Why there are SELinux errors in permissive mode?

Boppity Bop

3/25/23, 6:26 PM

I have set CentOS 8 Stream with SELinux set to permissive but I still have bunch of red lines in the log e.g.:

SELinux is preventing /usr/lib/systemd/systemd from name_connect access on the tcp_socket port 80

Are these real or its just printing - what would be happening if it was in restrictive mode?

0 + 0

selinux

centos8

Valentin Bajrami

3/25/23, 8:13 PM

Disabling or setting `SELinux` to `permissive` mode is not recommended. It is there for a reason. A better approach would be to look into the problem and solve it with `SELinux` enabled.

Score:3

Server

Bert

3/25/23, 6:36 PM

Per the documentation:

When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux

Also see /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

0 + 0

Boppity Bop

3/26/23, 2:54 PM

yes this is why I asked because these bits of log are printed as if they were errors not warnings and I dont really know were these actions stopped or let through with the print in the log.. they could have made it more clear in the log text

utdrmac

12/13/23, 1:51 PM

Even in Permissive mode, SELinux is blocking/denying file access. I am directly experiencing this in CentOS8 and RL8 as are others: https://github.com/jellyfin/jellyfin/issues/8114