Containers, your time is now. Let's look at Namespaces.
Lately I have been spending a lot of time working on Containers.  Containers are a mechanism for controlling what a process does on a system.

Resource Constraints can be considered a form of containment.

In Fedora and RHEL we use cgroups for this, and with the new systemd controls in Fedora and RHEL7, managing cgroups has gotten a lot easier.  Out of the box all of your processes are put into a cgroup based on whether they belong to a user, a system service or a machine (VM).  These processes are grouped at the unit level, meaning two users logged into a system will each get a "fair share" of the system, even if one user forks off thousands of processes.  Similarly, if you run an httpd service and a mariadb service, they each get an equal share of the system: if httpd forks 1000 processes while mariadb only runs three, the 1000 httpd processes cannot dominate the machine and leave no memory or CPU for mariadb.  Of course you can go into the unit files for httpd or mariadb and add a couple of simple resource constraints to limit them further.


For example, adding

MemoryLimit=500M

to the httpd.service unit file will limit the httpd processes to 500 megabytes.

Security Containment

Some could say I have been working on containers for years, since SELinux is a container technology for controlling what a process does on the system.  I will talk about SELinux and advanced containers in my next blog.

Process Separation Containment

The last component of containers is Namespaces.  The Linux kernel implements a few namespaces for process separation.  There are currently 6 namespaces.

Namespaces can be used to isolate processes.  They create a new environment where changes made by the process are not reflected in other namespaces.  Once set up, namespaces are transparent to processes.

Red Hat Enterprise Linux and Fedora currently support 5 namespaces:

  • ipc: the ipc namespace allows shared memory and semaphores to be shared only with processes within the namespace.

  • pid: the pid namespace eliminates the view of other processes on the system and restarts pids at pid 1.

  • mnt: the mnt namespace allows processes within the container to mount file systems over existing files/directories without affecting file systems outside the namespace.

  • net: the net namespace creates network devices that can have IP addresses assigned to them, and can even have their own iptables rules and routing tables.

  • uts: the uts namespace allows you to assign a different hostname to processes within the container.  Often useful with the network namespace.

Rawhide also supports the user namespace.  We hope to add user namespace support in a future Red Hat Enterprise Linux 7 release.

The user namespace allows you to map real user ids on the host to container uids.  For example you can map UID 5000-5100 on the host to 0-100 within the container.  This means you could have uid 0 inside the container with rights to manipulate the other namespaces within the container; you could, for example, set the IP address on the network-namespaced Ethernet device.  Outside of the container your process would be treated as an unprivileged process.  The user namespace is fairly young and people are just starting to use it.
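As an added example (not part of the original post, and not the video it mentions), a small shell script that reads /proc/<pid>/ns to show which of these namespaces a process lives in and where it differs from pid 1, the check an administrator or responder runs to tell a containerized process from one on the host; it assumes a Linux /proc and needs no privileges for your own processes.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the namespaces a process
# lives in through /proc/<pid>/ns, and compare two processes. A process that
# was started in its own ipc/pid/mnt/net/uts (and, on newer kernels, user)
# namespace shows different namespace ids from pid 1. Needs only a Linux /proc
# and permission to read the target process's /proc entry (your own
# processes, or anything when run as root).

# List the namespace kinds the kernel exposes for a pid (default: self),
# one per line: ipc, mnt, net, pid, uts, plus user, cgroup, time... when present.
list_namespaces() {
    pid=${1:-self}
    for f in /proc/"$pid"/ns/*; do
        [ -L "$f" ] || continue        # no match: the glob is left unexpanded
        basename "$f"
    done
}

# Namespace id of one kind for one pid, e.g. "mnt:[4026531840]".
ns_id() {
    readlink /proc/"$1"/ns/"$2"
}

# Print "<kind> <id for pid1> <id for pid2>" for every kind in which the two
# processes differ. Empty output means they share every namespace.
# Kinds that cannot be read for either pid are reported on stderr rather
# than silently dropped, so "no output" is never mistaken for "same".
ns_diff() {
    p1=$1; p2=$2
    for kind in $(list_namespaces "$p1"); do
        a=$(ns_id "$p1" "$kind" 2>/dev/null) || { echo "$kind: cannot read pid $p1" >&2; continue; }
        b=$(ns_id "$p2" "$kind" 2>/dev/null) || { echo "$kind: cannot read pid $p2" >&2; continue; }
        [ "$a" = "$b" ] || printf '%s %s %s\n' "$kind" "$a" "$b"
    done
}

# Number of namespace kinds in which a pid differs from init. For a service
# that is supposed to run directly on the host a non-zero count is worth a
# look; for a container process it is expected.
ns_diff_count() {
    ns_diff "$1" 1 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: compare the given pid (default: this shell) with pid 1.
target=${1:-$$}
echo "namespaces of pid $target: $(list_namespaces "$target" | tr '\n' ' ')"
echo "kinds differing from pid 1: $(ns_diff_count "$target")"
ns_diff "$target" 1
```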

I have put together a video showing namespaces in Red Hat Enterprise Linux 7.

file_t, we hardly knew you...
file_t disappeared as a file type in Rawhide today.  It is one of the oldest types in SELinux policy.  It has been aliased to unlabeled_t.

Why did we remove it?

Let's look at the comments written in the policy source to describe file_t.

# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).

Now let's look at the description of unlabeled_t

# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.

Notice the conflict.

If a file object does not have a label assigned to it, then it would be labeled unlabeled_t.  Unless it is on a file system that supports extended attributes, in which case it would be file_t?

I always hated explaining this, and we have finally removed the conflict for future Fedoras.  Sadly this change has not been made in RHEL7 or any older RHELs or Fedoras.

We also added a type alias, so that file_t now refers to unlabeled_t.

Note: SEAndroid made this change when its policy was first being written.

One other conflict I would like to fix: a file with a label that the kernel does not understand is also labeled unlabeled_t (i.e., it has a label, but the label is invalid).  I have argued for having the kernel differentiate the two situations:

  • No label -> unlabeled_t

  • Invalid Label -> invalid_t.

Upstream has pointed out that from a practical/security point of view you really need to treat them both as the same thing.  Confined domains are not allowed to use unlabeled_t objects, and if it is a file system object you should run restorecon on it, putting a legitimate label on the object.  Probably I will not get this change, but I can always hope.

How come some things get blocked by SELinux in permissive mode?
SELinux can be set up to run in three modes.

* Enforcing (My favorite)
* Permissive
* Disabled

Often permissive mode is described as being the same as enforcing, except that everything is allowed and logged.

For the most part this is true, except when there are bugs or an "Access Control Manager" does not respect the permissive flag.

Most of SELinux is written so that the kernel controls access, and it would be very strange for the kernel to block an access in permissive mode.

But there are several situations where we want to check access outside the kernel.  For example:

  • Can an application connect to a particular dbus daemon?

  • Can a service start a particular systemd daemon?

  • Can a root process change the password of something?

  • Will sshd allow dwalsh to login as unconfined_t?

None of these checks are seen by the kernel.  We implement SELinux checks in places like the dbus daemon, systemd, the X server, sshd, passwd ...  When one of these services denies access you will see a USER_AVC generated rather than an AVC.  If these SELinux checks are not written correctly to check the permissive flag when an access is denied, you can get a real denial in permissive mode.

Usually we see these as bugs, but in certain situations upstream does not want to accept patches to check the permissive flag.

If you know of a situation where this happens, open a bugzilla on it and we can work with the packager to fix the problem.

When you see an AVC or USER_AVC that is generated in permissive mode, you should see a flag stating "success=yes" in the AVC record; this indicates that the AVC was generated but the access was still allowed.  If it says "success=no" in permissive mode, that should be considered a bug.
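An added example, not from the original post: a shell script that pairs each kernel AVC with its SYSCALL record (the two share the audit event id) and reports the denials carrying success=no, which on a permissive host are exactly the bugs described above; USER_AVC denials, which have no SYSCALL partner, are listed separately for review. The audit records it processes are constructed samples modeled on the audit.log format, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: pair each AVC denial with the
# SYSCALL record of the same audit event (the two share the
# "audit(<seconds>.<millis>:<serial>)" id) and report the denials the kernel
# really blocked (success=no). On a permissive host every kernel AVC should
# pair with success=yes, so any hit is the kind of bug the post describes.
# USER_AVC records come from userspace object managers (dbus, systemd, sshd,
# ...), never have a SYSCALL partner, and are listed separately for review
# because those checks are the ones most likely to ignore the permissive flag.
# The records in SAMPLE_LOG are constructed, not captured from a real host.

SAMPLE_LOG=$(cat <<'EOF'
type=AVC msg=audit(1380000000.100:401): avc:  denied  { open } for  pid=2001 comm="openvpn" path="/home/example/vpn/client.crt" dev="dm-2" ino=11 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1380000000.100:401): arch=x86_64 syscall=open success=yes exit=4 pid=2001 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0
type=AVC msg=audit(1380000000.200:402): avc:  denied  { write } for  pid=2002 comm="httpd" path="/var/www/html/upload" dev="dm-2" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1380000000.200:402): arch=x86_64 syscall=openat success=no exit=EACCES pid=2002 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=USER_AVC msg=audit(1380000000.300:403): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/system/example.service" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
EOF
)

# Read audit records on stdin; print "<event id> <permission> <class>" for
# every AVC denial whose SYSCALL record of the same event says success=no.
find_real_denials() {
    awk '
    /^type=AVC / && /avc:  denied/ {
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        if (match($0, /[{] [a-z_]+ [}]/)) perm[id] = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /tclass=[a-z_]+/))  cls[id]  = substr($0, RSTART + 7, RLENGTH - 7)
    }
    /^type=SYSCALL / {
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        if (match($0, /success=(yes|no)/)) result[id] = substr($0, RSTART + 8, RLENGTH - 8)
    }
    END {
        for (id in perm) if (result[id] == "no") print id, perm[id], cls[id]
    }' | sort
}

# Read audit records on stdin; print "<event id> <permission> <class>" for
# every USER_AVC denial. These were decided by a userspace daemon, so the
# permissive flag only helps if that daemon's check honours it.
list_user_avc_denials() {
    awk '
    /^type=USER_AVC / && /avc:  denied/ {
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        perm = match($0, /[{] [a-z_]+ [}]/) ? substr($0, RSTART + 2, RLENGTH - 4) : "?"
        cls  = match($0, /tclass=[a-z_]+/)  ? substr($0, RSTART + 7, RLENGTH - 7) : "?"
        print id, perm, cls
    }'
}

# Run both reports over an audit log (default: the system audit log).
report() {
    log=${1:-/var/log/audit/audit.log}
    echo "== AVC denials the kernel actually blocked (bugs if permissive) =="
    find_real_denials < "$log"
    echo "== USER_AVC denials decided in userspace =="
    list_user_avc_denials < "$log"
}

# Stand-alone run over the constructed records.
printf '%s\n' "$SAMPLE_LOG" | find_real_denials
printf '%s\n' "$SAMPLE_LOG" | list_user_avc_denials
```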

Awesome new coreutils with improved SELinux support

When I first started working on SELinux over 10 years ago, one of the first packages I worked on was coreutils.  We were adding SELinux support to ensure proper handling of labeling.  After that we did not touch it for several years.

Last year, I decided to investigate whether I could improve coreutils' handling of labels on initial content creation.  Well, it took a while, but my patches were finally accepted, with lots of fixes from upstream, and coreutils-8.22 just showed up today in Rawhide.

I am very excited about this release.  I believe it can allow administrators to fix one of the biggest problems users have with SELinux: objects getting created with the incorrect context.

My patches basically standardized "-Z" with no argument to indicate that you want the target to get the "default" label for its destination path.


# touch /tmp/foobar
# mv /tmp/foobar /etc
# ls -lZ /etc/foobar
# -rw-r--r--. root root staff_u:object_r:user_tmp_t:s0   /etc/foobar

As opposed to:

# touch /tmp/foobar
# mv -Z /tmp/foobar /etc
# ls -lZ /etc/foobar
# -rw-r--r--. root root staff_u:object_r:etc_t:s0   /etc/foobar

The traditional behavior of a command like mv was to maintain the "security" of the object you are moving: mv would preserve the ownership, permissions, and SELinux label.  The problem with this is that users/administrators do not expect it.  By adding "-Z" to the mv command, the administrator guarantees that the object will get the correct label based on the destination path, which, over the years, I have come to believe is what the administrator expects.  The "-Z" option in coreutils now indicates the equivalent of running restorecon on the target, except that in most cases the label is correct at the creation of the content.

"mv -Z /tmp/foobar /etc/foobar" == "mv /tmp/foobar /etc/foobar; restorecon /etc/foobar"

One of the reasons we did not do this sooner, was the speed of reading in the labeling database.  The latest SELinux toolchain loads the labeling database in a fraction of the previous time, allowing us to make these changes.

Setting up coreutils alias

I would even suggest that it would be a good idea to alias

alias mv='mv -Z'

for most users.

A common mistake is to mv content around in the homedir.  A mistake I have made in the past was to copy an html file to my account on a machine, then ssh into the machine and mv it to the public_html directory.  ~/public_html is labeled httpd_user_content_t, which is readable by default by the Apache server, while the default label of my homedir content, user_home_t, is not.

mv ~/content.html ~/public_html/

This command would leave ~/public_html/content.html labeled user_home_t, and the page would not show up on the web site.  Users would not know why, and would probably not know about SELinux.  But if the administrator changed the alias for the mv command, everything would just work.

Other Commands

Similarly the -Z option has been implemented for all of the commands that create content in coreutils.

mknod -Z, mkdir -Z, mkfifo -Z, install -Z

Currently in init scripts we have lots of code that does:

mkdir /run/myapp; restorecon /run/myapp

Which can be replaced with

mkdir -Z /run/myapp

What about Disabled Machines, or machines that do not support SELinux?

On an SELinux disabled system, the -Z option will be ignored.
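As an added example (not code from the post or from coreutils), shell wrappers that get the effect of mv -Z and mkdir -Z described above, falling back to the older "create, then restorecon" idiom on a host whose coreutils predates 8.22, and doing nothing label-related where SELinux is disabled; detecting -Z support from the --help text is a heuristic assumed here.

```shell
#!/bin/sh
# Added example, not from the original post or coreutils: wrappers that give
# a moved or newly created object the default label for its destination path,
# the post's "mv -Z X Y" == "mv X Y; restorecon Y". They use -Z when the local
# mv/mkdir advertise the coreutils-8.22 form of the option and otherwise fall
# back to "create, then restorecon", the idiom the post says init scripts use
# today. On a host without SELinux both paths are no-ops for labeling (the
# post notes -Z is ignored there); the file operation itself still happens.

# Heuristic: does this command accept the 8.22-style bare -Z?  The older
# "-Z, --context=CTX" form of mkdir/mknod/install required an argument, so
# only "-Z" followed by spaces counts. Reads --help instead of trying the
# option, so a failed probe never touches the file system.
supports_Z() {
    "$1" --help 2>&1 | grep -q -- '^ *-Z  '
}

# Relabel a path when restorecon exists and SELinux is enabled; otherwise
# there is no labeling database to consult and nothing to do.
relabel_if_possible() {
    if command -v restorecon >/dev/null 2>&1; then
        if ! command -v selinuxenabled >/dev/null 2>&1 || selinuxenabled; then
            restorecon -R "$1"
        fi
    fi
}

# mv that leaves the destination labeled for its new path rather than
# carrying the source label along (the post's /tmp -> /etc example).
mv_default_label() {
    src=$1; dst=$2
    if supports_Z mv; then
        mv -Z -- "$src" "$dst"
    else
        mv -- "$src" "$dst"
        if [ -d "$dst" ]; then
            relabel_if_possible "$dst/$(basename "$src")"   # moved into a dir
        else
            relabel_if_possible "$dst"
        fi
    fi
}

# mkdir that creates the directory with the default label for its path,
# replacing "mkdir /run/myapp; restorecon /run/myapp" in init scripts.
mkdir_default_label() {
    if supports_Z mkdir; then
        mkdir -p -Z -- "$1"
    else
        mkdir -p -- "$1"
        relabel_if_possible "$1"
    fi
}

# Stand-alone run on a scratch directory, safe on any host.
demo=$(mktemp -d)
mkdir_default_label "$demo/run/myapp"
: > "$demo/foobar"
mv_default_label "$demo/foobar" "$demo/run/myapp"
ls -Z "$demo/run/myapp" 2>/dev/null || ls -l "$demo/run/myapp"
rm -rf "$demo"
```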


Getting the label correct at file creation has been improved greatly in current Fedoras with the introduction of file name transitions.  Fixing coreutils to allow administrators to change the default behavior of standard tools so that they set default labels on object creation is nice.

alias mv='mv -iZ'
alias cp='cp -iZ'
alias mkdir='mkdir -Z'
alias mknod='mknod -Z'
alias install='install -Z'

I hope to get this new coreutils backported into RHEL7...


One thing to remember about this from a security point of view: a confined calling domain would still be prevented from creating content with the default label if SELinux policy does not allow it to create content with that label.  The change to coreutils just allows the process to attempt to create the content with the correct label.

Thanks to coreutils upstream for working on these patches with us.

golang support for libselinux in Rawhide.
Every so often I get to spend a couple of days working in a new computer language, but it has been a while.

I am working on a project to bring SELinux support to docker.

The basic idea is to launch containers with a specific SELinux type and a random MCS label, using pretty much the same technology as we use with sVirt.  We do this using libvirt and virt-sandbox-service in Fedora now, but we want to implement similar support for docker.

One problem I had when I first started working on this project was that docker is written in the go programming language.  I did not know the go language and there were no libselinux bindings for go.

Luckily go is fairly easy to bind to the C language using cgo.  After a couple of weeks of work, I put together selinux.go, which implements all of the functions I needed to get containers running with SELinux labels.  Going forward it would be nice to hook up all of the libselinux functions (patches welcomed).

The package will show up in libselinux-2.2.1-3.fc21.


Any input for improvements to go code would be welcome.

SELinux Halloween Release
Red Hat had the famous Halloween Release.

Coincidentally, a major release of the SELinux tool chain went out yesterday.  It should be showing up in the Rawhide mirrors now.  Most of this code was already in Fedora and RHEL7, but we were able to upstream some very large patches, and I just thought I would point out the changes that went into this release.  The last release of the tool chain was April 4, 2013.  We still have some small patches in Fedora, but most of our code is now upstream.  The change logs below give you some idea of what changes have been made.

2.2 2013-10-30
    * Allow constraint denial cause to be determined from Richard Haines.
      - Add kernel policy version 29.
      - Add modular policy version 17.
      - Add sepol_compute_av_reason_buffer(), sepol_string_to_security_class(), sepol_string_to_av_perm().
    * Support overriding Makefile RANLIB from Sven Vermeulen.
    * Fix man pages from Laurent Bigonville.

2.2 2013-10-30
    * Fix hyphen usage in man pages from Laurent Bigonville.
    * handle-unknown / -U required argument fix from Laurent Bigonville.
    * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
    * Support space and : in filenames from Red Hat.

    * Return additional constraint information.
    * Fix bug in calls to attributes from Red Hat.
    * Add support for filename transitions from Red Hat.
    * Fix sepolgen tests from Red Hat.

2.2 2013-10-30
    * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
    * Support overriding Makefile RANLIB from Sven Vermeulen.
    * Update pkgconfig definition from Sven Vermeulen.
    * Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
    * Fix man pages from Laurent Bigonville.
    * Support overriding PATH and LIBBASE in Makefiles from Laurent Bigonville.
    * Fix LDFLAGS usage from Laurent Bigonville.
    * Avoid shadowing stat in load_mmap from Joe MacDonald.
    * Support building on older PCRE libraries from Joe MacDonald.
    * Fix handling of temporary file in sefcontext_compile from Red Hat.
    * Fix procattr cache from Red Hat.
    * Define python constants for getenforce result from Red Hat.
    * Fix label substitution handling of / from Red Hat.
    * Add selinux_current_policy_path from Red Hat.
    * Change get_context_list to only return good matches from Red Hat.
    * Support udev-197 and higher from Sven Vermeulen and Red Hat.
    * Add support for local substitutions from Red Hat.
    * Change setfilecon to not return ENOSUP if context is already correct from Red Hat.
    * Python wrapper leak fixes from Red Hat.
    * Export SELINUX_TRANS_DIR definition in selinux.h from Red Hat.
    * Add selinux_systemd_contexts_path from Red Hat.
    * Add selinux_set_policy_root from Red Hat.
    * Add man page for sefcontext_compile from Red Hat.


2.2 2013-10-30
    * Avoid duplicate list entries from Red Hat.
    * Add audit support to libsemanage from Red Hat.
    * Remove policy.kern and replace with symlink from Red Hat.
    * Apply a MAX_UID check for genhomedircon from Laurent Bigonville.
    * Fix man pages from Laurent Bigonville.

2.2 2013-10-30
    * Properly build the swig exception file from Laurent Bigonville.
    * Fix man pages from Laurent Bigonville.
    * Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
    * Fix LDFLAGS usage from Laurent Bigonville.
    * Fix init_policy warning from Laurent Bigonville.
    * Fix semanage logging from Laurent Bigonville.
    * Open newrole stdin as read/write from Sven Vermeulen.
    * Fix sepolicy transition from Sven Vermeulen.
    * Support overriding CFLAGS from Simon Ruderich.
    * Create correct man directory for run_init from Russell Coker.
    * restorecon GLOB_BRACE change from Michal Trunecka.
    * Extend audit2why to report additional constraint information.
    * Catch IOError errors within audit2allow from Red Hat.
    * semanage export/import fixes from Red Hat.
    * Improve setfiles progress reporting from Red Hat.
    * Document setfiles -o option in usage from Red Hat.
    * Change setfiles to always return -1 on failure from Red Hat.
    * Improve setsebool error reporting from Red Hat.
    * Major overhaul of gui from Red Hat.
    * Fix sepolicy handling of non-MLS policy from Red Hat.
    * Support returning type aliases from Red Hat.
    * Add sepolicy tests from Red Hat.
    * Add org.selinux.config.policy from Red Hat.
    * Improve range and user input checking by semanage from Red Hat.
    * Prevent source or target arguments that end with / for substitutions from Red Hat.
    * Allow use of <<none>> for semanage fcontext from Red Hat.
    * Report customized user levels from Red Hat.
    * Support deleteall for restoring disabled modules from Red Hat.
    * Improve semanage error reporting from Red Hat.
    * Only list disabled modules for module locallist from Red Hat.
    * Fix logging from Red Hat.
    * Define new constants for file type character codes from Red Hat.
    * Improve bash completions from Red Hat.
    * Convert semanage to argparse from Red Hat (originally by Dave Quigley).
    * Add semanage tests from Red Hat.
    * Split semanage man pages from Red Hat.
    * Move bash completion scripts from Red Hat.
    * Replace genhomedircon script with a link to semodule from Red Hat.
    * Fix fixfiles from Red Hat.
    * Add support for systemd service for restorecon from Red Hat.
    * Spelling corrections from Red Hat.
    * Improve sandbox support for home dir symlinks and file caps from Red Hat.
    * Switch sandbox to openbox window manager from Red Hat.
    * Coalesce audit2why and audit2allow from Red Hat.
    * Change audit2allow to append to output file from Red Hat.
    * Update translations from Red Hat.
    * Change audit2why to use selinux_current_policy_path from Red Hat.

Mistaking a Process label type for a File label type.
Yesterday there was an email from an administrator complaining about semanage.

The administrator was attempting to setup a new directory with a label for cgi scripts.

# semanage fcontext -a -t httpd_sys_script_t "///cgi-bin/.*\.cgi"
ValueError: Type httpd_sys_script_t is invalid, must be a file or device type.

The tool told the administrator that he had made a mistake and had attempted to assign a type to a file that was neither a file nor a device type.

This is a fairly common mistake with SELinux.  httpd_sys_script_t is a process label, and SELinux prevents process labels from being placed on file systems.  His valid complaint was that it is not easy to know whether a particular type is a process type or a file type.

He then suggested that we should encode something in the name of the type to indicate the kind of type.  For example httpd_sys_script_p_t and httpd_sys_script_exec_f_t.  This might not be a bad idea, and should be brought up for discussion on the SELinux policy list.

I looked at the semanage code and saw that the tool was checking the type given on the command line against a list of valid file types.  I saw that a fairly easy enhancement would be to strip the "_t" off the type and search the list of "file types" for those matching the prefix.

This change would at least help the administrator a little.

# semanage fcontext -a -t httpd_sys_script_t "///cgi-bin/.*\.cgi"
ValueError: Type httpd_sys_script_t is invalid, must be a file or device type.
Alternative: httpd_sys_script_exec_t.

Another example.

# semanage fcontext -a -t apcupsd_t /etc/dan
ValueError: Type apcupsd_t is invalid, must be a file or device type.
Alternatives: apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_log_t, apcupsd_exec_t, apcupsd_lock_t, apcupsd_unit_file_t, apcupsd_tmp_t.

One problem with this change would be Apache (httpd_t), which comes out with 146 matches.  :^(

The new semanage will show up in Rawhide and will be back ported to RHEL7 and Fedora 20.

The seinfo command from the setools-cmdline package can list all file types on a system using the file_type attribute and all process types using the domain attribute.

> seinfo -afile_type -x | wc -l  
> seinfo -adomain -x | wc -l
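An added example, not the semanage patch itself: the suggestion logic described above in shell, with a cap on how many alternatives are shown so that a prefix like httpd does not flood the user. FILE_TYPES is a constructed stand-in for the seinfo -afile_type -x output.

```shell
#!/bin/sh
# Added example, not the semanage code the post describes: the enhancement
# sketched above, in shell. When a type is not a file type, strip its "_t"
# and offer every file type that shares the remaining prefix. On an SELinux
# host, replace FILE_TYPES with the output of "seinfo -afile_type -x" (minus
# its header line); the list below is a constructed stand-in so the script
# runs without SELinux tooling. MAX_ALTS caps the list, which matters for a
# prefix like httpd (146 matches on the post's system).

MAX_ALTS=10

FILE_TYPES='
httpd_sys_script_exec_t
httpd_sys_content_t
httpd_sys_rw_content_t
apcupsd_var_run_t
apcupsd_initrc_exec_t
apcupsd_log_t
apcupsd_exec_t
apcupsd_lock_t
apcupsd_unit_file_t
apcupsd_tmp_t
etc_t
'

# True when the type is in the file type list (what semanage already checks).
is_file_type() {
    printf '%s\n' "$FILE_TYPES" | grep -qx -- "$1"
}

# Print, one per line and in list order, the file types that start with the
# given type minus its "_t" suffix, excluding the type itself.
suggest_alternatives() {
    type=$1
    case $type in
        *_t) prefix=${type%_t} ;;
        *)   prefix=$type ;;
    esac
    printf '%s\n' "$FILE_TYPES" | grep -- "^${prefix}_" | grep -vx -- "$type" || :
}

# Validate a type the way "semanage fcontext -a -t TYPE" would, printing the
# post's error text plus the suggestions. Returns 1 for an invalid type so a
# caller can stop before writing anything into the policy store.
check_fcontext_type() {
    if is_file_type "$1"; then
        return 0
    fi
    printf 'ValueError: Type %s is invalid, must be a file or device type.\n' "$1"
    alts=$(suggest_alternatives "$1")
    if [ -n "$alts" ]; then
        total=$(printf '%s\n' "$alts" | wc -l | tr -d ' ')
        shown=$(printf '%s\n' "$alts" | head -n "$MAX_ALTS" \
                | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }')
        if [ "$total" -gt "$MAX_ALTS" ]; then
            printf 'Alternatives (first %s of %s): %s.\n' "$MAX_ALTS" "$total" "$shown"
        else
            printf 'Alternatives: %s.\n' "$shown"
        fi
    fi
    return 1
}

# Stand-alone run: the two cases from the post, then a valid type.
for t in httpd_sys_script_t apcupsd_t etc_t; do
    check_fcontext_type "$t" && echo "$t: valid file type"
done
```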

File System Equivalence

The administrator could have made a better labeling decision by using file equivalence labeling.

# semanage fcontext -a -e /var/www "/<pathtowebsite>/<website>"

This tells SELinux to label everything under "/<pathtowebsite>/<website>" as if it were under /var/www.

Difference between a Confined User (staff_u) and a Confined Administrator.
Confined users have been around for a while, and several people have used them.  I use the staff_u user for my logins.


One common mistake people make when they use confined users is they expect them to work when running as root.

Which of course they don't!!!  They are CONFINED.

The idea of a confined user is to control the access available to a logged-in user.  If the user needs to do administrative tasks as root, he needs to become a Confined Administrator.

This means that if you are logged in as a confined user, SELinux will prevent you from running most programs that would make you root, including "su".

In SELinux we have the concept of a process transition.  When we use confined users we like to transition the Confined User process to a Confined Administrator when the process needs to run as root.  Another way to look at this is Role Based Access Control (RBAC), which means that when I log into a machine I have one role, but if I want to administer the machine I need to switch to a different role.

In SELinux we currently have two different ways to change Roles, or to switch from a Confined User to a Confined Administrator.

  1. newrole - This command can be executed by a user and asks the SELinux kernel to change its role, if allowed by policy.  The problem with this tool is that you still need to become root via su or sudo.

  2. sudo - We allow you to change both your SELinux Role/Type in sudo as well as become root.

In my case I run my login as staff_u:staff_r:staff_t:s0-s0:c0.c1023, and when I execute a command through sudo, sudo transitions my process to staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.  If you want to run with a slightly confined administrator you could set up a transition to staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023, which I like to call the drunken unconfined_t: it can do everything unconfined_t can do, but stumbles around a lot.

We also have a few other confined administrators like:

  1. webadm_t, which can only administrate apache types.

  2. dbadm_t which can administrate types associated with mysql and postgresql.

  3. logadm_t which can administrate types associated with syslog and auditlog

  4. secadm_t which can only administrate SELinux controls

  5. auditadm_t which can only administrate the audit subsystem.

It is fairly easy to add additional confined administrator types using sepolicy/sepolgen.

To configure a Confined User/Confined Administrator pair, you need to do a few steps.

Note: You could skip the first two steps and just use staff_u

Step 1:  Create a Brand New SELinux User Definition confined_u

# semanage user -a -r s0-s0:c0.c1023 -R "staff_r unconfined_r webadm_r sysadm_r system_r" confined_u

Note: I added the staff_r role, which will be the role of the confined user when he logs in.  The other roles are potential roles the user will use when he is an administrator.  Only one of "unconfined_r webadm_r sysadm_r" is required, but I added them all to give you options.  system_r is in there to allow you to restart system services.  You would not need this on a systemd system, or if you were going to use run_init.  But if you want to just use "service foobar restart" on a System V system like RHEL6, you need to have this role.

Step 2:  We need to set up the default context file to tell programs like sshd or xdm which of the roles/types we would like to use by default.  We are simply going to copy the staff_u context file.  You could also use IPA to override this selection.

# cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/confined_u

Step 3: Now we want to configure our Linux account to use the SELinux user.
# semanage login -a -s confined_u -rs0:c0.c1023 dwalsh

Note: Instead of using a user name you could use a Linux group like wheel, by specifying %wheel.  Also, if you want to modify the default for all users that are not otherwise specified, you could use the name __default__.

Step 4:  Now you need to configure sudo to transition your Confined User process to a Confined Administrator.
You can either modify the /etc/sudoers file with a line like the following:

echo "%wheel    ALL=(ALL)  TYPE=unconfined_t ROLE=unconfined_r    ALL" >> /etc/sudoers

Or add a file to /etc/sudoers.d:

echo "dwalsh   ALL=(ALL)  TYPE=webadm_t ROLE=webadm_r   /bin/sh " > /etc/sudoers.d/dwalsh

It would not hurt to relabel your homedir at this point.

# restorecon -R -v /home/dwalsh

Now if you were already logged in as your user account, you were probably running processes as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, so you might want to reboot to make sure everything is cleaned up.

After reboot, when you log in, you should see your processes running as

> id -Z

Now you should not be allowed to run the su command (unless you newrole to an admin role), but if you execute:

> sudo -i
# id -Z

Setroubleshoot does a nice job nowadays, but do people read it?
I get bugzillas with a setroubleshoot alert message that tells the user exactly what the problem and solution is, and yet the user goes through the GUI looking for the Report the Bug button.

I call this the Bug Dan Walsh Button, although I guess I could call it the Bug Miroslav Grepl Button now.

Then the user waits for a response from a human saying

"Did you read the alert?  It told you what to do."  Bugzilla Closed NotABug

All the while the user sits with a broken tool or in permissive mode, when the user could have fixed the problem in seconds.  Lots of bugzillas say, XYZ is mislabeled, just run restorecon XYZ  :^(


Setroubleshoot did a great job of diagnosing this problem.  

It gave the user two good solutions, and one fall back.

Bottom Line, Please read the alert information before reporting a bugzilla.

Of course the tooling in NetworkManager should have done this automatically, but we have a bugzilla open for that.

Description of problem:
Upon trying to activate the VPN interface, I received the pop-up advising me that it was blocked. 
SELinux is preventing /usr/sbin/openvpn from 'open' accesses on the file /home/dwalsh/personalVPN/CN00318823.crt.

*****  Plugin openvpn (47.5 confidence) suggests  ****************************

If you want to mv CN00318823.crt to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
# mv /home/dwalsh/personalVPN/CN00318823.crt ~/.cert
# restorecon -R -v ~/.cert

*****  Plugin openvpn (47.5 confidence) suggests  ****************************

If you want to modify the label on CN00318823.crt so that openvpn can have open access on it
Then you must fix the labels.
# semanage fcontext -a -t home_cert_t /home/dwalsh/personalVPN/CN00318823.crt
# restorecon -R -v /home/dwalsh/personalVPN/CN00318823.crt

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that openvpn should be allowed open access on the CN00318823.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/dwalsh/personalVPN/CN00318823.crt [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openvpn-2.3.2-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.10-200.fc19.x86_64 #1 SMP Thu
                              Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-09-03 16:46:59 EDT
Last Seen                     2013-09-05 17:57:28 EDT
Local ID                      f008846c-ad32-4676-925c-4a86a1b87a2b

Raw Audit Messages
type=AVC msg=audit(1378418248.924:702): avc:  denied  { open } for  pid=1996 comm="openvpn" path="/home/dwalsh/personalVPN/CN00318823.crt" dev="dm-2" ino=11141302 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1378418248.924:702): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffcf992f0e a1=0 a2=1b6 a3=7fffcf990410 items=0 ppid=1992 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,user_home_t,file,open

New MLS videos at

We know how much you like SELinux!!!

Well if you really want to turn up the enjoyment, why not try Multi Level Security (MLS) policy?

Well you probably only want to do this if you need to store data on a machine that is truly multi level. 

MLS Policy (selinux-policy-mls)

We have been shipping MLS policy since RHEL5, and Fedora 6.

RHEL5 and RHEL6 have achieved a government certification of EAL4+/LSPP.  This certification basically says that these operating systems are able to store and handle data that has different security levels, like Top Secret/Secret/Unclassified.  It is the same certification that Trusted Solaris achieved.  Bottom line: defense organisations are using SELinux MLS on RHEL5 and RHEL6 in the most sensitive places.  If you are an administrator of these types of machines, you need to see some new videos on

Dave Egts is at it again.

I absolutely loved Dave's videos on confined users.  Whenever I teach SELinux Roles Based Access Control (RBAC), I show the videos.

They are Must See TV

Dave does a great job of explaining complex technology  in short easy to consume videos.

Now Dave and the folks who build the content on have put together 8 MLS Videos.

Multilevel Security with Red Hat Enterprise Linux and SELinux

Check it out.

