SELinux AVC denials coming in Centos7.3

vyshnav
Posts: 60
Joined: 2017/09/12 03:37:54

SELinux AVC denials coming in Centos7.3

Post by vyshnav » 2017/11/21 11:12:00

I'm getting SELinux AVC denials with the new CentOS 7.3, due to which services are not coming up. We have tried loading policies related to the denials, but we are still observing those denials. Can you please help to identify the reason?
Last edited by vyshnav on 2017/11/21 11:47:49, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux AVC denials coming in Centos7.3

Post by TrevorH » 2017/11/21 11:26:30

New and CentOS 7.3 are mutually contradictory - 7.4 is out, 7.3 is out of date.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

vyshnav
Posts: 60
Joined: 2017/09/12 03:37:54

Re: SELinux AVC denials coming in Centos7.3

Post by vyshnav » 2017/11/21 11:42:27

TrevorH wrote: New and CentOS 7.3 are mutually contradictory - 7.4 is out, 7.3 is out of date.
Sorry, I am working in CentOS 7.3 and am hitting the issue in CentOS 7.3.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux AVC denials coming in Centos7.3

Post by TrevorH » 2017/11/21 14:32:38

Yes but the point is, 7.3 is no more, you should be using 7.4.

vyshnav
Posts: 60
Joined: 2017/09/12 03:37:54

Re: SELinux AVC denials coming in Centos7.3

Post by vyshnav » 2017/11/23 08:38:41

TrevorH wrote: Yes but the point is, 7.3 is no more, you should be using 7.4.
In CentOS 6.8 I was not getting these AVC denial issues, but when I updated to CentOS 7 I was getting this issue.
Even after loading the policy, these AVC denials are persisting. After loading the policy it locally allows those denials, but when I do a fresh installation they come again. Can you please help me to find the reason behind this?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELinux AVC denials coming in Centos7.3

Post by hunter86_bg » 2017/11/26 08:01:29

As Trevor mentioned - updating is highly recommended.
As a dirty workaround:
1. Set SELinux in permissive mode to log as much as possible.
2. Run 'sealert -a /var/log/audit/audit.log | less' to view what's blocked and how to create your policy.
3. Set SELinux in enforcing to test the policy. If needed, repeat again.
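
An added example, not part of the thread: a small shell function that groups the AVC records in an audit log by source type, target type, class and permission, so it is easy to see which denials keep recurring between the permissive and enforcing runs described above. The sample records are constructed; `permissive=1` marks a denial that was only logged, `permissive=0` one that was enforced.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials from audit records.

# Reads audit.log-style records on stdin and prints, most frequent first:
#   COUNT source_type -> target_type:class { perms } permissive=N
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        # Permission list is the text between "{" and "}".
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        s = "?"; t = "?"; c = "?"; p = "?"
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/)   { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/)   { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)     { c = substr($i, 8) }
            if ($i ~ /^permissive=/) { p = substr($i, 12) }
        }
        n[s " -> " t ":" c " { " perms " } permissive=" p]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (hypothetical PIDs, inodes and timestamps).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1511690000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4021 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1511690000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1511690005.412:207): avc:  denied  { read } for  pid=1203 comm="httpd" name="index.html" dev="dm-0" ino=4021 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1511690010.730:215): avc:  denied  { name_connect } for  pid=1202 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

sample_log | summarize_avc
```

On a real host the same function can be fed the log directly: `summarize_avc < /var/log/audit/audit.log`.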

vyshnav
Posts: 60
Joined: 2017/09/12 03:37:54

Re: SELinux AVC denials coming in Centos7.3

Post by vyshnav » 2017/11/27 05:19:39

hunter86_bg wrote: As Trevor mentioned - updating is highly recommended.
As a dirty workaround:
1. Set SELinux in permissive mode to log as much as possible.
2. Run 'sealert -a /var/log/audit/audit.log | less' to view what's blocked and how to create your policy.
3. Set SELinux in enforcing to test the policy. If needed, repeat again.
OK, thanks for the reply. But it's not working in my case. Using sepolicy generate and audit2allow I have generated policies and loaded them to the rpm, but again after a fresh installation I am getting the same denial.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELinux AVC denials coming in Centos7.3

Post by hunter86_bg » 2017/11/27 20:02:04

Maybe you should provide a sample.

What do you mean - after fresh install?

vyshnav
Posts: 60
Joined: 2017/09/12 03:37:54

Re: SELinux AVC denials coming in Centos7.3

Post by vyshnav » 2017/11/28 09:10:20

hunter86_bg wrote: Maybe you should provide a sample.

What do you mean - after fresh install?
I have added all these policies to an rpm and created a new ISO. When I installed this newly created ISO, I'm facing the problem.
