Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-08-05 Thread Andreas Florath
Hello!

As suggested, I retested this with Jessie:
There are still some AVCs logged, but these differ from the ones logged in 
Wheezy.

Aug  5 09:26:11 debselinux01 kernel: [1.197831] audit: type=1400 
audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166 
comm=systemd-tmpfile capability=12  
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug  5 09:26:11 debselinux01 kernel: [1.199479] audit: type=1400 
audit(1407223571.360:5): avc:  denied  { read } for  pid=166 
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199488] audit: type=1400 
audit(1407223571.360:6): avc:  denied  { read } for  pid=166 
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199942] audit: type=1400 
audit(1407223571.360:7): avc:  denied  { read } for  pid=166 
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.202553] audit: type=1400 
audit(1407223571.364:8): avc:  denied  { getcap } for  pid=166 
comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug  5 09:26:11 debselinux01 kernel: [1.202763] audit: type=1400 
audit(1407223571.364:9): avc:  denied  { getattr } for  pid=166 
comm=systemd-tmpfile path=/dev/autofs dev=devtmpfs ino=5287 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.203130] audit: type=1400 
audit(1407223571.364:10): avc:  denied  { getcap } for  pid=166 
comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        none
pn  syslog-summary  none

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-08-01 Thread Mika Pflüger
Hi Andre,

as you can see, I set the severity of the cosmetic bug reports, where
AVCs are logged but apparently no functional degradation happens, to
minor. Often programs will use different codepaths (or do not
actually care) when something is denied (think of the equivalent of ls
-la|grep etc [or something along those lines which actually makes sense],
where stat'ing /dev will be prohibited. It will log an AVC, but the
program doesn't actually care). Therefore, in policy we have
dontaudit rules, which do deny access but don't log AVCs. So if
functionality is not degraded, this actually looks like a missing
dontaudit rule, which is arguably only a minor error.

Also please note that updates to Debian stable are only done for at
least important bugs, so it is not really worth reporting minor bugs
against versions in stable (other than for documentation purposes); we
most likely will not actually fix them. If someone finds time, we will
however try to test whether they persist in testing/unstable, to try to fix
them in testing so that the next stable release will have fewer
bugs. If you could test minor/normal bugs you find in stable in
testing/unstable (e.g. in a VM), that would actually help us a lot!

If you need some help setting up a test environment for that, I can
help you with it (or even provide a VM to you which you can use for
testing if you do not have the necessary hardware).

Cheers,

Mika

-- 

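Mika's criterion above, that a denial which costs no functionality is a candidate for a dontaudit rule rather than an allow rule, is what audit2allow -D automates. The script below is an added example written for this thread, not Debian's or the reference policy's own code: it parses the AVC records Andreas posted (including the line wrapping the mail client introduced), merges them per source type, target type and object class, and renders a small .te module. The module name local_tmpfiles and all function names are the example's own; switching kind to "allow" is the choice to make for the denials that do degrade functionality.

```python
"""Turn AVC 'denied' records into candidate SELinux dontaudit (or allow) rules.

Added example for Debian bug #756731 (not Debian's or refpolicy's code).
It mimics what `audit2allow -D` does for the records in this thread, so the
difference between an `allow` and a `dontaudit` rule is visible in the output.
Whether a denial is cosmetic (dontaudit) or a real missing permission (allow)
is a judgement the script cannot make.
"""
import re

# AVC records copied from Andreas Florath's Jessie boot log in this thread,
# kept in the wrapped form the mail arrived in; the parser copes with that.
SAMPLE_AVCS = """\
Aug  5 09:26:11 debselinux01 kernel: [1.197831] audit: type=1400
audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166
comm=systemd-tmpfile capability=12
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug  5 09:26:11 debselinux01 kernel: [1.199479] audit: type=1400
audit(1407223571.360:5): avc:  denied  { read } for  pid=166
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199488] audit: type=1400
audit(1407223571.360:6): avc:  denied  { read } for  pid=166
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199942] audit: type=1400
audit(1407223571.360:7): avc:  denied  { read } for  pid=166
comm=systemd-tmpfile name=urandom dev=devtmpfs ino=1033
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.202553] audit: type=1400
audit(1407223571.364:8): avc:  denied  { getcap } for  pid=166
comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug  5 09:26:11 debselinux01 kernel: [1.202763] audit: type=1400
audit(1407223571.364:9): avc:  denied  { getattr } for  pid=166
comm=systemd-tmpfile path=/dev/autofs dev=devtmpfs ino=5287
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.203130] audit: type=1400
audit(1407223571.364:10): avc:  denied  { getcap } for  pid=166
comm=systemd-tmpfile scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
"""

# One record runs from "avc: denied { perms } for" up to its tclass=, across
# any line breaks (re.S), so mail-wrapped logs parse the same as raw audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*?)"
    r"\btclass=(?P<tclass>\S+)",
    re.S,
)
CTX_RE = re.compile(r"\b(?P<which>[st])context=(?P<ctx>\S+)")


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record: perms, source type, target type, class."""
    records = []
    for m in AVC_RE.finditer(text):
        ctx = {c.group("which"): c.group("ctx") for c in CTX_RE.finditer(m.group("rest"))}
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(ctx["s"]),
            "ttype": context_type(ctx["t"]),
            "tclass": m.group("tclass"),
        })
    return records


def aggregate(records):
    """Merge by (source type, target type, class) -> (union of perms, hit count)."""
    merged = {}
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        perms, count = merged.get(key, (set(), 0))
        merged[key] = (perms | r["perms"], count + 1)
    return merged


def fmt_perms(perms):
    s = " ".join(sorted(perms))
    return "{ %s }" % s if len(perms) > 1 else s


def make_rules(records, kind="dontaudit"):
    """One policy rule per merged key; a target equal to the source becomes 'self'."""
    rules = []
    for (stype, ttype, tclass), (perms, _count) in aggregate(records).items():
        target = "self" if ttype == stype else ttype
        rules.append(f"{kind} {stype} {target}:{tclass} {fmt_perms(perms)};")
    return rules


def render_module(records, name="local_tmpfiles", kind="dontaudit"):
    """Wrap the rules in a minimal refpolicy-style .te module with a require block."""
    types, class_perms = set(), {}
    for (stype, ttype, tclass), (perms, _n) in aggregate(records).items():
        types.update((stype, ttype))
        class_perms.setdefault(tclass, set()).update(perms)
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += make_rules(records, kind)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for key, (perms, n) in aggregate(recs).items():
        print(f"{n:2d}x  {key}  {sorted(perms)}")   # which denial is noisiest
    print(render_module(recs))
```

Compare the rendered module with the real tool's output (`audit2allow -D -M local_tmpfiles < avc.log`) before loading anything with semodule; the hit counts printed first show that the urandom read is the bulk of the noise, which is the kind of thing that decides whether a denial is cosmetic or worth an allow rule.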

Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-08-01 Thread Andreas Florath
Hello Mika,

thank you very much for your detailed explanation.
Looks like I am missing some basics here.

I'll try to reproduce the bugs I found with Jessie.
(It might take some time, because I start vacation
in the next days...)

Thanks for your offer about the VMs - but I am able
to set up a VM on my own ;-)

Kind regards

Andre


-- 