Re: How to see SELinux denials late at shutdown

On 11/12/19 11:40 AM, Stephen Smalley wrote:
On 11/12/19 8:08 AM, Christian Göttsche wrote:
While trying to confine systemd-shutdown, I am unable to see any
SELinux denials late at shutdown.
I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
When running poweroff or reboot, systemd-shutdown stalls but no denial
is printed.
With a script like [1] dmesg does not print any information.
In permissive mode the system powers off/reboots, but no denials are printed.
Trying to stop auditd/systemd-journald beforehand does not help.

Does the kernel itself shut down the ring buffer, or can systemd
interfere somehow?

systemd could be setting the console loglevel (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether (SYSLOG_ACTION_CONSOLE_OFF).  Not sure why it would however.

Android had a nice facility for capturing kernel log messages after a reboot, originally via /proc/last_kmsg and later via /sys/fs/pstore/console-ramoops, but I don't think the Linux distros provide any equivalent.

I've seen lossage of SELinux avc denials due to the printk or audit ratelimits in the past, FWIW, but you are supposed to then get a notice that there were lost records...

[1]: https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually

Shutdown log from serial console:

Debian GNU/Linux bullseye/sid debian-test ttyS0

debian-test login: [   15.644442] audit: type=1305 audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[   15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-tmpfiles-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-tmpfiles-setup-dev comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-sysusers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-remount-fs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=systemd-poweroff comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   15.866146] systemd-shutdown[1]: Syncing filesystems and block devices.
[   15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[   15.998582] systemd-journald[263]: Received SIGTERM from PID 1 (systemd-shutdow).
[   16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[   16.113594] systemd-shutdown[1]: Unmounting file systems.
[   16.116468] [484]: Remounting '/' read-only in with options 'seclabel,errors=remount-ro'.
[   16.119280] [484]: Failed to remount '/' read-only: Permission denied
[   16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.122819] systemd-shutdown[1]: Deactivating swaps.
[   16.124065] systemd-shutdown[1]: All swaps deactivated.
[   16.125264] systemd-shutdown[1]: Detaching loop devices.
[   16.126533] systemd-shutdown[1]: All loop devices detached.
[   16.129193] systemd-shutdown[1]: Detaching DM devices.
[   16.130386] systemd-shutdown[1]: All DM devices detached.
[   16.131646] systemd-shutdown[1]: Unmounting file systems.
[   16.133535] [485]: Remounting '/' read-only in with options 'seclabel,errors=remount-ro'.
[   16.134932] [485]: Failed to remount '/' read-only: Permission denied
[   16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[   16.137917] systemd-shutdown[1]: Cannot finalize remaining file systems, continuing.
[   16.140467] systemd-shutdown[1]: Failed to finalize  file systems, ignoring
[   16.142078] systemd-shutdown[1]: Syncing filesystems and block devices.
[   16.159309] systemd-shutdown[1]: Powering off.
[   16.160685] systemd-shutdown[1]: Failed to invoke reboot(): Operation not permitted
[   16.162408] systemd-shutdown[1]: Critical error while doing system shutdown: Operation not permitted
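An added example, not from the thread or from systemd: a scanner for a serial-console shutdown log like the one quoted above. It checks the three points this exchange turns on: whether the type=1305 record shows auditd unregistering (audit_pid=0), after which AVC records can only reach printk; whether the audit serial numbers run contiguously (a gap means records were generated but never printed, as with the rate limits Stephen mentions); and whether each "Permission denied" / "Operation not permitted" failure was preceded by a printed `avc: denied` record. The sample lines are copied from the log above; the record-type constants follow <linux/audit.h>, and the failure-to-AVC pairing heuristic is this example's own.

```python
import re

# Console lines taken from the serial log quoted above (wrapped lines
# re-joined, abridged to the records the checks need).
SAMPLE_LOG = """\
[   15.644442] audit: type=1305 audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[   15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   16.116468] [484]: Remounting '/' read-only in with options 'seclabel,errors=remount-ro'.
[   16.119280] [484]: Failed to remount '/' read-only: Permission denied
[   16.160685] systemd-shutdown[1]: Failed to invoke reboot(): Operation not permitted
"""

AUDIT_RE = re.compile(r"audit: type=(\d+) audit\(\d+\.\d+:(\d+)\): (.*)")
AVC_RE = re.compile(r"\bavc:\s+denied\b")       # text of a printed AVC denial
FAIL_RE = re.compile(r"Permission denied|Operation not permitted")  # EACCES / EPERM
AUDIT_CONFIG_CHANGE, AUDIT_AVC = 1305, 1400     # record types from <linux/audit.h>

def scan_shutdown_log(text):
    """Return what the console log shows about audit/AVC visibility:
    - auditd_detached_at: serial of the type=1305 record carrying audit_pid=0,
      after which the kernel has no auditd and AVC records go to printk only;
    - serial_gaps: (previous, next) pairs where audit serials are not contiguous,
      i.e. records existed in the kernel but never reached this console;
    - unexplained_failures: EACCES/EPERM errors with no 'avc: denied' record
      printed since the previous failure (denial hidden, lost or dontaudit'ed)."""
    findings = {"auditd_detached_at": None, "serial_gaps": [], "unexplained_failures": []}
    last_serial, avc_pending = None, False
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            rec_type, serial, body = int(m.group(1)), int(m.group(2)), m.group(3)
            if last_serial is not None and serial != last_serial + 1:
                findings["serial_gaps"].append((last_serial, serial))
            last_serial = serial
            if rec_type == AUDIT_CONFIG_CHANGE and "audit_pid=0" in body.split():
                findings["auditd_detached_at"] = serial
            if rec_type == AUDIT_AVC and AVC_RE.search(body):
                avc_pending = True          # a denial was printed; pair it with the next failure
        elif FAIL_RE.search(line):
            if avc_pending:
                avc_pending = False         # explained by the AVC record seen above
            else:
                findings["unexplained_failures"].append(line.strip())
    return findings

if __name__ == "__main__":
    for key, value in scan_shutdown_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted log it reports auditd detached at serial 57, no serial gaps, and both EACCES/EPERM failures as unexplained, which matches what Christian describes: the operations fail but no denial is ever printed.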