[DSE-Dev] Bug#756542: selinux-policy-default: Installation of systemd from wheezy-backports results in many AVCs
Andreas Florath
andre at flonatel.org
Wed Jul 30 19:01:19 UTC 2014
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal
Dear Maintainer,
Using systemd from backports (version: see below), many AVCs appear in the logs.
The system is (partially) unusable, e.g. eth0 does not work reliably.
This is needed to reproduce the problem:
Install a new (minimal) Debian 7.6.
Install selinux.
During the installation of systemd I have to set SELinux to
permissive, because there is a problem with groupadd:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756468
# getenforce
Enforcing
# setenforce 0
# se_apt-get install -t wheezy-backports systemd
# setenforce 1
# reboot
When the system comes up, it has some 'hiccups', e.g. eth0 is not reliable.
The audit.log is full of AVCs, and there are even some in /var/log/messages (because, IMHO, they occur while auditd is not up and running).
/var/log/messages
Jul 30 13:31:05 debselinux kernel: [ 3.995920] type=1400 audit(1406719861.688:4): avc: denied { setattr } for pid=224 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 4.381726] type=1400 audit(1406719862.076:5): avc: denied { read } for pid=239 comm="systemd-journal" name="kmsg" dev=devtmpfs ino=1034 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
Jul 30 13:31:05 debselinux kernel: [ 4.381773] type=1400 audit(1406719862.076:6): avc: denied { write } for pid=239 comm="systemd-journal" name="journal" dev=tmpfs ino=1351 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.214468] type=1400 audit(1406719863.908:7): avc: denied { mounton } for pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.214861] type=1400 audit(1406719863.908:8): avc: denied { mounton } for pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.748974] type=1400 audit(1406719864.444:9): avc: denied { getattr } for pid=587 comm="systemd-tmpfile" path="/dev/xconsole" dev=devtmpfs ino=4500 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:xconsole_device_t:s0 tclass=fifo_file
Jul 30 13:31:05 debselinux kernel: [ 6.765430] type=1107 audit(1406719864.460:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
Jul 30 13:31:05 debselinux kernel: [ 6.824456] type=1400 audit(1406719864.520:11): avc: denied { name_bind } for pid=708 comm="dhclient" src=9131 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [ 6.824535] type=1400 audit(1406719864.520:12): avc: denied { name_bind } for pid=708 comm="dhclient" src=10664 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [ 7.214021] type=1107 audit(1406719864.908:13): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/systemd-journald.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
/var/log/audit/audit.log
type=AVC msg=audit(1406719814.627:15): avc: denied { use } for pid=3117 comm="groupadd" path="/dev/pts/2" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
type=AVC msg=audit(1406719814.635:16): avc: denied { search } for pid=3117 comm="groupadd" name="files" dev=dm-0 ino=522863 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1406719814.635:16): avc: denied { read } for pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:16): avc: denied { open } for pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:17): avc: denied { getattr } for pid=3117 comm="groupadd" path="/etc/selinux/default/contexts/files/file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719865.856:17): avc: denied { read } for pid=1275 comm="systemd-logind" name="cpu" dev=tmpfs ino=3353 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
type=AVC msg=audit(1406719866.004:26): avc: denied { read } for pid=1351 comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1406719866.260:31): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:32): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/graphical.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:33): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:34): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:35): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:36): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/rescue.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1406719885.267:39): avc: denied { name_bind } for pid=1370 comm="dhclient" src=14083 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1406719885.291:40): avc: denied { read write } for pid=1373 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.392:41): avc: denied { read write } for pid=1377 comm="hostname" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:42): avc: denied { read write } for pid=1378 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:43): avc: denied { read write } for pid=1379 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=USER_AVC msg=audit(1406719885.484:44): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p CanReload show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.488:45): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p LoadState show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.496:46): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="/bin/systemctl restart ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
Kind regards
Andre
# dpkg -l | grep systemd
ii libpam-systemd:amd64 204-14~bpo70+1 amd64 system and service manager - PAM module
ii libsystemd-daemon0:amd64 204-14~bpo70+1 amd64 systemd utility library
ii libsystemd-journal0:amd64 204-14~bpo70+1 amd64 systemd journal utility library
ii libsystemd-login0:amd64 204-14~bpo70+1 amd64 systemd login utility library
ii systemd 204-14~bpo70+1 amd64 system and service manager
ii systemd-sysv 204-14~bpo70+1 amd64 system and service manager - SysV links
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-7.1
ii libselinux1 2.1.9-5
ii libsepol1 2.1.4-3
ii policycoreutils 2.1.10-9
ii python 2.7.3-4+deb7u1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.1.8-2
pn setools <none>
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
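The denials quoted in this report can be triaged offline with the script below. It is an added example, not part of the bug report or of the Debian selinux-policy packages. It parses the three record shapes that appear above (kernel-log type=1400/1107 lines from /var/log/messages, and AVC / USER_AVC records from audit.log), collapses them into one entry per source type, target type and object class the way audit2allow groups them, and flags the groups (systemd unit control, binding to the generic port_t label) that should not be turned into allow rules without an explicit policy decision. The sample lines are copied from the report; the "ifup at .service" path is assumed to be the list archive's rewriting of ifup@.service.

```python
import re
from collections import defaultdict

# Sample denials copied from the bug report (kernel-log, audit.log AVC and
# USER_AVC formats). The archive rewrote "@" as " at " in the ifup unit name;
# it is restored to ifup@.service here (assumption).
SAMPLE_LOG = r"""
Jul 30 13:31:05 debselinux kernel: [ 3.995920] type=1400 audit(1406719861.688:4): avc: denied { setattr } for pid=224 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.765430] type=1107 audit(1406719864.460:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
type=AVC msg=audit(1406719814.627:15): avc: denied { use } for pid=3117 comm="groupadd" path="/dev/pts/2" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
type=AVC msg=audit(1406719885.267:39): avc: denied { name_bind } for pid=1370 comm="dhclient" src=14083 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1406719885.291:40): avc: denied { read write } for pid=1373 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:42): avc: denied { read write } for pid=1378 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=USER_AVC msg=audit(1406719885.496:46): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="/bin/systemctl restart ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
"""

# The "avc: denied ..." core is identical in all three record shapes; the
# type=1400 / type=1107 / AVC / USER_AVC wrapper does not matter for grouping.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """user:role:type[:range] -> type, the component policy rules name."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return one denial as a dict, or None if the line carries no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "-"),  # absent in USER_AVC / type=1107 records
        "object": fields.get("path") or fields.get("name") or fields.get("src", "-"),
    }


def summarize(lines):
    """Collapse repeated denials into one entry per (source type, target type,
    class), the grouping audit2allow uses, with a hit count and the commands seen."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return dict(groups)


def as_allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose, annotated."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        comms = ",".join(sorted(g["comms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {g['count']}x via {comms}")
    return rules


def review_notes(groups):
    """Groups that must not be converted into allow rules mechanically."""
    notes = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        if tclass in ("service", "system"):
            notes.append(f"{stype} -> {ttype}:{tclass}: systemd unit/manager control, "
                         f"decide explicitly whether {stype} may manage units")
        if "name_bind" in g["perms"] and ttype == "port_t":
            notes.append(f"{stype}: binds a port carrying the generic port_t label; "
                         f"establish the intended port range before allowing all of port_t")
    return notes


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(as_allow_rules(groups)))
    print("\n".join("REVIEW: " + n for n in review_notes(groups)))
```

Run it as-is to see the grouped output for the sample, or feed it a real file with `summarize(open("/var/log/audit/audit.log"))`; because it accepts the kernel-log format too, the same call works on /var/log/messages, which is where the early-boot denials in this report end up before auditd starts. audit2allow -a remains the standard tool for generating a module; the point of the script is to see, before doing that, which denials are plain missing file rules and which ones are unit-control or port decisions.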