On Fri, 15 Feb 2013 10:34:00 -0500
Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> Output from the printk was what?
> Also of interest would be avd->allowed, avd->auditdeny, from_access.

I attached a syslog snippet.

> In this situation, if you just let it fall through to
> audit_inode_permission() rather than bailing on !audited, you should
> get an avc audit message. audit_inode_permission() calls
> slow_avc_audit() for you.

I already tried that; it doesn't yield a message either.

> Are you sure your audit messages aren't just going to audit.log
> rather than syslog? That would be the case if auditd has started.

I don't use auditd, and there are some other audit messages in kern.log
and avc.log (at least if I disable dontaudit rules).

> Need to figure out why the kernel isn't auditing the denial for you
> (that's a kernel bug), but the policy bug here is likely that you
> aren't allowing the process to search the cgroup dir. Don't know
> anything about your policy.

I'm using the refpolicy 2.20120725 with some Gentoo-specific patches:
http://mirror.mcs.anl.gov/pub/gentoo/distfiles/patchbundle-selinux-base-policy-2.20120725-r9.tar.bz

Feb 15 17:01:23 virt kernel: [ 0.361809] SELinux: 2048 avtab hash slots, 11172 rules.
Feb 15 17:01:23 virt kernel: [ 0.365897] SELinux: 2048 avtab hash slots, 11172 rules.
Feb 15 17:01:23 virt kernel: [ 0.366308] SELinux: 6 users, 27 roles, 1325 types, 41 bools
Feb 15 17:01:23 virt kernel: [ 0.366314] SELinux: 81 classes, 11172 rules
Feb 15 17:01:23 virt kernel: [ 0.369135] SELinux: Completing initialization.
Feb 15 17:01:23 virt kernel: [ 0.369139] SELinux: Setting up existing superblocks.
Feb 15 17:01:23 virt kernel: [ 0.369159] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369169] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369178] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369188] SELinux: initialized (dev proc, type proc), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369211] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.369225] SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.369349] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Feb 15 17:01:23 virt kernel: [ 0.369357] SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369648] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Feb 15 17:01:23 virt kernel: [ 0.369657] SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369664] SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.369674] SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.369681] SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.369689] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.369712] SELinux: initialized (dev sda, type ext4), uses xattr
Feb 15 17:01:23 virt kernel: [ 0.369823] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 0.372785] type=1403 audit(1360944081.372:2): policy loaded auid=4294967295 ses=4294967295
Feb 15 17:01:23 virt kernel: [ 0.374173] avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.374364] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.375184] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.383584] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.391980] allowed: 0, auditdeny: -8650769, from_access: 0<4>[ 0.423450] kbd_mode (710) used greatest stack depth: 5664 bytes left
Feb 15 17:01:23 virt kernel: [ 0.452719] loadkeys (711) used greatest stack depth: 5096 bytes left
Feb 15 17:01:23 virt kernel: [ 0.453328] init-early.sh (709) used greatest stack depth: 4416 bytes left
Feb 15 17:01:23 virt kernel: [ 0.488124] avc_has_perm_noaudit(63, 31, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.488360] allowed: 8716371, auditdeny: -37, from_access: 1<7>[ 0.503648] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 0.503664] avc_has_perm_noaudit(63, 50, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.503860] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 0.983790] allowed: 8716371, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.005856] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(63, 36, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.062238] allowed: 8716371, auditdeny: -32775296, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.072475] allowed: 0, auditdeny: -262744, from_access: 0<7>[ 1.073087] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 1.073094] avc_has_perm_noaudit(63, 33, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.073452] allowed: 8716371, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.158504] allowed: 0, auditdeny: -262744, from_access: 0<7>[ 1.158572] SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 1.158578] avc_has_perm_noaudit(63, 2, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.158579] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.165915] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(63, 34, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.166064] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.226628] allowed: 0, auditdeny: -262744, from_access: 0<7>[ 1.226759] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 15 17:01:23 virt kernel: [ 1.226766] avc_has_perm_noaudit(63, 28, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.226767] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231707] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231804] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231805] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231807] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231808] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231809] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231810] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231811] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231811] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231812] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231813] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231814] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231815] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231816] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231817] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231818] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231818] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.231819] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [ 1.231825] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 1.231851] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.231852] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.233988] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234100] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234102] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234103] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234104] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234105] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234106] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234107] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234108] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234109] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234109] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234110] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234111] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234112] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234113] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234114] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234114] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.234115] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [ 1.234118] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 1.234124] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.234125] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235315] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235379] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235380] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235381] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235382] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235383] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235384] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235385] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235386] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235387] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235388] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235389] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235390] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235391] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235391] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235392] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235393] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.235394] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [ 1.235396] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 1.235401] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.235402] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 33, 10, 6, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236562] allowed: 0, auditdeny: -262744, from_access: 0avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236619] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236620] cgroup_addrm_files: failed to add tasks, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236621] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236622] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236623] cgroup_addrm_files: failed to add cgroup.procs, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236624] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236625] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236625] cgroup_addrm_files: failed to add notify_on_release, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236626] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236627] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236628] cgroup_addrm_files: failed to add cgroup.event_control, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236629] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236630] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236631] cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236632] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236632] allowed: 65536, auditdeny: -8388609, from_access: 0<4>[ 1.236633] cgroup_addrm_files: failed to add release_agent, err=-13
Feb 15 17:01:23 virt kernel: [ 1.236635] SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 1.236640] avc_has_perm_noaudit(63, 69, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 1.236641] allowed: 8716304, auditdeny: -37, from_access: 1systemd-udevd[904]: starting version 197
Feb 15 17:01:23 virt kernel: [ 1.746764] hpet1: lost 2 rtc interrupts
Feb 15 17:01:23 virt kernel: [ 2.454130] avc_has_perm_noaudit(63, 50, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 2.454133] allowed: 8716304, auditdeny: -37, from_access: 1<7>[ 3.555584] SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Feb 15 17:01:23 virt kernel: [ 3.555613] avc_has_perm_noaudit(63, 120, 7, 4, 0, &avd)
Feb 15 17:01:23 virt kernel: [ 3.555614] allowed: 8716304, auditdeny: -37, from_access: 1avc_has_perm_noaudit(63, 2, 7, 4, 0, &avd)
Feb 15 17:01:31 virt kernel: [ 3.569335] allowed: 8716371, auditdeny: -8650805, from_access: 1avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:31 virt kernel: [ 11.700595] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [ 11.701646] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [ 12.822528] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [ 12.822649] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
Feb 15 17:01:32 virt kernel: [ 12.832442] allowed: 0, auditdeny: -8650769, from_access: 0avc_has_perm_noaudit(134, 28, 7, 8388608, 0, &avd)
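Added example (not part of the original message and not kernel code): a small Python decoder that applies the denial branch of the kernel's AVC audit decision, denied = requested & ~allowed and audited = denied & auditdeny, to the printk pairs in the syslog snippet above. The helper names (u32, audit_decision, classify) are this example's own, and the third sample record is constructed to show the audited case.

```python
import re

# Each record is the debug printk pair seen in the log: the call arguments
# (ssid, tsid, tclass, requested, flags) followed by the returned avd fields.
PAIR = re.compile(
    r"avc_has_perm_noaudit\((\d+), (\d+), (\d+), (\d+), \d+, &avd\)"
    r".*?allowed: (-?\d+), auditdeny: (-?\d+)",
    re.S,
)

def u32(text):
    """The printk shows u32 fields as signed; fold them back to unsigned."""
    return int(text) & 0xFFFFFFFF

def audit_decision(requested, allowed, auditdeny):
    """Denial branch only: which bits were denied, and which of those
    still have their auditdeny bit set (and so would be logged)."""
    denied = requested & ~allowed & 0xFFFFFFFF
    return denied, denied & auditdeny

def classify(log_text):
    """Return one (ssid, tsid, tclass, denied, audited) tuple per record."""
    rows = []
    for m in PAIR.finditer(log_text):
        ssid, tsid, tclass = (int(m.group(i)) for i in (1, 2, 3))
        denied, audited = audit_decision(
            u32(m.group(4)), u32(m.group(5)), u32(m.group(6)))
        rows.append((ssid, tsid, tclass, denied, audited))
    return rows

# First two records: values taken from the log above, syslog prefix trimmed.
# Third record: constructed (same request, every auditdeny bit set).
SAMPLE = """\
[ 1.231807] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
[ 1.231808] allowed: 65536, auditdeny: -8388609, from_access: 0
[ 0.374173] avc_has_perm_noaudit(46, 5, 7, 8388608, 0, &avd)
[ 0.374364] allowed: 0, auditdeny: -8650769, from_access: 0
[ 9.000000] avc_has_perm_noaudit(1, 3, 7, 8388608, 0, &avd)
[ 9.000001] allowed: 65536, auditdeny: -1, from_access: 0
"""

if __name__ == "__main__":
    for ssid, tsid, tclass, denied, audited in classify(SAMPLE):
        state = "audited" if audited else "denied, audit bit cleared"
        print(f"ssid={ssid} tsid={tsid} tclass={tclass} "
              f"denied={denied:#x} {state}")
```

For the cgroup records, the requested bit 0x800000 is denied and is also the bit cleared in auditdeny (-8388609 is 0xff7fffff as a u32), so audited comes out as 0.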