From Fedora Project Wiki

Revision as of 19:51, 9 May 2023 by Zpytela (talk | contribs) (Create a new wiki page to help with debugging SELinux issues)

How to debug SELinux issues

This page is a draft.

Install packages useful for debugging

$ sudo dnf -y install setools-console selinux-policy-devel policycoreutils-newrole strace /usr/sbin/service

Enable full auditing

For performance reasons, full auditing is not enabled by default: without at least one active watch or syscall rule the kernel emits only the bare AVC record, not the SYSCALL, PATH and PROCTITLE records that name the process and file behind a denial. To enable it:

1. Open the /etc/audit/rules.d/audit.rules file in an editor.

2. Remove the following line if it exists:

-a task,never

3. Add the following line to the end of the file:

-w /etc/shadow -p w

4. Restart the audit daemon using the legacy service command (systemctl refuses to restart auditd), or reboot the system:

$ sudo service auditd restart

5. Re-run the scenario that results in SELinux denials.

6. Collect AVC denials:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
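The six steps above as a script, added here as an example and not part of the wiki page: enable_full_auditing edits a rules file idempotently (steps 2 and 3), restart_auditd is step 4, and summarize_avcs condenses the records collected in step 6 into one line per distinct denial so a noisy log shows which few rules are actually missing. The function names and the sample rules file and audit records are this example's own, constructed data; the rules, ausearch and service commands are the stock Fedora ones.

```shell
#!/bin/sh
# Added example, not from the wiki page: the auditing steps as reusable functions plus a
# summariser for the AVC records they produce. Function names (enable_full_auditing,
# restart_auditd, summarize_avcs) and the sample rules/log below are this example's own
# and constructed; the rules, ausearch and service commands are the stock ones.

# Steps 2 and 3 on one rules file, safe to re-run: drop the rule that turns task auditing
# off and add the watch rule exactly once. Any active watch/syscall rule makes the kernel
# emit the SYSCALL, PATH and PROCTITLE records that accompany a bare AVC.
enable_full_auditing() {
    rules=$1
    tmp=$(mktemp)
    grep -vxF -e '-a task,never' "$rules" > "$tmp" || true   # -v exits 1 when nothing is left
    grep -qxF -e '-w /etc/shadow -p w' "$tmp" || printf '%s\n' '-w /etc/shadow -p w' >> "$tmp"
    cat "$tmp" > "$rules"
    rm -f "$tmp"
}

# Step 4: auditd refuses "systemctl restart", so go through the legacy service script.
restart_auditd() {
    service auditd restart
}

# Step 6, condensed: reduce raw AVC/USER_AVC records (ausearch output without -i, or
# /var/log/audit/audit.log itself) to one line per distinct
# "count source_type target_type class { permissions }", most frequent first.
summarize_avcs() {
    awk '
        function field(name,    v) {        # value of name=... up to the next blank
            v = $0
            sub(".*" name "=", "", v)
            sub(/ .*/, "", v)
            return v
        }
        /avc:  denied/ {
            perms = $0
            sub(/.*denied  [{] /, "", perms)
            sub(/ [}].*/, "", perms)
            split(field("scontext"), s, ":")  # user:role:type:level -> type is s[3]
            split(field("tcontext"), t, ":")
            count[s[3] " " t[3] " " field("tclass") " { " perms " }"]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# Offline demo on constructed data (a stock-looking rules file and four denials).
SAMPLE_RULES=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_RULES" "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
## First rule - delete all
-D
## Increase the buffers to survive stress events.
-b 8192
-a task,never
EOF
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1683654321.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1683654321.102:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1683654321.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1683654321.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
EOF
enable_full_auditing "$SAMPLE_RULES"
echo "--- rules after edit"; cat "$SAMPLE_RULES"
echo "--- distinct denials"; summarize_avcs "$SAMPLE_LOG"
```

On a real host run enable_full_auditing /etc/audit/rules.d/audit.rules and restart_auditd as root, then feed the raw output of the ausearch command from step 6 (saved to a file, without -i) to summarize_avcs. Two identical AVC records collapse to one line with a count of 2, which is the view you want before reaching for audit2allow.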

Setting up confined users

Create new users assigned to a particular SELinux user

for username in guest xguest user staff; do
  adduser -Z "${username}_u" "${username}"
  # PASSWORD holds the initial password and must be set beforehand
  echo "${PASSWORD}" | passwd --stdin "${username}"
done

Assign SELinux user to an existing user

Assign default admin roles to Linux users when using sudo

The ROLE and TYPE tags make sudo run the command in the given SELinux role and type. NOPASSWD lets the staff user reach sysadm_t without a password prompt; drop it where the prompt is wanted.

cat > /etc/sudoers.d/admin-roles << EOF
staff        ALL=(ALL)       ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
EOF
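The two remaining steps of this section, assigning an SELinux user to an existing login and granting an admin role through sudo, as a script added here for illustration and not part of the wiki page. decide_login_action works out whether a mapping needs semanage login -a, -m or nothing, because -a fails on a login that is already mapped; effective_seuser shows which SELinux user a login really gets when it has no entry of its own; admin_role_sudoers and install_admin_roles produce the sudoers entry and validate it with visudo before it is installed. It differs from the page in leaving NOPASSWD out. The function names and the sample semanage listing are this example's own, constructed data; semanage, id -Z, visudo and install are the stock tools.

```shell
#!/bin/sh
# Added example, not from the wiki page: idempotent helpers for mapping a Linux login to an
# SELinux user and for granting an admin role through sudo. Function names
# (decide_login_action, effective_seuser, ensure_login_mapping, admin_role_sudoers,
# install_admin_roles) and the sample listing are this example's own and constructed;
# semanage, id -Z, visudo and install are the stock tools.

# Given a saved "semanage login -l" listing, decide what a mapping change needs:
# "add" (login not listed), "modify" (listed with another SELinux user) or "noop".
# "semanage login -a" fails when the login is already mapped, hence the distinction.
decide_login_action() {
    current=$(awk -v l="$2" '$1 == l { print $2 }' "$1")
    if [ -z "$current" ]; then
        echo add
    elif [ "$current" = "$3" ]; then
        echo noop
    else
        echo modify
    fi
}

# The SELinux user a login really gets: its own entry, else __default__ (unconfined_u on a
# stock install). This is why adduser without -Z produces an unconfined user.
effective_seuser() {
    awk -v l="$2" '$1 == l { own = $2 } $1 == "__default__" { dflt = $2 }
                  END { print (own != "" ? own : dflt) }' "$1"
}

# Apply a mapping on a live system (root; policycoreutils-python-utils provides semanage).
# Only new logins pick it up: check with "id -Z" from a fresh session, not the current one.
ensure_login_mapping() {
    listing=$(mktemp)
    semanage login -l > "$listing"
    case $(decide_login_action "$listing" "$1" "$2") in
        add)    semanage login -a -s "$2" "$1" ;;
        modify) semanage login -m -s "$2" "$1" ;;
    esac
    rm -f "$listing"
}

# sudoers entry letting LOGIN switch to ROLE/TYPE. No NOPASSWD here: the role change is
# the step to full admin, and a password prompt is cheap insurance in front of it.
admin_role_sudoers() {
    printf '%s ALL=(ALL) ROLE=%s TYPE=%s ALL\n' "$1" "$2" "$3"
}

# Validate with visudo before anything lands in /etc/sudoers.d; mode 0440 like sudoers.
install_admin_roles() {
    tmp=$(mktemp)
    admin_role_sudoers staff sysadm_r sysadm_t > "$tmp"
    visudo -cf "$tmp" && install -m 0440 "$tmp" /etc/sudoers.d/admin-roles
    rm -f "$tmp"
}

# Offline demo on a constructed "semanage login -l" listing (not from a real host).
SAMPLE_LISTING=$(mktemp)
trap 'rm -f "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_LISTING" <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
staff                staff_u              s0-s0:c0.c1023       *
guest                guest_u              s0                   *
EOF
for login in staff guest alice; do
    echo "$login -> $(effective_seuser "$SAMPLE_LISTING" "$login"); mapping to staff_u needs: $(decide_login_action "$SAMPLE_LISTING" "$login" staff_u)"
done
admin_role_sudoers staff sysadm_r sysadm_t
```

On a live system ensure_login_mapping alice staff_u maps an existing user without failing on a second run, and install_admin_roles refuses to install a sudoers fragment that visudo rejects, so a typo cannot lock sudo for everyone.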