[DSE-Dev] Bug#756542: selinux-policy-default: Installation of systemd from wheezy-backports results in many AVCs

Andreas Florath andre at flonatel.org
Wed Jul 30 19:01:19 UTC 2014


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

Using systemd from backports (version see below), many AVCs appear in the log.
The system is (partially) unusable - e.g. eth0 does not work reliably.

This is needed to reproduce the problem:

Install a new (minimal) Debian 7.6.

Install selinux.

During the installation of systemd I have to set SELinux to
permissive, because there is a problem with groupadd:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756468

# getenforce
Enforcing
# setenforce 0
# se_apt-get install -t wheezy-backports systemd
# setenforce 1
# reboot

When the system comes up, it has some 'hiccups' - like eth0 not being reliable.
The audit.log is full of AVCs - and there are even some in /var/log/messages (because IMHO they occur when auditd is not up and running.)

/var/log/messages

Jul 30 13:31:05 debselinux kernel: [    3.995920] type=1400 audit(1406719861.688:4): avc:  denied  { setattr } for  pid=224 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [    4.381726] type=1400 audit(1406719862.076:5): avc:  denied  { read } for  pid=239 comm="systemd-journal" name="kmsg" dev=devtmpfs ino=1034 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
Jul 30 13:31:05 debselinux kernel: [    4.381773] type=1400 audit(1406719862.076:6): avc:  denied  { write } for  pid=239 comm="systemd-journal" name="journal" dev=tmpfs ino=1351 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [    6.214468] type=1400 audit(1406719863.908:7): avc:  denied  { mounton } for  pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [    6.214861] type=1400 audit(1406719863.908:8): avc:  denied  { mounton } for  pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [    6.748974] type=1400 audit(1406719864.444:9): avc:  denied  { getattr } for  pid=587 comm="systemd-tmpfile" path="/dev/xconsole" dev=devtmpfs ino=4500 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:xconsole_device_t:s0 tclass=fifo_file
Jul 30 13:31:05 debselinux kernel: [    6.765430] type=1107 audit(1406719864.460:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
Jul 30 13:31:05 debselinux kernel: [    6.824456] type=1400 audit(1406719864.520:11): avc:  denied  { name_bind } for  pid=708 comm="dhclient" src=9131 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [    6.824535] type=1400 audit(1406719864.520:12): avc:  denied  { name_bind } for  pid=708 comm="dhclient" src=10664 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [    7.214021] type=1107 audit(1406719864.908:13): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/systemd-journald.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service

/var/log/audit/audit.log

type=AVC msg=audit(1406719814.627:15): avc:  denied  { use } for  pid=3117 comm="groupadd" path="/dev/pts/2" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
type=AVC msg=audit(1406719814.635:16): avc:  denied  { search } for  pid=3117 comm="groupadd" name="files" dev=dm-0 ino=522863 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1406719814.635:16): avc:  denied  { read } for  pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:16): avc:  denied  { open } for  pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:17): avc:  denied  { getattr } for  pid=3117 comm="groupadd" path="/etc/selinux/default/contexts/files/file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719865.856:17): avc:  denied  { read } for  pid=1275 comm="systemd-logind" name="cpu" dev=tmpfs ino=3353 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
type=AVC msg=audit(1406719866.004:26): avc:  denied  { read } for  pid=1351 comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1406719866.260:31): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:32): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/graphical.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:33): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:34): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:35): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:36): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/rescue.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1406719885.267:39): avc:  denied  { name_bind } for  pid=1370 comm="dhclient" src=14083 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1406719885.291:40): avc:  denied  { read write } for  pid=1373 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.392:41): avc:  denied  { read write } for  pid=1377 comm="hostname" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:42): avc:  denied  { read write } for  pid=1378 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:43): avc:  denied  { read write } for  pid=1379 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=USER_AVC msg=audit(1406719885.484:44): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p CanReload show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.488:45): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p LoadState show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.496:46): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="/bin/systemctl restart ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'

Kind regards

Andre



# dpkg -l | grep systemd
ii  libpam-systemd:amd64               204-14~bpo70+1            amd64        system and service manager - PAM module
ii  libsystemd-daemon0:amd64           204-14~bpo70+1            amd64        systemd utility library
ii  libsystemd-journal0:amd64          204-14~bpo70+1            amd64        systemd journal utility library
ii  libsystemd-login0:amd64            204-14~bpo70+1            amd64        systemd login utility library
ii  systemd                            204-14~bpo70+1            amd64        system and service manager
ii  systemd-sysv                       204-14~bpo70+1            amd64        system and service manager - SysV links

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information