Description of problem:
Had the selinux complain about a security matter. I follow the directions like I always have to add the module to allow. This case is openvpn. But when I try to import the module, I get the message in the summary.

Bad boolean declaration at line 148 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil

Version-Release number of selected component (if applicable):
fedora 24

Installed Packages
libselinux.x86_64                  2.5-3.fc24               @@commandline
libselinux-devel.x86_64            2.5-3.fc24               @@commandline
libselinux-python3.x86_64          2.5-3.fc24               @@commandline
libselinux-utils.x86_64            2.5-3.fc24               @@commandline
rpm-plugin-selinux.x86_64          4.13.0-0.rc1.27.fc24     @@commandline
selinux-policy.noarch              3.13.1-190.fc24          @@commandline
selinux-policy-targeted.noarch     3.13.1-190.fc24          @@commandline

How reproducible:
Right now, I cannot execute the semodule command without the following occurring:

[root ~]# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-openvpn.pp

[root ~]# semodule -X 300 -i my-openvpn.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 148 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
semodule: Failed!

Steps to Reproduce:
1. ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
2. semodule -X 300 -i my-openvpn.pp

Actual results:
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 148 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
semodule: Failed!

Expected results:
Added permissions.

Additional info:
I'm not seeing anything in journalctl -xe or journalctl -xf when I run the commands. I've finally setenforce to 0 to get my vpn to connect. Been having trouble with a bluetooth module as well.
Please attach a complete setroubleshoot report or at least AVC denial message you see in your logs, and also my-openvpn.te file generated by audit2allow.
This is a conflict between docker-selinux or docker-engine-selinux and the selinux policy installed on the box. If you are using docker-selinux, please update to the latest package. If you are using docker-engine-selinux, then there is an open issue on this at github.com/docker
I don't have either of the docker packages installed. These are my installed packages related to selinux:

----
[root ~]# rpm -qa *selinux*
selinux-policy-3.13.1-191.fc24.3.noarch
libselinux-2.5-3.fc24.x86_64
rpm-plugin-selinux-4.13.0-0.rc1.27.fc24.x86_64
libselinux-python3-2.5-3.fc24.x86_64
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
libselinux-devel-2.5-3.fc24.x86_64
libselinux-utils-2.5-3.fc24.x86_64
----

Here is my-openvpn.te file:

----
[root ~]# cat my-openvpn.te

module my-openvpn 1.0;

require {
	type user_home_t;
	type ssh_home_t;
	type openvpn_t;
	class file open;
}

#============= openvpn_t ==============
allow openvpn_t ssh_home_t:file open;

#!!!! The file '/home/mock/.ssh/mockmanor.com.pem' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/mock/.ssh/mockmanor.com.pem
allow openvpn_t user_home_t:file open;
----

On the date in question, I find this in the journalctl for setroubleshoot:

----
[root ~]# journalctl -t setrbouleshoot
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: read_xml_file() libxml2.parserError: xmlParseFile() failed
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 13] Permission denied: '/var/lib/setroubleshoot/setroubleshoot_d
Jun 24 07:44:33 liberia setroubleshoot[1399]: SELinux is preventing (uetoothd) from mounton access on the directory /etc. For complete SELinux messages. run sealert -l 82d494f5-551b-499d
----

I did find the user label for the files in the /var/lib/setroubleshoot directory were owned by chrony:openvpn. I changed these to setroubleshoot:setroubleshoot to match the directory. I also had to adjust the /var/lib/selinux/target user label from system_u to unconfined_u. (I was matching these with a clean vm install of fedora 24.) After making all these changes, I am still getting the same error. I have not rebooted yet. I cannot restart the audit.service. (I tried a reload with no difference.) I will check again after I get it restarted.
I tried to run semodule again after a reboot with no change.
Could you run these commands?

# semodule -l | grep docker
docker
# semanage module --list | grep docker
docker 400 pp
Certainly.

[root ~]# semodule -l | grep docker
docker
[root ~]# semanage module --list | grep docker
docker 400 pp
Looks like you have docker-selinux or docker-engine-selinux installed, or did at one point?
I did when I had f23 installed. I did a dnf system-upgrade to f24 about a month ago. I have not installed docker since the upgrade.
dnf remove docker-selinux

Should remove these policy packages.
Tried that...

[root ~]# dnf remove docker-selinux
No match for argument: docker-selinux
Error: No packages marked for removal.

The policies are still in place. Would semodule -r docker work instead?
Yes, that should work. I wonder if we had a bug removing it.

rpm -q --scripts docker-selinux

Shows the following scriptlet:

postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
    /usr/sbin/semodule -n -r docker &> /dev/null || :
    if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
        /usr/sbin/restorecon -R /usr/bin/docker /var/run/containerd.sock /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /usr/lib/systemd/system/docker-containerd.service /etc/docker &> /dev/null || :
    fi
fi
Success!

[root ~]# semodule -n -r docker
libsemanage.semanage_direct_remove_key: Removing last docker module (no other docker module exists at another priority).
[root ~]# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-uetoothd.pp

[root ~]# semodule -i my-uetoothd.pp
[root ~]#

...and...

[root ~]# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-openvpn.pp

[root ~]# semodule -i my-openvpn.pp
[root ~]#

Thanks, Dan. I've been making more of an effort to learn selinux rather than knee-jerk disabling. This exercise, which I'm sure has taxed you a bit, has been helpful to me. I can't speak to the removal bit of the script you posted, but I had to --allowerasing for my dnf system-upgrade from f23 to f24. I had started the long upgrade process and walked away, so I didn't pay enough attention to what it was upgrading. Since I was technically pre-release installing, I accepted certain packages wouldn't make the upgrade bit until the rpmfusion repos were approved for f24 gold. It wasn't until later that I ran into this situation. If you need me to check anything else to help you do some debugging/forensics on this case, let me know. Otherwise, I'm calling this a close on my end.
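The diagnosis in this thread turned on `semanage module --list` showing a leftover docker module at priority 400 while Fedora's own policy modules live at priority 100. As an added example, not part of the bug report or of Fedora's tooling, the shell check below parses a listing in that format (a constructed sample is embedded) and flags modules outside the distro priority as well as names present at more than one priority; DISTRO_PRIORITY and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an SELinux module listing
# for modules outside the distribution priority. Fedora installs the
# selinux-policy modules at priority 100; audit2allow modules loaded with
# `semodule -X 300` land at 300, and the stale docker module sat at 400.
# A same-named module at a higher priority overrides the distro copy, and
# an orphaned one (its RPM gone) can break every later `semodule -i`.

DISTRO_PRIORITY=100

# Constructed sample in the column layout of `semanage module --list`
# (name, priority, language), modelled on the listing in this thread.
SAMPLE_LISTING='Module Name               Priority  Language
virt                      100       pp
openvpn                   100       pp
docker                    100       pp
docker                    400       pp
my-openvpn                300       pp'

# Print "name priority" for each module not at the distro priority.
# Skips the header row; reads a listing on stdin, so the live check is
#   semanage module --list | nondistro_modules
nondistro_modules() {
    awk -v p="$DISTRO_PRIORITY" 'NR > 1 && $2 != p { print $1, $2 }'
}

# Print module names present at more than one priority: the copy at the
# highest priority is the one in effect and shadows the lower ones.
shadowed_modules() {
    awk 'NR > 1 { seen[$1]++ } END { for (m in seen) if (seen[m] > 1) print m }' | sort
}

# Wrappers that run each check over the constructed sample.
sample_nondistro() { printf '%s\n' "$SAMPLE_LISTING" | nondistro_modules; }
sample_shadowed()  { printf '%s\n' "$SAMPLE_LISTING" | shadowed_modules; }

echo "Modules outside priority $DISTRO_PRIORITY (name priority):"
sample_nondistro
echo "Modules shadowing a lower-priority copy:"
sample_shadowed
```

Any module the check reports should be matched against `rpm -qf`/`rpm -q` for the package that shipped it; one with no owning package is the kind of orphan that `semodule -r <name>` resolved here.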
Just for grins do a

dnf install docker-selinux

And see if it succeeds. It should have the updated policy that works.
Seems to work. And for the record, I was grinning as I did this. :D

[root ~]# dnf install docker-selinux
Failed to synchronize cache for repo 'google-chrome', disabling.
Last metadata expiration check: 0:17:40 ago on Mon Jul 11 09:00:22 2016.
Dependencies resolved.
========================================================================================================================
 Package                   Arch          Version                              Repository                           Size
========================================================================================================================
Installing:
 docker-selinux            x86_64        2:1.10.3-23.git971d3bf.fc24          updates-testing                      73 k

Transaction Summary
========================================================================================================================
Install  1 Package

Total download size: 73 k
Installed size: 27 k
Is this ok [y/N]: y
Downloading Packages:
docker-selinux-1.10.3-23.git971d3bf.fc24.x86_64.rpm                                     152 kB/s |  73 kB     00:00
------------------------------------------------------------------------------------------------------------------------
Total                                                                                    56 kB/s |  73 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : docker-selinux-2:1.10.3-23.git971d3bf.fc24.x86_64                                                   1/1
  Verifying   : docker-selinux-2:1.10.3-23.git971d3bf.fc24.x86_64                                                   1/1

Installed:
  docker-selinux.x86_64 2:1.10.3-23.git971d3bf.fc24

Complete!