# [ABANDONED] SELinux default policy blocks system processes

## aryaniae

I have a new installation of Gentoo with SELinux in which the default security policy blocks operations by system processes, including udev and init. I followed the Gentoo SELinux Handbook's install instructions as best I could, but at boot time I get denials for processes that should be in the base policy (sec-policy/selinux-base-policy).

I have SELinux set to permissive mode so I can use the system in the meantime, but needless to say, this defeats the purpose of having it at all. ;)

The auditing log and the output of audit2allow follow:

```
audit: initializing netlink socket (disabled)
audit(1159107246.636:1): initialized
audit(1159107251.924:2): avc:  denied  { read } for  pid=833 comm="hotplug" name="nsswitch.conf" dev=hda5 ino=433815 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1159107251.924:3): avc:  denied  { getattr } for  pid=833 comm="hotplug" name="nsswitch.conf" dev=hda5 ino=433815 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1159107252.068:4): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.104:5): avc:  denied  { read } for  pid=833 comm="hotplug" name="passwd" dev=hda5 ino=434460 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1159107252.104:6): avc:  denied  { getattr } for  pid=833 comm="hotplug" name="passwd" dev=hda5 ino=434460 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1159107252.116:7): avc:  denied  { ioctl } for  pid=833 comm="hotplug" name="hotplug" dev=hda5 ino=32211 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
audit(1159107252.132:8): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=hda5 ino=147715 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.132:9): avc:  denied  { read } for  pid=837 comm="hotplug" name="urandom" dev=hda5 ino=148073 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.136:10): avc:  denied  { write } for  pid=837 comm="hotplug" name="tty" dev=hda5 ino=148637 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.184:11): avc:  denied  { read } for  pid=856 comm="10-udev.hotplug" name="urandom" dev=hda5 ino=148073 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.256:12): avc:  denied  { getcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
audit(1159107252.256:13): avc:  denied  { setcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
audit(1159107252.312:14): avc:  denied  { read write } for  pid=882 comm="rc" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.436:15): avc:  denied  { read write } for  pid=884 comm="consoletype" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.436:16): avc:  denied  { search } for  pid=884 comm="consoletype" name="dev" dev=hda5 ino=144577 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1159107252.436:17): avc:  denied  { getattr } for  pid=884 comm="consoletype" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.436:18): avc:  denied  { ioctl } for  pid=884 comm="consoletype" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.468:19): avc:  denied  { ioctl } for  pid=887 comm="stty" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.484:20): avc:  denied  { getattr } for  pid=888 comm="tty" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.600:21): avc:  denied  { read write } for  pid=893 comm="mount" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.792:22): avc:  denied  { write } for  pid=913 comm="touch" name="/" dev=tmpfs ino=1146 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1159107252.792:23): avc:  denied  { add_name } for  pid=913 comm="touch" name=".rcsysinit" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1159107252.792:24): avc:  denied  { create } for  pid=913 comm="touch" name=".rcsysinit" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1159107252.792:25): avc:  denied  { write } for  pid=913 comm="touch" name=".rcsysinit" dev=tmpfs ino=1147 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1159107252.820:26): avc:  denied  { read write } for  pid=914 comm="restorecon" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107252.932:27): avc:  denied  { getattr } for  pid=915 comm="cp" name="console" dev=hda5 ino=225157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107252.932:28): avc:  denied  { write } for  pid=915 comm="cp" name="fscreate" dev=proc ino=59965465 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=file
audit(1159107252.932:29): avc:  denied  { setfscreate } for  pid=915 comm="cp" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1159107252.932:30): avc:  denied  { create } for  pid=915 comm="cp" name="console" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107252.932:31): avc:  denied  { associate } for  pid=915 comm="cp" name="console" scontext=system_u:object_r:lib_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
audit(1159107252.932:32): avc:  denied  { setattr } for  pid=915 comm="cp" name="console" dev=tmpfs ino=1161 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107252.948:33): avc:  denied  { getattr } for  pid=908 comm="bash" name="kcore" dev=proc ino=-268435435 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_kcore_t tclass=file
audit(1159107253.016:34): avc:  denied  { write } for  pid=933 comm="udevd" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107253.016:35): avc:  denied  { read write } for  pid=933 comm="udevd" name="null" dev=tmpfs ino=1162 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107253.064:36): avc:  denied  { sys_nice } for  pid=934 comm="udevd" capability=23 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
audit(1159107253.064:37): avc:  denied  { sys_resource } for  pid=934 comm="udevd" capability=24 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
audit(1159107253.688:38): avc:  denied  { getattr } for  pid=964 comm="udevd" name="null" dev=tmpfs ino=1162 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107253.688:39): avc:  denied  { relabelfrom } for  pid=964 comm="udevd" name="null" dev=tmpfs ino=1162 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file
audit(1159107263.153:40): avc:  denied  { setgid } for  pid=1840 comm="vol_id" capability=6 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
audit(1159107263.153:41): avc:  denied  { setuid } for  pid=1840 comm="vol_id" capability=7 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
audit(1159107264.457:42): avc:  denied  { read write } for  pid=1932 comm="modules-update" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107264.457:43): avc:  denied  { search } for  pid=1932 comm="modules-update" name="var" dev=hda5 ino=16065 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=dir
audit(1159107264.477:44): avc:  denied  { ioctl } for  pid=1938 comm="stty" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107264.589:45): avc:  denied  { read write } for  pid=1956 comm="modprobe" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107264.625:46): avc:  denied  { getattr } for  pid=1956 comm="modprobe" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107264.669:47): avc:  denied  { read write } for  pid=1965 comm="fsck" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107265.233:48): avc:  denied  { read write } for  pid=2013 comm="hwclock" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107266.600:49): avc:  denied  { read write } for  pid=2045 comm="dmesg" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1159107266.980:50): avc:  denied  { unlink } for  pid=2106 comm="rm" name=".rcsysinit" dev=tmpfs ino=1147 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
audit(1159107272.092:51): avc:  denied  { execmod } for  pid=3618 comm="syslog-ng" name="syslog-ng" dev=hda6 ino=81737 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:syslogd_exec_t tclass=file
```

```
allow consoletype_t file_t:chr_file { getattr ioctl read write };
allow consoletype_t file_t:dir search;
allow dmesg_t file_t:chr_file { read write };
allow fsadm_t file_t:chr_file { read write };
allow hotplug_t file_t:chr_file { read write };
allow hwclock_t file_t:chr_file { read write };
allow init_t file_t:chr_file { ioctl read write };
allow init_t self:process { getcap setcap };
allow initrc_t file_t:chr_file { getattr ioctl read write };
allow initrc_t self:file write;
allow initrc_t self:process setfscreate;
allow initrc_t lib_t:chr_file { create getattr setattr };
allow initrc_t proc_kcore_t:file getattr;
allow initrc_t tmpfs_t:dir { add_name write };
allow initrc_t tmpfs_t:file { create unlink write };
allow insmod_t file_t:chr_file { getattr read write };
allow kernel_t etc_t:file { getattr read };
allow kernel_t hotplug_exec_t:file ioctl;
allow lib_t tmpfs_t:filesystem associate;
allow mount_t file_t:chr_file { read write };
allow restorecon_t file_t:chr_file { read write };
allow syslogd_t syslogd_exec_t:file execmod;
allow udev_t file_t:chr_file { read write };
allow udev_t lib_t:chr_file { getattr read relabelfrom write };
allow udev_t self:capability { setgid setuid sys_nice sys_resource };
allow update_modules_t file_t:chr_file { ioctl read write };
allow update_modules_t file_t:dir search;
```

----------
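Editor's note with an added example (this is not code from the original poster, from Gentoo, or from the SELinux tools). Nearly every denial in the log above has a target type of `file_t`, which is the type SELinux gives to files that carry no label at all, and the `hotplug` denials run in `kernel_t` rather than `hotplug_t`. Both patterns point at labelling and domain-transition problems rather than missing rules in the base policy, and several of the rules `audit2allow` proposed (`setfscreate`, `relabelfrom`, `execmod`, `setcap`) would weaken the policy if loaded as-is. The script below parses AVC lines in the format shown, groups them into `audit2allow`-style rules, and tags each rule with a triage category before anyone decides to allow it. The category names and the `HIGH_RISK_PERMS` set are the editor's own choices; the sample lines embedded in the script are copied from the post above.

```python
"""Triage SELinux AVC denials before turning them into allow rules.

Editor's added example (not from the original post or from the SELinux
tools). Denials are grouped into audit2allow-style rules and each rule
is tagged with a triage category so the output is reviewed rather than
pasted into a policy module wholesale:

  RELABEL     target type is file_t, the type of files with no SELinux
              label: relabel the filesystem (setfiles/restorecon, or
              rlpkg on Gentoo) instead of granting access to file_t.
  EARLY_BOOT  source domain is kernel_t: the helper was spawned by the
              kernel and never transitioned into its own domain, so check
              the helper's file label rather than widening kernel_t.
  HIGH_RISK   the permission itself weakens the policy (relabelfrom,
              setfscreate, execmod, setcap, ...) and needs a specific fix.
  REVIEW      anything else; decide case by case.
"""
import re
from collections import Counter, defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that must never be granted merely because a denial was logged.
# This set is the editor's choice, not part of any tool; extend it as needed.
HIGH_RISK_PERMS = frozenset({
    "relabelfrom", "relabelto", "setfscreate", "setcap", "execmod",
    "execmem", "execstack", "sys_admin", "sys_module", "sys_ptrace",
    "mac_admin", "load_policy", "setenforce",
})

# Sample input: AVC lines copied from the thread, plus one non-AVC audit
# line to show that it is skipped.
SAMPLE_LOG = [
    'audit(1159107246.636:1): initialized',
    'audit(1159107251.924:2): avc:  denied  { read } for  pid=833 comm="hotplug" name="nsswitch.conf" dev=hda5 ino=433815 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file',
    'audit(1159107252.068:4): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=hda5 ino=148361 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file',
    'audit(1159107252.256:13): avc:  denied  { setcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process',
    'audit(1159107252.792:22): avc:  denied  { write } for  pid=913 comm="touch" name="/" dev=tmpfs ino=1146 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir',
    'audit(1159107252.932:29): avc:  denied  { setfscreate } for  pid=915 comm="cp" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process',
    'audit(1159107253.064:36): avc:  denied  { sys_nice } for  pid=934 comm="udevd" capability=23 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability',
    'audit(1159107253.688:39): avc:  denied  { relabelfrom } for  pid=964 comm="udevd" name="null" dev=tmpfs ino=1162 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file',
    'audit(1159107272.092:51): avc:  denied  { execmod } for  pid=3618 comm="syslog-ng" name="syslog-ng" dev=hda6 ino=81737 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:syslogd_exec_t tclass=file',
]


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    src = _type_of(fields["scontext"])
    # When a process acts on itself (process, capability classes) the target
    # context equals the source context; audit2allow writes that as "self".
    tgt = "self" if fields["scontext"] == fields["tcontext"] else _type_of(fields["tcontext"])
    return src, tgt, fields["tclass"], perms


def classify(src, tgt, perms):
    """Map one grouped rule to a triage category (order of checks matters)."""
    if tgt == "file_t":
        return "RELABEL"
    if src == "kernel_t":
        return "EARLY_BOOT"
    if perms & HIGH_RISK_PERMS:
        return "HIGH_RISK"
    return "REVIEW"


def triage(lines):
    """Group denials per (source, target, class) and return [(category, rule_text)]."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            rules[(src, tgt, tclass)] |= perms
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append((classify(src, tgt, perms), f"allow {src} {tgt}:{tclass} {perm_text};"))
    return out


def summary(results):
    """Count rules per category, e.g. to decide whether a relabel is the first step."""
    return dict(Counter(cat for cat, _ in results))


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for cat, rule in res:
        print(f"{cat:<10} {rule}")
    print(summary(res))
```

Run against the full log in the post, the RELABEL bucket dominates, which is the cue to relabel the filesystem and reboot before looking at any of the remaining rules; the HIGH_RISK lines are the ones to take to the policy maintainers rather than to a local module.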

## aryaniae

I have abandoned this thread due to the lack of posts, but I've still got it watched, so any ideas would still be welcome. It may, however, take me a while to respond, as I only check my E-Mail once a day.

----------

