AlmaLinux 9.1 and SELinux problem
Hi,
I'm running AlmaLinux 9.1 on a VM to play with SELinux and trying to create a custom policy for an app. This app is written in Python and waits for files to be processed (uploaded via sftp from another host). It reads data from this file and then saves them in a PostgreSQL DB. If something is wrong with the data, it will send an email.
I followed this:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Generating a custom policy, a permissive line is inserted in the policy:
permissive example_t;
which, if I'm not wrong, means the policy runs as permissive even if denials are found.
After commenting out this line and reloading the policy, my program does not work anymore and I receive this error:
psycopg2.connect(127.0.0.1): could not receive data from server: Permission denied could not send SSL negotiation packet: Permission denied
The strange thing is that if I run:
# ausearch -m AVC -ts recent
I don't receive new denied AVCs.
I also tried to read the PostgreSQL-side logs but found nothing useful.
Can someone point me in the right direction?
Thank you in advance.
Hello,
First, try setting SELinux in permissive mode globally to see if that changes anything:
root@host:# setenforce 0
Then run your program and let it do what it wants to do. If you still get errors, then SELinux is not the issue (at least not the whole issue).
HTH
/tony
On Fri, 2 Dec 2022 11:24:53 +0100, Alessandro Baggi wrote:
AlmaLinux Users mailing list -- users@lists.almalinux.org
To unsubscribe send an email to users-leave@lists.almalinux.org
--
Tony Albers
Hi Tony,
I already tried running SELinux in permissive mode and it works as expected, but when I enforce it, the program reports that error and there are no AVC denials.
On 02/12/22 12:04, Tony Albers wrote:
Hi Alessandro,
Ok, then you should try to tail /var/log/audit/audit.log to see what happens in there. Your ausearch command might have the wrong flags set and therefore does not show you the errors. You might want to try 'ausearch -m ALL -ts recent' too.
HTH
/tony
On Fri, 2 Dec 2022 12:18:46 +0100, Alessandro Baggi wrote:
--
Tony Albers
Hi Tony,
reading with tail -f /var/log/audit/audit.log while the error occurs, I obtain only these types but nothing about errors:
type=CRYPTO_KEY_USER type=CRYPTO_SESSION type=CRYPTO_SESSION type=USER_AUTH type=CRYPTO_KEY_USER type=USER_ACCT type=CRYPTO_KEY_USER type=CRED_ACQ type=LOGIN type=SYSCALL type=PROCTITLE type=USER_ROLE_CHANGE type=SERVICE_START type=USER_ACCT type=CRED_ACQ type=USER_ROLE_CHANGE type=LOGIN type=SYSCALL type=PROCTITLE type=USER_START type=ANOM_ABEND type=SERVICE_START type=USER_START type=CRYPTO_KEY_USER type=CRED_ACQ type=USER_LOGIN type=USER_START type=CRYPTO_KEY_USER type=CRYPTO_KEY_USER type=CRYPTO_KEY_USER type=USER_END type=CRED_DISP type=USER_END type=USER_LOGOUT type=CRYPTO_KEY_USER type=SERVICE_STOP
The same happens running 'ausearch -m ALL -ts recent', but with more lines.
I don't understand why there is no AVC denial when a permission denied is issued by my app.
On 02/12/22 12:36, Tony Albers wrote:
Hi Alessandro,
I hope you have it solved by now. But if not, have a look at this page:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
HTH
/tony
On Fri, 2 Dec 2022 15:23:00 +0100, Alessandro Baggi wrote:
--
Tony Albers
Hi list,
I solved the problem. I matched some dontaudit rules by running semanage -DB, which helped me solve the problem.
Thank you
On 02/12/22 15:23, Alessandro Baggi wrote:
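Two things in the thread are worth making concrete, as an added example that is not code from the list messages: dontaudit rules suppress AVC logging until `semodule -DB` rebuilds the policy with them disabled (`semodule -B` puts them back), and while the generated `permissive example_t;` line is present, that domain's denials are recorded with permissive=1 rather than blocked. The parser below runs over a constructed audit.log excerpt (the AVC details are hypothetical), keeps only denials for the custom domain, separates blocked from logged-only ones, and renders the allow rules audit2allow would propose for them.

```python
import re
from typing import NamedTuple

# Constructed audit.log excerpt: non-AVC record types like those seen in the thread,
# plus two hypothetical AVC records of the kind that only show up once dontaudit is off.
SAMPLE_AUDIT_LOG = """\
type=CRYPTO_KEY_USER msg=audit(1669987380.101:9001): pid=1200 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server res=success'
type=SERVICE_START msg=audit(1669987381.202:9002): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=example comm="systemd" res=success'
type=AVC msg=audit(1669987382.303:9003): avc:  denied  { name_connect } for  pid=1300 comm="python3" dest=5432 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1669987382.304:9004): avc:  denied  { read } for  pid=1300 comm="python3" name="data.csv" dev="dm-0" ino=4711 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=ANOM_ABEND msg=audit(1669987383.405:9005): uid=992 subj=system_u:system_r:example_t:s0 pid=1300 comm="python3" exe="/usr/bin/python3.9" sig=6 res=1
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
                    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

class Denial(NamedTuple):
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    enforced: bool  # permissive=0: the kernel actually blocked the access

def parse_avc_denials(log_text, domain=None):
    """Return AVC denials, optionally only those whose source type is `domain`."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("decision") != "denied":
            continue  # CRYPTO_*, SERVICE_*, ANOM_ABEND etc. carry no SELinux verdict
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if domain and f["scontext"].split(":")[2] != domain:
            continue
        denials.append(Denial(tuple(m.group("perms").split()), f["scontext"],
                              f["tcontext"], f["tclass"],
                              enforced=f.get("permissive", "0") == "0"))
    return denials

def allow_rules(denials):
    """Render each denial as the allow rule audit2allow would propose for it."""
    rules = {f"allow {d.scontext.split(':')[2]} {d.tcontext.split(':')[2]}"
             f":{d.tclass} {{ {' '.join(d.perms)} }};" for d in denials}
    return sorted(rules)

if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG, domain="example_t"):
        print("BLOCKED" if d.enforced else "logged only", d)
    print("\n".join(allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))))
```

Feed it `ausearch -m AVC -ts recent` output (or the raw audit.log) after `semodule -DB` and a reproduction of the error; a denial that prints as BLOCKED is the one to add to the module, not silence again.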