openSUSE:Bugreport SELinux
To report an issue with SELinux, please open a bug in Bugzilla. Please make sure you follow the guidelines below so that the bug can be found and processed quickly. We will then get back to you and request more information from you if needed.
You can use the bug creation template to open a bug quickly: SELinux bug creation template for Tumbleweed in Bugzilla at openSUSE.org or SUSE.com
Summary line
Write a summary line that contains a [SELinux] prefix tag. An example for a valid summary line can be:
[SELinux] transactional-update can't run with selinux=permissive under cloud-init
Description
Please state the following information in your bug's description:
- Operating System: you can find this, for example, by running:
hostnamectl | grep "Operating System"
- SELinux status, mode and policy name: you can find this by running:
sestatus
- SELinux policy version and repository: you can find this, for example, by running:
zypper info selinux-policy
- The software (incl. version) that is affected by the SELinux issue and the error message
- SELinux Audit log: you can retrieve the audit log using ausearch.
The list of AVCs is fundamental! Please always provide this information in the bug.
E.g. to retrieve all SELinux violations since boot:
$ ausearch -ts boot -m avc,user_avc,selinux_err,user_selinux_err
- The exact steps to reproduce, i.e. how to configure and use the system to trigger the AVC
- Any other important details: e.g. what you were trying to accomplish when the error happened, other logs
NOTE: The output of setroubleshoot does not add any value, you do not have to provide it.
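The items listed above can be gathered in one pass. The following script is an added example, not an openSUSE tool; the function names section, os_line and build_report and the report layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: gathers the Description items into one plain-text report.
# section, os_line and build_report are names made up for this example.

# Print one report section. A missing tool or a non-zero exit status is
# recorded in the report instead of aborting, so no section is ever dropped.
section() {
    title=$1; shift
    printf '== %s ==\n' "$title"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '[%s not installed]\n\n' "$1"
        return 0
    fi
    # Capture stderr as well, so error text from the tool lands in the report.
    out=$("$@" 2>&1) && rc=0 || rc=$?
    [ -z "$out" ] || printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || printf '[exit status %s]\n' "$rc"
    printf '\n'
}

# Wrapper so the piped command from the guidelines can be passed to section.
os_line() { hostnamectl | grep "Operating System"; }

build_report() {
    if [ "$(id -u)" -ne 0 ]; then
        printf '[not run as root: the audit log may be unreadable]\n\n'
    fi
    section "Operating System" os_line
    section "SELinux status, mode and policy name" sestatus
    section "SELinux policy version and repository" zypper info selinux-policy
    section "SELinux violations since boot" \
        ausearch -ts boot -m avc,user_avc,selinux_err,user_selinux_err
    # These two items cannot be collected automatically.
    printf '== Affected software (incl. version) and error message ==\n[fill in]\n\n'
    printf '== Exact steps to reproduce ==\n[fill in]\n'
}

# Only produce the report when asked to, e.g.: sh thisfile.sh report > report.txt
if [ "${1:-}" = "report" ]; then
    build_report
fi
```

Run it as root with the argument report and redirect the output to a file, then fill in the two manual sections before pasting it into the bug.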
Common pitfalls
Before opening a bug, please check if your issue might be caused by a common pitfall and easily fixed. These common pitfalls include:
- Setting the system from "permissive" mode to "enforcing" mode without relabelling: In case you recently switched from "permissive" to "enforcing" mode, please check if you have triggered a relabel as well with:
touch /.autorelabel
Otherwise the labels on the filesystem might have shifted during the time in "permissive" mode and can cause issues when running in "enforcing" mode.
- SELinux denies a common workload: In case you run a very common workload and SELinux denies parts of the workload, this might be because you need to enable the SELinux boolean for it. Check the output of
ausearch -m avc -ts today | audit2allow
for suggested booleans. If there is none suggested, then your issue is likely a bug and you should report it. If a boolean is suggested, you can investigate if that is the correct boolean by installing selinux-policy-doc and checking the SELinux man page for that specific service:
man SERVICENAME_selinux
Booleans can be permanently enabled with:
setsebool -P BOOLEANNAME=1
When in doubt, please still open a bug.