On Tue, Nov 12, 2019 at 11:49 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On 11/12/19 11:40 AM, Stephen Smalley wrote:
> > On 11/12/19 8:08 AM, Christian Göttsche wrote:
> >> While trying to confine systemd-shutdown, I am unable to see any
> >> SELinux denials late at shutdown.
> >> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> >> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> >> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> >> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> >> When running poweroff or reboot, systemd-shutdown stalls but no denial
> >> is printed.
> >> With a script like [1] dmesg does not print any information.
> >> In permissive mode the system powers off/reboots, but no denials are
> >> printed.
> >> Trying to stop auditd/systemd-journald beforehand does not help.
> >>
> >> Does the kernel itself shut down the ring buffer, or can systemd
> >> interfere somehow?
> >
> > systemd could be setting the console loglevel
> > (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether
> > (SYSLOG_ACTION_CONSOLE_OFF). Not sure why it would however.
> >
> > Android had a nice facility for capturing kernel log messages after a
> > reboot, originally via /proc/last_kmsg and later via
> > /sys/fs/pstore/console-ramoops, but I don't think the Linux distros
> > provide any equivalent.
>
> I've seen lossage of SELinux avc denials due to the printk or audit
> ratelimits in the past, FWIW, but you are supposed to then get a notice
> that there were lost records...

In this particular case I suppose it is also possible that the audit
records are stuck in the kernel audit queue and aren't fully flushed
before the system halts/reboots.

-- 
paul moore
www.paul-moore.com
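The three explanations offered in the thread (console loglevel set too low, printk/audit rate limiting with a "lost records" notice, records still sitting in the kernel audit queue) can each be checked from a shell. The script below is an added example written for this page; it is not part of the thread and not systemd's or the kernel's code. It assumes the kernel behaviour of audit_printk_skb(), which writes audit records to the kernel log with pr_notice() (loglevel 5) when they cannot be delivered to auditd, and it relies on the console rule that a message is printed only when its level is strictly below console_loglevel (the first field of /proc/sys/kernel/printk). The sample dmesg lines in SAMPLE_KMSG are constructed, not captured from a real machine; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added diagnostic for the failure modes discussed above (example code, not
# from the thread):
#   1. console_loglevel too low for audit records printed via printk,
#   2. printk/audit rate limiting, which leaves "lost record" markers,
#   3. records still queued in the kernel (visible as auditctl -s backlog),
#   plus a look for a pstore console log from the previous boot.

# Assumption from kernel/audit.c: audit_printk_skb() uses pr_notice(), so
# audit records that fall back to the kernel log carry loglevel 5.
AUDIT_PRINTK_LEVEL=5

# reaches_console PRINTK_LINE LEVEL
# PRINTK_LINE is the content of /proc/sys/kernel/printk (four fields,
# tab separated: console_loglevel default_message_loglevel
# minimum_console_loglevel default_console_loglevel). The kernel puts a
# message on the console only when its level is strictly lower than
# console_loglevel.
reaches_console() {
    level=$2
    set -- $1          # word-split the four fields; $1 is console_loglevel
    [ "$level" -lt "$1" ]
}

# avc_count: number of AVC records on stdin. Both the printk fallback and
# auditd's log carry the "avc:  denied" token (two spaces).
avc_count() {
    grep -c 'avc:  denied' || :
}

# lost_markers: lines on stdin that mean records were dropped:
#   "audit: audit_lost=N ..." from audit_log_lost(), and
#   "<func>: N callbacks suppressed" from the printk ratelimit.
lost_markers() {
    grep -E 'audit_lost=|callbacks suppressed' || :
}

# Constructed sample of a kernel log where the audit printk path was rate
# limited. Contexts, pids and inodes are made up for illustration.
SAMPLE_KMSG='[  101.000001] audit: type=1400 audit(1573500000.000:42): avc:  denied  { write } for  pid=1 comm="systemd-shutdow" name="kmsg" dev="devtmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
[  101.000002] audit: type=1400 audit(1573500000.000:43): avc:  denied  { read } for  pid=1 comm="systemd-shutdow" name="mounts" dev="proc" ino=4 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[  101.000003] audit: audit_lost=17 audit_rate_limit=0 audit_backlog_limit=64
[  101.000004] audit: printk limit exceeded
[  101.000005] printk_ratelimit: 17 callbacks suppressed'

# shutdown_log_report: inspect the live system (run as root; dmesg and
# auditctl are usually restricted otherwise).
shutdown_log_report() {
    if [ -r /proc/sys/kernel/printk ]; then
        printk_line=$(cat /proc/sys/kernel/printk)
        if reaches_console "$printk_line" "$AUDIT_PRINTK_LEVEL"; then
            echo "console loglevel ok for audit printk (level $AUDIT_PRINTK_LEVEL): $printk_line"
        else
            echo "console loglevel hides audit printk: $printk_line (try: dmesg -n 8)"
        fi
    fi
    if command -v dmesg >/dev/null 2>&1; then
        log=$(dmesg 2>/dev/null)
        echo "avc records in dmesg: $(printf '%s\n' "$log" | avc_count)"
        printf '%s\n' "$log" | lost_markers | sed 's/^/lost-record marker: /'
    fi
    # Kernel-side counters for the audit queue: "lost N" and "backlog N".
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -s 2>/dev/null | grep -E '^(lost|backlog) ' || :
    fi
    # A pstore-backed console log from the previous boot, if the platform
    # provides one (the Android-style facility mentioned in the thread).
    if [ -d /sys/fs/pstore ]; then
        ls -l /sys/fs/pstore 2>/dev/null || :
    fi
    :
}

# Stand-alone demonstration on the constructed sample.
echo "sample: $(printf '%s\n' "$SAMPLE_KMSG" | avc_count) avc records"
printf '%s\n' "$SAMPLE_KMSG" | lost_markers | sed 's/^/sample lost-record marker: /'

# Pass --live to inspect the running system.
case "${1:-}" in
    --live) shutdown_log_report ;;
esac
```

Run it as `sh check-shutdown-log.sh --live` from a root shell shortly before rebooting; a console_loglevel of 4 or lower hides the level-5 audit messages entirely, and a non-zero "backlog" from `auditctl -s` means records are still queued in the kernel at that moment, which is the situation the last reply describes.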