SELinux errors with RStudio Server

Trying to log in at localhost:8787 in a browser fails, with RStudio Server running on Fedora 30 with SELinux in enforcing mode, starting with the following alert:

AVC avc: denied { setpgid } for pid=32444 comm="rserver" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0

Setting SELinux to permissive mode allows logging in to succeed, but sets of a long chain of alerts:

I'm no expert on SELinux but I'm guessing a policy is needed for RStudio Server?

Is anyone running it successfully with SELinux enabled?

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Woops! Totally missed this one! There are some meanderings here: https://stackoverflow.com/questions/56711147/how-to-run-rstudio-server-with-selinux-enabled

Also, I thought I remember running into some SELinux problems when I upgraded RStudio Server relatively recently (in the last year). Which version are you using? I thought some of the newer 1.2 builds had a fix for this, but I could be mistaken! It's definitely something we would be interesting to hear more on if you continue to have trouble!

The partial solution is to fix the selinux context as I noted on stackoverflow and github. But the real solution needs to be a selinux policy. Ideally that would be created with input from RStudio developers who understand its functionality.

Fedora acknowledged my github request for a targetted selinux policy, but given how niche RStudio Server is, I think it needs to be driven by its users' and developers' initiative for any real chance of being implemented.

Ah I'm sorry to hear about the difficulty you have run into here! I can definitely resonate with the desire to have a less-than-completely-open SELinux policy specifically for RStudio Server. Am I correct in understanding that this would be a policy that articulates exactly what system access the RStudio Server needs to function? (minimally sufficient)

Do you have any examples handy of how other software vendors provide this type of policy? Is it operating system agnostic, or specific to each linux distro?

Sorry for all the questions - I know very little about SELinux in practice :slight_smile: I think it would be really nice to have this type of thing, but I'm not sure how much work it is / what its priority is / how technically involved it is / etc. I think scoping those types of things could be helpful to a resolution!

EDIT: Related GitHub issue: https://github.com/rstudio/rstudio/issues/4937

Thanks for reopening this thread @cole.

Since the solution posted on github and stackoverflow is just a workaround, there are two main goals to getting a permanent solution:

  1. Get RStudio Server working out of the box with SELinux.

    • The source of the problem is that RStudio Server is packaged with binaries in a library directory usr/lib.
    • This results in binaries having the SELinux type lib_t instead of bin_t. Not following Filesystem Hierarchy Standards is the cause of the SELinux errors.
    • The solution might be as simple as to install the binaries found in /usr/lib/rustudio-server/bin into /usr/bin or /usr/sbin or /usr/libexec as needed.
  2. Create a targeted SELinux policy for RStudio Server.


I'll try to answer your questions though I'm no expert on SELinux. Much of what I've learned around this issue (including the workaround posted) is thanks to #selinux user "grift" who has been exceptionally helpful, available, and patient.

Yes.

Perhaps looking through the existing policies for many software will give an idea: https://github.com/fedora-selinux/selinux-policy-contrib

From grift at #selinux IRC:

they could but they aren't, although most distributions base their policy on a common base policy called reference policy

1 Like