Portal:SELinux/Common issues


Common Issues

execheap, execmod, execstack booleans

The openSUSE SELinux policies have been tuned to provide as much protection as possible for most users, which means that potentially dangerous functionality not needed by the majority of users is disabled by default. The execheap, execmod, and execstack permissions are an example: they let a process execute code from its heap, from a memory-mapped file it has modified (typically a library with text relocations), and from its stack respectively. Normal Linux applications do not need any of these, and each one gives an attacker who has found a memory-corruption bug an easy way to run injected code, so they are denied by default.

You can refer to bug 1206292 for further information.

A list of applications that have been reported to need one of these permissions is presented below. The list is not complete, but it may help you troubleshoot these or similar applications. In every case, confirm the actual denial first (for example with sudo ausearch -m AVC -ts recent) rather than enabling booleans on suspicion: the booleans below apply to all unconfined user processes, not only to the program that failed.

Steam Proton, Bottles, WINE, Lutris not working from flatpaks

If WINE, or a WINE-based program, fails inside a flatpak, it may be because SELinux denies execmod (executing a memory-mapped file after it has been modified, as happens with libraries that carry text relocations). If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execmod 1

Or permanently with:

sudo setsebool -P selinuxuser_execmod 1

Team Fortress 2 missing audio

If Team Fortress 2 has no audio, it may be because SELinux denies execheap (executing code from the heap). If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execheap 1

Or permanently with:

sudo setsebool -P selinuxuser_execheap 1

Android Studio emulator not working from flatpak

If the Android Studio emulator fails inside a flatpak, it may be because SELinux denies execstack (executing code from the stack). If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execstack 1

Or permanently with:

sudo setsebool -P selinuxuser_execstack 1
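As an added example (it is not from this wiki page, nor part of the openSUSE policy), the following script confirms from the audit log which of the three permissions is actually being denied before any boolean is changed, and maps it to the selinuxuser_* boolean named above. The AVC line embedded in it is constructed (fake pid, inode and path); ausearch, getsebool and setsebool are the standard SELinux tools and need root on a live system.

```shell
#!/usr/bin/env bash
# Added example, not from the openSUSE wiki: triage exec* AVC denials before
# touching any boolean. Only the AVC parsing runs without SELinux; the other
# functions need root on a live SELinux system.
set -u

# Map one AVC "denied { <perm> }" line to the selinuxuser_* boolean covering
# it. Prints "unknown" for any other permission, which means the denial is
# not one of the three cases discussed above and needs a different fix.
boolean_for_avc() {
    local line="$1" perm
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    case "$perm" in
        execheap)  echo selinuxuser_execheap ;;
        execmod)   echo selinuxuser_execmod ;;
        execstack) echo selinuxuser_execstack ;;
        *)         echo unknown ;;
    esac
}

# List recent AVC denials from the audit log (root, auditd) with the boolean
# each maps to. Nothing is changed here; read this output first.
triage_recent_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep 'avc: *denied' |
    while IFS= read -r avc; do
        printf '%s\t%s\n' "$(boolean_for_avc "$avc")" "$avc"
    done
}

# Enable one boolean. Without PERSIST=1 the change is lost on reboot, which
# is the safer default while you are still confirming it fixes the program.
# The boolean applies to every unconfined user process, not just the flatpak
# that triggered the denial.
enable_boolean() {
    local bool="$1"
    getsebool "$bool" >/dev/null 2>&1 || { echo "no such boolean: $bool" >&2; return 1; }
    if [ "${PERSIST:-0}" = 1 ]; then
        setsebool -P "$bool" 1
    else
        setsebool "$bool" 1
    fi
    getsebool "$bool"
}

# Constructed AVC line (fake pid, inode and path) for exercising the parser:
SAMPLE_AVC='type=AVC msg=audit(1700000000.000:1): avc:  denied  { execmod } for  pid=4242 comm="wine64" path="/app/lib/libexample.so" dev="dm-0" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

boolean_for_avc "$SAMPLE_AVC"   # prints selinuxuser_execmod
```

Run triage_recent_denials right after reproducing the failure; if every line maps to "unknown", none of the three booleans above is the fix and enabling them only widens the attack surface for nothing. Keep the change non-persistent until the application is confirmed to work, then set PERSIST=1 if you really want it to survive reboots.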

virtualization denials (libvirt, xen, qemu,...)

xen: allow qemu to run as a daemon

Xen starts qemu as a daemon via systemd when qemu is used as the dom0 disk backend (see xen-qemu-dom0-disk-backend.service).

This is currently not allowed by default. To allow it, enable the boolean xen_use_qemu_for_dom0_disk_backend and relabel the xenstore directory:

sudo semanage boolean -m --on xen_use_qemu_for_dom0_disk_backend
sudo restorecon -Rv /var/lib/xen/xenstore

Please refer to for more information.

Non-standard file locations

Especially with btrfs, it can be desirable to store some data in non-standard locations: for example, to keep virtual machine images, containers or databases in subvolumes with copy-on-write disabled for performance, or to keep certain data out of snapshots.

Relocating a user's directories is also common on any filesystem; xdg-user-dirs-update exists for exactly this purpose, but it is not SELinux-aware.

The system administrator who moves these locations must also take care of the SELinux file context labelling, or the confined services that use them will be denied access. Note that some of the SELinux tools do not work correctly across btrfs subvolume boundaries: they treat subvolumes as separate filesystems and fail to label the files inside them, so check the result inside each subvolume. See Bug 1228849 for details.

One way to handle this is to create an SELinux file context equivalence: one directory is declared equivalent to another for SELinux purposes, so the custom path inherits all file context rules of the stock path.

First, we can create an equivalence:

sudo semanage fcontext --add --equal "/path/to/stock/directory" "/path/to/custom/location/you/want/to/act/like/stock"

Test it out to see what would change, without changing anything:

sudo restorecon -Rvn "/path/to/custom/location/you/want/to/act/like/stock"

Apply the changes:

sudo restorecon -R "/path/to/custom/location/you/want/to/act/like/stock"

Manage the equivalences we have created:

sepolicy gui

or

sudo semanage fcontext --list -C

An alternative to creating an equivalence is to specify the context type directly, if it is known (ls -Z on the stock directory shows what the consuming service expects). The following assigns the placeholder type selinux_foo_t to the directory /path/to/virtual/machine/images and all of its contents:

sudo semanage fcontext -a -t selinux_foo_t "/path/to/virtual/machine/images(/.*)?"
sudo restorecon -Rvn /path/to/virtual/machine/images
sudo restorecon -R /path/to/virtual/machine/images
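The following script is an added example covering both recipes above (the equivalence and the direct type assignment); it is not from this wiki page or from the openSUSE tooling. It previews the relabel, applies it, and then verifies with a second dry run that nothing was left mislabeled, visiting every btrfs subvolume under the custom path explicitly as a workaround for the subvolume-boundary problem noted above (that workaround, the inode-256 test for subvolume roots, and the assumption that nothing else is mounted inside the tree are this example's own). The /data/vm paths, the virt_image_t sample contexts and the relabel.sh file name are hypothetical, and the embedded restorecon output is constructed; semanage and restorecon need root on a SELinux system.

```shell
#!/usr/bin/env bash
# Added example, not from the openSUSE wiki: relabel a relocated directory,
# preview first, then verify nothing is left mislabeled, visiting every btrfs
# subvolume under it explicitly (assumed workaround for tools that stop at
# subvolume boundaries). semanage/restorecon need root on a SELinux system.
set -u

# Count "Would relabel ..." lines from `restorecon -nv` output on stdin.
# Zero means the tree already carries the contexts the policy expects.
count_pending_relabels() {
    grep -c '^Would relabel ' || true
}

# The tree root plus every btrfs subvolume root below it. Subvolume roots
# always have inode number 256 on btrfs (assumption: no other filesystem is
# mounted inside the tree). On non-btrfs trees this prints only the root.
subvolume_roots() {
    local root="$1"
    { printf '%s\n' "$root"; find "$root" -type d -inum 256 -fstype btrfs 2>/dev/null; } | sort -u
}

# Dry run over the root and each subvolume; show what would change on stderr
# and print the total number of pending relabels on stdout.
preview_relabel() {
    local root="$1"
    subvolume_roots "$root" | while IFS= read -r dir; do
        restorecon -Rnv "$dir" | tee /dev/stderr | count_pending_relabels
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Full procedure. Mode "equal STOCK CUSTOM" uses an equivalence; mode
# "type TYPE CUSTOM" assigns a known type directly, as in the second recipe.
relabel_relocated() {
    local mode="$1" arg="$2" custom="$3" dir left
    case "$mode" in
        equal) semanage fcontext --add --equal "$arg" "$custom" ;;
        type)  semanage fcontext -a -t "$arg" "$custom(/.*)?" ;;
        *)     echo "usage: relabel_relocated equal|type ARG CUSTOM" >&2; return 2 ;;
    esac
    echo "pending before apply: $(preview_relabel "$custom")"
    subvolume_roots "$custom" | while IFS= read -r dir; do restorecon -R "$dir"; done
    # Verify: a second dry run must find nothing left to relabel.
    left=$(preview_relabel "$custom")
    if [ "$left" -ne 0 ]; then
        echo "WARNING: $left paths under $custom still mislabeled" >&2
        return 1
    fi
    echo "OK: $custom labeled ($mode $arg)"
}

# Constructed `restorecon -nv` output (hypothetical /data/vm paths) so the
# counter can be exercised without SELinux:
SAMPLE_DRYRUN='Would relabel /data/vm/disk0.qcow2 from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Would relabel /data/vm/disk1.qcow2 from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0'
printf '%s\n' "$SAMPLE_DRYRUN" | count_pending_relabels   # prints 2

# Real run, e.g.: RELABEL_RUN=1 ./relabel.sh equal /var/lib/libvirt/images /data/vm
if [ "${RELABEL_RUN:-0}" = 1 ]; then
    relabel_relocated "$@"
fi
```

The final verification matters more than the apply step: if the second dry run still reports pending relabels, files inside a nested subvolume were skipped and the service that reads them will be denied, which is exactly the failure mode Bug 1228849 describes. Running restorecon per subvolume root is redundant on a fixed toolchain and harmless either way.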