/run/resolvconf/resolv.conf was dennied to access under SELinux Enforcing mode in Ubuntu 16.04

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
0
down vote

favorite












I'm running Ubuntu Xenial 16.04 in AWS EC2, I installed SELinux and change its mode to Enforcing. I've configured selinux type ssh_port_t to port 22. While I created port forwarding via ssh, I found the tunnel was not work properly.



In log file /var/log/syslog, it outputs



kernel: [ 311.860046] audit: type=1400 audit(1519664302.158:506): avc: denied getattr for pid=1367 comm="sshd" path="/run/resolvconf/resolv.conf" dev="tmpfs" ino=267 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0


SELinux prohibited command sshd to access file /run/resolvconf/resolv.conf, this file is a soft link of /etc/resolv.conf



$ readlink -f /etc/resolv.conf
/run/resolvconf/resolv.conf

$ ls -Z /etc/resolv.conf
unconfined_u:object_r:etc_t:SystemLow /etc/resolv.conf

$ ls -Z /run/resolvconf/resolv.conf
system_u:object_r:init_var_run_t:SystemLow /run/resolvconf/resolv.conf


File /run/resolvconf/resolv.conf default type is init_var_run_t, I've tried changing it to type default_t, var_run_t, sshd_var_run_t via command



# sudo semanage fcontext -a -t $TYPE /var/run/resolvconf/resolv.conf
sudo semanage fcontext -m -t $TYPE /var/run/resolvconf/resolv.conf

sudo restorecon -F -R /run/resolvconf/resolv.conf


When I changed it to sshd_var_run_t, the tunnel works. But other utility also need to use file /run/resolvconf/resolv.conf, e.g. chronyd, this solution is not well.



If I change SELinux mode to permissive, the tunnel worked well, SELinux just logged dennied info into system log.



But my requirement is make the system work well in Enforcing mode. How should I deal with file /run/resolvconf/resolv.conf or what should I do to solve the problem.






server amazon-ec2 resolv.conf resolvconf selinux







share|improve this question

















  • 1




    Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
    – Thomas Ward♦
    Feb 26 at 19:15






  • 1




    Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
    – Panther
    Feb 26 at 19:37














up vote
0
down vote

favorite












I'm running Ubuntu Xenial 16.04 in AWS EC2, I installed SELinux and change its mode to Enforcing. I've configured selinux type ssh_port_t to port 22. While I created port forwarding via ssh, I found the tunnel was not work properly.



In log file /var/log/syslog, it outputs



kernel: [ 311.860046] audit: type=1400 audit(1519664302.158:506): avc: denied getattr for pid=1367 comm="sshd" path="/run/resolvconf/resolv.conf" dev="tmpfs" ino=267 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0


SELinux prohibited command sshd to access file /run/resolvconf/resolv.conf, this file is a soft link of /etc/resolv.conf



$ readlink -f /etc/resolv.conf
/run/resolvconf/resolv.conf

$ ls -Z /etc/resolv.conf
unconfined_u:object_r:etc_t:SystemLow /etc/resolv.conf

$ ls -Z /run/resolvconf/resolv.conf
system_u:object_r:init_var_run_t:SystemLow /run/resolvconf/resolv.conf


File /run/resolvconf/resolv.conf default type is init_var_run_t, I've tried changing it to type default_t, var_run_t, sshd_var_run_t via command



# sudo semanage fcontext -a -t $TYPE /var/run/resolvconf/resolv.conf
sudo semanage fcontext -m -t $TYPE /var/run/resolvconf/resolv.conf

sudo restorecon -F -R /run/resolvconf/resolv.conf


When I changed it to sshd_var_run_t, the tunnel works. But other utility also need to use file /run/resolvconf/resolv.conf, e.g. chronyd, this solution is not well.



If I change SELinux mode to permissive, the tunnel worked well, SELinux just logged dennied info into system log.



But my requirement is make the system work well in Enforcing mode. How should I deal with file /run/resolvconf/resolv.conf or what should I do to solve the problem.






server amazon-ec2 resolv.conf resolvconf selinux







share|improve this question

















  • 1




    Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
    – Thomas Ward♦
    Feb 26 at 19:15






  • 1




    Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
    – Panther
    Feb 26 at 19:37












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm running Ubuntu Xenial 16.04 in AWS EC2, I installed SELinux and change its mode to Enforcing. I've configured selinux type ssh_port_t to port 22. While I created port forwarding via ssh, I found the tunnel was not work properly.



In log file /var/log/syslog, it outputs



kernel: [ 311.860046] audit: type=1400 audit(1519664302.158:506): avc: denied getattr for pid=1367 comm="sshd" path="/run/resolvconf/resolv.conf" dev="tmpfs" ino=267 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0


SELinux prohibited command sshd to access file /run/resolvconf/resolv.conf, this file is a soft link of /etc/resolv.conf



$ readlink -f /etc/resolv.conf
/run/resolvconf/resolv.conf

$ ls -Z /etc/resolv.conf
unconfined_u:object_r:etc_t:SystemLow /etc/resolv.conf

$ ls -Z /run/resolvconf/resolv.conf
system_u:object_r:init_var_run_t:SystemLow /run/resolvconf/resolv.conf


File /run/resolvconf/resolv.conf default type is init_var_run_t, I've tried changing it to type default_t, var_run_t, sshd_var_run_t via command



# sudo semanage fcontext -a -t $TYPE /var/run/resolvconf/resolv.conf
sudo semanage fcontext -m -t $TYPE /var/run/resolvconf/resolv.conf

sudo restorecon -F -R /run/resolvconf/resolv.conf


When I changed it to sshd_var_run_t, the tunnel works. But other utility also need to use file /run/resolvconf/resolv.conf, e.g. chronyd, this solution is not well.



If I change SELinux mode to permissive, the tunnel worked well, SELinux just logged dennied info into system log.



But my requirement is make the system work well in Enforcing mode. How should I deal with file /run/resolvconf/resolv.conf or what should I do to solve the problem.






server amazon-ec2 resolv.conf resolvconf selinux







share|improve this question













I'm running Ubuntu Xenial 16.04 in AWS EC2, I installed SELinux and change its mode to Enforcing. I've configured selinux type ssh_port_t to port 22. While I created port forwarding via ssh, I found the tunnel was not work properly.



In log file /var/log/syslog, it outputs



kernel: [ 311.860046] audit: type=1400 audit(1519664302.158:506): avc: denied getattr for pid=1367 comm="sshd" path="/run/resolvconf/resolv.conf" dev="tmpfs" ino=267 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0


SELinux prohibited command sshd to access file /run/resolvconf/resolv.conf, this file is a soft link of /etc/resolv.conf



$ readlink -f /etc/resolv.conf
/run/resolvconf/resolv.conf

$ ls -Z /etc/resolv.conf
unconfined_u:object_r:etc_t:SystemLow /etc/resolv.conf

$ ls -Z /run/resolvconf/resolv.conf
system_u:object_r:init_var_run_t:SystemLow /run/resolvconf/resolv.conf


File /run/resolvconf/resolv.conf default type is init_var_run_t, I've tried changing it to type default_t, var_run_t, sshd_var_run_t via command



# sudo semanage fcontext -a -t $TYPE /var/run/resolvconf/resolv.conf
sudo semanage fcontext -m -t $TYPE /var/run/resolvconf/resolv.conf

sudo restorecon -F -R /run/resolvconf/resolv.conf


When I changed it to sshd_var_run_t, the tunnel works. But other utility also need to use file /run/resolvconf/resolv.conf, e.g. chronyd, this solution is not well.



If I change SELinux mode to permissive, the tunnel worked well, SELinux just logged dennied info into system log.



But my requirement is make the system work well in Enforcing mode. How should I deal with file /run/resolvconf/resolv.conf or what should I do to solve the problem.






server amazon-ec2 resolv.conf resolvconf selinux




server amazon-ec2 resolv.conf resolvconf selinux






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 26 at 19:12









Gorgon

1




1







  • 1




    Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
    – Thomas Ward♦
    Feb 26 at 19:15






  • 1




    Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
    – Panther
    Feb 26 at 19:37












  • 1




    Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
    – Thomas Ward♦
    Feb 26 at 19:15






  • 1




    Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
    – Panther
    Feb 26 at 19:37







1




1




Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
– Thomas Ward♦
Feb 26 at 19:15




Just going to ask an obvious question, but is there a reason you need SELinux that the already-bundled AppArmor system isn't good enough for?
– Thomas Ward♦
Feb 26 at 19:15




1




1




Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
– Panther
Feb 26 at 19:37




Selinux is not well maintained on Ubuntu you will have to write policy yourself. I suggest you use apparmor or if you want selinux a ton system RHEL , Centos, or Fedora
– Panther
Feb 26 at 19:37















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1010065%2frun-resolvconf-resolv-conf-was-dennied-to-access-under-selinux-enforcing-mode-i%23new-answer', 'question_page');

);

Post as a guest






















active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1010065%2frun-resolvconf-resolv-conf-was-dennied-to-access-under-selinux-enforcing-mode-i%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

pylint3 and pip3 broken

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have tried sudo apt remove --purge on various packages. I get the same when I reinstall. I have also tried reinstall using aptitude. This does not work. My current workaround is to run pylint3 as root, which works, but is bad practice. pip3 $ pip3 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pip/_vendor/__init__.py", line 33, in vendored __import__(vendored_name, globals(), locals(), level=0) ImportError: No module named 'pip._vendor.pkg_resources' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/bin/pip3", line 9, in <module> from pip import main File "/usr/lib/python3/dist-packages/pip/__init__.py", line 13, in <module> from pip.exceptions import InstallationError, CommandError, PipError File "/usr/lib/python3/dist-packages/pip/exceptions.py", line 6, ...
Read more

Missing snmpget and snmpwalk

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried to install it with: apt-get install net-snmp-utils but I have error message: Unable to locate package. I have also check what from SNMP is preinstalled and there is: libsnmp-base libsnmp30:amd64 snmp-mibs-downloader snmpd snmptrapd snmptrapfmt How can I install snmpget and snmpwalk ? snmp zabbix share | improve this question edited Jan 29 at 10:10 Yaron 8,552 7 18 38 asked Jan 29 at 9:51 Alfista 1 apt install snmp perhaps ? If named differently - apt cache snmp – fugitive Jan 29 at 10:00 add a comment  |  up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried...
Read more

How to enroll fingerprints to Ubuntu 17.10 with VFS491

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
Read more