# Hardened SELinux: how to resolve denials?

## Shiru

Hello guys,

I read the documentation and tutorials on the Gentoo Wiki but still, it's really hard for me to understand the way to resolve avc denials.

First question:

Setting SELINUX variable to permissive gave me a lot of denials in dmesg. I thought, following the tutorials that setting SELinux for the first time should automatically avoid those denials. I was wrong but I wonder why i have tons of denials.

Second question:

Setting SELINUX variable to enforcingm i was unable to log in tty the first time, but now i can. My display manager (lightdm) cannot run. In tty, it says that it's already running (weird). I looked at dmesg and here are the denials related to xdm (lightdm).

```
[   33.408231] audit: type=1400 audit(1629168773.668:83): avc:  denied  { search } for  pid=2391 comm="lightdm" name=".cache" dev="sda4" ino=39321604 scontext=system_u:system_r:xdm_t tcontext=root:object_r:xdg_cache_t tclass=dir permissive=1

[   33.447963] audit: type=1107 audit(1629168773.708:84): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=ListSeats dest=org.freedesktop.login1 spid=2391 tpid=1455 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:initrc_t tclass=dbus permissive=1

[   33.448257] audit: type=1107 audit(1629168773.708:85): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2 spid=1455 tpid=2391 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:xdm_t tclass=dbus permissive=1

[  128.433353] audit: type=1400 audit(1629168868.693:241): avc:  denied  { net_admin } for  pid=2593 comm="lightdm" capability=12  scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=capability permissive=1
```

Even i can see those types of errors, i am still unable to resolve by myself. I don't want to give up on Hardened SELinux, so if someone can give its time to me, i would greatly appreciate it.

Shiru

----------

## alamahant

The reason this is happening is because selinux behaves and it should as the mean nanny.

There are three ways to manage selinux denials

1. use selinux booleans

```

getsebool -a

setsebool <-P> <boolean-name> <true|false>

```

2.Via changing fcontext

```

semanage fcontext -l

semeanage fcontext -a -t <context_type> <file|directory>

restorecon -R <file|directory>

```

semeange can also be used for ports.

Ports and fcontext are the most common usages of semanage

3.create policy modules to deal with denials

```

ausearch -m AVC  | audit2allow -a -M my_policy

semodule -i my_policy.pp

```

In fedora there is a wonderful package setroubleshoot-server that advices the user on the proper action to take to resolve denials.

Unfortunately this is not available in Gentoo.

Maybe by all means should.

If you plan to use DE just avoid selinux.Or set it permissive.

For headless server is okeyish.

----------

## Shiru

Hey alamahant,

Thanks you for your reply and sorry to be late. 

You are right: it is sound difficult with a desktop. Since i am really new to it, i will install an headless Gentoo on a VM. I really need to understand how SELinux works.

Thanks again for your information.

Shiru

----------

