Re: How to see SELinux denials late at shutdown

On 11/12/19 8:08 AM, Christian Göttsche wrote:
While trying to confine systemd-shutdown, I am unable to see any
SELinux denials late at shutdown.
I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
When running poweroff or reboot, systemd-shutdown stalls but no denial
is printed.
With a script like [1] dmesg does not print any information.
In permissive mode the system powers off/reboots, but no denials are printed.
Trying to stop auditd/systemd-journald beforehand does not help.

Does the kernel itself shut down the ring buffer, or can systemd
interfere somehow?

systemd could be setting the console loglevel (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether (SYSLOG_ACTION_CONSOLE_OFF). Not sure why it would however.

Android had a nice facility for capturing kernel log messages after a reboot, originally via /proc/last_kmsg and later via /sys/fs/pstore/console-ramoops, but I don't think the Linux distros provide any equivalent.




[1]: https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually

Shutdown log from serial console:

Debian GNU/Linux bullseye/sid debian-test ttyS0

debian-test login: [   15.644442] audit: type=1305
audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295
ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[   15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[   15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-modules-load comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup-dev comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysusers comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-remount-fs comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-poweroff comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[   15.866146] systemd-shutdown[1]: Syncing filesystems and block devices.
[   15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[   15.998582] systemd-journald[263]: Received SIGTERM from PID 1
(systemd-shutdow).
[   16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[   16.113594] systemd-shutdown[1]: Unmounting file systems.
[   16.116468] [484]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[   16.119280] [484]: Failed to remount '/' read-only: Permission denied
[   16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.122819] systemd-shutdown[1]: Deactivating swaps.
[   16.124065] systemd-shutdown[1]: All swaps deactivated.
[   16.125264] systemd-shutdown[1]: Detaching loop devices.
[   16.126533] systemd-shutdown[1]: All loop devices detached.
[   16.129193] systemd-shutdown[1]: Detaching DM devices.
[   16.130386] systemd-shutdown[1]: All DM devices detached.
[   16.131646] systemd-shutdown[1]: Unmounting file systems.
[   16.133535] [485]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[   16.134932] [485]: Failed to remount '/' read-only: Permission denied
[   16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.137917] systemd-shutdown[1]: Cannot finalize remaining file
systems, continuing.
[   16.140467] systemd-shutdown[1]: Failed to finalize  file systems, ignoring
[   16.142078] systemd-shutdown[1]: Syncing filesystems and block devices.
[   16.159309] systemd-shutdown[1]: Powering off.
[   16.160685] systemd-shutdown[1]: Failed to invoke reboot():
Operation not permitted
[   16.162408] systemd-shutdown[1]: Critical error while doing system
shutdown: Operation not permitted
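
Added example, not part of the original thread or of systemd: a small C helper that addresses the reply's two possibilities (SYSLOG_ACTION_CONSOLE_OFF and a lowered SYSLOG_ACTION_CONSOLE_LEVEL) by re-enabling console logging at the highest level and then printing any AVC lines still in the kernel ring buffer to /dev/console. It is meant to run at the point where the script from [1] runs; the function name `filter_avc` and the `"avc:"` substring match are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

/* Action numbers from syslog(2); glibc's <sys/klog.h> only declares klogctl(). */
#define SYSLOG_ACTION_READ_ALL      3
#define SYSLOG_ACTION_CONSOLE_ON    7
#define SYSLOG_ACTION_CONSOLE_LEVEL 8
#define SYSLOG_ACTION_SIZE_BUFFER   10

/* Copy every line of `log` that contains "avc:" into `out` (capacity `cap`,
 * always NUL-terminated). Returns the number of lines copied. */
int filter_avc(const char *log, char *out, size_t cap)
{
    int hits = 0;
    size_t used = 0;
    if (cap == 0) return 0;
    out[0] = '\0';
    while (*log) {
        const char *eol = strchr(log, '\n');
        size_t len = eol ? (size_t)(eol - log) : strlen(log);
        const char *m = strstr(log, "avc:");
        if (m && m < log + len && used + len + 2 <= cap) {
            used += (size_t)snprintf(out + used, cap - used, "%.*s\n", (int)len, log);
            hits++;
        }
        log += len + (eol ? 1 : 0);
    }
    return hits;
}

int main(void)
{
    /* Undo a possible CONSOLE_OFF, then let every message level reach the console. */
    klogctl(SYSLOG_ACTION_CONSOLE_ON, NULL, 0);
    klogctl(SYSLOG_ACTION_CONSOLE_LEVEL, NULL, 8);
    int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, NULL, 0);
    if (size <= 0) return 1;
    char *raw = malloc((size_t)size + 1), *avc = malloc((size_t)size + 2);
    if (!raw || !avc) return 1;
    int n = klogctl(SYSLOG_ACTION_READ_ALL, raw, size);
    if (n < 0) return 1;
    raw[n] = '\0';
    int hits = filter_avc(raw, avc, (size_t)size + 2);
    FILE *con = fopen("/dev/console", "w");
    if (con) fprintf(con, "shutdown hook: %d AVC line(s) in ring buffer\n%s", hits, avc);
    return 0;
}
```

The helper needs CAP_SYSLOG, and under SELinux its domain also needs the `syslog_console` and `syslog_read` permissions of the `system` class, so test it in permissive mode first.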




