[DSE-Dev] Bug#977316: selinux-policy-default of Debian 10.7.0 gives 52 denials with minimal install

Debian bugs <-> IOPEN debian-bugs at iopen.net
Sun Dec 13 21:48:51 GMT 2020


Package: selinux-policy-default
Version: 2:2.20190201-2

Using debian-10.7.0-amd64-netinst.iso we installed minimal + SSH server
+ standard system utilities.

Kernel: 4.19.0-13-amd64

Upon first boot of the installed system we stopped and disabled apparmor.

Then we performed the steps in this:

> https://wiki.debian.org/SELinux/Setup

When the system rebooted following the relabelling, we executed
"audit2why -al" and found 52 denials.

We expected zero denials. We expect the problem to occur with any such
installation.

The output of "audit2why -al" is attached, because the long lines make
the pasted version very messy.

Regards,
The IOPEN Team


-------------- attachment: output of "audit2why -al" --------------
type=AVC msg=audit(1607611437.896:7): avc:  denied  { getattr } for  pid=346 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc:  denied  { create } for  pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc:  denied  { add_name } for  pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc:  denied  { write } for  pid=295 comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611438.920:15): avc:  denied  { read } for  pid=229 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=12202 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611438.920:16): avc:  denied  { read } for  pid=229 comm="systemd-timesyn" name="system_bus_socket" dev="tmpfs" ino=12205 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc:  denied  { add_name } for  pid=399 comm="login" name="motd.dynamic" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc:  denied  { rename } for  pid=399 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc:  denied  { remove_name } for  pid=399 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc:  denied  { write } for  pid=399 comm="login" name="/" dev="tmpfs" ino=1128 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:35): avc:  denied  { open } for  pid=399 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:35): avc:  denied  { read } for  pid=399 comm="login" name="motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:36): avc:  denied  { getattr } for  pid=399 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:37): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:38): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:39): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:40): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:41): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:42): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:52): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:53): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:54): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:55): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:56): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:57): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:58): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:51): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:7): avc:  denied  { getattr } for  pid=340 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc:  denied  { create } for  pid=301 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc:  denied  { add_name } for  pid=301 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc:  denied  { write } for  pid=301 comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc:  denied  { add_name } for  pid=376 comm="login" name="motd.dynamic" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc:  denied  { rename } for  pid=376 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc:  denied  { remove_name } for  pid=376 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc:  denied  { write } for  pid=376 comm="login" name="/" dev="tmpfs" ino=8491 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:33): avc:  denied  { open } for  pid=376 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:33): avc:  denied  { read } for  pid=376 comm="login" name="motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:34): avc:  denied  { getattr } for  pid=376 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:35): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:36): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:37): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:38): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:39): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:40): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:50): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:51): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:52): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:53): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:54): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:55): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:56): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:49): avc:  denied  { signull } for  pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
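To triage an attachment like the one above, the script below (an added example, not part of the bug report or of the selinux-policy-default package) parses AVC records in the audit2why output format and collapses them into distinct (source type, target type, class, permission) tuples, which is the level at which a policy maintainer decides whether a rule belongs in the policy. The four sample records are copied from the attachment above; all field names come from the records themselves.

```python
import re
from collections import Counter

# Sample input: four records copied from the attached "audit2why -al" output
# (two boots, hence the repeated udev_t/initrc_var_run_t denial).
SAMPLE_AVC = """\
type=AVC msg=audit(1607611437.896:7): avc:  denied  { getattr } for  pid=346 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607611438.920:15): avc:  denied  { read } for  pid=229 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=12202 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607611448.364:37): avc:  denied  { signull } for  pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1607611749.308:7): avc:  denied  { getattr } for  pid=340 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for non-AVC lines
    (the 'Was caused by' / audit2allow hint lines in audit2why output)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': tuple(m.group('perms').split()),   # may list several permissions
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
    }


def type_of(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def summarize(text):
    """Collapse individual records into distinct missing-rule tuples with counts."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'], perm)
            counts[key] += 1
    return counts


def as_rules(counts):
    """Render each tuple in allow-rule syntax so a maintainer can review it;
    this is a review aid, not a module to load unexamined."""
    return [f"allow {s} {t}:{c} {p};  # seen {n}x"
            for (s, t, c, p), n in sorted(counts.items())]


if __name__ == '__main__':
    for rule in as_rules(summarize(SAMPLE_AVC)):
        print(rule)
```

Run over the full attachment, the 52 records reduce to far fewer distinct rules, because the log spans two boots and every record carries permissive=1, so nothing was actually blocked.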


