650 comm=sysctl path=/usr/sbin/sysctl dev="vda3" ino=4819127 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.297:81) : avc: denied { execute_no_trans } for pid=650 comm=sh path=/usr/sbin/sysctl dev="vda3" ino=4819127 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.07.2018 15:35:52.297:81) : avc: denied { execute } for pid=650 comm=sh name=sysctl dev="vda3" ino=4819127 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
(In order to get those into the audit log, I also had to add ExecStartPre=/usr/bin/sleep 5 to systemd-modules-load.service.)
[Silverblue] RPMs that install to `/opt` have incorrect SELinux context type.
I believe there is a subtle SELinux policy bug that comes from the fact that RPMs that install to /opt instead get installed to /usr/lib/opt in Silverblue (for ostree reasons).
This causes a subtle policy bug because the expected SELinux context type for files installed to /opt is usr_t:
# semanage fcontext -l | grep -E '^/opt(/\.\* | )'
/opt all files system_u:object_r:usr_t:s0
/opt/.* all files system_u:object_r:usr_t:s0
However, since they get installed to /usr/lib instead, they pick up this rule:
# semanage fcontext -l | grep '^/usr/lib/\.\* '
/usr/lib/.* all files system_u:object_r:lib_t:s0
This causes RPMs which have files that install to /opt and rely on them having a usr_t context type to run into issues.
The solution, I think, would be to add a rule like so:
/usr/lib/opt all files system_u:object_r:usr_t:s0
/usr/lib/opt/.* all files system_u:object_r:usr_t:s0
Locally, I work around it by calling:
semanage fcontext -a -t usr_t '/usr/lib/opt(/.*)?'
Support for systemd /run/systemd/transient directory
systemd/systemd@3959135139 added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there.
I'm seeing the following avc:
Apr 14 19:41:22 rawhide audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/user-0.slice" cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Not able to remove unwanted domain transition to abrt_helper_t
I have created a new highly restricted SELinux user, role and domain. Let's call it foo, it is based on guest_u on Fedora Linux 28.
I have minimized allowed domain transitions almost to the point that I want, but analysis using
sedta --source foo_t
still shows something bad:
###################################
Transition 4: foo_t -> abrt_helper_t
Domain transition rule(s):
allow domain abrt_helper_t:process transition;
Set execution context rule(s):
allow foo_t foo_t:process { dyntransition fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop transition };
Entrypoint abrt_helper_exec_t:
Domain entrypoint rule(s):
allow abrt_helper_t abrt_helper_exec_t:file { entrypoint execute getattr ioctl lock map open read };
File execute rule(s):
allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read };
Type transition rule(s):
type_transition foo_t abrt_helper_exec_t:process abrt_helper_t;
###################################
I have traced the origin of this to file policy/modules/kernel/domain.te.
Is there any chance of getting rid of this unwanted abrt_helper_t domain transition that is automatically allowed to domains?
I guess I could just copy domain.fc, domain.te and domain.if, rename them and remove the transition right, but could this transition be removed from the official base policy? Or would it break too much?
SELinux prevents using systemd RootImage= on Fedora CoreOS
On Fedora CoreOS, out of the box, a systemd unit using RootImage= pointing to an image that contains a squashfs file system cannot be started with SELinux enabled. I was advised to report a bug about that here.
Steps to reproduce
-
Acquire a Fedora CoreOS Qemu image from here. I got
fedora-coreos-32.20200601.3.0-qemu.x86_64.qcow2and renamed it tofedora-coreos-qemu.qcow2. Extract the attached zip archive to the same directory that contains the qcow2 image. The archive also contains the source for the Ignition config. -
Boot in Qemu with the attached Ignition config and squashfs image:
qemu-system-x86_64 \ -m 2048 \ -nographic \ -snapshot \ -drive if=virtio,file=fedora-coreos-qemu.qcow2 \ -fw_cfg name=opt/com.coreos/config,file=config.ign \ -drive file=sleep.img,format=raw,if=virtio -
Log in with user
pocand passwordpoc. -
(Optional) stop Zincati to prevent the spammy audit logs:
sudo systemctl stop zincati.service -
Copy the squashfs image from the virtio device to a file:
sudo cp /dev/vdb sleep.imgThis image is used with
RootImage=. We pass it in through Qemu virtio because it’s an easy way to get the file in, and inlining it in the Ignition config makes the initial boot too slow. -
Try to start the service:
sudo systemctl start sleep.service sudo systemctl status sleep.servicedmesgprints:audit: type=1400 audit(1592847151.125:243): avc: denied { read write } for pid=2867 comm="(sleep)" name="sleep.img" dev="vda4" ino=7300003 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0 audit: type=1400 audit(1592847151.163:244): avc: denied { read } for pid=2867 comm="(sleep)" name="sleep.img" dev="vda4" ino=7300003 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0The journal says:
systemd[2086]: sleep2.service: Failed to set up mount namespacing: Permission denied systemd[2086]: sleep2.service: Failed at step NAMESPACE spawning /usr/bin/sleep: Permission denied systemd[1]: sleep2.service: Main process exited, code=exited, status=226/NAMESPACE -
Repeat the above steps, but passing
config-no-selinux.ignto Qemu instead ofconfig.ign. This uses a slightly different Ignition config, which ensures that/etc/selinux/configcontainsSELINUX=disabled SELINUXTYPE=targeted -
Observe how the service starts successfully now.
Contents of the systemd service file
[Unit]
Description=Proof of concept sleep service
[Service]
ExecStart=/usr/bin/sleep 300s
RootImage=/home/poc/sleep.imgOutput of rpm-ostree status
State: idle
Warning: failed to query journal: Cannot assign requested address (os error 99)
Deployments:
● ostree://fedora:fedora/x86_64/coreos/stable
Version: 32.20200601.3.0 (2020-06-16T08:52:21Z)
Commit: b51037798e93e5aae5123633fb596c80ddf30302b5110b0581900dbc5b2f0d24
GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0
Systemd version
systemd 245 (v245.4-1.fc32)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
userdom_change_password_template allows user to change shell
Based on the template's name, one assumes that
userdom_change_password_template()
would allow user to change his or her password. It does that.
But this template also allows executing files of type:
chfn_exec_t
And those include not only /usr/bin/chfn, but also /usr/bin/chsh:
[untosten@localhost]$ ls -lZ /usr/bin/{chfn,chsh}
-rws--x--x. 1 root root system_u:object_r:chfn_exec_t:s0 30256 Jul 16 14:56 /usr/bin/chfn
-rws--x--x. 1 root root system_u:object_r:chfn_exec_t:s0 25696 Jul 16 14:56 /usr/bin/chsh
This is quite bad.
I want to make sure confined users run only my highly restricted custom shell, and it must not be changed by the user. So I replaced the template call with:
usermanage_run_passwd($1_t, $1_r)
Gotchas like this are not nice or good to security.
Interface is called `usedom` instead of `userdom`
policy/modules/contrib points at a dead repo
[RFE] Add boolean to toggle the state of (some) policy capabilities
I think it would provide a nice enhancement to alter the state of policy capabilities like always_check_network with a simple but effective boolean. That way one would not have to recompile the entire policy.
Reopen issue #12
It seems that .gitmodules still point to the wrong repo on rawhide-base.
user_u can execute setuid binaries
According to the Fedora 25 SELinux documentation, users assigned with the SELinux user_u user should not be able to execute setuid binaries.
This is no longer the case at least on Fedora 31. Creating a confined user with:
$ sudo useradd test
$ sudo passwd test
$ sudo semanage login --add -s user_u -r s0 test
# Login as test
$ su -
# Accepts a valid root password and proceeds with setuid root
$ sudo -i
# Execute sudo
I have not yet found which commit undid this. This used to work until at least Fedora 29. I have not yet tested with Fedora 30.
The name of the lircd module is not correct
The lircd module describes permissions for the /dev/lirc[0-9] devices, defining the type lirc_device_t. All this looks fine.
However, I think the module name lircd is, well, "not ideal".lircd is a user space daemon which basically isn't related to the kernel devices in any specific way (although it is the primary user of this interface). IMHO, the kernel selinux module should be named lirc, leaving the lircd name free for the lircd user space daemon.
While I think we agree on that the module name is wrong, I have no idea if it is worth the hassles of actually changing it. I could name the lircd module e. g., lircd_daemon and live with that. IMHO we need some kind of decision, though.
mandb_cache_t only allowed to staff_r why?
I don't understand why mandb_cache_t is only allowed to staff_r.
selinux-policy]$ git grep mandb_map_cache
policy/modules/roles/staff.te: mandb_map_cache_files(staff_t)
When I have user role sysadm_r or user_r I am not able to access mandb_cache_t when I try to get manua of command that does not exits like:
man foo-does-not-existI think at least sysadm_r and unprivuser (user_r) should be able to use mandb.
# audit(1543950713.000:7399):
# scontext="user_u:user_r:user_t:s0" tcontext="system_u:object_r:mandb_cache_t:s0"
# class="file" perms="map"
# comm="man" exe="" path=""
# message="type=AVC msg=audit(1543950713.000:7399): avc: denied { map } for
# pid=28717 comm="man" path="/var/cache/man/index.db" dev="sdc3" ino=20992383
# scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:mandb_cache_t:s0
# tclass=file permissive=0"
Another issue is why there is something that is allowed to staff_r but not sysadm_r or am I understanding something wrong?
My system is:
Fedora 29 x86_64
$ rpm -q selinux-policy
selinux-policy-3.14.2-42.fc29.noarch
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.14.2-42.fc29.noarch
This commit does not help to diagnose but it allows staff_t to use mandb_cache_t:
Scary looking allow rules for guest_usertype and xguest_usertype
I have created a new restricted SELinux user. It is based it on existing guest_u.
Now what are these scary looking rules?
[root@localhost]# sesearch --allow|grep guest_usertype|grep admin
allow guest_usertype admin_home_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow guest_usertype admin_home_t:lnk_file { getattr read };
allow xguest_usertype admin_home_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow xguest_usertype admin_home_t:lnk_file { getattr read };
[root@localhost]# find / -type d -context 'admin_home_t'
/root
Yes, DAC rules should prevent access to /root, but really, what is going on here?
Use allowxperm to filter ioctls
Currently, ioctls are either entirely allowed or entirely forbidden. Instead, they should be whitelisted, as is done in Android.
Label flatpak installations appropriately
Flatpak installs applications in a few places:
- System-wide applications: below /var/lib/flatpak/app
- System-wide runtimes: below /var/lib/flatpak/runtime
- Per-user applications: below $HOME/.local/share/flatpak/app
- Per-user runtimes: below $HOME/.local/share/flatpak/runtime
E.g.
/var/lib/flatpak/app/org.gnome.PortalTest/current/active/files/
is the root of the tree that gets mounted readonly at /app inside the sandbox when running the org.gnome.PortalTest application, and
$HOME/.local/share/flatpak/runtime/org.freedesktop.Platform/x86_64/1.4/active/files
is the root of the tree that gets mounted readonly at /usr inside the sandbox of apps using version 1.4 of the org.freedesktop.Platform runtime.
These should get suitable selinux labels.
See flatpak/flatpak#189 for proposed flatpak changes that will assign unique exec and file labels during sandbox setup.
Issue 41 is not visible
For some odd reason #41 is not visible as an open issue. Any hint?
Summary for userdom_user_tmp_content seems incorrect
The summary for userdom_user_tmp_content doesn't seem correct.
Allow domain to attach to TUN devices created by administrative users.
userdom_attach_admin_tun_iface has exactly the same summary.
Allow systemd to read efivars
Apr 14 20:42:21 rawhide audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="LoaderTimeInitUSec-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=9245 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
systemd tries to read a bunch of efi vars: LoaderTimeInitUSec, LoaderTimeExecUSec, LoaderDevicePartUUID. It's probably reasonable to allow it to read any system_u:object_r:efivarfs_t:s0.
Wrong label on /var/spool/cron
/var/spool/cron is labelled user_cron_spool_t, which is incorrect and gives all daemons access to it. It should be labeled cron_spool_t.
systemd-rfkill runs as init_t instead of own domain
DESCRIPTION
systemd-rfkill.service is a service that restores the RF
kill switch state at early boot and saves it on each
change. On disk, the RF kill switch state is stored in
/var/lib/systemd/rfkill/.
lircd needs some new permissions.
since 0.9.2 (f22) lircd's default mode is to drop the root privileges and run as the system user 'lirc'. This causes AVC denials, muted by the following .te file:
policy_module(lircd, 2)
gen_require(`
type lircd_t;
type passwd_file_t;
')
#============= lircd_t ==============
allow lircd_t passwd_file_t:file { read getattr open };
allow lircd_t self:capability { setuid setgid dac_override };
No idea what to do with this...
EDIT: lirc lives in fedora + EPEL.
dotnet exe under /usr/lib64 should have bin_t context
Hi, .NET Core packages from Fedora .NET SIG install an executable at /usr/lib64/dotnet/dotnet. A symlink is added to /usr/bin/dotnet which links to that executable.
The dotnet executable isn't usable from a systemd system service: SELinux blocks it because it has the lib_t context.
Changing to bin_t makes it work:
sudo semanage fcontext -a -t bin_t /usr/lib/dotnet/dotnet
sudo restorecon -R -v /usr/lib64/dotnet/dotnet
Can you please update the Fedora SELinux policy so the executable gets the bin_t label by default?
In the selinux policy.29 of fedora, can "httpd" access to "passwd_file_t"?
Hello,everyone!
I have followed the link "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes" to examin the effect of selinux on fedora 23.
It did work. And "httpd" can't access to "samba_share_t".
However "httpd" can access to "passwd_file_t" Besides there are not any rules between "httpd" and "passwd_file_t" when I use apol to search.
I don't know why?
Is there anybody can tell me the reasons?
Thank you!
Add typebounds for user domains
Many optional elements are hiddenly disabled in policies
I have recently found that in semodule utility and in libsepol in general it is impossible to turn on maximal debug level. See SELinuxProject/selinux#176
When Fedora's selinux-policy and fedora-policy-contrib are built with libsepol with that patch applied, libsepol thows a lot of warnings about depreceated and unresolvable statements.
I think policy developers did not see them due to libsepol not telling about them by default (or meybe it does tell it?)
Github does not allow to post full log here (it is too long), bellow is a fragment. Full log is attached as a file.
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1105
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1106
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1107
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1113
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1114
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1115
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1116
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1117
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1118
Disabling optional 'abrt_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1102
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/abrt/cil:1119
Disabling optional 'alsa_optional_2' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:198
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:200
Disabling optional 'alsa_optional_2' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:198
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:201
Disabling optional 'alsa_optional_2' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:198
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:203
Disabling optional 'alsa_optional_2' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:198
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:206
Disabling optional 'alsa_optional_2' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:198
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/alsa/cil:207
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3111
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3112
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3113
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3115
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3116
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3117
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3118
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3119
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3120
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3121
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3122
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3123
Disabling optional 'apache_optional_43' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3109
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3124
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3377
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3378
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3379
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3380
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3381
Disabling optional 'apache_optional_60' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3376
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apache/cil:3382
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:486
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:487
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:493
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:494
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:495
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:496
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:497
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:498
Disabling optional 'apcupsd_optional_8' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:469
Failed to resolve dontaudit statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apcupsd/cil:617
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:742
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:743
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:749
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:750
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:751
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:752
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:753
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:754
Disabling optional 'apm_optional_17' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:725
Failed to resolve dontaudit statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:873
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1157
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1158
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1163
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1164
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1165
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1166
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1167
Disabling optional 'apm_optional_24' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1155
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/apm/cil:1168
Disabling optional 'application_optional_3' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/application/cil:26
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/application/cil:27
Disabling optional 'application_optional_3' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/application/cil:26
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/application/cil:30
Disabling optional 'auditadm_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/auditadm/cil:266
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/auditadm/cil:268
Disabling optional 'auditadm_optional_5' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/auditadm/cil:266
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/auditadm/cil:273
Disabling optional 'authlogin_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1313
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1314
Disabling optional 'authlogin_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1313
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1315
Disabling optional 'authlogin_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1313
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1316
Disabling optional 'authlogin_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1313
Failed to resolve dontaudit statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:1317
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13037
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13039
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13040
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13041
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typeattributeset statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13042
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13072
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13073
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13074
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13075
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13076
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13077
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13078
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13079
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13080
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13081
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13082
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13083
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13084
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve allow statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13085
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13088
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13089
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13090
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13091
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13092
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13093
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13094
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13095
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13096
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13097
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13098
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13099
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13100
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13101
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13102
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13103
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13104
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
Failed to resolve typetransition statement at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13105
Disabling optional 'base_optional_12' at /builddir/build/BUILDROOT/selinux-policy-3.14.5-48-rosa2019.0.noarch-buildroot/var/lib/selinux/targeted/tmp/modules/100/base/cil:13032
<...>
Full log:
script_output.zip
Default snapd installation causes avc failures upon installation
Output of snap version:
snap 2.36.3-1.fc29
snapd 2.36.3-1.fc29
series 16
fedora 29
kernel 4.19.13-300.fc29.x86_64
Steps to reproduce:
- Ensure SELinux is enforcing
sudo dnf install snapdsnap version
Expected results:
The snap version is printed with zero AVC denials.
Actual results:
The following AVC denials occur:
----
type=AVC msg=audit(01/07/2019 08:27:58.993:858) : avc: denied { read write } for pid=24514 comm=mount name=loop-control dev="devtmpfs" ino=18081 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:58.993:859) : avc: denied { open } for pid=24514 comm=mount path=/dev/loop-control dev="devtmpfs" ino=18081 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:58.993:860) : avc: denied { ioctl } for pid=24514 comm=mount path=/dev/loop-control dev="devtmpfs" ino=18081 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:58.993:861) : avc: denied { read write } for pid=24514 comm=mount name=loop0 dev="devtmpfs" ino=173360 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:58.993:862) : avc: denied { open } for pid=24514 comm=mount path=/dev/loop0 dev="devtmpfs" ino=173360 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:58.993:863) : avc: denied { ioctl } for pid=24514 comm=mount path=/dev/loop0 dev="devtmpfs" ino=173360 ioctlcmd=0x4c00 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:59.006:864) : avc: denied { mounton } for pid=24514 comm=mount path=/tmp/sanity-mountpoint-212486593 dev="tmpfs" ino=346409 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(01/07/2019 08:27:59.013:865) : avc: denied { getattr } for pid=24516 comm=umount name=/ dev="loop0" ino=2 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Please let me know if you need any other details.
/usr/libexec/abrt-hook-ccpp should have own domain
We labeled /usr/libexec/abrt-hook-ccpp as abrt_dump_oops_exec_t to have it running in abrt_dump_t if it invoked by kernel. The problem is it want to access/create random files on a system. So it should go with a new domain which will be probably also unconfined domain.
init_t domain should be running without unconfined_domain attribute
Currently, init_t domain is a default domain for systemd and runs as unconfined domain by default. It causes issues like
https://bugzilla.redhat.com/show_bug.cgi?id=1274345
and also it can mask possible security flaws.
We should have init_t running correctly without unconfined_domain attribute by default:t.
type syntax error
@doverride
I found some the "type" error in interface(.if).
type syntax:
type TypeName [alias {alias1 alias2}] [,attribute1,attribute2];
require syntax:require { component1; component2; }
available component:class, user, role, type, attribute, bool
(Book: SELinux by Example Using Security Enhanced Linux)
But I see the following statement. The "urandom_device_t" is the attribute or the second type? I have seen hundreds of such an approach in the interface.
# vi policy/modules/kernel/devices.if
4892 interface(`dev_read_urand',`
4893 gen_require(`
4894 type device_t, urandom_device_t;
4895 ')
# grep -R "type.*,.*_t;" policy/modules/ | wc -l
465
The gen_require macro definition:
# vi policy/support/loadable_module.spt
36 define(`gen_require',`
37 ifdef(`self_contained_policy',`
38 ifdef(`__in_optional_policy',`
39 require {
40 $1
41 } # end require
42 ')
43 ',`
44 require {
45 $1
46 } # end require
47 ')
48 ')
So, This is the correct wording.
gen_require(`
type device_t; type urandom_device_t;
')
some domains miss the map permission
# ausearch -m avc,user_avc,selinux_err | grep " map " | audit2allow
#============= auditctl_t ==============
allow auditctl_t auditd_etc_t:file map;
#============= gpg_pinentry_t ==============
allow gpg_pinentry_t user_tmp_t:file map;
#============= insmod_t ==============
allow insmod_t modules_object_t:file map;
#============= lvm_t ==============
allow lvm_t lvm_etc_t:file map;
#============= pulseaudio_t ==============
allow pulseaudio_t pulseaudio_home_t:file map;
allow pulseaudio_t user_tmp_t:file map;
#============= staff_t ==============
allow staff_t cert_t:file map;
allow staff_t v4l_device_t:chr_file map;
#============= sysadm_t ==============
allow sysadm_t auditd_etc_t:file map;
allow sysadm_t auditd_log_t:file map;
#============= xserver_t ==============
allow xserver_t dri_device_t:chr_file map;
allow xserver_t user_tmp_t:file map;
allow xserver_t xserver_tmpfs_t:file map;
systemd-nspawn userns container with MCS constraints
I am working through containing a Fedora OS container in a user-namespaced, MCS constrained systemd-nspawn container and am looking for clarification or potential bug fixes. Inside the container, I expect to use systemd services such as systemd-networkd, and systemd-resolved and move up to useful services such as FreeIPA, etc.
I had originally posted this to the https://github.com/containers/container-selinux project and was directed here as a more appropriate place for this work.
Please review containers/container-selinux#93.
I plan to continue work based on the container_userns_t context in the container-selinux project, as I've had about B+ success basing rules around that.
Split contrib and base in 2 git repository
I do not know why things arelike this, but that's something that do surprise lots of people, and that make things a bit more difficult to do (for example, you need to think about opening a PR on the right branch because master is not working, the default page show just a readme, etc, etc)
Any reason on keeping things this way ? (as I never found the reason for this setup)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.