* selinux crashes always at startup
@ 2018-04-18 19:40 Jaap
2018-04-18 20:01 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Jaap @ 2018-04-18 19:40 UTC (permalink / raw)
To: selinux
selinux crashes always at startup. problem is always reported (says
selinux) But it does not get better.
from journalctl:
n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines
suppressed due to ratelimiting
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash
slots, 107409 rules.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash
slots, 107409 rules.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14
roles, 5094 types, 312 bools, 1 sens, 1024 cats
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes,
107409 rules
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
sctp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
icmp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
ax25_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
netrom_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
atmpvc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
rose_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
decnet_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
atmsvc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
irda_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
pppox_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
tipc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
bluetooth_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
iucv_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
rxrpc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
isdn_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
phonet_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
ieee802154_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
caif_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
vsock_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class
qipcrtr_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket
not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown
classes and permissions will be allowed
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing
initialization.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up
existing superblocks.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: selinux crashes always at startup
2018-04-18 19:40 selinux crashes always at startup Jaap
@ 2018-04-18 20:01 ` Stephen Smalley
2018-04-18 20:04 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-18 20:01 UTC (permalink / raw)
To: Jaap, selinux
On 04/18/2018 03:40 PM, Jaap wrote:
>
> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
classes and permissions will be allowed" indicates that they won't cause any permission denials.
>
> from journalctl:
>
>
> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: selinux crashes always at startup
2018-04-18 20:01 ` Stephen Smalley
@ 2018-04-18 20:04 ` Stephen Smalley
[not found] ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-18 20:04 UTC (permalink / raw)
To: Jaap, selinux
On 04/18/2018 04:01 PM, Stephen Smalley wrote:
> On 04/18/2018 03:40 PM, Jaap wrote:
>>
>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>
> None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
> classes and permissions will be allowed" indicates that they won't cause any permission denials.
Also, you didn't provide any information about your kernel, distro, policy, etc.
Please provide a more complete log (particularly one that shows the actual error) and
information about the system in question.
>
>>
>> from journalctl:
>>
>>
>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: selinux crashes always at startup
[not found] ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
@ 2018-04-19 13:31 ` Stephen Smalley
2018-04-24 9:29 ` Lukas Vrabec
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-19 13:31 UTC (permalink / raw)
To: Jaap, SELinux; +Cc: selinux
On 04/18/2018 04:44 PM, Jaap wrote:
> I am on Fedora 28, 4.16.2-300.fc28.x86_64 On a Dell laptop
> policy: selinux-policy.noarch 3.14.1-18.fc28
(restored selinux list to cc line)
Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
You may wish to subscribe to that list if not already on it.
> I do not know if / where Selinux messages are about the crash of selinux. Does selinux have a log?
ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot. You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.
>
>
> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>>> None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>> Please provide a more complete log (particularly one that shows the actual error) and
>> information about the system in question.
> journalctl | grep selinux gives this:
>
> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> [jaap@localhost ~]$
>
>>>> from journalctl:
>>>>
>>>>
>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
>>>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: selinux crashes always at startup
2018-04-19 13:31 ` Stephen Smalley
@ 2018-04-24 9:29 ` Lukas Vrabec
0 siblings, 0 replies; 5+ messages in thread
From: Lukas Vrabec @ 2018-04-24 9:29 UTC (permalink / raw)
To: Stephen Smalley, Jaap, SELinux; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 12608 bytes --]
Hi All,
As Stephen mentioned, "Not defined classes" from dmesg are just
warnings, that following class is not supported by policy, but hooks are
present in kernel already. However, I'm not sure what version of Fedora
you're using, but From Fedora 28+, we will support all socket classes
mentioned in your report.
Thanks,
Lukas.
On 04/19/2018 03:31 PM, Stephen Smalley wrote:
> On 04/18/2018 04:44 PM, Jaap wrote:
>> I am on Fedora 28, 4.16.2-300.fc28.x86_64 On a Dell laptop
>> policy: selinux-policy.noarch 3.14.1-18.fc28
>
> (restored selinux list to cc line)
>
> Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
> You may wish to subscribe to that list if not already on it.
>
>> I do not know if / where Selinux messages are about the crash of selinux. Does selinux have a log?
>
> ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot. You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.
>
>>
>>
>> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>>>> None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
>>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>>> Please provide a more complete log (particularly one that shows the actual error) and
>>> information about the system in question.
>> journalctl | grep selinux gives this:
>>
>> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> [jaap@localhost ~]$
>>
>>>>> from journalctl:
>>>>>
>>>>>
>>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
>>>>
>>
>>
>
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-04-24 9:29 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-18 19:40 selinux crashes always at startup Jaap
2018-04-18 20:01 ` Stephen Smalley
2018-04-18 20:04 ` Stephen Smalley
[not found] ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
2018-04-19 13:31 ` Stephen Smalley
2018-04-24 9:29 ` Lukas Vrabec
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.