WikiTable of Contents
Fedora 30 with SELinux on Raspberry Pi 3
Many of you may not have noticed, but Fedora is releasing for ARMv7 architecture and delivers an absolutely outstanding Fedora release for Raspberry Pi since Fedora 25 or so. The key bonus of running Fedora 30 on Raspberry Pi is having SELinux.
Major issues with NetworkManager
As you may have guessed, I've long been running Fedora 30 on Raspberry Pi 3/3b and I've found a showstopper with the current (April 25) default SELinux context that will keep your Raspberry from bringing up the network, due to issues with NetworkManager being unable to access files due to SELinux issues with /dev filesystem. It seems that the installer labels the /dev filesystem after devtmpfs is mounted on /dev.
Hotfix: Change SELinux context
mount --bind / /mnt && chcon system_u:object_r:device_t:s0 /mnt/dev umount /mnt
Using chcon? Would that survive relabelling at a later point? Devtmpfs should already be mounted on /dev at the point of filesystem relabelling so the underlying /dev directory is not relabelled.
Hotfix: SELinux module
I've created an SELinux module which you can compile on your own or download and install from here. Once loaded your Raspberry Pi 3 will have this and some other SELinux issues fixed. This module has some extra rules for fail2ban, vnstat and iptables-services, nothing that will hurt if you do not have this installed.
Module details
module fc30-generic 1.0; require { type plymouthd_t; type chkpwd_t; type NetworkManager_t; type initrc_t; type tty_device_t; type getty_t; type vnstatd_var_lib_t; type sshd_t; type fail2ban_t; type unconfined_service_t; type kmod_t; type unlabeled_t; type init_t; type local_login_t; type iptables_t; type unconfined_t; class process { noatsecure rlimitinh siginh }; class dir mounton; class unix_stream_socket connectto; class chr_file { read write }; } #============= NetworkManager_t ============== allow NetworkManager_t initrc_t:process { noatsecure rlimitinh siginh }; #============= chkpwd_t ============== allow chkpwd_t tty_device_t:chr_file { read write }; #============= fail2ban_t ============== allow fail2ban_t iptables_t:process { noatsecure rlimitinh siginh }; #============= getty_t ============== allow getty_t local_login_t:process { noatsecure rlimitinh siginh }; #============= init_t ============== allow init_t chkpwd_t:process siginh; allow init_t initrc_t:process siginh; allow init_t unconfined_service_t:process siginh; allow init_t unconfined_t:process siginh; allow init_t unlabeled_t:dir mounton; allow init_t vnstatd_var_lib_t:dir mounton; #============= iptables_t ============== allow iptables_t kmod_t:process { noatsecure rlimitinh siginh }; allow iptables_t plymouthd_t:unix_stream_socket connectto; #============= local_login_t ============== allow local_login_t chkpwd_t:process { noatsecure rlimitinh siginh }; allow local_login_t unconfined_t:process { noatsecure siginh }; #============= sshd_t ============== allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };
Download
-rw-r--r--. 1 root root 3670 Apr 25 12:33 fc30-generic.pp -rw-r--r--. 1 root root 1644 Apr 25 12:33 fc30-generic.te
Install hotfix module and enable SELinux
First of all, edit /etc/sysconfig/selinux and make sure the following is set:
SELINUX=enforcing
Then transfer the downloaded module to your device and do as follows:
tar -jxvf fc30-pi3-selinux.tar.bz2 semodule -i fc30-generic.pp fixfiles onboot sync reboot
This will install the SELinux module, set the Raspberry Pi3 to relabel the filesystem during next boot (this may take quite a while depending on the amount of files on your system, could be more than 30 minutes) and then issue a reboot. Afterwards double-check that SELinux is active on your system:
# getenforce
Enforcing