
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
130 views
How can I protect SELinux labels from being modified?
I'm running Fedora 23. I have SELinux enabled and enforced. I know that you can change a file's labels with `restorecon` and `chcon` (and possibly other programs). This is no doubt an avenue by which a file's security can be bypassed. How can I make it so SELinux labels cannot be changed? [This](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_SELinux_controls_file_and_directory_accesses) Gentoo documentation page says that SELinux can be used to do that, but it doesn't say how. Fedora's targeted policy provides three particular booleans:

+ `secure_mode` — "Do not allow transition to sysadm_t, sudo and su effected"
+ `secure_mode_insmod` — "Do not allow any processes to load kernel modules"
+ `secure_mode_policyload` — "Do not allow any processes to modify kernel SELinux policy"

Does Fedora policy come with some way to prevent user space processes from modifying SELinux labels?
Melab (4328 rep)
Jun 24, 2016, 01:25 AM • Last activity: Aug 2, 2025, 03:44 AM
2 votes
2 answers
4056 views
How to prevent SElinux from blocking custom systemd service at boot?
SELinux is preventing a custom service of mine from getting picked up by systemd at boot.

> MESSAGE=SELinux is preventing systemd from read access on the file custom.service

#### before rebooting
[root@box opt]# systemctl daemon-reload
[root@box opt]# systemctl enable --now custom
[root@box opt]# systemctl status custom.service
● custom.service - foo
   Loaded: loaded (/opt/foo/bar/systemd/custom.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-10-07 12:18:27 EDT; 1min 28s ago
...
...
#### after reboot
[root@box opt]# systemctl status custom.service
Unit custom.service could not be found.
So I disabled selinux and rebooted but it didn’t seem to help anything. I then changed the selinux user, role, and type of the service file and tried a reboot again.
[root@box opt]# chcon -R -u unconfined_u -r object_r -t systemd_unit_file_t foo/bar/systemd/
Still nothing... Then I noticed that the symlink I placed in /etc/systemd/system was showing a ? for the secontext. The same thing happens if I cp the service file into the /etc/systemd/system directory too.
[root@box opt]# ls -Z /etc/systemd/system/custom.service
? /etc/systemd/system/custom.service
Anyone know what needs to be done here to fix this? **TLDR** - SElinux is preventing systemd from reading an enabled custom systemd unit even though selinux is disabled.
Cory W. (21 rep)
Oct 7, 2022, 05:27 PM • Last activity: Jul 28, 2025, 01:20 PM
0 votes
1 answers
2087 views
Selinux php-fpm httpd and mariadb socket connection
*New note with important details*

I just ran a few version tests and got the following results. Alright, here's my latest update:

- 10.5 works
- 10.6 doesn't
- 10.7 works
- 10.8 works
- etc.

I was hoping to use 10.6 since it is the LTS release…clearly there is something wrong with it though. I'm on the MariaDB slack channel at the moment, but for now I'll revert to 10.5 from the MariaDB repo, since that has support for 2 years-ish. Am I missing something else? I didn't change anything but the MariaDB version and restarting the process.

*Edit note for reference*

Installing the EL Repo MariaDB 10.5 installs a package "mysql-selinux" and the default repo (epel-release?) allows the necessary communications and php-fpm can connect to mariadb fine. It seems like maybe the MariaDB repo package is missing this functionality. I would have installed the EL repo MariaDB on my AL 8.6 system, but removed it and went with the MariaDB repo for regular operation. I found the source for "mysql-selinux" here and it's not trivial like my "fix": https://github.com/devexp-db/mysql-selinux/blob/master/mysql.te this package is NOT installed on my 8.6 system which works...

*****

I have a system running fine with SELinux enabled on AlmaLinux 8.6. I'm using stock AL 8.6 Apache/httpd (2.4.37 I think) and php from Remi's Repo: https://rpms.remirepo.net/wizard/ I initially installed MariaDB 10.4 directly from the MariaDB repo using these instructions: https://mariadb.com/resources/blog/how-to-install-mariadb-on-rhel8-centos8/ SELinux is enabled and I don't believe I made any customizations specifically for php-fpm to connect to the mysql.sock socket/process. I recently upgraded to MariaDB 10.6, again from the MariaDB repo, and everything continued working as it always did. For reference my "working" validation is using phpMyAdmin configured to connect through a local socket. I've installed my AlmaLinux 9 VM with stock Apache/httpd (2.4.51 I think).
I installed MariaDB 10.6 from the same repo with the same instructions. Now, I'm getting a denial from SELinux for php-fpm (running as httpd_t) trying to connect to the /var/lib/mysql/mysql.sock process (running as unconfined_service_t). This denial prevents the connection and subsequent login from phpMyAdmin (running under the php-fpm service):
time->Mon Sep 26 22:14:07 2022
type=PROCTITLE msg=audit(1664244847.002:83): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1664244847.002:83): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffc156c46b0 a2=1b a3=557032b785a0 items=0 ppid=706 pid=738 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/remi/php74/root/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1664244847.002:83): avc:  denied  { connectto } for  pid=738 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
This ONLY shows up on my AL 9 install, AL 8.6 does not report this denial and allows the connection and subsequent login. I checked the file and process SELinux contexts and they are the same between 8.6 and 9. I've also tried different php-fpm versions, including the same between my 8.6 install and 9 (both php 7.4 from Remi). I've tried running the fpm pool under apache:apache and under my phpMyAdmin user with group apache. Any advice on how to track this down? I can "fix" the SELinux denial with the following policy, but it allows httpd to connect to any unconfined process:
module phpfpm_mariadb_socket 1.0;

require {
        type httpd_t;
        type unconfined_service_t;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t unconfined_service_t:unix_stream_socket connectto;
I see two obvious differences: Apache 2.4.37 vs 2.4.51 (and potential related SELinux policy changes which I couldn't track down) and EL 8.6 vs EL 9 SELinux core changes (both had "latest" available updates applied). I copied the phpMyAdmin install from my 8.6 system into my 9 system, under the same usernames with the same permissions. I don't think that the php-fpm user:group configuration is relevant to the process contexts, or is it?
Brian (292 rep)
Sep 27, 2022, 11:42 AM • Last activity: Jul 23, 2025, 05:03 PM
7 votes
1 answers
5653 views
rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13)
I am currently migrating from Ubuntu 20.04 to Fedora 34. Following backup script has worked fine so far:
# source is the remote NAS (via ssh); $TARGET is an ext. USB disk on the Fedora desktop
rsync                        \
  -avixXEH                   \
  --stats                    \
  --delete                   \
  --numeric-ids              \
  --log-file="$LOG_FILE"     \
  --link-dest "$LATEST"      \
  --exclude '/some/exclude'  \
  admin@nas:/{a,b,c}         \
  "$TARGET"
Unfortunately on Fedora, every copied path now results in a warning, polluting the log:

> rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13)

## Research

This seems to be an issue with rsync wanting to preserve/erase extended attributes (-X) and SELinux. Recent quote from Michal Ruprich, Red Hat:

> This was 'fixed' in RHEL5 by suppressing the error message so that it does not disrupt running systems. [...]
>
> "rsync-2.6 does not remove extended attribute of target file in the case that this attribute has been erased in the source file. Lets call it bug.
>
> rsync-3.0 correctly tries to remove erased extended attributes.
>
> If the selinux is present on the target system, rsync can't erase security context of file and it outputs mentioned error. The behaviour of 2.6 and 3.0 is therefore identical except the informational error message."

Using rsync 3.2.3 with a non-SELinux source, my interpretation is - please correct me otherwise: Copying files from a source without SELinux to a target using this security feature is interpreted as deleting the extended "security.selinux" file attribute. And rsync cannot remove it due to SELinux security restrictions on the target. Which raises the question:

## How to suppress these warnings?

I still would like to copy extended attributes with -X and *not* temporarily disable complete SELinux as suggested here. Also, stumbled over an alternative that suggests `setsebool -P rsync_full_access 1` - not sure what that does exactly. It really would be nice to solve the problem at its root only for this particular case: Given USB disk mount point /run/media/user/, is there some way to grant necessary permissions in SELinux just for this path or similar? Thanks in advance
grisha (71 rep)
May 4, 2021, 07:09 PM • Last activity: Jul 16, 2025, 11:06 PM
1 votes
0 answers
26 views
How to create a custom SELinux file label with write access restricted to specific process types?
I want to restrict write access to certain files so that only specific process types (domains) can modify them. For this, I need to create a custom file label and assign it to those files. Following [this answer](https://unix.stackexchange.com/a/329677/620385) , I used:
type ;
files_type();
But files_type() seems to implicitly allow access to all process types. If I skip files_type() and just declare:
type ;
then semanage fcontext -a -t "/some/path" fails with:
ValueError: Type  is invalid, must be a file or device type
Question: What is the correct way to declare a file label that:

- Can be assigned to paths via semanage fcontext.
- Doesn't allow access to any process types except those explicitly granted via allow rules?
muhammed noufal k (11 rep)
Jul 10, 2025, 08:27 AM
0 votes
0 answers
38 views
How can I configure SELinux to force application packets through an iptables/nftables chain?
For context, I am using cake-qos-simple on my router which is a QoS script to prioritize certain traffic between my LAN and WAN. On my Windows machine, I can DSCP tag all packets for any particular application by EXE name (such as a game) and my router will ensure that my game packets will always be prioritized to the WAN over all other traffic. This ensures I never see any latency spikes for my game. I'm looking to achieve a similar setup on Linux. On [reddit](https://old.reddit.com/r/networking/comments/bkki89/application_based_ip_packet_filtering_with_ubuntu/), someone mentioned a potential solution:

> One thing I can think of is SELinux. Theoretically, if you were to assign network security context to each application, you could use the SECMARK module in iptables to shove all packets originating from a particular security context into a specific chain (for example, have a chain just for Firefox). Then the Firefox chain sets the DSCP field, does any other filtering you want, and forwards.

Is this feasible? I don't know as much about SELinux so I was wondering if anyone had more insight before I spend time learning SELinux.
Michael John (1 rep)
Jul 3, 2025, 11:47 PM
0 votes
0 answers
17 views
Selinux statement optional does not work on Centos 5.2
My machine:
# uname -r
2.6.18-92.el5

# cat /etc/redhat-release
CentOS release 5.2 (Final)

# yum list | grep selinux
libselinux.i386                          1.33.4-5.el5           installed
libselinux.x86_64                        1.33.4-5.el5           installed
libselinux-python.x86_64                 1.33.4-5.el5           installed
selinux-policy.noarch                    2.4.6-137.el5          installed
selinux-policy-targeted.noarch           2.4.6-137.el5          installed
I have such a statement in my myname.te file:
optional {
    require {
        class capability setfcap;
    }

    allow myname_t self : capability setfcap;
}
And I get the error:
# checkmodule -M -m  myname.te  -o myname.mod ; semodule_package --module myname.mod --outfile myname.pp ; semodule -v --install myname.pp
checkmodule:  loading policy configuration from myname.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to myname.mod
Attempting to install module 'myname.pp':
Ok: return value of 0.
Committing changes:
libsepol.permission_copy_callback: Module myname depends on permission setfcap in class capability, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
How can this be helped, please?
JenyaKh (346 rep)
Jun 26, 2025, 05:00 AM
0 votes
1 answers
1925 views
How to set selinux labels for a folder hierarchy accessed server side by NFS, Apache, and SaMBa daemons simultaneously?
The Mandatory Access Controls or MAC labels are different for NFS which are different for httpd, and different yet again for SaMBa. What is the proper way nowadays to label a SINGLE shared filesystem hierarchy on the server such that it is properly re-labelled by restorecon, can be accessed successfully server-side by all three services, and survives system updates? In other words, when the server side fs hierarchy is labelled for sharing over NFS, then that breaks access by httpd and smb daemons on the same server. If labelled for httpd, then NFS and SMB services stop sharing because the files are labelled httpd only, so are denied rw. And finally, SMB labels break both NFS and httpd services. Is there a modern devops approach to this such as an Ansible playlist? I had made custom labels before but having to remake them after system updates caused too much friction. Wondering if custom labels are still the way, but now with automation?
rjt (387 rep)
Jan 1, 2020, 08:33 PM • Last activity: Jun 22, 2025, 03:02 AM
0 votes
2 answers
3239 views
chcon: failed to change context of ‘/usr/sbin/httpd’, Permission denied
I am new to the SELinux concept and as per the [RHEL7 > SELinux User's and Administrator's Guide > 3.2. UNCONFINED PROCESSES](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-targeted_policy-unconfined_processes)

**Audit log**

type=IPC msg=audit(1624375715.312:4225): ouid=0 ogid=0 mode=0666 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=PROCTITLE msg=audit(1624375715.312:4225): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1624375724.580:4226): avc: denied { unix_read unix_write } for pid=25626 comm="httpd" key=1392707921 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
type=SYSCALL msg=audit(1624375724.580:4226): arch=c000003e syscall=29 success=no exit=-13 a0=53030951 a1=4338 a2=1b6 a3=6b items=0 ppid=25612 pid=25626 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

I have changed httpd to run in the unconfined_t domain but now I am not able to change httpd back to the httpd_t domain. I moved httpd to the unconfined_t domain to make the shmget function work, called by one php process hosted by httpd.

[user@rhel7 ~]$ sudo chcon -t bin_t /usr/sbin/httpd
[user@rhel7 ~]$ ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd
[user@rhel7 ~]$ systemctl start httpd.service
.....
[root@rhel7 user]# chcon -r system_r -t httpd_t /usr/sbin/httpd
chcon: failed to change context of ‘/usr/sbin/httpd’ to ‘system_u:system_r:httpd_t:s0’: Permission denied
[root@rhel7 user]#
Aryaman Gupta (61 rep)
Jun 22, 2021, 04:49 PM • Last activity: Jun 16, 2025, 02:11 PM
0 votes
1 answers
115 views
Effective Tools for Enhancing CentOS Server Security
I’m seeking practical recommendations and tools to improve the security of my Linux server (CentOS) and minimize unauthorized access. I’m interested in both fundamental and advanced solutions that can be easily integrated and configured. Specifically, I need:

* Protection Against Unauthorized Access: What tools and practices are most effective for preventing hacking and intrusion into the server? This includes authentication methods (e.g., two-factor authentication) and tools for monitoring activity and detecting suspicious behavior.

What I’ve Tried: I experimented with SELinux, but when attempting to set the strictest security level (“military level”), the server failed to boot after rebooting. I likely made a configuration error. I would appreciate detailed guidance on correctly configuring SELinux, or alternative approaches to kernel-level security hardening.

What Kind of Answers I’m Looking For:

* Recommendations for specific tools, including open-source alternatives.
* Detailed instructions on how to configure and use these tools.
* Example configurations for different security levels (from basic to advanced).
* Alternatives to SELinux for kernel-level security enhancement.
ScriptScorpion (119 rep)
Jun 14, 2025, 03:09 PM • Last activity: Jun 15, 2025, 07:26 AM
0 votes
1 answers
29 views
samba home folder unable to list, create or edit files and folders
I have shared my home folder over samba as follows: when I try to create folders from Windows I get the error "can't create" but the folder is created. But permissions are all messed up. A file is also created but permissions are messed up. As a result I am not able to open/edit these files or folders from Windows.

$ ls -lZ
total 48
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder'
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder (2)'
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder (3)'
--------w-. 1 sar sar system_u:object_r:samba_share_t:s0    0 May 27 02:01 'New Text Document.txt'

setup process:

# setsebool samba_enable_home_dirs=1
# chcon -R -t samba_share_t /home/sar

cfg:

[global]
workgroup = mywg
security = user
server string = Samba Server %v
netbios name = myserver
map to guest = bad user
passdb backend = tdbsam
# interfaces = 192.168.xx.xx/255.255.255.0
# bind interfaces only = yes
# Debug logging information
#log level 0 none, 3=HUGE
log level = 1
log file = /var/log/samba/%m.samba.log
max log size = 50
debug timestamp = yes
# security setup
server min protocol = SMB3
# server max protocol = SMB3
# SMB3_00: Windows 8, SMB3_02: Windows 8.1, SMB3_10: early Windows 10, SMB3_11: Windows 10 default is SMB3_11
ntlm auth = yes
lanman auth = no
printing = cups
printcap name = cups
load printers = yes
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = yes
path = /home/%S
create mask = 0644 #0002
directory mask = 0755 #002

I want users to be able to create, add/edit files and folders in their home folders freely, which should not be accessible to others.
Rajeev (256 rep)
May 27, 2025, 02:14 AM • Last activity: May 27, 2025, 04:57 AM
5 votes
2 answers
6780 views
How to create an SELinux exception for individual files
I use a monitoring tool and on one of my systems that is checked remotely, it calls up a script, which in turn runs systemctl to check the status of a service. This was not working until I put SELinux in permissive mode. However I will not be able to leave this system in permissive mode. I need to use semanage for the exception and place the system back into an enforcing state. I have used semanage before for a process but never for a file. I have been looking over the man page and googling around but I can't seem to figure out the exact command I need to use. So say I need to allow a script called "run_this_script" in the /usr/lib64/application/plugin folder, what is the command I would use with semanage?

EDIT - just to give more context around what I was seeing in the audit logs, here is a snippet.

type=AVC msg=audit(1446051455.169:3313): avc: denied { execute } for pid=15388 comm="check_init_serv" name="systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3313): arch=c000003e syscall=59 success=no exit=-13 a0=2098450 a1=209ba50 a2=209c680 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446051455.169:3314): avc: denied { getattr } for pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3314): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff780 a2=7fff573ff780 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446051455.169:3315): avc: denied { getattr } for pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3315): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff760 a2=7fff573ff760 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446053257.457:3401): avc: denied { read } for pid=15647 comm="systemctl" name="journal" dev="tmpfs" ino=11584 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
user53029 (2953 rep)
Oct 28, 2015, 06:04 PM • Last activity: May 19, 2025, 05:03 PM
2 votes
1 answers
2036 views
Can't modify or delete SELinux user
I was playing around with user_u in the targeted policy on RHEL 6.5. I'm logged in as root in the unconfined context, so I have full ability to change anything I want. I've also switched to permissive mode just in case. I originally had user_u set up to have the MLS/MCS settings "s0:c0.c50". This state was functioning properly with no issues (that I'm aware of). To test changing this with commands, I typed in this:

semanage user -m -r s0:c0.c51 user_u

This ran without any problems, and I was able to verify that it worked correctly with semanage user -l. user_u now has the MLS/MCS of "s0:c0.c51". However, if I try to modify user_u or either of the users tied to user_u (named bob and alice), I get an error that looks like this:

> libsemanage.validate_handler: MLS range s0:c0.c50 for Unix user bob exceeds allowed range s0:c0.c51 for SELinux user user_u(No such file or directory).
> libsemanage.validate_handler: seuser mapping [bob -> (user_u, s0:c0-c50)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records(No such file or directory).

The confusing part is that s0:c0.c50 'exceeds' s0:c0.c51. If I try to modify user_u, it complains about bob. If I try to delete bob, it complains about alice. If I try to delete alice, it complains about bob. I effectively can't change any of them (through the GUI tools or the command line). Initially I tried backing out the changes from semanage and going back to user_u with s0:c0.c50, but that didn't work, so I tried s0-s0:c0.c1023, which also didn't work. I noticed the errors never mentioned s0-s0:c0.c1023 so it's like they're failing before really changing user_u's MCS/MLS. I could only find a few examples that were similar online, and the only one that I found with advice said to delete the user mappings from /etc/selinux/targeted/seusers and to run semodule -B. I tried that, and semodule -B fails with the same error messages. I have also replaced the deleted portions of seusers and tried semodule -B to no avail. Any thoughts on how to fix this? This was a sandbox environment so it's easy to just go back to the original image, but I won't have that luxury in a deployed environment.
Shaz (121 rep)
Dec 8, 2014, 09:03 PM • Last activity: May 3, 2025, 08:58 AM
3 votes
0 answers
66 views
SELINUX_ERR op=security_compute_sid invalid_context while running /etc/init.d script of my app
Doing this on a **RHEL8.10** distro. I've created a user with *staff_u* role:

# useradd -Z staff_u testadm
And provided this user elevated permissions, for which did following steps:
1. created mysudoers file: /etc/sudoers.d/mysudoers
2. added this in it: %testadm ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Did reboot. Installed my app's selinux policy module *(rpm)*. Then logged in with this *testadm* user, and ran this command to elevate to *sysadm_r:sysadm_t*:

# sudo runcon -r sysadm_r -t sysadm_t -- su -
Now, on this console, with selinux **Enforcing**, I try running my application's executable (*maconfig*, which is internally running */etc/init.d/ma* which is my app's script) and I'm getting this permission denied error:
[root@6H0RHEL810 ~]# /opt/McAfee/agent/bin/maconfig -stop
2025-04-25 11:43:12.768 (50811.50811) maconfig.Info: Stopping Trellix agent.
sh: /etc/init.d/ma: /bin/sh: bad interpreter: Permission denied
2025-04-25 11:43:12.770 (50811.50811) maconfig.Info: configuration finished

So naturally, I looked for denials in */var/log/audit/audit.log* but got this kind of log instead:
type=SELINUX_ERR msg=audit(1745581392.769:2056): op=security_compute_sid invalid_context="staff_u:system_r:initrc_t:s0" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1745581392.769:2056): arch=c000003e syscall=59 success=no exit=-13 a0=5587d7a7b540 a1=5587d7a7c700 a2=5587d7a79e40 a3=0 items=0 ppid=50811 pid=50812 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="sh" exe="/usr/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=execve AUID="testadm" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1745581392.769:2056): proctitle=7368002D63002F6574632F696E69742E642F6D612073746F70
...which is not a straightforward avc denial. So searched for ways to tackle this.
Found the explanation for the log - a process running as sysadm_t (maconfig) tried to run a file labeled initrc_exec_t (*/etc/init.d/ma*), and SELinux said "nope" because it would result in an invalid context transition to initrc_t.
So tried a couple of other things:

1. Switched selinux to **Permissive** mode (setenforce 0), ran my app's command, it worked fine. Got some user_avc denials. Added rules in policy for allowing those, *but didn't work* after setenforce 1 again
2. Added this *domain transition* rule to my policy *(didn't work)*: domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t);
3. Tried adding these **role-type statements** in policy (*which I thought would work for sure but nope*):
require {
	role system_r, sysadm_r;
    type initrc_t;
}
role system_r types initrc_t;
#AND
role sysadm_r types initrc_t;
4. Added this rule (didn't work): allow sysadm_t initrc_exec_t:process transition;
Also got to know some more stuff from these pages: - https://wiki.gentoo.org/wiki/SELinux/Tutorials/Linux_services_and_the_system_u_SELinux_user#:~:text=warrants%20proper%20control.-,Linux%20service%20scripts,-Most%20Linux%20service - https://github.com/SELinuxProject/selinux-notebook/blob/main/src/auditing.md#general-selinux-audit-events ..but still not sure how to proceed. Pls help out if u can. Thanks in advance!
Chaitanya Singh (31 rep)
Apr 26, 2025, 11:06 PM • Last activity: Apr 27, 2025, 06:42 AM
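The SELINUX_ERR record in the question above is worth decoding mechanically rather than by eye. The following is an added example (my code, not the poster's and not part of the Trellix agent) that parses the SELINUX_ERR and PROCTITLE records of event 2056 exactly as copied from the post, turns the hex-encoded proctitle back into the argv that was exec'd, and checks the computed context against the two authorizations the kernel validates a new SID against: is the SELinux user authorized for the role, and is the role authorized for the type. The `USER_ROLES` and `ROLE_TYPES` tables are a hypothetical, cut-down model of reference-policy defaults, not data from the poster's host; on a real system read the authoritative values with `seinfo -u staff_u -x` and `seinfo -r system_r -x`.

```python
import re

# The SELINUX_ERR and PROCTITLE records of event 2056, copied from the post.
EVENT = [
    'type=SELINUX_ERR msg=audit(1745581392.769:2056): op=security_compute_sid '
    'invalid_context="staff_u:system_r:initrc_t:s0" '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process',
    'type=PROCTITLE msg=audit(1745581392.769:2056): '
    'proctitle=7368002D63002F6574632F696E69742E642F6D612073746F70',
]

# Hypothetical, cut-down authorization tables modelled on reference-policy
# defaults. They are an assumption for this example: on a real host take the
# real ones from `seinfo -u <user> -x` (roles) and `seinfo -r <role> -x` (types).
USER_ROLES = {"staff_u": {"staff_r", "sysadm_r"}, "system_u": {"system_r"}}
ROLE_TYPES = {
    "system_r": {"init_t", "initrc_t"},
    "sysadm_r": {"sysadm_t"},
    "staff_r": {"staff_t"},
}

# key=value or key="quoted value" pairs of an audit record
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; return argv."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")


def split_context(ctx):
    """'user:role:type[:level]' -> (user, role, type, level or None)."""
    parts = ctx.split(":", 3)
    user, role, typ = parts[:3]
    return user, role, typ, (parts[3] if len(parts) == 4 else None)


def validate_context(ctx):
    """Return the authorizations the computed context fails, in order.

    security_compute_sid rejects a computed context when the SELinux user is
    not authorized for the role or the role is not authorized for the type
    (MLS range checks also apply on MLS policies; not modelled here).
    """
    user, role, typ, _ = split_context(ctx)
    failures = []
    if role not in USER_ROLES.get(user, set()):
        failures.append(f"user {user} is not authorized for role {role}")
    if typ not in ROLE_TYPES.get(role, set()):
        failures.append(f"role {role} is not authorized for type {typ}")
    return failures


def explain_event(records):
    """Summarise a SELINUX_ERR/PROCTITLE pair for triage."""
    recs = {r["type"]: r for r in map(parse_record, records)}
    err = recs["SELINUX_ERR"]
    return {
        "argv": decode_proctitle(recs["PROCTITLE"]["proctitle"]),
        "from": err["scontext"],
        "on": err["tcontext"],
        "computed": err["invalid_context"],
        "failures": validate_context(err["invalid_context"]),
    }


if __name__ == "__main__":
    for key, value in explain_event(EVENT).items():
        print(f"{key:>9}: {value}")
```

With the model tables as written, the only check that fails for `staff_u:system_r:initrc_t:s0` is the user-to-role one, and that is a gap that `role ... types ...` statements do not touch, since they only pair roles with types. Your own `seinfo` output is authoritative; the tables here exist only to make the validation step concrete.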
-1 votes
0 answers
64 views
setting up PXE and DHCP server on RHEL VM
So I am trying to setup a kickstart server with pxeboot and dhcp server (for ks) on RHEL 8 VM. When I capture network traffic I do not see any pxe/tftp traffic coming to the VM or the host.... I tried following: host: RHEL 8.10 kickstart server: RHEL 8.10 VM client: RHEL 7 physical host on other sub...
So I am trying to set up a kickstart server with PXE boot and a DHCP server (for ks) on a RHEL 8 VM. When I capture network traffic I do not see any PXE/TFTP traffic coming to the VM or the host.... I tried the following:

- host: RHEL 8.10
- kickstart server: RHEL 8.10 VM
- client: RHEL 7 physical host on another subnet, using pxeboot

On the server side, I opened ports as follows on both the KVM host and the VM:

```
# firewall-cmd --add-service dhcp --perm
# firewall-cmd --add-service tftp --perm
# firewall-cmd --permanent --new-policy tftp-client-data
# firewall-cmd --permanent --policy tftp-client-data --add-ingress-zone HOST
# firewall-cmd --permanent --policy tftp-client-data --add-egress-zone ANY
# firewall-cmd --permanent --policy tftp-client-data --add-service tftp
# firewall-cmd --reload
```

All config is on the KVM VM acting as the kickstart server. The only reason I included/mentioned the KVM host in this post is that I suspect we need some config there too... I am not sure. The dhcp and tftp server services are enabled and running just fine. The dhcp.conf file has 2 subnets defined: 1 for the local VM (to get the DHCP server up and running) and one for the client. (If you do not have a subnet for the DHCP server itself, the server will not start.) When I boot the client with the PXE boot option, I can see it is waiting for the PXE/TFTP server, but I do not see any traffic on the host or VM, and eventually the client times out.

From the client: (screenshot: pxeboot client)

What can I check on the host and VM side? Thank you.
Rajeev (256 rep)
Apr 24, 2025, 11:33 PM • Last activity: Apr 25, 2025, 04:02 PM
4 votes
3 answers
12112 views
SELinux - allowing rsyslog open/read access to some files
So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error: type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=un...
So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error:

```
type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1371186588.768:1324460): arch=c000003e syscall=2 success=no exit=-13 a0=7fb254001b30 a1=80100 a2=180 a3=2e67756265642e64 items=0 ppid=1 pid=3714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7926 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
```

Running this through audit2allow, I get the following:

```
module rsysloglocal 1.0;

require {
	type named_cache_t;
	type syslogd_t;
	class file { read write };
}

#============= syslogd_t ==============
allow syslogd_t named_cache_t:file { read write };
```

Unfortunately, this doesn't work. I'm still getting the message above from SELinux. The files I need to watch with rsyslog are in /var/named/data/log/, which is why SELinux is referencing the named_cache_t thing (I think). Any thoughts?
Edit: semodule -l output: abrt 1.2.0 accountsd 1.0.0 ada 1.4.0 afs 1.5.3 aiccu 1.0.0 aide 1.5.0 aisexec 1.0.0 amanda 1.12.0 amavis 1.10.3 amtu 1.2.0 apache 2.1.2 apcupsd 1.6.1 arpwatch 1.8.1 asterisk 1.7.1 audioentropy 1.6.0 automount 1.12.1 avahi 1.11.2 awstats 1.2.0 bind 1.10.2 bitlbee 1.2.1 bluetooth 3.2.2 boinc 1.0.0 bugzilla 1.0 cachefilesd 1.0.17 calamaris 1.5.1 canna 1.10.0 ccs 1.4.1 cdrecord 2.2.1 certmaster 1.0.2 certmonger 1.0.0 certwatch 1.5.0 cfengine 1.0.0 cgroup 1.0.0 chrome 1.0.0 chronyd 1.0.1 cipe 1.5.0 clamav 1.7.1 clogd 1.0.0 cloudform 1.0 cmirrord 1.0.0 cobbler 1.1.0 comsat 1.7.0 condor 1.0.0 consolekit 1.5.1 corosync 1.0.0 courier 1.8.1 cpufreqselector 1.1.0 ctdbd 1.0.0 cups 1.13.0 cvs 1.8.0 cyphesis 1.2.0 cyrus 1.9.1 daemontools 1.2.0 dbskk 1.5.0 dcc 1.8.2 denyhosts 1.0.0 devicekit 1.0.0 dhcp 1.8.1 dictd 1.7.0 dirsrv-admin 1.0.0 dirsrv 1.0.0 dnsmasq 1.8.1 dovecot 1.11.1 drbd 1.0.0 ethereal 2.0.0 execmem 1.0.0 exim 1.4.2 fail2ban 1.3.2 fcoemon 1.0.0 fetchmail 1.9.2 finger 1.9.0 firewallgui 1.0.0 fprintd 1.0.1 ftp 1.11.0 games 2.1.0 git 1.0.3 gitosis 1.0.1 glance 1.0.0 gnome 2.0.0 gnomeclock 1.0.0 gpg 2.2.1 gpm 1.7.1 gpsd 1.0.2 guest 1.0.1 hal 1.12.1 hddtemp 1.0.0 howl 1.8.1 icecast 1.0.0 inn 1.9.0 ipsec 1.10.2 irc 2.1.0 iscsi 1.6.2 jabber 1.8.0 java 2.2.1 kdump 1.0.1 kdumpgui 1.0.0 kerberos 1.10.2 kerneloops 1.3.1 keystone 1.0.0 kismet 1.4.2 ksmtuned 1.0.0 ktalk 1.7.1 ldap 1.10.0 likewise 1.0.0 lircd 1.0.1 livecd 1.0.0 lldpad 1.0.0 lockdev 1.3.0 logadm 1.0.0 lpd 1.12.0 mailman 1.7.2 matahari 1.0.0 mediawiki 1.0.0 memcached 1.1.2 milter 1.1.1 modemmanager 1.0.1 mono 1.6.1 mozilla 2.1.1 mpd 1.0.0 mplayer 2.1.0 mrtg 1.8.0 munin 1.7.0 mysql 1.11.3 nagios 1.8.0 namespace 1.0.0 ncftool 1.0.0 netlabel 1.3.0 nis 1.10.0 nova 1.0.0 nslcd 1.0.1 nsplugin 1.0.0 ntop 1.8.1 ntp 1.9.1 nut 1.0.1 nx 1.4.0 oddjob 1.7.0 openct 1.4.0 openoffice 1.0.0 openvpn 1.9.1 pads 1.0.0 passenger 1.0.0 pcscd 1.5.2 pegasus 1.8.0 permissivedomains 1.0.0 pingd 1.0.0 piranha 1.0.0 
plymouthd 1.0.0 podsleuth 1.2.1 policykit 1.1.0 portmap 1.9.0 portreserve 1.1.1 postfix 1.11.0 postgresql 1.12.1 postgrey 1.7.0 ppp 1.11.2 prelude 1.1.2 privoxy 1.9.1 procmail 1.11.0 psad 1.0.0 ptchown 1.0.1 publicfile 1.1.0 pulseaudio 1.1.2 puppet 1.0.0 pyzor 2.1.0 qemu 1.3.2 qmail 1.5.0 qpidd 1.0.0 quantum 1.0.0 radius 1.11.0 radvd 1.11.2 razor 2.1.0 rdisc 1.7.1 remotelogin 1.7.0 rgmanager 1.0.0 rhcs 1.1.0 rhev 1.0 rhgb 1.9.0 rhsmcertd 1.0.0 ricci 1.6.0 rlogin 1.9.0 roundup 1.7.0 rpcbind 1.4.1 rshd 1.7.0 rssh 2.0.0 rsync 1.9.1 rsysloglocal 1.0 rtkit 1.0.1 rwho 1.6.0 samba 1.12.0 sambagui 1.0.0 sandbox 1.0.0 sanlock 1.0.0 sasl 1.12.1 sblim 1.0.0 screen 2.2.2 sectoolm 1.0.0 seunshare 1.1.0 sge 1.0.0 shutdown 1.0.0 slocate 1.9.0 smartmon 1.9.1 smokeping 1.0.0 smoltclient 1.0.0 snmp 1.10.2 snort 1.8.1 sosreport 1.0.0 soundserver 1.8.0 spamassassin 2.2.0 squid 1.9.0 sssd 1.0.2 staff 2.0.1 stunnel 1.9.0 sysadm_secadm 1.0.0 sysstat 1.5.1 tcpd 1.4.0 telepathy 1.0.0 telnet 1.9.1 tftp 1.12.0 tgtd 1.0.1 tmpreaper 1.4.0 tor 1.6.1 tuned 1.0.1 tvtime 2.0.0 ulogd 1.1.0 uml 2.1.0 unconfined 3.1.1 unconfineduser 1.0.0 unlabelednet 1.0 unprivuser 2.0.1 usbmodules 1.2.0 usbmuxd 1.0.0 userhelper 1.5.0 usernetctl 1.5.0 uucp 1.10.2 uuidd 1.0.0 varnishd 1.1.0 vdagent 1.0.0 vhostmd 1.0.0 virt 1.4.0 vmware 2.2.0 vpn 1.12.0 w3c 1.0.0 wdmd 1.0.0 webadm 1.1.0 webalizer 1.10.0 wine 1.6.1 xen 1.9.2 xfs 1.6.0 xguest 1.0.1 zabbix 1.2.0 zarafa 1.0.0 zebra 1.10.1 zosremote 1.1.0 Edit 2: I've also tried this using only read permissions (allow syslogd_t named_cache_t:file read;) rather than read / write. No dice.
MikeH (39 rep)
Jun 14, 2013, 05:14 AM • Last activity: Apr 25, 2025, 02:02 AM
1 votes
1 answers
449 views
Log all journald messages to AWS Cloudwatch
I'm migrating our existing Amazon Linux 2 servers to Amazon Linux 2023. One of the changes is that the AL2023 now uses journald for it's logging. I have the requirement to have all logging in AWS Cloudwatch. I've already enabled the normal cloudwatch agent for metrics and a few logfiles. This is wor...
I'm migrating our existing Amazon Linux 2 servers to Amazon Linux 2023. One of the changes is that AL2023 now uses journald for its logging. I have the requirement to have all logging in AWS CloudWatch. I've already enabled the normal CloudWatch agent for metrics and a few logfiles. This is working as expected. For journald I've checked various options and decided to implement [journald-cloudwatch-logs](https://github.com/saymedia/journald-cloudwatch-logs), as it looked the most promising. I've configured it but I have a problem:

* The service starts successfully, but I simply do not see any logging in CloudWatch.

This is the config:

```
aws_region = "eu-central-1"
ec2_instance_id = "i-xxxxxxxxxx"
log_group = "LogGroup"
log_stream = "server01-systemctl"
state_file = "/var/lib/journald-cloudwatch-logs/state"
log_priority = "INFO"
```

I've checked journalctl but there are no errors or any other indication that something is wrong. Also, because the normal CloudWatch agent logs successfully to another log stream, I know the IAM permissions are fine.

My questions:

* How can I make journald-cloudwatch-logs actually log to CloudWatch?

Any help is greatly appreciated.

Edit: I'm also open to other approaches to log journald messages to CloudWatch.
GetShifting (153 rep)
Apr 11, 2025, 09:21 AM • Last activity: Apr 18, 2025, 07:56 AM
2 votes
0 answers
269 views
How to configure smartd, s-nail and selinux to get sending mails to work?
I am trying to configure smartd to send mails via s-nail on Fedora 41. I created a .mailrc file (in which I have set the mta variable to directly send via smtps, there is no sendmail installed) in roots home directory and can successfully send mails via: echo "Test" | mail -s Test I also managed to...
I am trying to configure smartd to send mails via s-nail on Fedora 41. I created a .mailrc file (in which I have set the mta variable to send directly via smtps; there is no sendmail installed) in root's home directory and can successfully send mails via:

```
echo "Test" | mail -s Test
```

I also managed to send mails in a bash script started by a custom systemd service. But smartd isn't able to send mails. The following error is shown in the log:

```
Executing test of /usr/libexec/smartmontools/smartdnotify to ...
Test of /usr/libexec/smartmontools/smartdnotify to  produced unexpected output (163 bytes) to STDOUT/STDERR:
s-nail: Cannot start /usr/sbin/sendmail: executable not found (adjust *mta* variable)
s-nail: Cannot save to $DEAD: Permission denied
s-nail: ... message not sent
```

SELinux is blocking the access to the .mailrc file (therefore s-nail is trying /usr/sbin/sendmail as the default fallback):

```
type=AVC msg=audit(1744370186.375:606): avc: denied { read } for pid=42644 comm="mail" name=".mailrc" dev="nvme0n1p3" ino=140324 scontext=system_u:system_r:smartdwarn_t:s0 tcontext=unconfined_u:object_r:mail_home_t:s0 tclass=file permissive=0
```

I tried the suggested

```
ausearch -c 'mail' --raw | audit2allow -M my-mail
semodule -X 300 -i my-mail.pp
systemctl restart smartd.service
```

a couple of times until no new SELinux errors appeared. Now I get the following error:

```
Test of /usr/libexec/smartmontools/smartdnotify to  produced unexpected output (130 bytes) to STDOUT/STDERR:
s-nail: could not initiate TLS connection: error:00000000:lib(0)::reason(0)
/root/dead.letter 23/578
s-nail: ... message not sent
```

s-nail can now access the .mailrc file and can connect to the server, but there is no successful communication with the server (Error 0?). The content of the mail is written to the dead.letter file instead. What could be the reason for this? Is it an improper SELinux config? Am I missing an SELinux option? Do I have to switch the MTA client?
AckderIII (21 rep)
Apr 10, 2025, 09:17 PM • Last activity: Apr 11, 2025, 11:55 AM
0 votes
0 answers
59 views
SELinux Blocking Actions in AuditD Plugin – How to Resolve Without Switching to Permissive Mode?
**Problem:** I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for `auditd`. I've been trying to generate the necessary SELinux policy using `audit2allow`, but some actions still aren't resolved. Even after enabling ghost denial logs, the problem...
**Problem:** I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for auditd. I've been trying to generate the necessary SELinux policy using audit2allow, but some actions still aren't resolved. Even after enabling ghost denial logs, the problem persists. I want to run my application without setting SELinux or auditd to permissive mode, as I need to maintain security features. **Steps taken so far:** 1. Generated custom SELinux policies using audit2allow based on the logs. 2. Enabled ghost denials to capture more detailed logs. 3. Tried running the application while SELinux is in enforcing mode, but some actions are still blocked. **What I'm looking for:** Are there any alternative approaches or best practices to allow my application to run smoothly without disabling SELinux or switching to permissive mode? Any insights or suggestions would be greatly appreciated!
RSVN (1 rep)
Apr 8, 2025, 06:05 AM • Last activity: Apr 8, 2025, 06:06 AM
0 votes
1 answers
95 views
SElinux Blocking SSH from SystemD Service
**Background** I am setting up an rsync backup over SSH service via SystemD. This is ultimately failing to run due to local SElinux; minimum reproducible example: ```systemd [Unit] Description=Rsync backup service [Service] Type=oneshot User=myuser ExecStart=/usr/bin/ssh -vvv 192.168.1.10 "ls -lah"...
**Background** I am setting up an rsync backup over SSH service via SystemD. This is ultimately failing to run due to local SElinux; minimum reproducible example:
[Unit]
Description=Rsync backup service

[Service]
Type=oneshot
User=myuser
ExecStart=/usr/bin/ssh -vvv 192.168.1.10 "ls -lah"
If I setenforce 0 before starting the service, everything works as expected and I get the requested directory listing. If SElinux is enforcing, I instead get an error from SystemD:
Starting backup.service - Rsync backup service...
backup.service: Main process exited, code=exited, status=203/EXEC
backup.service: Failed with result 'exit-code'.
Failed to start backup.service - Rsync backup service
Likewise, if I run via SystemD with rsync, I see the child process terminated with -13:
rsync: [sender] Failed to exec /usr/bin/ssh: Permission denied (13)
**Things I Have Checked** - All commands work as expected when run from a terminal, regardless of SElinux enforcing state. - I am running as my user (ExecStart=/usr/bin/whoami):
whoami: myuser
- I can access the ssh binary (ExecStart=/usr/bin/which ssh):
which: /usr/bin/ssh
- I can access my user .ssh directory (not posting logs of that for obvious reasons). - Per this SO post, SElinux can block non-standard ports. I have only the standard port allowed (does rsync use a different port?) but this should be fine as the base test case doesn't use a different port:
# semanage port -l | grep ssh
   ssh_port_t                     tcp      22
**Question** What would cause SElinux to block SSH attempts from SystemD only, despite using standard ports and having full permissions to the files involved? **Edit 1** Checking for denial messages explicitly:
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR
...
type=AVC msg=audit(1743626691.891:17160): avc:  denied  { execute } for  pid=728337 comm="(ssh)" name="ssh" dev="dm-0" ino=3077371 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
# journalctl -t setroubleshoot
-- No entries --
# dmesg | grep -i -e type=1300 -e type=1400
#
I admit, my SElinux isn't great and I am not entirely sure what to do with this. Pawing through the documentation but it is...voluminous...at times.
MysteryMoose (337 rep)
Apr 2, 2025, 09:32 PM • Last activity: Apr 3, 2025, 06:21 PM
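Three of the questions above (rsyslog and named_cache_t, smartd and s-nail, and ssh started from a systemd unit) hit ordinary AVC denials and reach for audit2allow. As an added example that is not from any of those posters and is not audit2allow's own code, here is a minimal Python version of the aggregation step audit2allow performs: it parses the AVC records copied verbatim from those three posts (plus one constructed follow-up `read` denial for rsyslogd, marked as such in the code), merges permissions per source type, target type and object class, and renders the result as a policy module. The module name and the constructed extra denial are my assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from the rsyslog, smartd and ssh posts on this page.
# The second rsyslogd line is CONSTRUCTED for this example (it is not in the
# post) so that the merge of two denials for one type pair is visible.
AVC_LINES = [
    'type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 '
    'comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file',
    # constructed follow-up denial, not from the post
    'type=AVC msg=audit(1371186590.001:1324461): avc: denied { read } for pid=3714 '
    'comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file',
    'type=AVC msg=audit(1744370186.375:606): avc: denied { read } for pid=42644 '
    'comm="mail" name=".mailrc" dev="nvme0n1p3" ino=140324 '
    'scontext=system_u:system_r:smartdwarn_t:s0 '
    'tcontext=unconfined_u:object_r:mail_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1743626691.891:17160): avc:  denied  { execute } for  pid=728337 '
    'comm="(ssh)" name="ssh" dev="dm-0" ino=3077371 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0',
]

# Pull the denied permission set and the three fields a rule is keyed on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """One AVC record -> dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def collect_denials(lines):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_module(name, rules):
    """Render merged denials in the module source layout audit2allow uses."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_module("merged_denials", collect_denials(AVC_LINES)))
```

Two things the merged output makes visible. The rsyslog rule has to carry `open`, the permission the AVC actually names, so a module that grants only `{ read write }` cannot clear that denial. And the ssh rule, `allow init_t ssh_exec_t:file { execute };`, would let anything still running as init_t execute ssh, which is why a blanket allow there is a far broader grant than the single denial suggests. Read the rendered module as a list of what was denied, not as a recommendation to grant it.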