Of course the process of writing the request answers the question:

To disable dontaudit:

  semodule -DB

To re-enable it:

  semodule -B

This leads to the missing rule:

  allow virtd_t http_port_t:tcp_socket { name_bind name_connect };

which presumably can be modified to allow connections on any outbound port (not just 80).

Antonio

On 10/22/24 07:30, Antonio Russo wrote:

Hello!

I'm trying to use selinux in enforcing mode ON THE HOST while using passt for networking. I'm using Debian sid, kvm, and qemu on the SYSTEM bus (I could not make any progress using the session bus).

What I'm running into is that `apt update` in the guest does not connect (it just sits there at "connecting to deb.debian.org") for a long time. curl-ing either v4 or v6 addresses fails in the same way in the guest.

With `setenforce 0` (on the host, obviously), everything works fine. With setenforce 0 I can just ctrl-c the connection attempt on the guest, retry, and it will work. Similarly, setenforce 1 immediately breaks any subsequent connection attempts.

The problem is that `audit2why -al` is EMPTY. I'll emphasize that I've needed to iterate running audit2allow multiple times to get to this point. If someone wants to see the module source that I've managed to create up to this point, I can send it.

What I really need to know is: is there a way to somehow silence audit2why entries? Can I disable that? And, is there anywhere else I can find any denials?

Best,
Antonio
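The step the thread lands on (surface the denials that dontaudit hides, then turn the AVC records into a policy module) is what audit2allow automates. The script below is an added example, not code from the thread or from the passt project: it re-implements the rule-extraction part of that step in plain sh/awk on two constructed AVC records shaped like the ones auditd logs, so it runs offline without root or SELinux. The real toggles and the module build commands (`semodule -DB`, `ausearch -m AVC`, `checkmodule`, `semodule_package`, `semodule -i`) appear only as comments. The function names `avc_to_allow` and `avc_to_te`, the module name `passt_local` and the sample records are assumptions. The point of doing this by hand is the review it forces: read each generated `allow` line and keep only the permissions the workload actually needs, rather than loading whatever the denial log suggests.

```shell
#!/bin/sh
# Workflow on a real host (not executed here; needs root and SELinux):
#   semodule -DB                     # rebuild policy with dontaudit rules disabled
#   ausearch -m AVC -ts recent       # the previously hidden denials now appear
#   ... reproduce the failure, collect the AVC records ...
#   semodule -B                      # restore dontaudit rules
#   checkmodule -M -m -o passt_local.mod passt_local.te
#   semodule_package -o passt_local.pp -m passt_local.mod
#   semodule -i passt_local.pp

# Constructed AVC records (not taken from the thread); the field layout follows
# auditd's AVC format: "denied { perms } ... scontext=... tcontext=... tclass=...".
SAMPLE_AVC1='type=AVC msg=audit(1729600000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="passt" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'
SAMPLE_AVC2='type=AVC msg=audit(1729600001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="passt" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_allow: convert one AVC denial record into a single SELinux allow rule.
# Source and target types are the third colon-separated field of the contexts.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
        {
            perms = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "denied") {
                    # permissions are the tokens between "{" and "}"
                    for (j = i + 2; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : " ") $j
                }
                if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (perms != "" && stype != "" && ttype != "" && tclass != "")
                printf "allow %s %s:%s { %s };\n", stype, ttype, tclass, perms
        }'
}

# avc_to_te: read AVC records on stdin and emit a complete policy module source
# (module header, require block with every type and class/permission used,
# then the deduplicated allow rules). $1 is the module name.
avc_to_te() {
    mod=$1
    while IFS= read -r line; do
        [ -n "$line" ] && avc_to_allow "$line"
    done | sort -u | awk -v mod="$mod" '
        {
            # $2 = source type, $3 = target:class, $5.. = perms up to "}"
            split($3, tc, ":")
            types[$2] = 1; types[tc[1]] = 1
            for (i = 5; i <= NF && $i != "}"; i++) cp[tc[2] SUBSEP $i] = 1
            rules[NR] = $0
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", mod
            for (t in types) printf "    type %s;\n", t
            for (k in cp) {
                split(k, p, SUBSEP)
                perms[p[1]] = perms[p[1]] (perms[p[1]] == "" ? "" : " ") p[2]
            }
            for (c in perms) printf "    class %s { %s };\n", c, perms[c]
            printf "}\n\n"
            for (i = 1; i <= NR; i++) print rules[i]
        }'
}

# Demo: build the module source from the two constructed records.
printf '%s\n%s\n' "$SAMPLE_AVC1" "$SAMPLE_AVC2" | avc_to_te passt_local
```

Run it as `sh avc_to_te.sh` to see the generated `.te` source; on a real host you would feed it `ausearch -m AVC -ts recent --raw` output captured while dontaudit was disabled, then read every `allow` line before building and loading the module.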