Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

using systemd from backports (version see below) many AVCs appear in the logging. The system is (partially) unusable - e.g. eth0 does not work reliably.

This is needed to reproduce the problem:

Install a new (minimal) Debian 7.6.
Install selinux.
During the installation of systemd I have to set SELinux to permissive, because there is a problem with groupadd: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756468

# getenforce
Enforcing
# setenforce 0
# se_apt-get install -t wheezy-backports systemd
# setenforce 1
# reboot

When the system comes up, it has some 'hiccups' - like eth0 is not reliable. The audit.log is full of AVCs - and there are even some in /var/log/messages (because IMHO they occur when auditd is not up and running.)

/var/log/messages

Jul 30 13:31:05 debselinux kernel: [ 3.995920] type=1400 audit(1406719861.688:4): avc: denied { setattr } for pid=224 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 4.381726] type=1400 audit(1406719862.076:5): avc: denied { read } for pid=239 comm="systemd-journal" name="kmsg" dev=devtmpfs ino=1034 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
Jul 30 13:31:05 debselinux kernel: [ 4.381773] type=1400 audit(1406719862.076:6): avc: denied { write } for pid=239 comm="systemd-journal" name="journal" dev=tmpfs ino=1351 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.214468] type=1400 audit(1406719863.908:7): avc: denied { mounton } for pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.214861] type=1400 audit(1406719863.908:8): avc: denied { mounton } for pid=502 comm="mount" path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [ 6.748974] type=1400 audit(1406719864.444:9): avc: denied { getattr } for pid=587 comm="systemd-tmpfile" path="/dev/xconsole" dev=devtmpfs ino=4500 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:xconsole_device_t:s0 tclass=fifo_file
Jul 30 13:31:05 debselinux kernel: [ 6.765430] type=1107 audit(1406719864.460:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
Jul 30 13:31:05 debselinux kernel: [ 6.824456] type=1400 audit(1406719864.520:11): avc: denied { name_bind } for pid=708 comm="dhclient" src=9131 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [ 6.824535] type=1400 audit(1406719864.520:12): avc: denied { name_bind } for pid=708 comm="dhclient" src=10664 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [ 7.214021] type=1107 audit(1406719864.908:13): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/systemd-journald.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service

/var/log/audit/audit.log

type=AVC msg=audit(1406719814.627:15): avc: denied { use } for pid=3117 comm="groupadd" path="/dev/pts/2" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
type=AVC msg=audit(1406719814.635:16): avc: denied { search } for pid=3117 comm="groupadd" name="files" dev=dm-0 ino=522863 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1406719814.635:16): avc: denied { read } for pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:16): avc: denied { open } for pid=3117 comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:17): avc: denied { getattr } for pid=3117 comm="groupadd" path="/etc/selinux/default/contexts/files/file_contexts.subs_dist" dev=dm-0 ino=522865 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719865.856:17): avc: denied { read } for pid=1275 comm="systemd-logind" name="cpu" dev=tmpfs ino=3353 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file
type=AVC msg=audit(1406719866.004:26): avc: denied { read } for pid=1351 comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1406719866.260:31): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:32): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/graphical.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.280:33): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:34): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:35): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/multi-user.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719866.284:36): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/rescue.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1406719885.267:39): avc: denied { name_bind } for pid=1370 comm="dhclient" src=14083 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1406719885.291:40): avc: denied { read write } for pid=1373 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.392:41): avc: denied { read write } for pid=1377 comm="hostname" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:42): avc: denied { read write } for pid=1378 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:43): avc: denied { read write } for pid=1379 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=USER_AVC msg=audit(1406719885.484:44): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p CanReload show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.488:45): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="systemctl -p LoadState show ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1406719885.496:46): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/init.d/ssh" cmdline="/bin/systemctl restart ssh.service" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'

Kind regards
Andre

# dpkg -l | grep systemd
ii  libpam-systemd:amd64       204-14~bpo70+1  amd64  system and service manager - PAM module
ii  libsystemd-daemon0:amd64   204-14~bpo70+1  amd64  systemd utility library
ii  libsystemd-journal0:amd64  204-14~bpo70+1  amd64  systemd journal utility library
ii  libsystemd-login0:amd64    204-14~bpo70+1  amd64  systemd login utility library
ii  systemd                    204-14~bpo70+1  amd64  system and service manager
ii  systemd-sysv               204-14~bpo70+1  amd64  system and service manager - SysV links

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
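As an added example (not part of Andre's report or of the Debian policy package), a small Python triage script for AVC records in the two forms that appear above: the type=1400 / type=1107 lines the kernel printed to syslog before auditd was running, and the type=AVC / type=USER_AVC records in audit.log, where systemd itself is the userspace object manager for the service and system classes. It groups denials by source domain, target type, class and permission, which is the view a policy maintainer needs to separate missing rules (e.g. ifconfig_t and hostname_t inheriting dhclient's socket) from denials that point at a labelling problem rather than a rule to add; the sample records are constructed from the report.

```python
import re
from collections import Counter

# Constructed sample: a syslog-relayed kernel denial, two audit.log AVC
# records and one USER_AVC record, all in the form seen in the report.
SAMPLE_LOG = """\
Jul 30 13:31:05 debselinux kernel: [ 4.381726] type=1400 audit(1406719862.076:5): avc: denied { read } for pid=239 comm="systemd-journal" name="kmsg" dev=devtmpfs ino=1034 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
type=AVC msg=audit(1406719885.291:40): avc: denied { read write } for pid=1373 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=AVC msg=audit(1406719885.396:42): avc: denied { read write } for pid=1378 comm="ip" path="socket:[10651]" dev=sockfs ino=10651 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=USER_AVC msg=audit(1406719866.280:32): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/graphical.target" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service : exe="/lib/systemd/systemd" (sauid=0, hostname=?, addr=?, terminal=?)'
"""

# The avc: part has the same shape whether it is a bare kernel record or
# nested inside a USER_AVC msg='...' field, so one pattern serves both.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Return a dict describing one denial, or None if the line has no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    target = re.search(r'(?:path|name)="([^"]*)"', line)
    # A context is user:role:type:level; the MLS level may contain more
    # colons (s0-s0:c0.c1023), so take the third field rather than the last.
    return {
        "perms": m.group("perms").split(),
        "sdomain": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
        "target": target.group(1) if target else None,
        # USER_AVC (1107 on the console) is a userspace decision, here systemd's.
        "userspace": "type=USER_AVC" in line or "type=1107" in line,
    }

def summarize(log_text):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    # Candidate rules in audit2allow style; each still needs review, since a
    # denial against a wrongly labelled object wants a relabel, not a rule.
    for key, n in summarize(SAMPLE_LOG).most_common():
        print("%3d  allow %s %s:%s { %s };" % ((n,) + key))
```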