* selinux crashes always at startup
@ 2018-04-18 19:40 Jaap
  2018-04-18 20:01 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Jaap @ 2018-04-18 19:40 UTC (permalink / raw)
  To: selinux


selinux crashes always at startup. The problem is always reported (says selinux), but it does not get better.

from journalctl:


n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  94 classes, 107409 rules
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ax25_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ipx_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class netrom_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmpvc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class x25_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rose_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class decnet_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmsvc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rds_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class irda_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class pppox_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class llc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class can_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class tipc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class bluetooth_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class iucv_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rxrpc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class isdn_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class phonet_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ieee802154_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class caif_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class alg_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class nfc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class vsock_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class kcm_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class qipcrtr_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class smc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Setting up existing superblocks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: selinux crashes always at startup
  2018-04-18 19:40 selinux crashes always at startup Jaap
@ 2018-04-18 20:01 ` Stephen Smalley
  2018-04-18 20:04   ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-18 20:01 UTC (permalink / raw)
  To: Jaap, selinux

On 04/18/2018 03:40 PM, Jaap wrote:
> 
> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.

None of the SELinux messages you showed are errors.  They are just informational, and the message "the above unknown
classes and permissions will be allowed" indicates that they won't cause any permission denials.

> 
> from journalctl:
> 
> 
> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  94 classes, 107409 rules
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ax25_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ipx_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class netrom_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmpvc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class x25_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rose_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class decnet_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmsvc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rds_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class irda_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class pppox_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class llc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class can_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class tipc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class bluetooth_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class iucv_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rxrpc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class isdn_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class phonet_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ieee802154_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class caif_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class alg_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class nfc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class vsock_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class kcm_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class qipcrtr_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class smc_socket not defined in policy.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Setting up existing superblocks.


* Re: selinux crashes always at startup
  2018-04-18 20:01 ` Stephen Smalley
@ 2018-04-18 20:04   ` Stephen Smalley
       [not found]     ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-18 20:04 UTC (permalink / raw)
  To: Jaap, selinux

On 04/18/2018 04:01 PM, Stephen Smalley wrote:
> On 04/18/2018 03:40 PM, Jaap wrote:
>>
>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
> 
> None of the SELinux messages you showed are errors.  They are just informational, and the message "the above unknown
> classes and permissions will be allowed" indicates that they won't cause any permission denials.

Also, you didn't provide any information about your kernel, distro, policy, etc.
Please provide a more complete log (particularly one that shows the actual error) and
information about the system in question.

> 
>>
>> from journalctl:
>>
>>
>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  94 classes, 107409 rules
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ax25_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ipx_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class netrom_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmpvc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class x25_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rose_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class decnet_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmsvc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rds_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class irda_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class pppox_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class llc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class can_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class tipc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class bluetooth_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class iucv_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rxrpc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class isdn_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class phonet_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ieee802154_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class caif_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class alg_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class nfc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class vsock_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class kcm_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class qipcrtr_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class smc_socket not defined in policy.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Setting up existing superblocks.
> 
> 


* Re: selinux crashes always at startup
       [not found]     ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
@ 2018-04-19 13:31       ` Stephen Smalley
  2018-04-24  9:29         ` Lukas Vrabec
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2018-04-19 13:31 UTC (permalink / raw)
  To: Jaap, SELinux; +Cc: selinux

On 04/18/2018 04:44 PM, Jaap wrote:
> I am on Fedora 28, 4.16.2-300.fc28.x86_64 On a Dell laptop
> policy:   selinux-policy.noarch 3.14.1-18.fc28

(restored selinux list to cc line)

Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
You may wish to subscribe to that list if not already on it.

> I do not know if / where Selinux messages are about the crash of selinux. Does selinux have a log?

ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot.  You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.

> 
> 
> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>>> None of the SELinux messages you showed are errors.  They are just informational, and the message "the above unknown
>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>> Please provide a more complete log (particularly one that shows the actual error) and
>> information about the system in question.
> journalctl | grep selinux gives this:
> 
> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> [jaap@localhost ~]$
> 
>>>> from journalctl:
>>>>
>>>>
>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  94 classes, 107409 rules
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ax25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ipx_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class netrom_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmpvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class x25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rose_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class decnet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmsvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rds_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class irda_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class pppox_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class llc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class can_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class tipc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class bluetooth_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class iucv_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rxrpc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class isdn_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class phonet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ieee802154_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class caif_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class alg_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class nfc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class vsock_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class kcm_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class qipcrtr_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class smc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Setting up existing superblocks.
>>>
> 
> 

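The two diagnostic points made in this thread (Stephen's first reply, that the "Class ... not defined in policy" kernel lines are informational when followed by "will be allowed", and his later pointer to ausearch for AVC, SELINUX_ERR and USER_AVC records) can be applied mechanically to a journalctl excerpt like the one Jaap posted. The script below is an added example written for this page; it is not code from the thread, from the SELinux project or from Fedora. It separates the informational unknown-class messages from actual denials, parses each denial's fields, and summarises them by source type, target type, class and permission. The sample journal lines are constructed here in the shape of the lines posted above; the mapping "logged by the kernel unit means AVC, logged by a userspace unit such as systemd means USER_AVC" is an assumption made for the example.

```python
"""Triage SELinux messages from a journalctl excerpt.

Separates the informational kernel "Class X not defined in policy" lines
from real AVC denials, and summarises the denials by source type,
target type, object class and permission.
"""
import re
from collections import Counter

# Constructed sample, shaped like the journalctl lines posted in this thread.
SAMPLE_JOURNAL = """\
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open acct="gdm" res=success'
Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
"""

# "Mon DD HH:MM:SS host unit[pid]: message" (journalctl short format)
JOURNAL_LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<unit>[^:\[\s]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
UNKNOWN_CLASS_RE = re.compile(r"SELinux:\s+Class\s+(\S+)\s+not defined in policy\.")
UNKNOWN_HANDLING_RE = re.compile(
    r"SELinux:\s+the above unknown classes and permissions will be (allowed|denied)"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted (cmdline="... with spaces ...")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_journal(text):
    """Split an excerpt into unknown-class notices, their handling, and denials."""
    unknown_classes, unknown_handling, denials = [], None, []
    for line in text.splitlines():
        m = JOURNAL_LINE_RE.match(line)
        if not m:
            continue
        unit, msg = m.group("unit"), m.group("msg")
        u = UNKNOWN_CLASS_RE.search(msg)
        if u:
            unknown_classes.append(u.group(1))
            continue
        h = UNKNOWN_HANDLING_RE.search(msg)
        if h:
            unknown_handling = h.group(1)
            continue
        a = AVC_RE.search(msg)
        if not a:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(a.group("fields"))}
        denials.append({
            # Assumption for this example: a denial logged by the kernel is a
            # kernel AVC record; one logged by a userspace object manager such
            # as systemd is what ausearch reports as USER_AVC.
            "kind": "AVC" if unit == "kernel" else "USER_AVC",
            "reporter": unit,
            "perms": a.group("perms").split(),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields.get("tclass"),
            "permissive": fields.get("permissive") == "1",
            "cmdline": fields.get("cmdline"),
        })
    return {"unknown_classes": unknown_classes,
            "unknown_handling": unknown_handling,
            "denials": denials}


def summarize_denials(denials):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(selinux_type(d["scontext"]), selinux_type(d["tcontext"]),
                    d["tclass"], perm)] += 1
    return counts


def denial_rules(denials):
    """Render the denials as allow rules in policy syntax, one per
    (source, target, class) triple, so the scope of what a fix would
    grant is visible before anyone writes it."""
    perms_by_triple = {}
    for d in denials:
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        perms_by_triple.setdefault(key, set()).update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_triple.items())]


if __name__ == "__main__":
    report = parse_journal(SAMPLE_JOURNAL)
    print(f"unknown classes ({report['unknown_handling']}): {report['unknown_classes']}")
    for key, n in summarize_denials(report["denials"]).items():
        print(n, key)
    print("\n".join(denial_rules(report["denials"])))
```

Run against the constructed sample it reports two unknown classes whose accesses will be allowed (so, as Stephen says, they cause no denials), and three USER_AVC denials from systemd, all xdm_t acting on unconfined_t in the userspace `system` class with the `status` and `reload` permissions. The rendered rule is only for reading the scope of the denial; whether to grant it is a policy decision, and on Fedora that belongs in a bug against selinux-policy rather than in a local module.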

* Re: selinux crashes always at startup
  2018-04-19 13:31       ` Stephen Smalley
@ 2018-04-24  9:29         ` Lukas Vrabec
  0 siblings, 0 replies; 5+ messages in thread
From: Lukas Vrabec @ 2018-04-24  9:29 UTC (permalink / raw)
  To: Stephen Smalley, Jaap, SELinux; +Cc: selinux



Hi All,

As Stephen mentioned, the "not defined classes" messages from dmesg are just
warnings that the following class is not supported by the policy, but the hooks
are already present in the kernel. However, I'm not sure what version of Fedora
you're using, but from Fedora 28+ we will support all socket classes
mentioned in your report.

Thanks,
Lukas.

On 04/19/2018 03:31 PM, Stephen Smalley wrote:
> On 04/18/2018 04:44 PM, Jaap wrote:
>> I am on Fedora 28, 4.16.2-300.fc28.x86_64 On a Dell laptop
>> policy:   selinux-policy.noarch 3.14.1-18.fc28
> 
> (restored selinux list to cc line)
> 
> Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
> You may wish to subscribe to that list if not already on it.
> 
>> I do not know if / where Selinux messages are about the crash of selinux. Does selinux have a log?
> 
> ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot.  You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.
> 
>>
>>
>> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>>> selinux crashes always at startup. problem is always reported (says selinux) But it does not get better.
>>>> None of the SELinux messages you showed are errors.  They are just informational, and the message "the above unknown
>>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>>> Please provide a more complete log (particularly one that shows the actual error) and
>>> information about the system in question.
>> journalctl | grep selinux gives this:
>>
>> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
>> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
>> [jaap@localhost ~]$
>>
>>>>> from journalctl:
>>>>>
>>>>>
>>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  94 classes, 107409 rules
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ax25_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ipx_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class netrom_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmpvc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class x25_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rose_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class decnet_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class atmsvc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rds_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class irda_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class pppox_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class llc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class can_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class tipc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class bluetooth_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class iucv_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class rxrpc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class isdn_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class phonet_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class ieee802154_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class caif_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class alg_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class nfc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class vsock_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class kcm_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class qipcrtr_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class smc_socket not defined in policy.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Completing initialization.
>>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Setting up existing superblocks.
>>>>
>>
>>
> 


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
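
For readers triaging the quoted journal excerpt: the following Python script is an added example, not code from this thread or from the SELinux project. It parses AVC "denied" records of both kinds that appear above (the ones a userspace object manager such as systemd logs with a "selinux: avc:" prefix, and kernel AVCs relayed through audit), collapses repeats into one finding per source type, target type, class and permission set, and separates out the kernel's "Class ... not defined in policy" notices so they are not mistaken for denials. The embedded sample lines are constructed, modelled on the quoted excerpt; the `audit[1606]: AVC` line and its `name`/`ino` values are made up solely to exercise the kernel-record and permissive code path.

```python
# Added example (not code from this thread or from the SELinux project):
# triage the kind of journalctl lines quoted above. Sample input is constructed.
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the quoted excerpt; the "audit[1606]: AVC"
# line is made up only to exercise the kernel-record / permissive path.
SAMPLE_JOURNAL = """\
Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 18 21:26:20 localhost.localdomain audit[1606]: AVC avc:  denied  { write } for  pid=1606 comm="gdm-session-wor" name="example" dev="dm-0" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class sctp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux:  Class icmp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
"""

# journalctl short format: "Mon DD HH:MM:SS host unit[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?P<unit>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted and contain spaces (cmdline=...)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNKNOWN_CLASS_RE = re.compile(r"SELinux:\s+Class\s+(\w+)\s+not defined in policy")
UNKNOWN_POLICY_RE = re.compile(r"unknown classes and permissions will be (allowed|denied)")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: str  # "" when the context carries no MLS/MCS range

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass(frozen=True)
class Denial:
    timestamp: str
    source: str       # "kernel", or the userspace object manager that logged it
    perms: tuple
    scontext: Context
    tcontext: Context
    tclass: str
    enforced: bool    # permissive=0: the access was actually blocked
    uid: str
    cmdline: str

    def te_rule(self) -> str:
        """The allow rule audit2allow would derive from this record. For triage
        only: check labels, booleans and interfaces before adding raw allows."""
        p = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.scontext.type} {self.tcontext.type}:{self.tclass} {p};"


def parse_avc(line: str):
    """Return a Denial for an AVC 'denied' record, None for any other line."""
    m = JOURNAL_RE.match(line)
    if not m:
        return None
    a = AVC_RE.search(m["msg"])
    if not a:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(a["rest"])}
    unit = m["unit"]
    return Denial(
        timestamp=m["ts"],
        source="kernel" if unit in ("kernel", "audit") else unit,
        perms=tuple(a["perms"].split()),
        scontext=Context.parse(kv["scontext"]),
        tcontext=Context.parse(kv["tcontext"]),
        tclass=kv["tclass"],
        enforced=kv.get("permissive", "0") == "0",
        uid=kv.get("uid", "?"),
        cmdline=kv.get("cmdline", ""),
    )


def triage(journal: str) -> dict:
    """Collect denials, dedupe them, and note policy/kernel class mismatches."""
    denials, unknown_classes, unknown_policy = [], [], None
    for line in journal.splitlines():
        d = parse_avc(line)
        if d:
            denials.append(d)
            continue
        u = UNKNOWN_CLASS_RE.search(line)
        if u:
            unknown_classes.append(u.group(1))
            continue
        p = UNKNOWN_POLICY_RE.search(line)
        if p:
            unknown_policy = "allow" if p.group(1) == "allowed" else "deny"
    # Repeats of one (source type, target type, class, perms, mode) are one finding.
    unique = Counter(
        (d.scontext.type, d.tcontext.type, d.tclass, " ".join(d.perms), d.enforced)
        for d in denials
    )
    return {
        "denials": denials,
        "unique": unique,
        "unknown_classes": unknown_classes,
        "unknown_policy": unknown_policy,
        "userspace_sources": sorted({d.source for d in denials if d.source != "kernel"}),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_JOURNAL)
    for (st, tt, cls, perms, enf), n in r["unique"].items():
        print(f"{n}x {st} -> {tt}:{cls} {{ {perms} }} ({'enforced' if enf else 'permissive'})")
    print("rule audit2allow would suggest for the first record:", r["denials"][0].te_rule())
    if r["userspace_sources"]:
        print("denials reported by userspace object managers:", ", ".join(r["userspace_sources"]))
    if r["unknown_classes"]:
        print(f"{len(r['unknown_classes'])} kernel classes unknown to the loaded policy; "
              f"policy handle_unknown = {r['unknown_policy']}")
```

Two things the summary makes visible that the raw excerpt hides. First, records prefixed `systemd[pid]: selinux: avc:` are produced by systemd's own libselinux access check (it acts as a userspace object manager for its D-Bus API), not by the kernel, so `ausearch -m AVC` will not list them; they appear as USER_AVC audit events only if the instance could reach auditd, otherwise only in the journal. Second, the "Class ... not defined in policy" lines mean the running kernel knows object classes the loaded policy predates, and "will be allowed" reflects the policy's handle_unknown setting; they are informational and are not the denials.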



Thread overview: 5+ messages
2018-04-18 19:40 selinux crashes always at startup Jaap
2018-04-18 20:01 ` Stephen Smalley
2018-04-18 20:04   ` Stephen Smalley
     [not found]     ` <8fce61a3-9973-24aa-048d-01c410afc333@xs4all.nl>
2018-04-19 13:31       ` Stephen Smalley
2018-04-24  9:29         ` Lukas Vrabec
