[DSE-Dev] Bug#756731: Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

Andreas Florath andre at flonatel.org
Tue Aug 5 07:43:40 UTC 2014


Hello!

As suggested, I retested this with Jessie:
There are still some AVCs logged, but these differ from the ones logged in Wheezy.

Aug  5 09:26:11 debselinux01 kernel: [    1.197831] audit: type=1400 audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug  5 09:26:11 debselinux01 kernel: [    1.199479] audit: type=1400 audit(1407223571.360:5): avc:  denied  { read } for  pid=166 comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.199488] audit: type=1400 audit(1407223571.360:6): avc:  denied  { read } for  pid=166 comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.199942] audit: type=1400 audit(1407223571.360:7): avc:  denied  { read } for  pid=166 comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.202553] audit: type=1400 audit(1407223571.364:8): avc:  denied  { getcap } for  pid=166 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug  5 09:26:11 debselinux01 kernel: [    1.202763] audit: type=1400 audit(1407223571.364:9): avc:  denied  { getattr } for  pid=166 comm="systemd-tmpfile" path="/dev/autofs" dev="devtmpfs" ino=5287 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.203130] audit: type=1400 audit(1407223571.364:10): avc:  denied  { getcap } for  pid=166 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
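
Added example (not part of the bug report or of the Debian policy packages): a small Python triage script that parses AVC records in the raw kernel-log form quoted above, collapses repeated denials by source type, target type and object class, and renders each distinct denial as an audit2allow-style allow rule for review. The sample input is constructed from five of the lines in the report; the rule output is a starting point for deciding between a policy fix and a dontaudit, not a finished policy module.

```python
import re
from collections import defaultdict

# Constructed sample: five AVC lines from the report above (one duplicated
# urandom read), kept in raw kernel-log form so the parser must skip the prefix.
SAMPLE_LOG = """\
Aug  5 09:26:11 debselinux01 kernel: [    1.197831] audit: type=1400 audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug  5 09:26:11 debselinux01 kernel: [    1.199479] audit: type=1400 audit(1407223571.360:5): avc:  denied  { read } for  pid=166 comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.199488] audit: type=1400 audit(1407223571.360:6): avc:  denied  { read } for  pid=166 comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [    1.202553] audit: type=1400 audit(1407223571.364:8): avc:  denied  { getcap } for  pid=166 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug  5 09:26:11 debselinux01 kernel: [    1.202763] audit: type=1400 audit(1407223571.364:9): avc:  denied  { getattr } for  pid=166 comm="systemd-tmpfile" path="/dev/autofs" dev="devtmpfs" ino=5287 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return one AVC record as a dict (perms as a set), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize_denials(log_text):
    """Collapse repeated denials into {(source_type, target_type, tclass): {perms}}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        stype, ttype = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type[:range]
        summary[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return dict(summary)

def candidate_rules(summary):
    """Render each distinct denial as an audit2allow-style allow rule for human review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype  # same-domain access is written as self
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules
```

Running `candidate_rules(summarize_denials(SAMPLE_LOG))` yields four rules from the five lines, because the repeated urandom read collapses to one entry.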
