* How to see SELinux denials late at shutdown
@ 2019-11-12 13:08 Christian Göttsche
  2019-11-12 16:40 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2019-11-12 13:08 UTC (permalink / raw)
  To: selinux

While trying to confine systemd-shutdown, I am unable to see any
SELinux denials late at shutdown.
I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
When running poweroff or reboot, systemd-shutdown stalls but no denial
is printed.
With a script like [1] dmesg does not print any information.
In permissive mode the system powers off/reboots, but no denials are printed.
Trying to stop auditd/systemd-journald beforehand does not help.

Does the kernel itself shut down the ring buffer, or can systemd
interfere somehow?



[1]: https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually

Shutdown log from serial console:

Debian GNU/Linux bullseye/sid debian-test ttyS0

debian-test login: [   15.644442] audit: type=1305
audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295
ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[   15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-modules-load comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup-dev comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysusers comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-remount-fs comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-poweroff comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.866146] systemd-shutdown[1]: Syncing filesystems and block devices.
[   15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[   15.998582] systemd-journald[263]: Received SIGTERM from PID 1
(systemd-shutdow).
[   16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[   16.113594] systemd-shutdown[1]: Unmounting file systems.
[   16.116468] [484]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[   16.119280] [484]: Failed to remount '/' read-only: Permission denied
[   16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.122819] systemd-shutdown[1]: Deactivating swaps.
[   16.124065] systemd-shutdown[1]: All swaps deactivated.
[   16.125264] systemd-shutdown[1]: Detaching loop devices.
[   16.126533] systemd-shutdown[1]: All loop devices detached.
[   16.129193] systemd-shutdown[1]: Detaching DM devices.
[   16.130386] systemd-shutdown[1]: All DM devices detached.
[   16.131646] systemd-shutdown[1]: Unmounting file systems.
[   16.133535] [485]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[   16.134932] [485]: Failed to remount '/' read-only: Permission denied
[   16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.137917] systemd-shutdown[1]: Cannot finalize remaining file
systems, continuing.
[   16.140467] systemd-shutdown[1]: Failed to finalize  file systems, ignoring
[   16.142078] systemd-shutdown[1]: Syncing filesystems and block devices.
[   16.159309] systemd-shutdown[1]: Powering off.
[   16.160685] systemd-shutdown[1]: Failed to invoke reboot():
Operation not permitted
[   16.162408] systemd-shutdown[1]: Critical error while doing system
shutdown: Operation not permitted


* Re: How to see SELinux denials late at shutdown
  2019-11-12 13:08 How to see SELinux denials late at shutdown Christian Göttsche
@ 2019-11-12 16:40 ` Stephen Smalley
  2019-11-12 16:49   ` Stephen Smalley
From: Stephen Smalley @ 2019-11-12 16:40 UTC (permalink / raw)
  To: Christian Göttsche, selinux

On 11/12/19 8:08 AM, Christian Göttsche wrote:
> While trying to confine systemd-shutdown, I am unable to see any
> SELinux denials late at shutdown.
> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> When running poweroff or reboot, systemd-shutdown stalls but no denial
> is printed.
> With a script like [1] dmesg does not print any information.
> In permissive mode the system powers off/reboots, but no denials are printed.
> Trying to stop auditd/systemd-journald beforehand does not help.
> 
> Does the kernel itself shut down the ring buffer, or can systemd
> interfere somehow?

systemd could be setting the console loglevel 
(SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether 
(SYSLOG_ACTION_CONSOLE_OFF).  Not sure why it would however.

Android had a nice facility for capturing kernel log messages after a 
reboot, originally via /proc/last_kmsg and later via 
/sys/fs/pstore/console-ramoops, but I don't think the Linux distros 
provide any equivalent.


* Re: How to see SELinux denials late at shutdown
  2019-11-12 16:40 ` Stephen Smalley
@ 2019-11-12 16:49   ` Stephen Smalley
  2019-11-12 23:14     ` Paul Moore
From: Stephen Smalley @ 2019-11-12 16:49 UTC (permalink / raw)
  To: Christian Göttsche, selinux

On 11/12/19 11:40 AM, Stephen Smalley wrote:
> On 11/12/19 8:08 AM, Christian Göttsche wrote:
>> While trying to confine systemd-shutdown, I am unable to see any
>> SELinux denials late at shutdown.
>> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
>> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
>> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
>> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
>> When running poweroff or reboot, systemd-shutdown stalls but no denial
>> is printed.
>> With a script like [1] dmesg does not print any information.
>> In permissive mode the system powers off/reboots, but no denials are 
>> printed.
>> Trying to stop auditd/systemd-journald beforehand does not help.
>>
>> Does the kernel itself shut down the ring buffer, or can systemd
>> interfere somehow?
> 
> systemd could be setting the console loglevel 
> (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether 
> (SYSLOG_ACTION_CONSOLE_OFF).  Not sure why it would however.
> 
> Android had a nice facility for capturing kernel log messages after a 
> reboot, originally via /proc/last_kmsg and later via 
> /sys/fs/pstore/console-ramoops, but I don't think the Linux distros 
> provide any equivalent.

I've seen lossage of SELinux avc denials due to the printk or audit 
ratelimits in the past, FWIW, but you are supposed to then get a notice 
that there were lost records...


* Re: How to see SELinux denials late at shutdown
  2019-11-12 16:49   ` Stephen Smalley
@ 2019-11-12 23:14     ` Paul Moore
  2020-02-25 19:20       ` Christian Göttsche
From: Paul Moore @ 2019-11-12 23:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Christian Göttsche, selinux

On Tue, Nov 12, 2019 at 11:49 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 11/12/19 11:40 AM, Stephen Smalley wrote:
> > On 11/12/19 8:08 AM, Christian Göttsche wrote:
> >> While trying to confine systemd-shutdown, I am unable to see any
> >> SELinux denials late at shutdown.
> >> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> >> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> >> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> >> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> >> When running poweroff or reboot, systemd-shutdown stalls but no denial
> >> is printed.
> >> With a script like [1] dmesg does not print any information.
> >> In permissive mode the system powers off/reboots, but no denials are
> >> printed.
> >> Trying to stop auditd/systemd-journald beforehand does not help.
> >>
> >> Does the kernel itself shut down the ring buffer, or can systemd
> >> interfere somehow?
> >
> > systemd could be setting the console loglevel
> > (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether
> > (SYSLOG_ACTION_CONSOLE_OFF).  Not sure why it would however.
> >
> > Android had a nice facility for capturing kernel log messages after a
> > reboot, originally via /proc/last_kmsg and later via
> > /sys/fs/pstore/console-ramoops, but I don't think the Linux distros
> > provide any equivalent.
>
> I've seen lossage of SELinux avc denials due to the printk or audit
> ratelimits in the past, FWIW, but you are supposed to then get a notice
> that there were lost records...

In this particular case I suppose it is also possible that the audit
records are stuck in the kernel audit queue and aren't fully flushed
before the system halts/reboots.

-- 
paul moore
www.paul-moore.com

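
The two explanations offered above (records suppressed by the printk/audit rate limits, which the kernel announces with `callbacks suppressed` and `audit_lost=` notices, and records stuck in the audit queue) and the console-loglevel hypothesis from the first reply can all be checked against a serial-console capture. The Python script below is an added example, not code from the thread or from any of the posters. It parses kernel AVC lines and the lost-record notices out of a console log, and interprets `/proc/sys/kernel/printk`: audit records the kernel prints itself when no auditd is listening go out at KERN_NOTICE, so a console loglevel of 5 or lower hides them. The sample input mixes lines from Christian's serial log with a constructed AVC denial and constructed lost-record notices; the `init_t`/`fs_t` labels are placeholders, not Debian's policy.

```python
"""Triage a serial-console capture for late-shutdown SELinux denials.

Added example; not code from the thread or from any of its posters.
"""
import re
from dataclasses import dataclass

# Kernel printk level of audit records that the kernel prints itself when
# no auditd is connected (audit_printk_skb() uses pr_notice()).  printk only
# emits a message on the console when its level is strictly below the
# console loglevel, the first field of /proc/sys/kernel/printk.
KERN_NOTICE = 5

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# "key=value" pairs after "for", with double-quoted values kept whole.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Notices the kernel emits when it drops records: the printk ratelimit
# ("N callbacks suppressed"), audit_log_lost() ("audit_lost=N ...") and the
# audit backlog check ("audit_backlog=N > audit_backlog_limit=M").
LOST_RE = re.compile(
    r"(\d+ callbacks suppressed|audit_lost=\d+|audit_backlog=\d+ > audit_backlog_limit=\d+)"
)


@dataclass
class AvcRecord:
    decision: str   # "denied" or "granted"
    perms: list     # permissions listed inside the braces
    fields: dict    # pid, comm, scontext, tcontext, tclass, permissive, ...


def parse_avc(line):
    """Return an AvcRecord for a kernel AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def console_shows_audit(printk_sysctl):
    """True if the console loglevel in a /proc/sys/kernel/printk line lets
    KERN_NOTICE audit records through to the console."""
    console_loglevel = int(printk_sysctl.split()[0])
    return console_loglevel > KERN_NOTICE


def triage(lines):
    """Collect AVC records and lost-record notices from console lines."""
    report = {"avc": [], "lost_notices": []}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            report["avc"].append(rec)
        lost = LOST_RE.search(line)
        if lost is not None:
            report["lost_notices"].append(lost.group(1))
    return report


# Constructed sample: lines from the serial log in this thread with one
# AVC denial and two lost-record notices added for illustration.  The
# init_t/fs_t labels are placeholders, not Debian's policy.
SAMPLE_CONSOLE = """\
[   16.113594] systemd-shutdown[1]: Unmounting file systems.
[   16.116468] [484]: Remounting '/' read-only in with options 'seclabel,errors=remount-ro'.
[   16.118001] audit: type=1400 audit(1573562456.700:67): avc:  denied  { remount } for  pid=484 comm="systemd-shutdow" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[   16.119280] [484]: Failed to remount '/' read-only: Permission denied
[   16.150000] audit_printk_skb: 12 callbacks suppressed
[   16.151000] audit: audit_lost=12 audit_rate_limit=0 audit_backlog_limit=64
[   16.159309] systemd-shutdown[1]: Powering off.
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_CONSOLE)
    for rec in result["avc"]:
        f = rec.fields
        print(f"{rec.decision} {{ {' '.join(rec.perms)} }} comm={f.get('comm')} "
              f"{f.get('scontext')} -> {f.get('tcontext')} class={f.get('tclass')}")
    for notice in result["lost_notices"]:
        print("records were dropped:", notice)
    # Constructed /proc/sys/kernel/printk value, as a quieted console would show it.
    print("console would show audit records:", console_shows_audit("4\t4\t1\t7"))
```

Feed it the raw serial capture (or `journalctl -k -b -1` output, where the journal survived) rather than `dmesg` from the next boot, since the ring buffer does not persist across a power-off. A `callbacks suppressed` or `audit_lost=` notice with no preceding AVC line points at the rate limits; an AVC-free capture without any such notice, and with a console loglevel above 5, leaves the unflushed-queue explanation.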

* Re: How to see SELinux denials late at shutdown
  2019-11-12 23:14     ` Paul Moore
@ 2020-02-25 19:20       ` Christian Göttsche
From: Christian Göttsche @ 2020-02-25 19:20 UTC (permalink / raw)
  To: selinux

> On 11/12/19 8:08 AM, Christian Göttsche wrote:
> While trying to confine systemd-shutdown, I am unable to see any
> SELinux denials late at shutdown.
> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> When running poweroff or reboot, systemd-shutdown stalls but no denial
> is printed.
> With a script like [1] dmesg does not print any information.
> In permissive mode the system powers off/reboots, but no denials are
> printed.
> Trying to stop auditd/systemd-journald beforehand does not help.
>
> Does the kernel itself shut down the ring buffer, or can systemd
> interfere somehow?

For the record:

With a custom kernel I was able to retrieve the denials and confine
systemd-shutdown.

---
 security/selinux/avc.c | 58 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d18cb32a242a..26c440f022ce 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -751,6 +751,62 @@ static void avc_audit_post_callback(struct
audit_buffer *ab, void *a)
     }
 }

+static void dump_avc_to_console(const struct selinux_audit_data *sad)
+{
+    u32 av = sad->audited;
+    char perm_str[128];
+    const char **perms;
+    int i, perm;
+    char *scontext = NULL, *tcontext = NULL;
+    u32 context_len;
+
+    if (av == 0) {
+        snprintf(perm_str, sizeof(perm_str), " null");
+    } else {
+        perms = secclass_map[sad->tclass-1].perms;
+
+        snprintf(perm_str, sizeof(perm_str), " {");
+
+        i = 0;
+        perm = 1;
+
+        while (i < (sizeof(av) * 8)) {
+            if ((perm & av) && perms[i]) {
+                strncat(perm_str, " ",
+                    sizeof(perm_str) - strlen(perm_str)
+                             - 1);
+                strncat(perm_str, perms[i],
+                    sizeof(perm_str) - strlen(perm_str)
+                             - 1);
+                av &= ~perm;
+            }
+            i++;
+            perm <<= 1;
+        }
+
+        if (av)
+            strncat(perm_str, " UNKNOWN",
+                sizeof(perm_str) - strlen(perm_str) - 1);
+
+        strncat(perm_str, " }", sizeof(perm_str) - strlen(perm_str)
+                             - 1);
+    }
+
+    security_sid_to_context(sad->state, sad->ssid, &scontext, &context_len);
+    security_sid_to_context(sad->state, sad->tsid, &tcontext, &context_len);
+
+    pr_warn("SELinux avc: %s %s for scontext=%s tcontext=%s tclass=%s
permissive=%d\n",
+        sad->denied ? "denied" : "granted",
+        perm_str,
+        scontext ? scontext : "KERNEL SID",
+        tcontext ? tcontext : "KERNEL SID",
+        secclass_map[sad->tclass-1].name,
+        sad->denied ? (sad->result ? 0 : 1) : -1);
+
+    kfree(scontext);
+    kfree(tcontext);
+}
+
 /* This is the slow part of avc audit with big stack footprint */
 noinline int slow_avc_audit(struct selinux_state *state,
                 u32 ssid, u32 tsid, u16 tclass,
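Review bot: the return values of the two `security_sid_to_context()` calls in `dump_avc_to_console()` are ignored, so an allocation or lookup failure leaves `scontext`/`tcontext` NULL and the line prints "KERNEL SID", which cannot be told apart from a real kernel SID; check the result and print the numeric `sad->ssid`/`sad->tsid` on failure instead. As posted, the `pr_warn()` format string is also split across two lines inside the literal (`... tclass=%s` / `permissive=%d\n"`), so the hunk will not compile until it is rejoined. Minor: `perm` is a signed `int` that is shifted through bit 31 by the loop; `u32 perm` avoids the signed overflow.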
@@ -779,6 +835,8 @@ noinline int slow_avc_audit(struct selinux_state *state,

     a->selinux_audit_data = &sad;

+    dump_avc_to_console(&sad);
+
     common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
     return 0;
 }
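Review bot: `dump_avc_to_console(&sad)` runs unconditionally, so every audited decision, including granted ones from `auditallow` rules, is now emitted twice, once via `pr_warn()` and once through `common_lsm_audit()`, and the `pr_warn()` path is not subject to the audit rate limit, so a burst of denials at shutdown can flood a serial console. For a debugging kernel that is the intent, but gate the call behind a boot parameter or a `#ifdef` so it cannot be built into a production kernel by accident.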
-- 
2.25.1

