Living with SELinux

Since I’ve installed Fedora 34, I’m being constantly spammed by SELinux warnings. I tried editing the config file in /etc/selinux, which resulted in an unbootable system. Research showed that unlike in the past, I actually had to pass the kernel an option to get SElinux to stop yammering. That ‘worked’, in that the system booted, but was also unstable. So I had to turn SELinux back on.

Anyway I don’t want this to be a rant, but a solicitation for practical advice. How do I get rid of these errors? Is it OK to just ignore the messages, and suppress them forever? Or is there some way to tell SELinux, “Hey the system is doing what it’s supposed to do”? Some of these error messages are pretty cryptic…

For an example of what I’m going through: SELinux is teh suck – I’ve given up. | False and misleading information

What kind of system is this? What do you have running on it?

You can always just disable it if it’s making the OS unusable. Ideally you don’t of course but sometimes you have to…

1 Like

My knowledge is based on RHCE, OEL and CentOS.

Disabling SELINUX should not cause any kind of instability.

SELINUX and audits are indeed chatty. They log system calls and whatnot.

You can control SELINUX without rebooting the system or passing arguments to the kernel. These are the commands:

setenforce enforcing → SELINUX is enabled.

setenforce permissive → SELINUX is enabled but will not enforce anything. It will log what it would do in case it was enforcing.

setenforce disabled → SELINUX is disabled and will log anything.

There should be a file named /etc/sysconfig/selinux where you can set one of these modes. Even if this file doesn’t exist on Fedora the above commands should help you debug and determine if your problems are indeed related to SELINUX.

2 Likes

This.

Can you elaborate?

1 Like

some examples might be nice to see…

I run Fedora (33/34 currently) as my desktop for years.

Always left it in enforcing mode… haven't noticed anything wrong.

2 Likes

OK, here’s the most recent example:

Summary

SELinux is preventing usbmuxd from getattr access on the filesystem /.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that usbmuxd should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

ausearch -c 'usbmuxd' --raw | audit2allow -M my-usbmuxd

semodule -X 300 -i my-usbmuxd.pp

Additional Information:
Source Context system_u:system_r:usbmuxd_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects / [ filesystem ]
Source usbmuxd
Source Path usbmuxd
Port
Host fedora
Source RPM Packages
Target RPM Packages filesystem-3.14-5.fc34.x86_64
SELinux Policy RPM selinux-policy-targeted-34.16-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.16-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 5.14.0-60.rog.fc34.x86_64 #1 SMP Tue Aug 31 11:32:47 UTC 2021 x86_64 x86_64
Alert Count 5
First Seen 2021-09-08 18:48:56 CDT
Last Seen 2021-09-09 20:59:26 CDT
Local ID 8c075117-f1a7-4cfe-9c98-775750a1df40

Raw Audit Messages
type=AVC msg=audit(1631239166.668:370): avc: denied { getattr } for pid=2768 comm="usbmuxd" name="/" dev="sda2" ino=2 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

Hash: usbmuxd,usbmuxd_t,fs_t,filesystem,getattr

Apparently ‘usbmuxd’ is trying to ‘getattr’ on the root filesystem, which doesn’t sound like a huge security problem…

Not unusable, just annoying popups. Disabling it did lock up the system, though it's possible I put a bad option in /etc/selinux/selinux.conf. In the past I've tried to follow the directions and make exceptions and the like, but the errors just keep coming.

This is a gaming laptop, an Asus ROG Zephyrus M15 (i7-10750H + Nvidia 2070 Max-Q, 2020 vintage) with a custom kernel and control utility from http://asus-linux.org running Fedora 34.

As for disabling SELinux on the fly, according to this article on Phoronix that functionality has been disabled in Fedora 34: Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux - Phoronix
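Before installing the module that the sealert report suggests, it helps to see exactly what rule the raw AVC line turns into. The following is an added example, not code from the thread or from the SELinux tools: a small Python parser for an AVC record (the sample is the denial quoted above, with straight quotes) that pulls out the source and target types, reports whether the access was actually blocked (permissive=0) or only logged, and renders the allow rule and .te skeleton that audit2allow -M derives from it. The .te layout is an assumption about the tool's output shape, not a copy of it.

```python
import re

# Constructed sample: the raw AVC message from the sealert report quoted in
# this thread, with the curly quotes straightened so it parses as audit output.
AVC_LINE = ('type=AVC msg=audit(1631239166.668:370): avc: denied { getattr } '
            'for pid=2768 comm="usbmuxd" name="/" dev="sda2" ino=2 '
            'scontext=system_u:system_r:usbmuxd_t:s0 '
            'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')

def parse_avc(line):
    """Split one AVC record into its fields; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('kv')))
    fields = {k: v.strip('"') for k, v in kv.items()}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; policy rules are written on the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def was_enforced(fields):
    """permissive=0 means the access was really blocked; 1 means only logged."""
    return fields.get('permissive') == '0'

def perm_set(perms):
    # Policy syntax: a single permission bare, several inside braces.
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def allow_rule(fields):
    """The allow statement audit2allow derives from this one denial."""
    return (f"allow {fields['stype']} {fields['ttype']}:{fields['tclass']} "
            f"{perm_set(fields['perms'])};")

def te_module(name, fields):
    """Type Enforcement source in the shape audit2allow -M writes to <name>.te
    (assumption: the real tool's whitespace and comments differ)."""
    return "\n".join([
        f"module {name} 1.0;", "", "require {",
        f"\ttype {fields['stype']};", f"\ttype {fields['ttype']};",
        f"\tclass {fields['tclass']} {perm_set(fields['perms'])};",
        "}", "", allow_rule(fields)])

if __name__ == '__main__':
    f = parse_avc(AVC_LINE)
    print('enforced:', was_enforced(f))
    print(te_module('my-usbmuxd', f))
```

Reading the generated rule before `semodule -i` is the check that matters: it shows that the module grants usbmuxd_t nothing beyond getattr on fs_t, so the scope of the exception stays as narrow as the denial itself.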

You shouldn't really be getting any SELinux warnings, if any at all, unless you're seriously screwing the system up with non-standard software installs.

I wouldn’t advise installing random kernels from the internet either. Also worth noting that their FAQ says they don’t support F34.

F34 is fully supported according to their Discord and the custom kernel indicates it was built against the F34 codebase. I suspect they simply haven’t updated the website.

$ uname -r
5.14.0-60.rog.fc34.x86_64

I take your point about not trusting ‘random’ kernels, but without this kernel and associated utilities I lose a lot of functionality (fan control, power levels, RGB, graphics switching, etc.)

1 Like

Have you got any other third party applications installed?

It's generally the case that anything outside of the official and Fedora-focused repositories tends to be pretty poor when it comes to Fedora support and lacks things like SELinux profiles.

You can add your own or add exceptions if you really need extra applications but they may break again in the future.

You can put SELinux into permissive mode to capture all the events and then make a profile based on them. Worth making sure that you've got a clean system with just the repositories you need if you've added anything else that you might not really need. I can understand the kernel issue.

1 Like

The only other non-official software/repository I have installed is ‘Heroic’, an open source replacement for the Epic Games launcher. You might well be right about the custom kernel causing issues; AFAIK it’s a pretty small team trying to cope with a fast moving distro and a variety of different Asus laptops. It’s actually impressive what they’ve accomplished, and I imagine SELinux profiles are not at the top of their list given the gaming focus.

Things like this will set off a lot of selinux alerts and will likely never be integrated into the profiles unless their behavior can be generalized.

Based on a quick internet search: usbmuxd is for macOS and handles traffic b/t iOS devices and iTunes.

Not sure if this helps at all, but a talk on youtube really helped me see some of the benefits of SElinux, even tho it is long.

Feel free to bash me, as you already know everything he says, but I'm sure he mentions setting it to be less intrusive, and more helpful.

1 Like

@Trooper_ish Thanks! Now at least I know Red Hat isn’t just trying to mess with my head.

On a more serious note…I made it about 30 minutes in before it got a little too deep in the weeds. I would note that this seems like overkill for a system whose use case is…gaming. But it really helped me understand that it’s sort of a security overlay placed over *nix file permissions. I only had a vague idea of what mandatory access control was before watching.

BTW I thought this was mostly the job of PAM. PAM is undoubtedly more primitive, but it was also better at staying out of the way. Is it still in there somewhere?

He laid out a lot of commands that seem like they’d be very helpful in this scenario. But it also sounds like a potentially very deep rabbit hole. I may try to figure this one out, but just turning SELinux off is by far the easier option.

1 Like

To be fair, as a single user on a system, you could probably just disable SELinux, but there are ways around it, and if you ain’t gonna use one of the benefits of the system, is the system the right one for the use case?

I only dabbled in Fed for a bit, and SE was one thing that groused on me, but that vid in particular made me realise it is a really good thing, just too much for my needs.

I ended up going back to Ubu for compatibility; the Canonical guys like to compromise on the freedom side to just get things done, so it is a bit easier for dummies like me who just want to get on and game at times, and dabble when I have time.

I love Linux, and have been using it daily/main for over 5 years now, but I will not judge anyone who decides to just go back to Windows for its "just works" gaming, or multi-boot, or dual system.

I ran a VM for games, but took out the extra GPU a while ago for another PCI card, and COD:Warzone was getting properly bloated

2 Likes

I hear you as far as Ubuntu is concerned, but I also have issues with how Canonical tried to slip in Amazon spyware. So I remain suspicious of Ubuntu to this day. (I know they have to make a buck somehow, but surely there are less insidious ways to do it.)

PopOS seems like a popular solution for gaming, and is an Ubuntu derivative as well. I may give that a try at some point. My main reason for using Fedora is that while it’s not bleeding edge, most packages are reasonably up to date and it was specifically supported by the dev team behind those Asus laptop tools that are so helpful.

1 Like

that is fair, and as I said,

they might not play nice in the FLOSS side all the time either.

This is not me trying to champion Ubu for you, more feeling your struggle.

stay strong where I faltered :)

OTOH, RH is a tool in the space, and the more one knows about it, the more familiar, the stronger one is in general.

2 Likes

This is very true, and I do deal with RHEL occasionally on a professional basis, so it's good to know what's going on under the hood.

1 Like

Do this, read the warnings and make the correct entries into SELinux. Once the warnings go away, turn SELinux on. Report them back to the custom kernel crew and help them get better.

I use AppArmor because, Debian shill. I like the feature set of SELinux better, but it was not designed for use by mere mortals. You could run AppArmor as a drop in replacement, but in the real world rpm based systems are going to use SELinux.

In general, I try to run the default stuff that comes with the distro so that I am forced to learn how to use the new technologies. In regards to SELinux, it really is best served on internet-facing servers. On a desktop system that does not do critical things, it is overkill and can at times be a burden. At the very least, run it in permissive mode and leave it at that.

3 Likes