Common Issues

The openSUSE SELinux policies have been tuned to provide as good protection as possible for most users. This means that potentially dangerous functionality not needed by the majority of users is disabled by default.

Sometimes, however, it is needed to tweak your SELinux policy for a specific workload. This is a general design principle of SELinux, which means it is encouraged to adapt the rules when needed.

This list provides an overview of common "issues", that can be solved by adapting the SELinux policy on the user's end.

SELinux booleans

SELinux booleans provide a simple way for the user to toggle some optional functionality in the SELinux policy, without having to add or modify policy modules. Booleans make it easy for policy writers to account for and support situations which are only needed by specific users for specific workloads, without compromising the security of all other users in the general case.

execheap, execmod, execstack booleans

The execheap, execmod, and execstack booleans are an example of this, in the sense that they allow behaviour which is generally dangerous, and not needed by normal Linux applications. As such, they are disabled by default. However, there are specific applications, workloads and circumstances where they can be useful or necessary. In these cases, the user can evaluate the risks and decide to enable the boolean on their system.

You can refer to bug 1206292 for further information.

A list of applications that have been reported to possibly need these permissions is presented below. This list is not complete, but might help you to troubleshoot these or similar applications.

Steam Proton, Bottles, WINE, Lutris, not working

NOTE(for steam, lutris and Bottles rpm): The SELinux team introduced a new dependency to the steam, lutris and Bottles software as it is packaged in openSUSE, which should fix the below problem automatically on SELinux enabled systems. The change automatically installs a package called selinux-policy-targeted-gaming. For the flatpak versions a manual fix is still needed, as we can not add dependencies onto them. Manually installing selinux-policy-targeted-gaming should fix problems with the flatpak versions as well. If you encounter issues with this solution please open a bug.

All necessary changes are available in the repositories.

NOTE(for wine rpm): For wine there are improvements introduced with the selinux-policy version 20250312 or later, which may mean that the use of 'selinuxuser_execmod' is not needed anymore and wine might work out of the box. If setting 'selinuxuser_execmod' is still needed please consider open a bug, if the selinux team has a reproducer they might be able to improve the situation further.

If you run into issues using WINE, and WINE based programs (installed via flatpak or RPM), it could be due to SELinux preventing execution of modified memory-mapped files (execmod).

You can find out if this is the case by checking if the audit log contains AVCs like:

 type=AVC msg=audit(...): avc:  denied  { execmod } for  pid=... comm="wineboot.exe" 
 type=AVC msg=audit(...): avc:  denied  { execmod } for  pid=... comm="steam.exe" 
 ...

If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execmod 1

Or permanently with:

sudo setsebool -P selinuxuser_execmod 1

As an alternative you can also just install the RPM:

sudo zypper install selinux-policy-targeted-gaming

Team Fortress 2 missing audio

If you run into audio issues with Team Fortress 2, it could be due to SELinux preventing heap execution (execheap).

You can find out if this is the case by checking if the audit log contains AVCs like:

 type=AVC msg=audit(...): avc:  denied  { execheap } for  pid=... comm="..." 
 ...

If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execheap 1

Or permanently with:

sudo setsebool -P selinuxuser_execheap 1

Android Studio emulator not working from flatpak

If you run into issues using Android studio emulator in flatpaks, it could be due to SELinux preventing stack execution (execstack).

You can find out if this is the case by checking if the audit log contains AVCs like:

 type=AVC msg=audit(...): avc:  denied  { execstack } for  pid=... comm="..."
 ...

If you understand the risks, you can allow this on your system temporarily (resets on next boot) with

sudo setsebool selinuxuser_execstack 1

Or permanently with:

sudo setsebool -P selinuxuser_execstack 1

xen: Allow qemu to run as daemon

xen runs qemu as daemon via systemd when used in xen as dom0 disk backend (see xen-qemu-dom0-disk-backend.service).

This is currently not allowed by default. To allow this, enable the boolean xen_use_qemu_for_dom0_disk_backend:

sudo semanage boolean -m --on xen_use_qemu_for_dom0_disk_backend
sudo restorecon -Rv /var/lib/xen/xenstore

Please refer to bug 1228540 for more information.

Non-standard file locations

Especially when using btrfs filesystems, it may be desirable to store some data in non-standard locations. One cause for such a measure, is to optimise btrfs performance, such as to store virtual machines, containers or databases, in volumes without copy-on-write enabled. Another common cause, is to avoid certain data from being included in snapshots.

Common to all filesystems, it is very common for a user's directories to be relocated. For example, xdg-user-dirs-update exists for this purpose, but is not SELinux-aware.

The system administrator who alters these locations, must take care of SELinux file context labeling, to ensure correct functionality. It should be noted that some of the SELinux tools will not function correctly across btrfs subvolume boundaries, instead treating them as separate filesystems, and failing to label files within them. See Bug 1228849 for details.

One method to deal with this is to create an SELinux file context equivalence. This means telling SELinux to consider one directory equivalent to another for labeling purposes.

First, we can create an equivalence:

sudo semanage fcontext --add --equal "/path/to/stock/directory" "/path/to/custom/location/you/want/to/act/like/stock"

Test it out to see what would change, without changing anything:

sudo restorecon -Rvn "/path/to/custom/location/you/want/to/act/like/stock"

Apply the changes:

sudo restorecon -R "/path/to/custom/location/you/want/to/act/like/stock"

Manage equivalances we have created:

sepolicy gui

or

sudo semanage fcontext --list -C

An alternative to creating an equivalence is to specify the context directly, if it is known. The following sets selinux_foo_t labels on the directory /path/to/virtual/machine/images, and all of its contents:

sudo semanage fcontext -a -t selinux_foo_t "/path/to/virtual/machine/images(/.*)?"
sudo restorecon -Rvn /path/to/virtual/machine/images
sudo restorecon -R

Below are common examples on how to fix these issues.

snapper does not work on non-standard snapshot location

snapper needs a specific type for its snapshot location (see openQA test issue 168583). For example, when adding the snapshot to a directory /test, the file context needs to be set like this:

 semanage fcontext -a -t 'snapperd_data_t' -s system_u '/test(/.*)?'
 semanage fcontext -a -t '<<none>>' -s system_u '/test/[^/]*/snapshot(/.*)?'

quota does not work on non-standard location

quota needs a specific type for its database location (see openQA test issue 175338). For example, when adding the database to a directory /test, the file context needs to be set like this:

 semanage fcontext -a -t quota_db_t /test/quota/aquota.user
 semanage fcontext -a -t quota_db_t /test/quota/aquota.group

rsync does not work with SELinux

When using a non-standard path for rsync (e.g. /srv/rsync_test), you will need to set the file context for the directory (see openQA test issue 175890):

 semanage fcontext -a -t rsync_data_t "/srv/rsync_test(/.*)"

samba/cifs does not work with SELinux

When using samba shares (e.g. in /srv/samba), you will need to set the file context for the share as there is no default location (see openQA test issue 175839):

 semanage fcontext -a -t samba_share_t "/srv/samba(/.*)"

Non-standard port

When running services that are listening on a non-standard port, the system administrator needs to set a SELinux rule to allow connections on that port.

SELinux denials for webserver with non-standard port

When running a webserver on a non-standard port, you will need to tweak the SELinux policy by allowing the port:

 sudo semanage port -a -t http_port_t -p tcp 444

(see openQA test issue 168580)

MicroOS only

/var/lib/selinux module removal issue

On MicroOS, the SELinux tooling can run into some issues when there was a rollback from a policy with a dropped module to one that still contains the module. There will be a workaround in place for newer versions and a proper fix is being worked on. However, this could occur in older snapshots.

The symptom of this problem can be seen when setting booleans or rebuilding the policy:

 libsemanage.semanage_direct_get_module_info: Unable to open aiccu module lang ext file at /var/lib/selinux/targeted/active/modules/100/aiccu/lang_ext. (No such file or directory).
 semodule:  Failed on list!

To fix this problem run:

 find /var/lib/selinux/targeted/active/modules/100 -type d -empty -delete && semodule -B

Afterwards you should be able to set the booleans again.