mock won’t work as-is for a user confined to the staff_u SELinux user (staff_selinux) in RHEL 7. The instructions from Fedora are mostly correct, but insufficient for staff_u. This is because:
- /usr/bin/mock is now a symlink to /usr/bin/consolehelper, so the permissions consolehelper needs have to be allowed as well.
- The Fedora mock policy module does not have the types like
There are a lot more reasons, but long story short, I have edited a policy file (PackageMaintainers_MockTricks_mock.te) that should cover most mock usage. My SELinux skill built up quickly by editing that file. 🙂
Time for a script that sets up mock, assuming you are running as root:
# getting dependencies
yum -y install selinux-policy-devel policycoreutils-python mock
# Download policy files
# Build and install
make -f /usr/share/selinux/devel/Makefile
semodule -i PackageMaintainers_MockTricks_mock.pp
If you are still getting SELinux AVC denials after that, you can generate a local module from the denials in the audit log:
grep -E -e "(mock|consolehelper)" /var/log/audit/audit.log | audit2allow -M my_mock
semodule -i my_mock.pp
Read the generated my_mock.te before running semodule: audit2allow allows exactly what was denied, so stray denials from unrelated processes that happen to match the grep end up as permanent rules. Keep only the rules that belong to mock's domain, and prefer to fold them into the .te above rather than piling up ad-hoc modules.
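Before feeding denials to audit2allow it pays to look at what they actually are. The following shell snippet is an added example, not part of the original post or of the mock project: it reads audit.log lines on stdin, keeps only type=AVC records for the given process names, and prints one line per distinct (comm, scontext, tcontext, tclass, permission) so you can decide which of them mock genuinely needs. The SAMPLE_AUDIT lines embedded below are constructed for the demo; on a real machine run it as avc_summary 'mock|consolehelper' < /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for selected processes before
# handing them to audit2allow. Not from the original post or from mock.

# Constructed sample audit.log lines (not real captures). Note the SYSCALL
# record also mentions comm="consolehelper" but is not an AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1418745600.101:901): avc:  denied  { execute } for  pid=2001 comm="consolehelper" name="mock" dev="dm-0" ino=131 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mock_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1418745600.101:901): arch=c000003e syscall=59 success=no exit=-13 comm="consolehelper" exe="/usr/bin/consolehelper" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1418745600.102:902): avc:  denied  { read } for  pid=2002 comm="mock" name="mock.cfg" dev="dm-0" ino=132 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1418745600.103:903): avc:  denied  { name_connect } for  pid=2003 comm="synergyc" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_summary ERE
#   Reads audit records on stdin. Keeps type=AVC lines whose comm= matches the
#   extended regex given as $1, then reduces each to
#     comm scontext -> tcontext tclass {permission}
#   and prints the distinct combinations. Each output line corresponds to one
#   allow rule audit2allow would generate, which is what you want to review.
avc_summary() {
    pattern="$1"
    grep -E 'type=AVC' |
    grep -E "comm=\"(${pattern})\"" |
    sed -E 's/.*avc:[[:space:]]+denied[[:space:]]+\{ *([^}]*) \} for .*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\2 \3 -> \4 \5 {\1}/' |
    sort -u
}

# Demo on the constructed sample: only the two mock/consolehelper denials
# survive; the SYSCALL record and the synergyc denial are filtered out.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary 'mock|consolehelper'
```

Once the list looks right, the same grep you used for the summary can feed audit2allow; anything in the summary you do not recognise as a mock access is a reason to tighten the pattern rather than install the module.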
If SELinux is enforcing and your user is mapped to a confined SELinux user such as staff_u instead of unconfined_u, you may find that synergy or other TCP/UDP services stop working. That is because your role is not allowed to listen on the ports those services need.
To allow confined users to run TCP servers (bind to ports and accept connections from the same domain and from outside), run:
sudo setsebool -P selinuxuser_tcp_server 1
and for UDP:
sudo setsebool -P selinuxuser_udp_server 1
The -P makes the boolean persistent across reboots; without it the setting is lost at the next boot. Note that these booleans apply to every confined user domain on the machine, not just to your account.
See also: the user_selinux(8) man page (SELinux policy documentation for the user domains).
Do you have a valid key, with the public key in ~/.ssh/authorized_keys on the target ssh server, but you still get asked for a password? Here is a checklist you can go through:
- On the client, ~/.ssh and its contents must not be readable or writable by other users; ssh refuses to use a private key that others can read:
chmod 700 ~/.ssh; chmod go-rw ~/.ssh/*
- The same goes for ~/.ssh on the server, where sshd (with the default StrictModes yes) ignores authorized_keys if the file or the directory is writable by group or others:
chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
- Your home directory on the server must not be writable by group or others, for the same StrictModes reason:
chmod go-w ~
- If SELinux is enforcing on the server, make sure ~/.ssh on the server has the SELinux type for ssh home content (user_ssh_home_t / ssh_home_t):
ls -dZ ~/.ssh          # show the SELinux context of ~/.ssh
restorecon -Rv ~/.ssh  # relabel from the policy's file contexts
chcon -R -t user_ssh_home_t ~/.ssh also works, but restorecon is preferred: a label set with chcon is lost on the next relabel.
- ssh -vvv <login@server> to get more information on the client side.
- See the server log /var/log/secure for sshd output. Set LogLevel DEBUG3 in /etc/ssh/sshd_config and restart sshd for more detailed debugging messages.
- See /var/log/audit/audit.log on the server for SELinux denials (ausearch -m avc -ts recent picks them out for you).
Note that this checklist is for Fedora and RHEL; adjust the file paths to suit your system.
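The permission part of the checklist is mechanical enough to script. The following is an added example, not from the original post or from OpenSSH: it checks a home directory the way sshd's StrictModes does (home, ~/.ssh and authorized_keys must not be writable by group or others and must be owned by the user or root) and, as a separate function, that ~/.ssh carries the ssh home type when SELinux is on. It assumes GNU stat (the -c option), as on Fedora and RHEL; the function and file names are my own.

```shell
#!/bin/sh
# Added example: reproduce the ownership/permission rules sshd's StrictModes
# (on by default) applies before it trusts ~/.ssh/authorized_keys, plus the
# SELinux label check from the checklist. Not from the original post or OpenSSH.
# Assumes GNU stat as on Fedora/RHEL.
# Usage: ./check_ssh_perms.sh /home/alice   -> exit 0 if OK, 1 with one line per problem

# check_path PATH OWNER_UID
#   A path fails if it is writable by group or others (mode & 022 != 0) or is
#   owned by anyone other than the home's owner or root. Prints each problem.
check_path() {
    path="$1"; owner_uid="$2"
    mode=$(stat -c '%a' "$path")    # e.g. 755; "0$mode" makes it octal for $(( ))
    uid=$(stat -c '%u' "$path")
    ok=0
    if [ "$(( 0$mode & 022 ))" -ne 0 ]; then
        echo "$path is writable by group/others (mode $mode)"; ok=1
    fi
    if [ "$uid" -ne "$owner_uid" ] && [ "$uid" -ne 0 ]; then
        echo "$path is owned by uid $uid, not the user or root"; ok=1
    fi
    return $ok
}

# check_ssh_perms HOME
#   Applies check_path to the home directory, ~/.ssh and authorized_keys.
#   Returns 0 when sshd would accept the key file, 1 otherwise.
check_ssh_perms() {
    home="$1"
    status=0
    [ -d "$home" ] || { echo "missing home directory: $home"; return 1; }
    owner_uid=$(stat -c '%u' "$home")
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; status=1; continue
        fi
        check_path "$p" "$owner_uid" || status=1
    done
    return $status
}

# check_ssh_selinux HOME
#   When SELinux is available and not disabled, ~/.ssh must carry the ssh home
#   type (ssh_home_t / user_ssh_home_t). Returns 0 if so or if SELinux is off.
check_ssh_selinux() {
    home="$1"
    command -v getenforce >/dev/null 2>&1 || return 0
    [ "$(getenforce)" != "Disabled" ] || return 0
    [ -d "$home/.ssh" ] || { echo "missing: $home/.ssh"; return 1; }
    ctx=$(stat -c '%C' "$home/.ssh")
    case "$ctx" in
        *ssh_home_t*) return 0 ;;
        *) echo "$home/.ssh has SELinux context $ctx, expected type ssh_home_t (fix: restorecon -Rv $home/.ssh)"
           return 1 ;;
    esac
}

# Run both checks on the home directory given on the command line.
if [ -n "$1" ]; then
    rc=0
    check_ssh_perms "$1" || rc=1
    check_ssh_selinux "$1" || rc=1
    exit $rc
fi
```

Run it as the user whose login fails (or as root with the user's home), fix what it reports, then retry with ssh -vvv; if it passes and sshd still falls back to password authentication, the remaining suspects are the key itself and the sshd log at DEBUG3.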