Issue #3347
Status: closed
Advise users to use `setsebool` to set pulp_manage_rsync
Description
On Fedora 27, the `semanage` executable can be used to set the default state of a boolean, but not its current state. To wit:
```console
# semanage boolean --list | head -n 1
SELinux boolean State Default Description
# semanage boolean --modify --off pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync (off , off) Allow pulp to manage rsync
# semanage boolean --modify --on pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync (off , on) Allow pulp to manage rsync
```
Notice how `semanage` sets a policy's "default" state, but not its current state? In prior versions of Fedora, both the "state" and "default" fields would be updated by this command. To set the current state of a boolean, the `setsebool` command now has to be used:
```console
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync (off , off) Allow pulp to manage rsync
# setsebool pulp_manage_rsync on
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync (on , off) Allow pulp to manage rsync
```
Note that this behaviour applies to other policies on F27, too. Here's another arbitrary policy that I arbitrarily picked out:
```console
# semanage boolean --modify --on zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo (off , on) Allow zoneminder to run sudo
# semanage boolean --modify --off zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo (off , off) Allow zoneminder to run sudo
```
The docs currently advise using `semanage` here. Let's tell readers about `setsebool` too.
This change appears to be intentional. The system journal shows no errors. Here's the output of `journalctl --follow` for the time period in which `semanage boolean --modify --on` is executed:
```
-- Logs begin at Wed 2018-02-07 11:10:04 EST. --
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability open_perms=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability extended_socket_class=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability always_check_network=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability cgroup_seclabel=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability nnp_nosuid_transition=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=21) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: USER_START pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.101.1 terminal=/dev/pts/1 res=success'
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: CRYPTO_KEY_USER pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0f:7f:33:2b:ba:6c:3a:16:47:19:de:04:1f:f7:1e:e1:61:53:9c:34:cd:0b:ea:dd:80:8d:30:66:1c:e4:a1:e9 direction=? spid=8428 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 8 users, 14 roles, 5094 types, 318 bools, 1 sens, 1024 cats
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 97 classes, 108540 rules
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Permission getrlimit in class process not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class sctp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class icmp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class ax25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class ipx_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class netrom_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class atmpvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class x25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class rose_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class decnet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class atmsvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class rds_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class irda_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class pppox_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class llc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class can_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class tipc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class bluetooth_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class iucv_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class rxrpc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class isdn_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class phonet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class ieee802154_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class caif_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class alg_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class nfc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class vsock_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class kcm_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class qipcrtr_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: Class smc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: the above unknown classes and permissions will be allowed
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability network_peer_controls=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability open_perms=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability extended_socket_class=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability always_check_network=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability cgroup_seclabel=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux: policy capability nnp_nosuid_transition=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=22) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration
```
Advise users on using setsebool to set pulp_manage_rsync selinux boolean
F27+ changed the behavior of semanage to set a selinux boolean by default, but not change its current state.
re #3347 https://pulp.plan.io/issues/3347
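The transcripts in the issue show the two columns of `semanage boolean --list` (running "State" and persistent "Default") drifting apart depending on which tool was used. The script below is an added example, not Pulp project code, that turns that observation into a post-configuration check: it parses a listing in that column format, reports every boolean whose State and Default disagree, and prints the `setsebool -P` command that sets both at once (`setsebool -P` writes the running value and the persistent store; plain `setsebool`, as in the issue, changes only the running value). The listing embedded in the script is constructed to mimic the Fedora 27 output quoted above; the function names and the choice to treat the Default column as the operator's intent are this example's own.

```shell
#!/bin/sh
# Added example (not Pulp project code): detect SELinux booleans whose running
# state and persistent default disagree, which is what the issue shows after
# `semanage boolean --modify` on Fedora 27, and emit the `setsebool -P`
# commands that bring both columns back into agreement.

# Constructed sample of `semanage boolean --list` output. The column layout
# "name (state , default) description" is the real format; the rows mimic the
# booleans from the issue plus one extra row showing drift in the other direction.
SAMPLE_LISTING='SELinux boolean                State  Default Description
pulp_manage_rsync              (off  ,  on)   Allow pulp to manage rsync
zoneminder_run_sudo            (off  ,  off)  Allow zoneminder to run sudo
httpd_can_network_connect      (on   ,  off)  Allow httpd to connect to network'

# Normalise a listing read on stdin to "name state default", one per line,
# dropping the header and any line that does not match the column format.
selinux_bool_states() {
    sed -E \
        -e 's/^([A-Za-z0-9_]+)[[:space:]]+\([[:space:]]*(on|off)[[:space:]]*,[[:space:]]*(on|off)[[:space:]]*\).*$/\1 \2 \3/' \
        -e 't' \
        -e 'd'
}

# Print "name state default" for every boolean whose running state differs
# from its persistent default. Exits 1 when at least one boolean has drifted,
# so it can gate a post-install check.
selinux_bool_drift() {
    selinux_bool_states | awk '$2 != $3 { print; n++ } END { exit (n > 0) }'
}

# For each drifted boolean, print the command that sets the running state to
# the recorded default and keeps it persistent. The Default column is treated
# as the operator's intent because `semanage boolean --modify` is what wrote it.
selinux_bool_fix_cmds() {
    selinux_bool_drift | awk '{ printf "setsebool -P %s %s\n", $1, $3 }'
}

# Use the live policy store when semanage is available and we are root,
# otherwise run against the constructed sample so the script works offline.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    semanage boolean --list | selinux_bool_fix_cmds
else
    printf '%s\n' "$SAMPLE_LISTING" | selinux_bool_fix_cmds
fi
```

Run on the sample, the script prints `setsebool -P pulp_manage_rsync on` and `setsebool -P httpd_can_network_connect off`; pipe a real `semanage boolean --list` into `selinux_bool_drift` after a `semanage --modify` to confirm that the running state actually changed, and expect an empty result and exit 0 once `setsebool -P` has been applied.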