[DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

Andreas Florath andre at flonatel.org
Fri Aug 1 05:19:20 UTC 2014


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

When SELinux is enabled (set to enforced) and systemd is used, some AVCs are logged:

Jul 31 16:02:42 debtest kernel: [    3.292205] type=1400 audit(1406815358.096:4): avc:  denied  { write } for  pid=214 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.292228] type=1400 audit(1406815358.096:5): avc:  denied  { setattr } for  pid=214 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.362846] type=1400 audit(1406815358.164:6): avc:  denied  { setattr } for  pid=224 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.850978] type=1400 audit(1406815358.652:7): avc:  denied  { mounton } for  pid=237 comm="mount" path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.851420] type=1400 audit(1406815358.652:8): avc:  denied  { mounton } for  pid=237 comm="mount" path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir

type=AVC msg=audit(1406815362.316:10): avc:  denied  { read } for  pid=723 comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Please note that the stable (V44) systemd is used.

Andre


# dpkg -l | grep systemd
ii  libpam-systemd:amd64               44-11+deb7u4              amd64        system and service manager - PAM module
ii  libsystemd-daemon0:amd64           44-11+deb7u4              amd64        systemd utility library
ii  libsystemd-id128-0:amd64           44-11+deb7u4              amd64        systemd 128 bit ID utility library
ii  libsystemd-journal0:amd64          44-11+deb7u4              amd64        systemd journal utility library
ii  libsystemd-login0:amd64            44-11+deb7u4              amd64        systemd login utility library
ii  systemd                            44-11+deb7u4              amd64        system and service manager
ii  systemd-sysv                       44-11+deb7u4              amd64        system and service manager - SysV links

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
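To make the denials quoted above easier to review, here is an added Python example (not part of the bug report or the selinux-policy-default package) that parses kernel- and auditd-format AVC lines, collapses repeated denials into one entry per source type, target type and object class with the union of permissions, and renders candidate rules in policy .te syntax, as a reviewer would do before deciding which denials are genuine policy gaps. The sample input is constructed from the lines in the report.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the report above, in both the
# kernel/dmesg format (type=1400) and the auditd format (type=AVC).
SAMPLE_AVCS = """\
Jul 31 16:02:42 debtest kernel: [    3.292205] type=1400 audit(1406815358.096:4): avc:  denied  { write } for  pid=214 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.292228] type=1400 audit(1406815358.096:5): avc:  denied  { setattr } for  pid=214 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.850978] type=1400 audit(1406815358.652:7): avc:  denied  { mounton } for  pid=237 comm="mount" path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [    3.851420] type=1400 audit(1406815358.652:8): avc:  denied  { mounton } for  pid=237 comm="mount" path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
type=AVC msg=audit(1406815362.316:10): avc:  denied  { read } for  pid=723 comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches the denied permission set, then the source/target contexts and the
# object class; the lazy ".*?" skips pid=, comm=, name=/path=, dev=, ino=.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type (index 2) is what policy rules use.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return {"stype": stype, "ttype": ttype, "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split())}


def summarize(text):
    """Collapse denials into {(stype, ttype, tclass): set_of_permissions}."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def to_te_rules(summary):
    """Render each collapsed denial as a candidate allow rule in .te syntax."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Each generated rule is a candidate for review, not something to load as-is: a denial such as mount_t writing to securityfs may point at a mislabelled mount point rather than a missing allow rule.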
