Fedora 30 SELinux issues

Shortly before the release date, Fedora 30 on x86_64 still had a few minor outstanding SELinux issues: AVC denials on service start-up and a couple of socket and mount accesses that the stock policy did not cover. These can easily be fixed with a small SELinux policy module.

Fedora 30 has long been released and these issues may or may not have been fixed in the meantime. Before you apply this, check /var/log/audit/audit.log (or the journal, if auditd is not running) for AVC denials and only load the module if they still occur. If you think this article is obsolete then leave a comment.

Hotfix: SELinux module

I've created an SELinux module which you can compile yourself from the .te source below or download ready-built from here. Once loaded, your Fedora 30 installation will have these SELinux issues fixed. The module also carries a few extra rules for postfix, dovecot, vnstat, iptables-services and openssh-server. They do no harm if you do not have this software installed: the types they reference are defined by policy modules that ship with the stock targeted policy, so the require block is satisfied even when the packages themselves are absent. Nearly all of the rules grant noatsecure, rlimitinh and siginh on a domain transition, which only controls what the child process inherits across the transition (secure-exec environment handling, resource limits and signal state) and adds no file, socket or network access; the remaining rules let systemd mount over vnstat's state directory and permit a few unix-socket accesses.
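Two things a practitioner wants before loading such a module: a quick way to see which denials in the audit log the module would actually cover, and the compile step for the .te. The script below is an added example and is not part of the original post or its module; the AVC records and the three-rule excerpt it checks against are constructed samples, and the function names (avc_summary, module_covers, uncovered_denials, build_module) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): triage AVC denials against a .te
# module before loading it, then build the .pp the standard way.
# The AVC records below are constructed samples in auditd's format, not real logs.

SAMPLE_AVC='type=AVC msg=audit(1556122800.123:456): avc:  denied  { noatsecure rlimitinh } for  pid=1234 comm="master" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1556122801.456:457): avc:  denied  { siginh } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=0
type=AVC msg=audit(1556122802.789:458): avc:  denied  { connectto } for  pid=2222 comm="iptables" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1556122803.012:459): avc:  denied  { write } for  pid=3333 comm="vnstatd" name="vnstat" scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0'

# Reduce AVC records on stdin to "source_type target_type class permission",
# one line per denied permission, de-duplicated.
avc_summary() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' | sort -u
}

# $1=source type $2=target type $3=class $4=permission $5=.te file
# Matches both "allow a b:c perm;" and "allow a b:c { ... perm ... };".
module_covers() {
    grep -E "^allow[[:space:]]+$1[[:space:]]+$2:$3[[:space:]]+(\{[^}]*[[:space:]]$4[[:space:]][^}]*\}|$4;)" "$5" >/dev/null
}

# AVC records on stdin; prints the denials that the .te in $1 would NOT allow.
# Real use: ausearch -m AVC -ts today | uncovered_denials fc30-generic.te
uncovered_denials() {
    avc_summary | while read -r s t c p; do
        module_covers "$s" "$t" "$c" "$p" "$1" || echo "$s $t $c $p"
    done
}

# Constructed three-rule excerpt in the same syntax as fc30-generic.te.
write_sample_te() {
    cat > "$1" <<'EOF'
module avc-sample 1.0;

require {
        type init_t;
        type initrc_t;
        type iptables_t;
        type plymouthd_t;
        type postfix_master_t;
        type postfix_qmgr_t;
        class process { noatsecure rlimitinh siginh };
        class unix_stream_socket connectto;
}

allow init_t initrc_t:process siginh;
allow iptables_t plymouthd_t:unix_stream_socket connectto;
allow postfix_master_t postfix_qmgr_t:process { noatsecure rlimitinh siginh };
EOF
}

# Compile a .te into a loadable .pp: checkmodule emits the binary module,
# semodule_package wraps it. Needs the checkpolicy and policycoreutils packages.
build_module() {
    te=$1
    checkmodule -M -m -o "${te%.te}.mod" "$te" &&
        semodule_package -o "${te%.te}.pp" -m "${te%.te}.mod"
}

# Demo: which of the sample denials would the sample excerpt leave unfixed?
tmp_te=$(mktemp)
write_sample_te "$tmp_te"
printf '%s\n' "$SAMPLE_AVC" | uncovered_denials "$tmp_te"
rm -f "$tmp_te"
```

Run against real data, the vnstatd denial in the sample is the kind of line that tells you a module is incomplete before you load it; a denial that remains uncovered after loading is either a genuine misconfiguration or a rule still missing, and neither is something to fix with permissive mode.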

Module details

module fc30-generic 1.0;
 
require {
        type vnstatd_var_lib_t;
        type postfix_showq_t;
        type iptables_t;
        type init_t;
        type postfix_pickup_t;
        type postfix_smtpd_t;
        type postfix_local_t;
        type postfix_qmgr_t;
        type plymouthd_t;
        type initrc_t;
        type dovecot_t;
        type postfix_cleanup_t;
        type postfix_master_t;
        type unconfined_service_t;
        type sshd_t;
        type NetworkManager_t;
        type dovecot_auth_t;
        type unconfined_t;
        type chkpwd_t;
        type postfix_smtp_t;
        type kmod_t;
        class process { noatsecure rlimitinh siginh };
        class dir mounton;
        class unix_stream_socket { connectto read write };
}
 
#============= NetworkManager_t ==============
allow NetworkManager_t initrc_t:process { noatsecure rlimitinh siginh };
 
#============= dovecot_auth_t ==============
allow dovecot_auth_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow dovecot_auth_t init_t:unix_stream_socket { read write };
 
#============= dovecot_t ==============
allow dovecot_t dovecot_auth_t:process { noatsecure rlimitinh siginh };
 
#============= init_t ==============
allow init_t chkpwd_t:process siginh;
allow init_t initrc_t:process siginh;
allow init_t unconfined_service_t:process siginh;
allow init_t unconfined_t:process siginh;
allow init_t vnstatd_var_lib_t:dir mounton;
 
#============= iptables_t ==============
allow iptables_t kmod_t:process { noatsecure rlimitinh siginh };
allow iptables_t plymouthd_t:unix_stream_socket connectto;
 
#============= postfix_master_t ==============
allow postfix_master_t postfix_cleanup_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_local_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_pickup_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_qmgr_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_showq_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_smtp_t:process { noatsecure rlimitinh siginh };
allow postfix_master_t postfix_smtpd_t:process { noatsecure rlimitinh siginh };
 
#============= sshd_t ==============
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };

Download

fc30-x86_64-selinux.tar.bz2

-rw-r--r--. 1 root root   4414 24. Apr 18:19 fc30-generic.pp
-rw-r--r--. 1 root root   2132 24. Apr 18:19 fc30-generic.te

Install hotfix module and enable SELinux

First of all, edit /etc/sysconfig/selinux (a symlink to /etc/selinux/config) and make sure the following is set:

SELINUX=enforcing

Then transfer the downloaded archive to the target system and do as follows:

tar -jxvf fc30-x86_64-selinux.tar.bz2
semodule -i fc30-generic.pp
fixfiles onboot
sync
reboot

This will install the SELinux module, tell the system (via the /.autorelabel flag file that fixfiles onboot creates) to relabel the filesystem during the next boot, and then reboot. The relabel may take quite a while depending on the number of files on your system, possibly more than 30 minutes. Do not skip it if SELinux was disabled before: files created while it was off carry no labels and would be treated as unlabeled under enforcing mode. Afterwards double-check that SELinux is active on your system:

# getenforce
Enforcing