* Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: aranea @ 2013-02-14 21:25 UTC (permalink / raw)
  To: selinux


Hello everyone,


does anybody have an idea about this bug?
https://bugs.gentoo.org/show_bug.cgi?id=457618

It looks like help from SELinux kernel developers would be really
helpful here, as everything is going on in-kernel here. It would be
especially helpful if someone could explain why there are no avc denial
messages.

If it helps, this is the userland script which mounts the cgroup
filesystems and therefore causes the messages:

        local agent="/lib64/rc/sh/cgroup-release-agent.sh"
        mkdir /sys/fs/cgroup/openrc
        mount -n -t cgroup \
                -o none,nodev,noexec,nosuid,name=openrc,release_agent="$agent" \
                openrc /sys/fs/cgroup/openrc
        echo 1 > /sys/fs/cgroup/openrc/notify_on_release

        yesno ${rc_controller_cgroups:-YES} && [ -e /proc/cgroups ] || return 0
        while read name hier groups enabled rest; do
                case "${enabled}" in
                        1)      mkdir /sys/fs/cgroup/${name}
                                mount -n -t cgroup -o nodev,noexec,nosuid,${name} \
                                        ${name} /sys/fs/cgroup/${name}
                                ;;
                esac
        done < /proc/cgroups

The "echo 1" line yields a "permission denied" error, but apart from
that there are no other messages.


If you need more details, just ask me.
Any feedback will be greatly appreciated!


Regards,
Luis "aranea" Ressel


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Stephen Smalley @ 2013-02-15 13:32 UTC (permalink / raw)
  To: Luis Ressel; +Cc: selinux

On 02/14/2013 04:25 PM, Luis Ressel wrote:
> Hello everyone,
>
>
> does anybody have an idea about this bug?
> https://bugs.gentoo.org/show_bug.cgi?id=457618
>
> It looks like help from SELinux kernel developers would be really
> helpful here, as everything is going on in-kernel here. It would be
> especially helpful if someone could explain why there are no avc denial
> messages.
>
> If it helps, this is the userland script which mounts the cgroup
> filesystems and therefore causes the messages:
>
>          local agent="/lib64/rc/sh/cgroup-release-agent.sh"
>          mkdir /sys/fs/cgroup/openrc
>          mount -n -t cgroup \
>                  -o none,nodev,noexec,nosuid,name=openrc,release_agent="$agent" \
>                  openrc /sys/fs/cgroup/openrc
>          echo 1 > /sys/fs/cgroup/openrc/notify_on_release
>
>          yesno ${rc_controller_cgroups:-YES} && [ -e /proc/cgroups ] || return 0
>          while read name hier groups enabled rest; do
>                  case "${enabled}" in
>                          1)      mkdir /sys/fs/cgroup/${name}
>                                  mount -n -t cgroup -o nodev,noexec,nosuid,${name} \
>                                          ${name} /sys/fs/cgroup/${name}
>                                  ;;
>                  esac
>          done < /proc/cgroups
>
> The "echo 1" line yields a "permission denied" error, but apart from
> that there are no other messages.
>
>
> If you need more details, just ask me.
> Any feedback will be greatly appreciated!

Try stripping dontaudit rules from your policy and re-testing.
semodule -DB
<re-test>
semodule -B

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Luis Ressel @ 2013-02-15 14:06 UTC (permalink / raw)
  To: selinux


On Fri, 15 Feb 2013 08:32:23 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> Try stripping dontaudit rules from your policy and re-testing.
> semodule -DB
> <re-test>
> semodule -B

Thanks for your tip, but I already did that before contacting this ML.
There are no denial messages during that time of boot, and all denials
which happen earlier or later don't look related.

Some minutes ago, I managed to find the exact calls to
avc_has_perm_noaudit which are involved here by excessive use of printk,
but I haven't figured out yet how to interpret its arguments.


Regards,
Luis Ressel


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Stephen Smalley @ 2013-02-15 14:28 UTC (permalink / raw)
  To: Luis Ressel; +Cc: SELinux, Eric Paris

On 02/15/2013 09:06 AM, Luis Ressel wrote:
> On Fri, 15 Feb 2013 08:32:23 -0500
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> Try stripping dontaudit rules from your policy and re-testing.
>> semodule -DB
>> <re-test>
>> semodule -B
>
> Thanks for your tip, but I already did that before contacting this ML.
> There are no denial messages during that time of boot, and all denials
> which happen earlier or later don't look related.
>
> Some minutes ago, I managed to find the exact calls to
> avc_has_perm_noaudit which are involved here by excessive use of printk,
> but I haven't figured out yet how to interpret its arguments.

So, just to be clear, you are saying that avc_has_perm_noaudit() is 
getting a denial (i.e. denied != 0) but you are never getting an avc 
denied message even with no dontaudit rules?

You could call slow_avc_audit() directly to display the arguments in a 
meaningful format.


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Luis Ressel @ 2013-02-15 15:02 UTC (permalink / raw)
  To: SELinux; +Cc: Eric Paris


On Fri, 15 Feb 2013 09:28:06 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> So, just to be clear, you are saying that avc_has_perm_noaudit() is 
> getting a denial (i.e. denied != 0) but you are never getting an avc 
> denied message even with no dontaudit rules?

I know this sounds strange, but that's exactly what it looks like to me
at the moment. (I'm a SELinux beginner, though)

> You could call slow_avc_audit() directly to display the arguments in
> a meaningful format.

I did the following in hooks.c:

         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+        if (rc == -13)
+        {
+            printk(KERN_ERR "avc_has_perm_noaudit(%u, %u, %u, %u, 0, &avd)", sid, isec->sid, isec->sclass, perms);
+            slow_avc_audit(sid, isec->sid, isec->sclass, perms, 1, 1, NULL, 0);
+        }   
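Review bot: the condition `if (rc == -13)` hard-codes the errno value; compare against `-EACCES` instead so the intent is readable and the check does not depend on the numeric value. In the `slow_avc_audit()` call the `audited` and `denied` arguments are both hard-coded to 1, which names bit 0x1 rather than the permission that actually failed; derive them from the decision that `avd` already holds, e.g. `denied = perms & ~avd.allowed;` and `audited = denied & avd.auditdeny;`, and pass those (auditdeny is also the field that shows whether policy has silenced the denial). The `printk` format string has no trailing `\n`, so the next kernel message is appended to the same line; end it with `\n` and print the avd fields in the same printk so the output cannot interleave.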

But that also didn't yield any audit messages. The printk call works, however. 
To be honest, I don't know exactly what to fill in for the last 4 arguments.

The call chain leading there is
cgroup_addrm_files
cgroup_add_file
lookup_one_len
inode_permission
__inode_permission
security_inode_permission
selinux_inode_permission

Inside selinux_inode_permission, avc_has_perm_noaudit returns -EACCES
and avc_audit_required returns 0.


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Stephen Smalley @ 2013-02-15 15:34 UTC (permalink / raw)
  To: Luis Ressel; +Cc: SELinux, Eric Paris

On 02/15/2013 10:02 AM, Luis Ressel wrote:
> On Fri, 15 Feb 2013 09:28:06 -0500
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> So, just to be clear, you are saying that avc_has_perm_noaudit() is
>> getting a denial (i.e. denied != 0) but you are never getting an avc
>> denied message even with no dontaudit rules?
>
> I know this sounds strange, but that's exactly what it looks like to me
> at the moment. (I'm a SELinux beginner, though)
>
>> You could call slow_avc_audit() directly to display the arguments in
>> a meaningful format.
>
> I did the following in hooks.c:
>
>           rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
> +        if (rc == -13)
> +        {
> +            printk(KERN_ERR "avc_has_perm_noaudit(%u, %u, %u, %u, 0, &avd)", sid, isec->sid, isec->sclass, perms);
> +            slow_avc_audit(sid, isec->sid, isec->sclass, perms, 1, 1, NULL, 0);
> +        }
>
> But that also didn't yield any audit messages. The printk call works, however.
> To be honest, I don't know exactly what to fill in for the last 4 arguments.
>
> The call chain leading there is
> cgroup_addrm_files
> cgroup_add_file
> lookup_one_len
> inode_permission
> __inode_permission
> security_inode_permission
> selinux_inode_permission
>
> Inside selinux_inode_permission, avc_has_perm_noaudit returns -EACCES
> and avc_audit_required returns 0.

Output from the printk was what?
Also of interest would be avd->allowed, avd->auditdeny, from_access.
In this situation, if you just let it fall through to 
audit_inode_permission() rather than bailing on !audited, you should get 
an avc audit message.  audit_inode_permission() calls slow_avc_audit() 
for you.

Are you sure your audit messages aren't just going to audit.log rather 
than syslog?  That would be the case if auditd has started.

Need to figure out why the kernel isn't auditing the denial for you 
(that's a kernel bug), but the policy bug here is likely that you aren't 
allowing the process to search the cgroup dir.  Don't know anything 
about your policy.


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Luis Ressel @ 2013-02-15 16:07 UTC (permalink / raw)
  To: SELinux; +Cc: Eric Paris



On Fri, 15 Feb 2013 10:34:00 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> Output from the printk was what?
> Also of interest would be avd->allowed, avd->auditdeny, from_access.

I attached a syslog snippet.

> In this situation, if you just let it fall through to 
> audit_inode_permission() rather than bailing on !audited, you should
> get an avc audit message.  audit_inode_permission() calls
> slow_avc_audit() for you.

I already tried that; it doesn't yield a message either.

> Are you sure your audit messages aren't just going to audit.log
> rather than syslog?  That would be the case if auditd has started.

I don't use auditd, and there are some other audit messages in kern.log
and avc.log (at least if I disable dontaudit rules).

> Need to figure out why the kernel isn't auditing the denial for you 
> (that's a kernel bug), but the policy bug here is likely that you
> aren't allowing the process to search the cgroup dir.  Don't know
> anything about your policy.

I'm using the refpolicy 2.20120725 with some Gentoo-specific patches:
http://mirror.mcs.anl.gov/pub/gentoo/distfiles/patchbundle-selinux-base-policy-2.20120725-r9.tar.bz

[-- Attachment #1.2: debug2.log --]

Feb 15 17:01:23 virt kernel: [    0.361809] SELinux: 2048 avtab hash slots, 11172 rules.
Feb 15 17:01:23 virt kernel: [    0.365897] SELinux: 2048 avtab hash slots, 11172 rules.
Feb 15 17:01:23 virt kernel: [    0.366308] SELinux:  6 users, 27 roles, 1325 types, 41 bools
Feb 15 17:01:23 virt kernel: [    0.366314] SELinux:  81 classes, 11172 rules
Feb 15 17:01:23 virt kernel: [    0.369135] SELinux:  Completing initialization.
Feb 15 17:01:23 virt kernel: [    0.369139] SELinux:  Setting up existing superblocks.
Feb 15 17:01:23 virt kernel: [    0.369159] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369169] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369178] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369188] SELinux: initialized (dev proc, type proc), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369211] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.369225] SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.369349] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Feb 15 17:01:23 virt kernel: [    0.369357] SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369648] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Feb 15 17:01:23 virt kernel: [    0.369657] SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369664] SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.369674] SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.369681] SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.369689] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.369712] SELinux: initialized (dev sda, type ext4), uses xattr
Feb 15 17:01:23 virt kernel: [    0.369823] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    0.372785] type=1403 audit(1360944081.372:2): policy loaded auid=4294967295 ses=4294967295
Feb 15 17:01:23 virt kernel: [    0.374173] avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.374364] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.375184] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.383584] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.391980] allowed: 0, auditdeny: -8650769, from_access: 0<4>[    0.423450] kbd_mode (710) used greatest stack depth: 5664 bytes left
Feb 15 17:01:23 virt kernel: [    0.452719] loadkeys (711) used greatest stack depth: 5096 bytes left
Feb 15 17:01:23 virt kernel: [    0.453328] init-early.sh (709) used greatest stack depth: 4416 bytes left
Feb 15 17:01:23 virt kernel: [    0.488124] avc_has_perm_noaudit(63, 31, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.488360] allowed: 8716371, auditdeny: -37, from_access: 1<7>[    0.503648] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    0.503664] avc_has_perm_noaudit(63, 50, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.503860] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.983790] allowed: 8716371, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.005856] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(63, 36, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.062238] allowed: 8716371, auditdeny: -32775296, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.072475] allowed: 0, auditdeny: -262744, from_access: 0<7>[    1.073087] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    1.073094] avc_has_perm_noaudit(63, 33, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.073452] allowed: 8716371, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.158504] allowed: 0, auditdeny: -262744, from_access: 0<7>[    1.158572] SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    1.158578] avc_has_perm_noaudit(63, 2, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.158579] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.165915] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(63, 34, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.166064] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.226628] allowed: 0, auditdeny: -262744, from_access: 0<7>[    1.226759] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [    1.226766] avc_has_perm_noaudit(63, 28, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.226767] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231707] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231804] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231805] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [    1.231807] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231808] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231809] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [    1.231810] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231811] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231811] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [    1.231812] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231813] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231814] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [    1.231815] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231816] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231817] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [    1.231818] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231818] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231819] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [    1.231825] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    1.231851] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231852] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.233988] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234100] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234102] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [    1.234103] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234104] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234105] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [    1.234106] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234107] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234108] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [    1.234109] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234109] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234110] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [    1.234111] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234112] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234113] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [    1.234114] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234114] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.234115] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [    1.234118] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    1.234124] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.234125] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235315] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235379] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235380] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [    1.235381] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235382] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235383] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [    1.235384] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235385] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235386] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [    1.235387] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235388] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235389] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [    1.235390] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235391] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235391] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [    1.235392] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235393] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.235394] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [    1.235396] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    1.235401] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.235402] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236562] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236619] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236620] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [    1.236621] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236622] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236623] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [    1.236624] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236625] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236625] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [    1.236626] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236627] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236628] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [    1.236629] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236630] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236631] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [    1.236632] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236632] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.236633] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [    1.236635] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    1.236640] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.236641] allowed: 8716304, auditdeny: -37, from_access: 1systemd-udevd[904]: starting version 197
Feb 15 17:01:23 virt kernel: [    1.746764] hpet1: lost 2 rtc interrupts
Feb 15 17:01:23 virt kernel: [    2.454130] avc_has_perm_noaudit(63, 50, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    2.454133] allowed: 8716304, auditdeny: -37, from_access: 1<7>[    3.555584] SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [    3.555613] avc_has_perm_noaudit(63, 120, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [    3.555614] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 2, 7, 4, 0, &avd)
Feb 15 17:01:31 virt kernel: [    3.569335] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:31 virt kernel: [   11.700595] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [   11.701646] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [   12.822528] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [   12.822649] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [   12.832442] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Stephen Smalley @ 2013-02-15 18:19 UTC (permalink / raw)
  To: Luis Ressel; +Cc: SELinux, Eric Paris

On 02/15/2013 11:07 AM, Luis Ressel wrote:
> On Fri, 15 Feb 2013 10:34:00 -0500
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> Output from the printk was what?
>> Also of interest would be avd->allowed, avd->auditdeny, from_access.
>
> I attached a syslog snippet.

Easier to read if you use %x for the access vectors - perms, allowed, 
auditdeny, put everything into a single printk statement so that there 
is no potential for interleaving of the output and put a newline (\n) at 
the end of that printk so we don't end up with mixed output on lines. 
You could also compute the set of denied permissions (perms & ~allowed) 
and the set of permissions to be audited (denied & auditdeny) and 
display those for convenience. But anyway, let's look at this one:

avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
allowed: 65536, auditdeny: -8388609, from_access: 0
cgroup_addrm_files: failed to add cgroup.procs, err=-13

Mapping to slightly more readable output, that would be:
avc_has_perm_noaudit(1, 3, 7, 0x800000, 0, &avd)
allowed: 0x10000, auditdeny: 0xff7fffff, from_access: 0

So in this situation, the requested permission is in fact not allowed, 
but it is masked out of auditdeny, so it will not be audited. 
Presumably you booted this time with a policy that has dontaudit rules; 
otherwise your auditdeny vectors would have all permission bits set. 
The kernel is functioning correctly there but your policy is denying 
access and silencing the audit message.

If we try to map this to more readable output using 
security/selinux/flask.h and security/selinux/av_permissions.h, we have:

avc_has_perm_noaudit(SECINITSID_KERNEL, SECINITSID_UNLABELED, 
SECCLASS_DIR, DIR__SEARCH, 0, &avd)
allowed: DIR__MOUNTON, auditdeny: <everything except DIR__SEARCH>

We can map the SIDs because the SIDs in that case happen to be 
predefined SIDs as opposed to dynamically allocated ones; otherwise we 
need security_sid_to_context() to look them up, which is what 
avc_audit() will do for us.  So this was a directory search denial 
between the kernel context and the unlabeled context.

On the policy side, I think the problem is that your policy doesn't 
include the unconfined module (so kernel is confined) while not granting 
sufficient permissions individually.  I still don't understand why you 
aren't getting avc denials if you truly stripped the dontaudit rules but 
I can't tell that from this log - this log was clearly of a policy that 
has dontaudit rules.
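The decoding Stephen describes above, as an added example that is not part of the thread: it pairs the two printks from the debug2.log excerpt (which share log lines because neither ended with a newline), re-interprets the %u/%d values as 32-bit access vectors, computes denied = perms & ~allowed and audited = denied & auditdeny, and names the SECCLASS_DIR bits. DIR__SEARCH (0x800000), DIR__MOUNTON (0x10000), SECINITSID_KERNEL/UNLABELED and SECCLASS_DIR come from the thread; the remaining permission names and the other SID/class entries are assumed from the 3.x kernel's security/selinux/classmap.h and flask.h.

```python
import re

MASK32 = 0xFFFFFFFF

# Permission bits of SECCLASS_DIR. DIR__MOUNTON (0x10000) and DIR__SEARCH
# (0x800000) are the values mapped in the thread; the other names follow the
# common-file/dir ordering of security/selinux/classmap.h in 3.x kernels
# (assumption: same kernel generation as the thread).
DIR_PERMS = {
    0x1: "ioctl", 0x2: "read", 0x4: "write", 0x8: "create",
    0x10: "getattr", 0x20: "setattr", 0x40: "lock", 0x80: "relabelfrom",
    0x100: "relabelto", 0x200: "append", 0x400: "unlink", 0x800: "link",
    0x1000: "rename", 0x2000: "execute", 0x4000: "swapon", 0x8000: "quotaon",
    0x10000: "mounton", 0x20000: "audit_access", 0x40000: "open",
    0x80000: "execmod", 0x100000: "add_name", 0x200000: "remove_name",
    0x400000: "reparent", 0x800000: "search", 0x1000000: "rmdir",
}

# Predefined SIDs and classes (flask.h); kernel=1, unlabeled=3 and dir=7 are
# confirmed in the thread, security=2 and file=6 are assumed. Any other SID is
# dynamically allocated and would need security_sid_to_context() to resolve.
INITIAL_SIDS = {1: "kernel", 2: "security", 3: "unlabeled"}
CLASSES = {6: "file", 7: "dir"}

CALL_RE = re.compile(r"avc_has_perm_noaudit\((\d+), (\d+), (\d+), (\d+), 0, &avd\)")
AVD_RE = re.compile(r"allowed: (-?\d+), auditdeny: (-?\d+), from_access: (\d)")


def perm_names(tclass, av):
    """Name the bits of an access vector; unknown classes or bits stay hex."""
    if tclass != 7:
        return [hex(av)] if av else []
    names = [name for bit, name in sorted(DIR_PERMS.items()) if av & bit]
    rest = av & ~sum(DIR_PERMS) & MASK32
    if rest:
        names.append(hex(rest))
    return names


def decode(ssid, tsid, tclass, requested, allowed, auditdeny, from_access):
    """denied = requested & ~allowed; audited = denied & auditdeny.
    The printk used %u/%d, so negative auditdeny values are re-read as
    32-bit vectors (e.g. -8388609 -> 0xff7fffff)."""
    requested &= MASK32
    allowed &= MASK32
    auditdeny &= MASK32
    denied = requested & ~allowed & MASK32
    audited = denied & auditdeny
    return {
        "scontext": INITIAL_SIDS.get(ssid, f"sid{ssid}"),
        "tcontext": INITIAL_SIDS.get(tsid, f"sid{tsid}"),
        "tclass": CLASSES.get(tclass, f"class{tclass}"),
        "requested": perm_names(tclass, requested),
        "allowed": perm_names(tclass, allowed),
        "denied": perm_names(tclass, denied),
        "audited": perm_names(tclass, audited),
        "from_access": bool(from_access),
        # Access fails but the denied bit is masked out of auditdeny by a
        # dontaudit rule, so no avc message is produced.
        "silent_denial": bool(denied) and not audited,
    }


def parse_log(text):
    """Pair each avc_has_perm_noaudit(...) printk with the allowed/auditdeny
    printk that follows it. Neither printk ended with a newline, so an avd
    record and the next call often share one log line; matching the whole
    text in positional order handles that."""
    tokens = [(m.start(), "call", m) for m in CALL_RE.finditer(text)]
    tokens += [(m.start(), "avd", m) for m in AVD_RE.finditer(text)]
    tokens.sort(key=lambda t: t[0])
    events, pending = [], None
    for _, kind, m in tokens:
        if kind == "call":
            pending = tuple(int(g) for g in m.groups())
        elif pending is not None:
            events.append(decode(*pending, *(int(g) for g in m.groups())))
            pending = None
    return events


def summarize(ev):
    """One line in the spirit of an avc message, without the audit path."""
    status = "SILENT (dontaudit)" if ev["silent_denial"] else (
        "audited" if ev["audited"] else "granted")
    return (f"{status}: {{ {' '.join(ev['denied']) or '-'} }} for "
            f"scontext={ev['scontext']} tcontext={ev['tcontext']} "
            f"tclass={ev['tclass']} allowed={{ {' '.join(ev['allowed']) or '-'} }}")


# Constructed sample: three raw lines taken from the thread's debug2.log,
# including the interleaved avd/call line and the cgroup_addrm_files failure.
SAMPLE_LOG = """\
Feb 15 17:01:23 virt kernel: [    0.374173] avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    0.374364] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [    1.231804] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[    1.231805] cgroup_addrm_files: failed to add tasks, err=-13
"""

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(summarize(ev))
```

Feeding the same call with auditdeny = -1 (all bits set, which is what a policy with dontaudit rules stripped via semodule -DB yields) shows the search denial becoming auditable.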


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
From: Luis Ressel @ 2013-02-15 18:44 UTC (permalink / raw)
  To: SELinux; +Cc: Eric Paris



On Fri, 15 Feb 2013 13:19:22 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> Easier to read if you use %x for the access vectors - perms, allowed, 
> auditdeny, put everything into a single printk statement so that
> there is no potential for interleaving of the output and put a
> newline (\n) at the end of that printk so we don't end up with mixed
> output on lines. You could also compute the set of denied permissions
> (perms & ~allowed) and the set of permissions to be audited (denied &
> auditdeny) and display those for convenience. But anyway, let's look
> at this one:
> 
> avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
> allowed: 65536, auditdeny: -8388609, from_access: 0
> cgroup_addrm_files: failed to add cgroup.procs, err=-13
> 
> Mapping to slightly more readable output, that would be:
> avc_has_perm_noaudit(1, 3, 7, 0x800000, 0, &avd)
> allowed: 0x10000, auditdeny: 0xff7fffff, from_access: 0

You're absolutely right, the formatting was quite ugly.

> So in this situation, the requested permission is in fact not
> allowed, but it is masked out of auditdeny, so it will not be
> audited. Presumably you booted this time with a policy that has
> dontaudit rules; otherwise your auditdeny vectors would have all
> permission bits set. The kernel is functioning correctly there but
> your policy is denying access and silencing the audit message.

Again, you're right. On this boot, dontaudit rules were actually
enabled. Now, here's another log where they are disabled again.

> If we try to map this to more readable output using 
> security/selinux/flask.h and security/selinux/av_permissions.h, we
> have:
> 
> avc_has_perm_noaudit(SECINITSID_KERNEL, SECINITSID_UNLABELED, 
> SECCLASS_DIR, DIR__SEARCH, 0, &avd)
> allowed: DIR__MOUNTON, auditdeny: <everything except DIR__SEARCH>
> 
> We can map the SIDs because the SIDs in that case happen to be 
> predefined SIDs as opposed to dynamically allocated ones; otherwise
> we need security_sid_to_context() to look them up, which is what 
> avc_audit() will do for us.  So this was a directory search denial 
> between the kernel context and the unlabeled context.

Thanks for clarifying this! I somehow missed those static SIDs...

[-- Attachment #1.2: debug3.log --]
[-- Type: text/x-log, Size: 27145 bytes --]

Feb 15 19:32:44 virt kernel: [    0.501773] SELinux: 2048 avtab hash slots, 9297 rules.
Feb 15 19:32:44 virt kernel: [    0.502579] SELinux: 2048 avtab hash slots, 9297 rules.
Feb 15 19:32:44 virt kernel: [    0.502668] SELinux:  6 users, 27 roles, 1325 types, 41 bools
Feb 15 19:32:44 virt kernel: [    0.502670] SELinux:  81 classes, 9297 rules
Feb 15 19:32:44 virt kernel: [    0.503399] SELinux:  Completing initialization.
Feb 15 19:32:44 virt kernel: [    0.503401] SELinux:  Setting up existing superblocks.
Feb 15 19:32:44 virt kernel: [    0.503405] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503409] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503412] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503415] SELinux: initialized (dev proc, type proc), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503422] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.503427] SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.503466] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Feb 15 19:32:44 virt kernel: [    0.503469] SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503617] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Feb 15 19:32:44 virt kernel: [    0.503620] SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503623] SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.503626] SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.503628] SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.503630] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.503642] SELinux: initialized (dev sda, type ext4), uses xattr
Feb 15 19:32:44 virt kernel: [    0.503692] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    0.504938] type=1403 audit(1360953160.504:2): policy loaded auid=4294967295 ses=4294967295
Feb 15 19:32:44 virt kernel: [    0.505903] type=1400 audit(1360953160.505:3): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev="rootfs" ino=1562 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
Feb 15 19:32:44 virt kernel: [    0.506963] type=1400 audit(1360953160.506:4): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev="rootfs" ino=1562 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
Feb 15 19:32:44 virt kernel: [    0.564095] type=1400 audit(1360953160.564:5): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev="rootfs" ino=1562 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
Feb 15 19:32:44 virt kernel: [    0.567995] type=1400 audit(1360953160.567:6): avc:  denied  { rlimitinh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
Feb 15 19:32:44 virt kernel: [    0.569326] type=1400 audit(1360953160.569:7): avc:  denied  { siginh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
Feb 15 19:32:44 virt kernel: [    0.570239] type=1400 audit(1360953160.570:8): avc:  denied  { noatsecure } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
Feb 15 19:32:44 virt kernel: [    0.571689] type=1400 audit(1360953160.571:9): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem
Feb 15 19:32:44 virt kernel: [    0.572730] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.572730] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.572730] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.573614] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.573614] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.573614] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.574514] type=1400 audit(1360953160.574:10): avc:  denied  { search } for  pid=1 comm="init" name="proc" dev="sda" ino=131360 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
Feb 15 19:32:44 virt kernel: [    0.575461] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.575461] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.575461] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.576334] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.576334] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.576334] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.579972] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.579972] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.579972] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.583312] avc_has_perm_noaudit(2f, 5, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.583312] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    0.583312] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    0.677117] kbd_mode (710) used greatest stack depth: 5664 bytes left
Feb 15 19:32:44 virt kernel: [    0.743231] loadkeys (711) used greatest stack depth: 5096 bytes left
Feb 15 19:32:44 virt kernel: [    0.743821] init-early.sh (709) used greatest stack depth: 4416 bytes left
Feb 15 19:32:44 virt kernel: [    0.829588] avc_has_perm_noaudit(40, 1f, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.829588] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    0.829588] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    0.846962] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    0.846986] avc_has_perm_noaudit(40, 33, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    0.846986] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    0.846986] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.104186] tsc: Refined TSC clocksource calibration: 2491.780 MHz
Feb 15 19:32:44 virt kernel: [    1.420375] avc_has_perm_noaudit(40, 21, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.420375] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.420375] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.490189] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.490189] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.490189] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.491187] avc_has_perm_noaudit(40, 24, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.491187] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.491187] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.501860] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.501860] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.501860] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.502919] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    1.502926] avc_has_perm_noaudit(40, 21, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.502926] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.502926] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.586961] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.586961] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.586961] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.587066] SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    1.587073] avc_has_perm_noaudit(40, 2, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.587073] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.587073] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.652930] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.652930] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.652930] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.653046] avc_has_perm_noaudit(40, 22, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.653046] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.653046] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.661059] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.661059] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.661059] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.661201] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 19:32:44 virt kernel: [    1.661209] avc_has_perm_noaudit(40, 1c, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.661209] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.661209] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.666659] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666659] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666659] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.666768] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666768] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666768] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666775] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 19:32:44 virt kernel: [    1.666777] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666777] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666777] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666781] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 19:32:44 virt kernel: [    1.666782] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666782] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666782] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666786] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 19:32:44 virt kernel: [    1.666788] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666788] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666788] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666791] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 19:32:44 virt kernel: [    1.666793] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666793] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666793] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666797] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 19:32:44 virt kernel: [    1.666798] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666798] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.666798] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.666802] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 19:32:44 virt kernel: [    1.666808] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    1.666833] avc_has_perm_noaudit(40, 46, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.666833] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.666833] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.669184] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669184] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669184] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.669260] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669260] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669260] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669266] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 19:32:44 virt kernel: [    1.669268] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669268] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669268] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669272] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 19:32:44 virt kernel: [    1.669274] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669274] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669274] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669277] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 19:32:44 virt kernel: [    1.669279] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669279] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669279] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669283] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 19:32:44 virt kernel: [    1.669284] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669284] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669284] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669288] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 19:32:44 virt kernel: [    1.669289] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669289] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.669289] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.669293] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 19:32:44 virt kernel: [    1.669296] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    1.669302] avc_has_perm_noaudit(40, 46, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.669302] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.669302] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.670658] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670658] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670658] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.670730] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670730] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670730] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670736] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 19:32:44 virt kernel: [    1.670738] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670738] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670738] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670742] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 19:32:44 virt kernel: [    1.670743] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670743] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670743] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670747] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 19:32:44 virt kernel: [    1.670748] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670748] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670748] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670752] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 19:32:44 virt kernel: [    1.670754] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670754] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670754] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670757] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 19:32:44 virt kernel: [    1.670759] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670759] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.670759] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.670763] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 19:32:44 virt kernel: [    1.670765] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    1.670771] avc_has_perm_noaudit(40, 46, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.670771] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.670771] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    1.672179] avc_has_perm_noaudit(40, 21, a, 6, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672179] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672179] denied: 6, audited: 6
Feb 15 19:32:44 virt kernel: [    1.672260] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672260] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672260] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672266] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 19:32:44 virt kernel: [    1.672268] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672268] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672268] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672272] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 19:32:44 virt kernel: [    1.672273] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672273] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672273] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672279] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 19:32:44 virt kernel: [    1.672281] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672281] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672281] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672286] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 19:32:44 virt kernel: [    1.672287] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672287] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672287] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672291] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 19:32:44 virt kernel: [    1.672293] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672293] allowed: 10000, auditdeny: ffffffff, from_access: 0
Feb 15 19:32:44 virt kernel: [    1.672293] denied: 800000, audited: 800000
Feb 15 19:32:44 virt kernel: [    1.672297] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 19:32:44 virt kernel: [    1.672299] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    1.672306] avc_has_perm_noaudit(40, 46, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    1.672306] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    1.672306] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    3.174413] avc_has_perm_noaudit(40, 33, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    3.174413] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    3.174413] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    4.240111] SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Feb 15 19:32:44 virt kernel: [    4.240133] avc_has_perm_noaudit(40, 7a, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    4.240133] allowed: 850010, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    4.240133] denied: 4, audited: 4
Feb 15 19:32:44 virt kernel: [    4.309095] avc_has_perm_noaudit(40, 2, 7, 4, 0, &avd)
Feb 15 19:32:44 virt kernel: [    4.309095] allowed: 850053, auditdeny: ffffffff, from_access: 1
Feb 15 19:32:44 virt kernel: [    4.309095] denied: 4, audited: 4
Feb 15 19:33:09 virt kernel: [   29.071179] audit_printk_skb: 643 callbacks suppressed
Feb 15 19:33:09 virt kernel: [   29.071188] type=1400 audit(1360953189.081:225): avc:  denied  { rlimitinh } for  pid=1369 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.071209] type=1400 audit(1360953189.081:226): avc:  denied  { siginh } for  pid=1369 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.071256] type=1400 audit(1360953189.081:227): avc:  denied  { noatsecure } for  pid=1369 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.262718] type=1400 audit(1360953189.272:228): avc:  denied  { read write } for  pid=1376 comm="unix_chkpwd" path="/dev/tty1" dev="devtmpfs" ino=1496 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Feb 15 19:33:09 virt kernel: [   29.262781] type=1400 audit(1360953189.272:229): avc:  denied  { rlimitinh } for  pid=1376 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.262800] type=1400 audit(1360953189.272:230): avc:  denied  { siginh } for  pid=1376 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.262874] type=1400 audit(1360953189.272:231): avc:  denied  { noatsecure } for  pid=1376 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
Feb 15 19:33:09 virt kernel: [   29.265504] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:09 virt kernel: [   29.265504] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:09 virt kernel: [   29.265504] denied: 800000, audited: 800000
Feb 15 19:33:09 virt kernel: [   29.265535] type=1400 audit(1360953189.275:232): avc:  denied  { search } for  pid=1376 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Feb 15 19:33:09 virt kernel: [   29.265578] type=1400 audit(1360953189.275:233): avc:  denied  { getattr } for  pid=1376 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem
Feb 15 19:33:09 virt kernel: [   29.266882] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:09 virt kernel: [   29.266882] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:09 virt kernel: [   29.266882] denied: 800000, audited: 800000
Feb 15 19:33:09 virt kernel: [   29.266909] type=1400 audit(1360953189.276:234): avc:  denied  { search } for  pid=1376 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Feb 15 19:33:10 virt kernel: [   30.709703] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:10 virt kernel: [   30.709703] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:10 virt kernel: [   30.709703] denied: 800000, audited: 800000
Feb 15 19:33:10 virt kernel: [   30.709847] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:10 virt kernel: [   30.709847] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:10 virt kernel: [   30.709847] denied: 800000, audited: 800000
Feb 15 19:33:10 virt kernel: [   30.723471] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:10 virt kernel: [   30.723471] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:10 virt kernel: [   30.723471] denied: 800000, audited: 800000
Feb 15 19:33:10 virt kernel: [   30.723934] avc_has_perm_noaudit(88, 1c, 7, 800000, 0, &avd)
Feb 15 19:33:10 virt kernel: [   30.723934] allowed: 0, auditdeny: ffffffff, from_access: 0
Feb 15 19:33:10 virt kernel: [   30.723934] denied: 800000, audited: 800000
Feb 15 19:34:00 virt kernel: [   80.574008] audit_printk_skb: 51 callbacks suppressed
Feb 15 19:34:00 virt kernel: [   80.574016] type=1400 audit(1360953240.583:252): avc:  denied  { rlimitinh } for  pid=1386 comm="rc" scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=process
Feb 15 19:34:00 virt kernel: [   80.574154] type=1400 audit(1360953240.584:253): avc:  denied  { siginh } for  pid=1386 comm="rc" scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=process
Feb 15 19:34:00 virt kernel: [   80.574189] type=1400 audit(1360953240.584:254): avc:  denied  { noatsecure } for  pid=1386 comm="rc" scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=process

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
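
A decoder for the avc_has_perm_noaudit debug lines above, added here as an example and not code from the thread or the kernel: it pairs each call line with its allowed/auditdeny line, computes denied = perms & ~allowed and audited = denied & auditdeny as Stephen suggests, and names SIDs, class and permission bits using only the flask.h/av_permissions.h values the thread itself maps (kernel = 1, unlabeled = 3, dir = 7, mounton = 0x10000, search = 0x800000). Everything else is reported by number, and the %d-formatted output from the earlier boot is handled by passing base=10; the sample lines are copied from debug3.log and the quoted message.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Mappings stated in the thread (from security/selinux/flask.h and
# av_permissions.h); anything not listed here is reported as a raw number.
INITIAL_SIDS = {0x1: "SECINITSID_KERNEL", 0x3: "SECINITSID_UNLABELED"}
CLASSES = {0x7: "SECCLASS_DIR"}
PERM_NAMES = {0x7: {0x00010000: "DIR__MOUNTON", 0x00800000: "DIR__SEARCH"}}

CALL_RE = re.compile(
    r"avc_has_perm_noaudit\((-?\w+), (-?\w+), (-?\w+), (-?\w+), (-?\w+), &avd\)")
AVD_RE = re.compile(r"allowed: (-?\w+), auditdeny: (-?\w+), from_access: (-?\w+)")

MASK32 = 0xFFFFFFFF


@dataclass
class AvcCheck:
    ssid: int
    tsid: int
    tclass: int
    requested: int
    allowed: int
    auditdeny: int

    @property
    def denied(self) -> int:
        # perms & ~allowed: the requested bits the policy does not grant
        return self.requested & ~self.allowed & MASK32

    @property
    def audited(self) -> int:
        # denied & auditdeny: a bit cleared in auditdeny is a dontaudit rule
        return self.denied & self.auditdeny

    @property
    def silenced(self) -> bool:
        # Denied, yet nothing reaches the audit log: the "no avc message"
        # symptom the thread is chasing.
        return self.denied != 0 and self.audited == 0


def to_u32(token: str, base: int) -> int:
    # %d output prints full vectors such as auditdeny as negative numbers;
    # reduce every field to an unsigned 32-bit access vector.
    return int(token, base) & MASK32


def parse_checks(lines: Iterable[str], base: int = 16) -> List[AvcCheck]:
    """Pair each avc_has_perm_noaudit(...) line with the avd line after it."""
    checks: List[AvcCheck] = []
    pending = None
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            pending = [to_u32(t, base) for t in m.groups()]
            continue
        m = AVD_RE.search(line)
        if m and pending is not None:
            allowed, auditdeny, _from_access = (to_u32(t, base) for t in m.groups())
            ssid, tsid, tclass, requested, _flags = pending
            checks.append(AvcCheck(ssid, tsid, tclass, requested, allowed, auditdeny))
            pending = None
    return checks


def sid_name(sid: int) -> str:
    # Only the predefined SIDs can be named offline; a dynamic SID needs
    # security_sid_to_context() on the running kernel.
    return INITIAL_SIDS.get(sid, f"sid:{sid:#x} (dynamic)")


def perm_names(tclass: int, vector: int) -> List[str]:
    names = PERM_NAMES.get(tclass, {})
    return [names.get(1 << bit, f"bit{bit}") for bit in range(32) if vector & (1 << bit)]


def describe(check: AvcCheck) -> str:
    cls = CLASSES.get(check.tclass, f"class:{check.tclass:#x}")
    if check.silenced:
        verdict = "SILENCED by dontaudit"
    else:
        verdict = "audited" if check.audited else "allowed"
    return (f"{sid_name(check.ssid)} -> {sid_name(check.tsid)} {cls} "
            f"requested={perm_names(check.tclass, check.requested)} "
            f"denied={perm_names(check.tclass, check.denied)} {verdict}")


# Constructed sample: two lines copied from debug3.log (%x format, no dontaudit).
HEX_LOG = [
    "Feb 15 19:32:44 virt kernel: [    1.666768] avc_has_perm_noaudit(1, 3, 7, 800000, 0, &avd)",
    "Feb 15 19:32:44 virt kernel: [    1.666768] allowed: 10000, auditdeny: ffffffff, from_access: 0",
]
# Constructed sample: the %d-formatted output from the boot that had dontaudit rules.
DEC_LOG = [
    "avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)",
    "allowed: 65536, auditdeny: -8388609, from_access: 0",
]

if __name__ == "__main__":
    for check in parse_checks(HEX_LOG) + parse_checks(DEC_LOG, base=10):
        print(describe(check))
```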


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
  2013-02-15 18:44               ` Luis Ressel
@ 2013-02-15 19:30                 ` Stephen Smalley
  2013-02-15 21:03                   ` Luis Ressel
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2013-02-15 19:30 UTC (permalink / raw)
  To: Luis Ressel; +Cc: SELinux, Eric Paris

[-- Attachment #1: Type: text/plain, Size: 831 bytes --]

On 02/15/2013 01:44 PM, Luis Ressel wrote:
> Again, you're right. On this boot, dontaudit rules were actually
> enabled. Now, here's another log where they are disabled again.

This line from your log file:

audit_printk_skb: 643 callbacks suppressed

indicates that you are hitting the printk ratelimit (to prevent flooding 
of syslog) and therefore dropping messages.

You could apply the attached patch or something like it to disable the 
printk ratelimit on audit messages.

However, you might want to first fix some of the obvious denials in your 
policy.  The rlimitinh, siginh, and noatsecure ones can generally be 
ignored.  But you are getting various other denials that likely should 
be allowed.  Adding the unconfined module to your policy would 
automatically eliminate any denials for the kernel or init domains.




[-- Attachment #2: audit-noratelimit.diff --]
[-- Type: text/x-patch, Size: 496 bytes --]

diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..fdcfe1d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -390,10 +390,7 @@ static void audit_printk_skb(struct sk_buff *skb)
 	char *data = nlmsg_data(nlh);
 
 	if (nlh->nlmsg_type != AUDIT_EOE) {
-		if (printk_ratelimit())
-			printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
-		else
-			audit_log_lost("printk limit exceeded\n");
+		printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
 	}
 
 	audit_hold_skb(skb);
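Review bot: removing the `printk_ratelimit()` branch unconditionally also removes the `audit_log_lost("printk limit exceeded\n")` accounting, so after this change nothing records that the console path can be flooded; that is fine for the one-off debugging session it is meant for, but it should not go in as-is. If something like this is kept, gate the unthrottled `printk(KERN_NOTICE "type=%d %s\n", ...)` behind a tunable (a sysctl or boot parameter) so the default still rate-limits, and say in the description that with `audit_printk_skb()` unthrottled a burst of denials on boot can starve the console.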


* Re: Mount of cgroup filesystems fails when booting in SELinux enforcing mode
  2013-02-15 19:30                 ` Stephen Smalley
@ 2013-02-15 21:03                   ` Luis Ressel
  0 siblings, 0 replies; 11+ messages in thread
From: Luis Ressel @ 2013-02-15 21:03 UTC (permalink / raw)
  To: SELinux; +Cc: Eric Paris

[-- Attachment #1: Type: text/plain, Size: 1652 bytes --]

On Fri, 15 Feb 2013 14:30:11 -0500
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 02/15/2013 01:44 PM, Luis Ressel wrote:
> > Again, you're right. On this boot, dontaudit rules were actually
> > enabled. Now, here's another log where they are disabled again.
> 
> This line from your log file:
> 
> audit_printk_skb: 643 callbacks suppressed
> 
> indicates that you are hitting the printk ratelimit (to prevent
> flooding of syslog) and therefore dropping messages.
> 
> You could apply the attached patch or something like it to disable
> the printk ratelimit on audit messages.

Thanks! Now I finally got a denial message. kernel_t needs search
permissions on unlabeled_t dirs, that's all.

> However, you might want to first fix some of the obvious denials in
> your policy.  The rlimitinh, siginh, and noatsecure ones can
> generally be ignored.  But you are getting various other denials that
> likely should be allowed.  Adding the unconfined module to your
> policy would automatically eliminate any denials for the kernel or
> init domains.

Yes, I did all this testing in a VM, not on the system where I
originally encountered these issues, and I didn't fine-tune the VM
policy. And my policy doesn't include the unconfined module because it
was optional in my distro, defaulted to off and I thought it was only
necessary for targeted mode. But I'll try it out now.


I want to thank you again for your fast and helpful responses. Without
your help, I probably wouldn't have been able to resolve this issue, at
least not within reasonable time. You really saved me from having severe
headaches!

Luis


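Once the ratelimit no longer swallows the record, the denial Luis describes (kernel_t needing search on unlabeled_t dirs) arrives as an ordinary AVC line, and the policy fix is the allow rule that audit2allow derives from it. The following shell script is an added example, not code from this thread or from the SELinux userspace: it parses one such record into the corresponding allow rule the way audit2allow does, in simplified form (one permission set per record, no MLS or constraint handling). The AVC line in SAMPLE_AVC is constructed to match the denial described in the thread; its pid, comm, dev and ino values are assumptions, not copied from anyone's log.

```shell
#!/bin/sh
# Constructed sample AVC record (not taken from the thread's logs); it has the
# shape an SELinux denial takes once the printk ratelimit stops dropping it.
SAMPLE_AVC='type=1400 audit(1360961123.456:42): avc:  denied  { search } for  pid=1 comm="openrc" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'

# ctx_type CONTEXT: return the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: turn one "avc: denied" record into an allow rule,
# simplified from what audit2allow does. Returns 1 (and prints nothing)
# for lines that are not denial records or lack one of the needed fields.
avc_to_allow() {
    line=$1
    case $line in
        *"avc:  denied"*|*"avc: denied"*) ;;
        *) return 1 ;;
    esac
    # Permission set between the braces, with runs of spaces squeezed.
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\) *}.*/\1/p' | tr -s ' ')
    perms=${perms# }
    perms=${perms% }
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$sctx" ] && [ -n "$tctx" ] && [ -n "$tclass" ] || return 1
    src=$(ctx_type "$sctx")
    tgt=$(ctx_type "$tctx")
    # Policy syntax braces a set of several permissions; a single one is bare.
    case $perms in
        *" "*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$tclass" "$perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$tclass" "$perms" ;;
    esac
}

# Stand-alone run: derive the rule for the constructed record.
avc_to_allow "$SAMPLE_AVC"
```

The emitted rule is a starting point for review, not something to load unseen: a denial whose target is unlabeled_t is worth checking against how the filesystem in question gets its labels before the type is widened in policy, and the rlimitinh/siginh/noatsecure records Stephen mentions are the kind a reviewer would drop rather than allow.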

Thread overview: 11+ messages
2013-02-14 21:25 Mount of cgroup filesystems fails when booting in SELinux enforcing mode aranea
2013-02-15 13:32 ` Stephen Smalley
2013-02-15 14:06   ` Luis Ressel
2013-02-15 14:28     ` Stephen Smalley
2013-02-15 15:02       ` Luis Ressel
2013-02-15 15:34         ` Stephen Smalley
2013-02-15 16:07           ` Luis Ressel
2013-02-15 18:19             ` Stephen Smalley
2013-02-15 18:44               ` Luis Ressel
2013-02-15 19:30                 ` Stephen Smalley
2013-02-15 21:03                   ` Luis Ressel
