
Fedora 22, Sealert recommendations

asked 2015-09-26 02:57:38 -0600

jl

updated 2015-09-26 03:04:54 -0600

This may be an issue that has always been there, but does sealert and its recommendations work?

I seem to have a few SELinux issues with untampered-with 'standard' applications (i.e. in this case postgresql). My SELinux config is set to permissive so only warnings are issued, but I end up with quite a few entries again in /var/log/messages. If I use the SELinux troubleshooter sealert to list the issues and then use the recommended correction commands, do they not just fix the first issue of that type found in the log? I.e. my sealert list has an entry (no. 23 in the list) for postgresql:

    You should report this as a bug.
    You can generate a local policy module to allow this access.
    Allow this access for now by executing:
    # grep postgres /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

But running the commands seems to pick up the first AVC for postgresql in the audit log - am I correct in thinking that? The mypol.te file always then seems to contain the same policy amendment for postgres if I run the above.

Presumably, the correct procedure is to list the alerts, potentially adopt the 'fix' or not, but in either case then delete the alert? Is that correct?

Edited: I've just deleted all the sealert entries using sealert, but the entries still appear in the audit log - so even after deleting the alerts, running the grep still gives the same mypol.te / mypol.pp files?


Comments

I can't quite tell from what you've written, and I'm sorry if you've done this, but are you sure you did the "semodule -i mypol.pp" command? It's a separate command that loads the policy into the kernel until the next version of the selinux policy is released.

baggypants (2015-10-01 03:23:16 -0600)

1 Answer


answered 2015-10-04 05:54:18 -0600

m8ram

Sealert's recommendations are just that: recommendations. The commands themselves will work and - usually - the one with the highest confidence is right but that's not always the case.

Before creating local modifications to the SELinux policy using audit2allow it is usually a good idea to check if there are SELinux booleans that manage what you are trying to achieve.

A quick search showed me that there are a number of booleans you need to set to allow users to connect to postgresql (see http://linux.die.net/man/8/postgresql... ).

Unfortunately there is no single answer to explain all AVC denials. Please post individual messages if you need specific help.

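Two points from the thread that are easier to see on real log lines: the `grep ... | audit2allow` pipeline does not act on "the first AVC" only, it feeds every matching line to audit2allow, which merges identical (source type, target type, class, permission) tuples into a single rule, and `grep postgres` matches any line containing that substring, including denials from other domains whose target context happens to be `postgresql_port_t`. The script below is an added example (not from the question, the answer, or the setroubleshoot project) that summarises AVC denials the way audit2allow groups them, using constructed sample audit lines in place of /var/log/audit/audit.log; the domain and type names in the samples are standard Fedora policy types, the pids, inodes and timestamps are made up.

```shell
#!/bin/sh
# Added example: summarise AVC denials grouped the way audit2allow merges them.
# The sample lines below are constructed; they stand in for /var/log/audit/audit.log.
AUDIT_SAMPLE='type=AVC msg=audit(1443257858.123:101): avc:  denied  { read } for  pid=1201 comm="postgres" name="pg_hba.conf" dev="dm-1" ino=4321 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1443257900.456:102): avc:  denied  { read } for  pid=1201 comm="postgres" name="pg_hba.conf" dev="dm-1" ino=4321 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1443258000.789:103): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1443258000.789:103): arch=c000003e syscall=42 success=yes exit=0'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$AUDIT_SAMPLE" > "$SAMPLE_FILE"

# matching_avc_count FILE PATTERN: how many lines the sealert-style grep would
# hand to audit2allow. Note that a bare "postgres" also matches the httpd line
# because its target type postgresql_port_t contains the substring.
matching_avc_count() {
    grep -c "$2" "$1"
}

# avc_summary FILE: print "count source_type target_type class perms", one
# line per distinct tuple, i.e. one line per rule audit2allow would emit.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions sit between { and }
                j = i + 1
                while (j <= NF && $j != "}") {
                    if (perms == "") perms = $j; else perms = perms "," $j
                    j++
                }
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # user:role:type:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if (sub(/^tclass=/, "", $i)) c = $i
        }
        key = s " " t " " c " " perms
        n[key]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort
}

echo "lines a grep for postgres would pass to audit2allow: $(matching_avc_count "$SAMPLE_FILE" postgres)"
echo "distinct denial tuples (one rule each):"
avc_summary "$SAMPLE_FILE"
```

On the sample, the grep passes three lines, but only two distinct tuples remain: the two postgres reads of a user_home_t file collapse into one rule, and the httpd name_connect denial becomes a second rule that has nothing to do with the postgres process. That is why a module built this way keeps coming out the same: deleting alerts in sealert only clears setroubleshoot's own alert store, it does not remove anything from audit.log, so the next grep sees the identical denials. Before loading such a module, check the summary for denials you did not expect, and as the answer says, look for a boolean (`getsebool -a | grep postgresql` on a real host) that covers the access first.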
