RE: https://mastodon.social/@connel/115323672457296682

It turns out this issue was caused by #SELinux

I'm going to try and spend some time learning how it works to see if I can get it fixed.

There are a few other SELinux violations that are logged on start up that I hadn't noticed.

Switching it off is also an option but I'll do some learning first. Not the first time I've found out this was the root cause of something not working that I've spent a lot of time debugging. Seems overkill for my little homelab.

#openSUSE Leap 16.0 is here; a new web-based #installer, #SELinux by default, and support through 2032. #openSUSE #Leap16 https://distrowatch.com/weekly.php?issue=20251013#opensuse
Today the last #Buildroot patch I needed to get a fully working #SELinux build with Busybox init was merged, which allows setting policy booleans at build time (only persistent way to set them with monolithic policy).

My experiment build is fairly minimal, and I have a custom module with a few policy adjustments, but that's something that should be fixed upstream in refpolicy. SELinux with Busybox init is probably not a common setup, to say the least.


(And there's still the overlayfs issue, but my priority is understanding how SELinux policy works.)

@centopus Nah, not the first time for me. It took me a few minutes as I know these kinds of troubles from RHEL and Rocky Linux as part of my job.

I am just afraid that a casual user would have been scared away from Linux when this would have been their first Linux encounter. Up until now I thought Fedora could be recommended as an entry level distribution. 🤔

#AppArmor on Ubuntu seems to be less troublesome but I also guess that its default setup is way less strict than #Fedora's #SELinux configuration.

What does one do on a free Sunday: lift the first laptop from #opensuse Leap to #opensuse16.
First attempt using "opensuse-migration-tool" did nothing except remove #apparmor and bring in #SElinux.
Now a "zypper dup" is running and updating 2500 packages.

Set scene.
At the Hackerspace.

Him: "I installed Fedora to test selinux."

Me: "Do you regret it yet?"

Him: "Well, it has failed so hard now that it refuses to boot."

Him: "I can't remember the last time I fucked up Linux so hard it refuses to boot."

#Linux #selinux #security

Judging by how often I have run into #SELinux related issues while working with #RHEL based servers and my current #Fedora workstation setup, I start to wonder if the enhanced security is worth all the trouble... 😮‍💨

Example: SELinux blocked my private key file for my OpenVPN config. OpenVPN refused to start without giving a helpful error message. journalctl was helpful and I could then create a specific SELinux rule. It takes some experience to figure this out.

How is a "normal" computer / #Linux user supposed to figure this out without spending several hours? 😅
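The OpenVPN key problem in the post above is the classic SELinux triage case: the denial is in the journal, but the right fix is usually a relabel, not a new allow rule. The script below is an added example, not code from the poster or from any SELinux project. It parses two constructed AVC lines (the pids, inode, device, port and file names are made up) in the shape `journalctl` / `ausearch -m AVC` print, classifies each with a heuristic that is my assumption rather than a rule from the post (a file-class denial whose target carries a generic label such as `user_home_t` is a mislabeled file; anything else is a policy gap), and prints the defender's next step. The target type `openvpn_etc_t` is assumed to be the type Fedora's policy assigns to `/etc/openvpn`; nothing here runs `semanage`, `restorecon` or `audit2allow`, it only prints the commands.

```shell
#!/bin/sh
# Added example, not from any post on this page: triage one SELinux AVC denial
# of the kind described for the OpenVPN key. It classifies the denial as a
# labeling problem (fix: relabel the file) or a policy gap (fix: boolean or
# custom module) and prints the next step. Everything runs offline on
# constructed log lines; no semanage, restorecon or audit2allow is executed.

# Constructed denial in the shape journalctl / ausearch -m AVC print; pid, dev,
# ino and file name are made up. A confined daemon (openvpn_t) reading a key
# that still carries the generic home-directory label user_home_t.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.key" dev="dm-0" ino=98765 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Second constructed denial: the same daemon binding a port the policy does not
# assign to it. No relabeling helps here; a boolean or policy rule is needed.
PORT_AVC='type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_bind } for  pid=1234 comm="openvpn" src=1195 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0'

# avc_field LINE KEY: value of KEY=... in one AVC line, quotes stripped
# (empty if the key is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the denied permission set, e.g. "read" or "name_bind".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify LINE: heuristic (an assumption, not a rule from the posts): a
# file or dir denial whose target carries a generic label such as user_home_t,
# tmp_t or default_t is almost always a mislabeled object -> "relabel";
# anything else -> "policy".
avc_classify() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$tclass:$ttype" in
        file:user_home_t|file:home_root_t|file:tmp_t|file:default_t|dir:user_home_t|dir:home_root_t|dir:tmp_t|dir:default_t)
            echo relabel ;;
        *)
            echo policy ;;
    esac
}

# avc_report LINE: one-line summary plus the commands a defender would run
# next. openvpn_etc_t is assumed to be the type Fedora's policy gives to
# /etc/openvpn; adjust the type and paths for the daemon in the scontext.
avc_report() {
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s denied { %s } on %s "%s" labeled %s\n' \
        "$sdom" "$(avc_perms "$1")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" "$ttype"
    case "$(avc_classify "$1")" in
        relabel)
            echo "  -> the file's label, not the policy, is wrong; do not write an allow rule."
            echo "     Move it under the daemon's config dir and restore labels:"
            echo "       restorecon -RFv /etc/openvpn"
            echo "     or register a persistent context for a custom path:"
            echo "       semanage fcontext -a -t openvpn_etc_t '/srv/vpn/keys(/.*)?'"
            echo "       restorecon -RFv /srv/vpn/keys"
            ;;
        policy)
            echo "  -> no label fixes this; first check whether a boolean covers it:"
            echo "       ausearch -m AVC -ts recent | audit2allow -w"
            echo "       semanage boolean -l | grep -i openvpn"
            echo "     and only then build a narrow local module with audit2allow -M."
            ;;
    esac
}

avc_report "$SAMPLE_AVC"
avc_report "$PORT_AVC"
```

Run it as-is to see both reports; to triage a real denial, feed a line from `ausearch -m AVC -ts recent` to `avc_report` instead of the constructed samples. The point of the split is the one the post hints at: a key file under a home directory is a labeling mistake that `restorecon` fixes, while an `audit2allow`-generated module for it would silently widen the daemon's policy.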

Somehow refpolicy was missing the default locations for SSH split binaries in its file context definitions, which say which labels files (file system objects, to be precise) at certain paths should have. Well, easy first patch I suppose. https://github.com/SELinuxProject/refpolicy/pull/1032 #SELinux
ssh: set file context for default locations of split binaries by airtower-luna · Pull Request #1032 · SELinuxProject/refpolicy

The upstream default install location for sshd-auth, sshd-session, and ssh-keysign is /usr/libexec. Add those paths to the module so they are labeled correctly.

See how the #openSUSE migration tool handles upgrades, repo changes, #SELinux defaults, 32-bit options and more in this demo. #opensource #Linux https://youtu.be/N-pKs8KJW48?si=hvUG0URx5ayRF88m
openSUSE Migration Tool is awesome. Use it for upgrading to Leap16 releasing soon.

Got two more #Buildroot patches to send out once tests pass, and then… a bugfix that should probably go right to #SELinux refpolicy. Maybe a little extension, too.