GNUNet/SELinux

From LinuxReviews

GNUnet will not start on Fedora, CentOS and RHEL systems with SELinux in enforcing mode, because neither the distribution nor GNUnet ships an SELinux policy module for it. You will have to make one yourself, following the usual steps for generating a policy module from logged denials.

First, clear the audit log so that only denials from the GNUnet run end up in it (this throws away the existing audit trail; if you would rather keep it, skip this step and pull the relevant records out later with ausearch -m avc -ts recent):

echo > /var/log/audit/audit.log

Then switch SELinux to permissive mode, so that denials are logged but not enforced (this is bad if you forget to switch it back to enforcing afterwards):

setenforce 0

Next, start GNUnet, wait a while, and stop it again:

systemctl start gnunet 
sleep 10s
systemctl stop gnunet

Check that GNUnet actually started and that SELinux denials were logged (for example with ausearch -m avc -ts recent). On a system with SELinux enabled there will be some if it did start; without them there is nothing to generate a policy from.

Next, re-enable SELinux enforcement:

setenforce 1

Make sure policycoreutils-python-utils (which provides audit2allow) is installed and run:

grep gnu /var/log/audit/audit.log | audit2allow -m gnunet-policy > gnunet-policy.te

The grep keeps the audit records containing the string gnu, which catches the comm="gnunet-..." fields of the GNUnet processes. You should now have a gnunet-policy.te policy file similar to:

File: gnunet-policy.te
module gnunet-policy 1.0;

require {
        type net_conf_t;
        type unreserved_port_t;
        type http_port_t;
        type init_t;
        class tcp_socket name_connect;
        class file map;
        class rawip_socket create;
}

#============= init_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t http_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t net_conf_t:file map;
allow init_t self:rawip_socket create;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t unreserved_port_t:tcp_socket name_connect;

That policy file is overly broad. The denials were logged against init_t, which means the GNUnet processes were running in systemd's own domain rather than in a domain of their own, so every allow rule above also widens what any other process running as init_t may do. A tighter module would need a dedicated domain for the GNUnet binaries and a transition into it, which audit2allow does not generate on its own.
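Before feeding audit.log to audit2allow it is worth seeing which source domain the denials were attributed to, since that decides how broad the generated rules will be. The script below is an added example for this page, not GNUnet project code and not a replacement for audit2allow: it parses the kernel's AVC record format (avc: denied { perms } ... scontext= tcontext= tclass=), deduplicates the denials, warns when the source domain is a catch-all such as init_t, and renders an equivalent .te module. The audit lines embedded in it are constructed to mirror the four denials behind the gnunet-policy.te file above; the module name and the list of domains treated as catch-alls are assumptions.

```python
"""Summarise SELinux AVC denials before feeding them to audit2allow.

Added example for this page; not GNUnet project code and not a
replacement for audit2allow. It parses the kernel's AVC record format
(avc: denied { perms } ... scontext= tcontext= tclass=) out of audit.log
text, deduplicates the denials, warns when the source domain is a
catch-all such as init_t, and emits an equivalent .te module.
"""
import re
import sys

# Source domains that mean "no domain of its own": an allow rule on any
# of these widens what every other process in that domain may do.
# (Assumed list; extend it to taste.)
BROAD_DOMAINS = frozenset({"init_t", "unconfined_t", "unconfined_service_t"})

# Constructed sample audit records (not real log output), shaped like
# /var/log/audit/audit.log and matching the four denials behind the
# gnunet-policy.te module above. The last record repeats an earlier one
# to show deduplication; non-AVC records are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1600000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="gnunet-transport" dest=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1600000000.101:201): arch=c000003e syscall=42 success=yes exit=0 comm="gnunet-transport"
type=AVC msg=audit(1600000000.102:202): avc:  denied  { map } for  pid=1234 comm="gnunet-service-dns" path="/etc/resolv.conf" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.103:203): avc:  denied  { create } for  pid=1235 comm="gnunet-service-nat" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1600000000.104:204): avc:  denied  { name_connect } for  pid=1234 comm="gnunet-transport" dest=2086 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.105:205): avc:  denied  { name_connect } for  pid=1234 comm="gnunet-transport" dest=2086 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def se_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return deduplicated (source_type, target_type, tclass, perm) tuples.

    A target equal to the source becomes 'self', as in audit2allow output.
    """
    denials = {}  # dict used as an insertion-ordered set
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, CWD ... records carry no AVC data
        src = se_type(m.group("scontext"))
        tgt = se_type(m.group("tcontext"))
        if tgt == src:
            tgt = "self"
        for perm in m.group("perms").split():
            denials[(src, tgt, m.group("tclass"), perm)] = None
    return list(denials)


def broad_sources(denials):
    """Source domains in the denial set that are catch-all domains."""
    return sorted({d[0] for d in denials if d[0] in BROAD_DOMAINS})


def to_te(denials, module_name="gnunet-policy"):
    """Render the denials as a type-enforcement module like audit2allow -m."""
    types = set()
    classes = {}
    for src, tgt, cls, perm in denials:
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes.setdefault(cls, set()).add(perm)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        rendered = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"\tclass {cls} {rendered};")
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{cls} {perm};" for src, tgt, cls, perm in denials]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 avc_summary.py [/var/log/audit/audit.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    found = parse_avc(text)
    for src in broad_sources(found):
        print(f"# WARNING: rules below grant extra access to every process in {src}")
    print(to_te(found), end="")
```

Run it without arguments to see the constructed sample turned into the same four allow rules as the page's module, prefixed with a warning about init_t; run it against a real audit.log to get the same summary for your own denials. If the warning fires, the fix is labelling, not more allow rules: the GNUnet processes need a domain of their own before the generated rules stop applying to systemd.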

That policy file, or a similar one, can be compiled into a module and inserted (as root) with:

checkmodule -M -m -o gnunet-policy.mod gnunet-policy.te
semodule_package -o gnunet-policy.pp -m gnunet-policy.mod
semodule -i gnunet-policy.pp

Note that the above policy file was generated from a default GNUnet configuration that only listens on TCP port 2086. Even so, it makes outbound TCP connections (the name_connect rules to ports labelled http_port_t and unreserved_port_t). You will likely need additional rules if you enable the HTTP and HTTPS transports or similar features.
