# SELinux denials, init not loading in enforcing mode

## rq1

Hi everybody,

I'm issuing painful SELinux denials on systemd (tested with openrc too, and the exact same thing happened, no trolls plz   :Laughing:  ) while in enforcing mode. It does not launch, and if I `setenforce 1` after systemd has completely loaded, I can't start/stop services, inter alia, due to permission denials.

I even tried to allow them by creating a policy module, but nothing changed (manually and via audit2allow).

Some info:

systemd is correctly linked to libselinux

id -Z fires correct security contexts

modules are "correctly loaded and enabled" (semodule -l)

I followed to the letter SELinux/Installation guide

```

# cat audit.log | head

type=DAEMON_START msg=audit(1424829806.362:7333): auditd start, ver=2.2.2 format=raw kernel=3.17.7-hardened-r1 auid=4294967295 pid=259 subj=system_u:system_r:init_t res=success

type=AVC msg=audit(1424829827.687:711): avc:  denied  { sendto } for  pid=192 comm="login" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1424829827.687:712): avc:  denied  { net_admin } for  pid=192 comm="login" capability=12  scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=capability permissive=1

type=AVC msg=audit(1424829827.687:713): avc:  denied  { connectto } for  pid=192 comm="login" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1

type=AVC msg=audit(1424829827.687:714): avc:  denied  { read } for  pid=110 comm="systemd-journal" name="exe" dev="proc" ino=6844 scontext=system_u:system_r:init_t tcontext=system_u:system_r:local_login_t tclass=lnk_file permissive=1

type=AVC msg=audit(1424829827.688:715): avc:  denied  { nlmsg_relay } for  pid=182 comm="dbus-daemon" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=netlink_audit_socket permissive=1

type=USER_AVC msg=audit(1424829827.688:716): pid=182 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=192 scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:init_t tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1424829827.691:717): pid=182 uid=108 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=181 tpid=192 scontext=system_u:system_r:init_t tcontext=system_u:system_r:local_login_t tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? terminal=?'

type=AVC msg=audit(1424829827.693:718): avc:  denied  { unlink } for  pid=181 comm="systemd-logind" name="2.ref" dev="tmpfs" ino=6861 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_var_run_t tclass=fifo_file permissive=1

type=AVC msg=audit(1424829827.694:719): avc:  denied  { execute_no_trans } for  pid=270 comm="kworker/u4:2" path="/usr/lib64/systemd/systemd-cgroups-agent" dev="sda4" ino=370451 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:lib_t tclass=file permissive=1
```

full audit log here : http://pastebin.com/NFWgaAMh

I'll update the post with system info and config.

I hope that's not a stupid mistake   :Embarassed: 

Thank you for reading.

Rq1.

Edit:

```
# emerge --info

Portage 2.2.14 (python 2.7.9-final-0, hardened/linux/amd64/no-multilib/selinux, gcc-4.9.2, glibc-2.19-r1, 3.17.7-hardened-r1 x86_64)

=================================================================

System uname: Linux-3.17.7-hardened-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.2

KiB Mem:     3776604 total,   3047276 free

KiB Swap:    4296700 total,   4296700 free

Timestamp of tree: Tue, 24 Feb 2015 20:45:01 +0000

ld GNU ld (Gentoo 2.24 p1.4) 2.24

app-shells/bash:          4.2_p53

dev-lang/perl:            5.20.1-r4

dev-lang/python:          2.7.9-r1, 3.3.5-r1

dev-util/pkgconfig:       0.28-r1

sys-apps/baselayout:      2.2

sys-apps/openrc:          0.13.11

sys-apps/sandbox:         2.6-r1

sys-devel/autoconf:       2.69

sys-devel/automake:       1.13.4

sys-devel/binutils:       2.24-r3

sys-devel/gcc:            4.9.2

sys-devel/gcc-config:     1.7.3

sys-devel/libtool:        2.4.4

sys-devel/make:           4.0-r1

sys-kernel/linux-headers: 3.16 (virtual/os-headers)

sys-libs/glibc:           2.19-r1

Repositories: gentoo

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-O2 -pipe -march=native -fomit-frame-pointer"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-O2 -pipe -march=native -fomit-frame-pointer"

DISTDIR="/usr/portage/distfiles"

FCFLAGS="-O2 -pipe"

FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

FFLAGS="-O2 -pipe"

GENTOO_MIRRORS="ftp://gentoo.mirrors.ovh.net/gentoo-distfiles ftp://mirrors.linuxant.fr/distfiles.gentoo.org ftp://mirror.switch.ch/mirror/gentoo"

LANG="fr_FR.utf8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync2.fr.gentoo.org/gentoo-portage"

USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm hardened iconv ipv6 justify libav mmx modules ncurses networkmanager nls nptl open_perms openmp pam pax_kernel pcre peer_perms readline selinux session sse sse2 ssl systemd tcpd ubac unconfined unicode urandom xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 sse3 ssse3 sse4 sse4a sse4_1" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
```

```
# id -Z

root:sysadm_r:sysadm_t
```

While loading the audit2allow generated policy :

```
# semodule -i locpol.pp

libsepol.check_assertion_helper: neverallow violated by allow kernel_t kernel_t:process { setcurrent }; <-- this should allow systemd to load...

libsemanage.semanage_expand_sandbox: Expand module failed

semodule:  Failed!

```

----------

