Today I decided to do a quick revision of SELinux, as it has been a long while since I worked on any project that required fiddling with SELinux.

While looking for sealert messages in /var/log/messages on my Fedora-based desktop, I found a real issue that I needed to fix. As with most of my blog posts, I started writing the post while I was solving the issue.

To check the most recent sealert message, run:

[root@watkor ~]# grep -w sealert /var/log/messages | tail -n 1
Jul 19 09:39:57 watkor setroubleshoot[2075]: SELinux is preventing systemd-resolve from watch access on the directory /. For complete SELinux messages run: sealert -l f4eb99e6-4abc-4748-8796-82c00292a502

Run the suggested sealert command. The two "No protocol specified" lines at the top of its output are Xlib complaining that the root shell cannot authenticate to the desktop's X display; they are not part of the alert itself.

[root@watkor ~]# sealert -l f4eb99e6-4abc-4748-8796-82c00292a502
No protocol specified

No protocol specified

SELinux is preventing systemd-resolve from watch access on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow systemd-resolve to have watch access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: init_var_run_t, root_t, system_dbusd_var_run_t, systemd_networkd_var_run_t, systemd_resolved_var_run_t, var_run_t.
Then execute:
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that systemd-resolve should be allowed watch access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-resolve' --raw | audit2allow -M my-systemdresolve
# semodule -X 300 -i my-systemdresolve.pp


Additional Information:
Source Context                system_u:system_r:systemd_resolved_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                / [ dir ]
Source                        systemd-resolve
Source Path                   systemd-resolve
Port                          <Unknown>
Host                          watkor.local
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     watkor.local
Platform                      Linux watkor.local 6.9.9-200.fc40.x86_64
                              #1 SMP PREEMPT_DYNAMIC Thu Jul 11 19:29:01 UTC
                              2024 x86_64
Alert Count                   107
First Seen                    2022-10-09 19:19:42 AEDT
Last Seen                     2024-07-19 09:39:42 AEST
Local ID                      f4eb99e6-4abc-4748-8796-82c00292a502

Raw Audit Messages
type=AVC msg=audit(1721345982.397:85): avc:  denied  { watch } for  pid=1391 comm="systemd-resolve" path="/" dev="dm-0" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0


Hash: systemd-resolve,systemd_resolved_t,usr_t,dir,watch

The raw AVC message shows that systemd-resolve (running as systemd_resolved_t) was denied watch access on / because / is labelled usr_t, a type the policy does not allow systemd_resolved_t to watch. usr_t is not the right label for the root directory, so before touching the policy let's verify what the label currently is and what the policy says it should be.

[root@watkor ~]# ls -Zd /
system_u:object_r:usr_t:s0 /

[root@watkor ~]# semanage fcontext -l | grep '^/ '
/                                                  directory          system_u:object_r:root_t:s0

The policy already says / should be root_t, so there is no need to add or modify the fcontext rule for /; the on-disk label has simply drifted from the policy default. This also means the audit2allow module suggested by the catchall plugin would be the wrong fix: it would permanently grant systemd_resolved_t watch access on every usr_t directory instead of correcting the one mislabelled object. All that is needed is to restore the context:

[root@watkor ~]# restorecon -v /
Relabeled / from system_u:object_r:usr_t:s0 to system_u:object_r:root_t:s0

[root@watkor ~]# ls -Zd /
system_u:object_r:root_t:s0 /

The file context for / has been restored. Since / itself was mislabelled, other files may be too, so I think it would be a good idea to create the file /.autorelabel (touch /.autorelabel) so that the entire file system is relabelled on the next boot. A full relabel can take a while on a large file system and the machine reboots once more when it finishes.
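The triage above, done by hand in the post, can be scripted. The following is an added example and not part of the original post: it pulls the fields out of a raw AVC line and then, on an SELinux host, asks restorecon in dry-run mode whether the target object's label differs from the policy default. Label drift is fixed with restorecon; only when the label already matches the policy is the denial a genuine policy question worth a bug report or a narrowly scoped module. The sample AVC line is the one from this post; the helper names (avc_field, avc_perm, avc_type, avc_summary, label_drift) are my own.

```shell
#!/usr/bin/env bash
# Added example: triage an SELinux AVC denial before reaching for audit2allow.
# Step 1 extracts the interesting fields from a raw AVC line; step 2 dry-runs
# restorecon on the target path to see whether its label drifted from policy.
set -eu

# avc_field LINE KEY: value of KEY=value from a raw AVC line, quotes stripped.
# auditd hex-encodes paths containing spaces or quotes, so a plain value is safe.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "{ ... }", e.g. "watch".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]}]\)[[:space:]]*}.*/\1/p'
}

# avc_type CONTEXT: the type field of user:role:type:level, e.g. "usr_t".
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line digest of who was denied what on which object.
avc_summary() {
    printf 'comm=%s perm=%s class=%s path=%s source=%s target=%s\n' \
        "$(avc_field "$1" comm)" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)" \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")"
}

# label_drift PATH: dry-run restorecon. Prints its "Would relabel ..." line and
# returns 1 when the on-disk label differs from the policy default, 0 otherwise.
label_drift() {
    local out
    out="$(restorecon -nv "$1")"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Sample AVC line copied from the post; pass a different raw line as $1.
SAMPLE='type=AVC msg=audit(1721345982.397:85): avc:  denied  { watch } for  pid=1391 comm="systemd-resolve" path="/" dev="dm-0" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'
avc_line="${1:-$SAMPLE}"

avc_summary "$avc_line"

# The relabel check only makes sense on an SELinux host; skipped elsewhere.
target="$(avc_field "$avc_line" path)"
if command -v restorecon >/dev/null 2>&1 && [ -n "$target" ]; then
    if label_drift "$target"; then
        echo "label of $target matches policy; the denial is a real policy gap"
    else
        echo "label drift on $target; fix with: restorecon -v '$target'"
    fi
fi
```

On the host from the post, the dry run would have reported that / would be relabelled from usr_t to root_t, which is exactly the restorecon the author ended up running. Pass the output of `ausearch -m avc --raw` through the script one line at a time to triage a batch of denials the same way.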