Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot
Hello! As suggested, I retested this with Jessie: There are still some AVCs logged, but these differ from the ones logged in Wheezy.

Aug 5 09:26:11 debselinux01 kernel: [1.197831] audit: type=1400 audit(1407223571.360:4): avc: denied { net_admin } for pid=166 comm=systemd-tmpfile capability=12 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug 5 09:26:11 debselinux01 kernel: [1.199479] audit: type=1400 audit(1407223571.360:5): avc: denied { read } for pid=166 comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug 5 09:26:11 debselinux01 kernel: [1.199488] audit: type=1400 audit(1407223571.360:6): avc: denied { read } for pid=166 comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug 5 09:26:11 debselinux01 kernel: [1.199942] audit: type=1400 audit(1407223571.360:7): avc: denied { read } for pid=166 comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug 5 09:26:11 debselinux01 kernel: [1.202553] audit: type=1400 audit(1407223571.364:8): avc: denied { getcap } for pid=166 comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug 5 09:26:11 debselinux01 kernel: [1.202763] audit: type=1400 audit(1407223571.364:9): avc: denied { getattr } for pid=166 comm=systemd-tmpfile path=/dev/autofs dev=devtmpfs ino=5287 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
Aug 5 09:26:11 debselinux01 kernel: [1.203130] audit: type=1400 audit(1407223571.364:10): avc: denied { getcap } for pid=166 comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process

Kind regards
Andre

-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3
ii libselinux1 2.3-1
ii libsepol1 2.3-1
ii policycoreutils 2.3-1
ii python 2.7.8-1
ii selinux-utils 2.3-1

Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3

Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>

-- no debconf information
Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot
Hi Andre, as you can see I set the severity of the cosmetic bug reports, where AVCs are logged but apparently no functional degradation happens, to minor. Often programs will use different codepaths (or do not actually care) when something is denied (think of the equivalent of ls -la|grep etc [or something along the lines which actually makes sense] where stat'ing /dev will be prohibited. It will log an AVC, but the program doesn't actually care). Therefore, in policy we have dontaudit rules, which do deny access, but don't log AVCs. So if functionality is not degraded, this actually looks like a missing dontaudit rule, which is arguably only a minor error. Also please note that updates to Debian stable are only done for at least important bugs, so it is not really worth reporting minor bugs against versions in stable (other than for documentation purposes), we most likely will not actually fix them. If someone finds time, we will however try to test if they persist in testing/unstable to try to fix them in testing, such that the next stable release will have fewer bugs. If you could test minor/normal bugs you find in stable in testing/unstable (e.g. in a VM), that would actually help us a lot! If you need some help in setting up a test environment for that, I can help you with it (or even provide a vm to you which you can use for testing if you do not have necessary hardware). Cheers, Mika
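To illustrate the "missing dontaudit rule" reading of Andre's log, here is a small added example (not from the thread or the Debian policy package) that parses AVC denials like the ones quoted above, collapses duplicates by source type, target type and object class, and renders them as dontaudit (or allow) statements in the policy language, roughly what audit2allow does with the -D option. The sample lines are constructed from Andre's Jessie report with the syslog prefix stripped.

```python
import re
from collections import defaultdict

# Constructed sample: five of the AVC lines from the Jessie report above,
# syslog prefix removed. Two of them are identical on purpose to show dedup.
SAMPLE_AVCS = """\
avc: denied { net_admin } for pid=166 comm=systemd-tmpfile capability=12 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
avc: denied { read } for pid=166 comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
avc: denied { read } for pid=166 comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
avc: denied { getcap } for pid=166 comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
avc: denied { getattr } for pid=166 comm=systemd-tmpfile path=/dev/autofs dev=devtmpfs ino=5287 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
"""

# Permissions sit between braces; the three contexts/class fields always follow.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Group denials: (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_te_rules(rules, kind="dontaudit"):
    """Render as policy statements; use 'self' when source and target type match,
    as they do for the capability and process denials in the report."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"{kind} {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in to_te_rules(parse_avcs(SAMPLE_AVCS)):
        print(rule)
```

Whether a given denial deserves dontaudit or allow is still a judgement call: the tool only shows what was denied, and, as Mika says, the deciding question is whether the program actually lost functionality.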
Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot
Hello Mika, thank you very much for your detailed explanation. Looks like I'm missing some basics here. I'll try to reproduce the bugs I found with Jessie. (It might take some time, because I start vacation in the next days...) Thanks for your offer about the VMs - but I am able to set up a VM on my own ;-) Kind regards Andre