[DSE-Dev] Run gnome-terminal as 'user_u'

Russell Coker russell at coker.com.au
Mon Jan 23 14:52:10 UTC 2017


On Monday, 23 January 2017 12:54:35 PM AEDT Reis, Alberto Silos wrote:
> I'm writing a type enforcement file to allow a selinux user 'user_u' start a
> gnome-session but I've got stuck on gnome-terminal. I have spent a couple
> of hours to give permissions as it claimed in AVC, however, now
> the ausearch does not report anything even disabling dontaudit rules. 

I'm surprised at this, I had KDE working well and I didn't think that GNOME 
required much more access.

> My current SELinux type is default (refpolicy
> selinux-policy-default_2:2.20140421-16_all) running on a Jessie 8.5 and my
> ruleset is at the following link.

Yay people are using that!  ;)

> http://paste.debian.net/hidden/66e06cf5
> 
> Is there anything else I could do to debug this issue?

What version of systemd are you using?  The version from Jessie or something 
newer?  Systemd has been changing a lot and you can't expect good results from 
trying to use Jessie policy with a newer system.  However you can expect the 
policy from Stretch to work with Jessie (any ways in which it fails to do so 
can be considered as bugs - but I won't promise to fix all such bugs).  The 
systemd_logind_t access to tmpfs_t suggests to me that you are running a newer 
systemd than comes with Jessie.

The standard procedure for upgrading a SE Linux system to a new release of 
Debian should be to put it in permissive mode (in single-user mode if 
appropriate), upgrade the kernel, policy, and utilities, then touch 
/.autorelabel and reboot.  Then once you have a working system with the new 
policy and kernel you can upgrade daemons at your leisure.

Also you should try the -R and -v options to audit2allow.  The policy you get 
will often be clearer and more useful if you use the interfaces.  The -v 
option is handy because sometimes audit2allow gives an inappropriate 
interface.

As for the original issue of having no messages reported, sometimes there are 
dontaudit rules that stop them.  If you run "semodule -DB" to build a policy 
without dontaudit rules it can help find such things.  Then you have to run 
"semodule -B" later to go back to the usual configuration.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
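The dontaudit-disable / audit2allow -R -v / dontaudit-restore cycle described in the reply, as an added example that is not part of the original thread. It assumes the refpolicy tooling present on Jessie (semodule, ausearch, audit2allow), is run as root on the machine being debugged, and filters the audit records to the source user and process under test so unrelated denials (for example from systemd_logind_t) do not end up in the generated rules.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes semodule, ausearch
# and audit2allow are installed and that collect_denials runs as root.

# Keep only AVC denials from one SELinux user and one process name.
# Arguments: source user prefix (e.g. user_u) and comm (e.g. gnome-terminal).
# Reads audit records on stdin, prints the matching records on stdout.
avc_for_user_and_comm() {
    scontext_user="$1"
    comm_name="$2"
    grep 'avc: *denied' \
        | grep "scontext=${scontext_user}:" \
        | grep "comm=\"${comm_name}\""
}

# Full cycle: build policy without dontaudit rules, reproduce the problem,
# turn the captured denials into interface-based rules, restore dontaudit.
collect_denials() {
    scontext_user="$1"
    comm_name="$2"
    start_time="$3"          # ausearch -ts value, e.g. "today" or "12:00:00"
    # Whatever happens (Ctrl-C, error), rebuild with dontaudit rules again.
    trap 'semodule -B' EXIT INT TERM
    semodule -DB || return 1
    printf 'dontaudit rules disabled; reproduce the problem, then press Enter\n' >&2
    read -r _dummy
    # -R picks refpolicy interfaces, -v shows which interface each rule came
    # from, so a wrong interface choice is visible before the rule is loaded.
    ausearch -m AVC -ts "$start_time" 2>/dev/null \
        | avc_for_user_and_comm "$scontext_user" "$comm_name" \
        | audit2allow -R -v
}

# Only run the root-only cycle when explicitly asked, so the file can also
# be sourced for its helper function.
if [ "${1:-}" = "run" ]; then
    collect_denials user_u gnome-terminal "${2:-today}"
fi
```

Invoke as `sh debug-gnome-terminal.sh run` (the file name is an assumption), then start gnome-terminal from the user_u session and press Enter once it has failed.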