# SELinux reports a lot of AVC denied messages

## droman

Hi.

Yesterday I was configuring a server and wanted to try the hardened/selinux profile, so I switched to that profile, and after following the SELinux installation guide (https://wiki.gentoo.org/wiki/SELinux/Installation) and emerging all the needed packages I see a lot of denials. All the needed SELinux packages seem to be emerged. Of course I could try to use audit2allow, but I think that I have done something wrong, because I have denials for very basic programs that should be covered by default, like init or dmesg.

By the way, it's the first time I have tried to use SELinux.

The following are some of the denials that I see:

```
[    5.794901] audit: type=1403 audit(1527797934.153:2): policy loaded auid=4294967295 ses=4294967295
[    6.100019] audit: type=1400 audit(1527797934.457:3): avc:  denied  { map } for  pid=245 comm="restorecon" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:setfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.264110] audit: type=1400 audit(1527797934.621:4): avc:  denied  { map } for  pid=256 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.394093] audit: type=1400 audit(1527797934.753:5): avc:  denied  { map } for  pid=264 comm="checkpath" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:tmpfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.406777] audit: type=1400 audit(1527797935.765:6): avc:  denied  { getattr } for  pid=521 comm="restorecon" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[    7.550513] audit: type=1400 audit(1527797935.909:7): avc:  denied  { map } for  pid=588 comm="cgroup-release-" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589767] audit: type=1400 audit(1527797935.949:8): avc:  denied  { read } for  pid=609 comm="dmesg" name="ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589887] audit: type=1400 audit(1527797935.949:9): avc:  denied  { open } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590004] audit: type=1400 audit(1527797935.949:10): avc:  denied  { getattr } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590121] audit: type=1400 audit(1527797935.949:11): avc:  denied  { map } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.530863] audit: type=1400 audit(1527797943.915:28): avc:  denied  { map } for  pid=1681 comm="cgroup-release-" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.591436] audit: type=1400 audit(1527797943.975:29): avc:  denied  { map } for  pid=1704 comm="named-checkconf" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:named_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.675894] audit: type=1400 audit(1527797944.059:30): avc:  denied  { map } for  pid=1706 comm="checkpath" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:tmpfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.854157] audit: type=1400 audit(1527797944.239:31): avc:  denied  { map } for  pid=1748 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.981069] audit: type=1400 audit(1527797944.367:32): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.982079] audit: type=1400 audit(1527797944.367:33): avc:  denied  { read } for  pid=1780 comm="ssh-keygen" name="locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982081] audit: type=1400 audit(1527797944.367:34): avc:  denied  { open } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982082] audit: type=1400 audit(1527797944.367:35): avc:  denied  { getattr } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982083] audit: type=1400 audit(1527797944.367:36): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   16.001305] audit: type=1400 audit(1527797944.387:37): avc:  denied  { map } for  pid=1781 comm="sshd" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:sshd_t tcontext=root:object_r:etc_t tclass=file permissive=1
[ 1684.529559] kauditd_printk_skb: 1 callbacks suppressed
[ 1684.529561] audit: type=1400 audit(1527799612.915:39): avc:  denied  { map } for  pid=1838 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:chkpwd_t tcontext=root:object_r:etc_t tclass=file permissive=1
[ 1685.104077] audit: type=1400 audit(1527799613.491:40): avc:  denied  { getattr } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=5288 scontext=system_u:system_r:init_t tcontext=system_u:object_r:var_run_t tclass=fifo_file permissive=1
[ 1687.610857] audit: type=1400 audit(1527799615.995:41): avc:  denied  { read } for  pid=1843 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1035 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
[ 1687.610861] audit: type=1400 audit(1527799615.995:42): avc:  denied  { open } for  pid=1843 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=1035 scontext=system_u:system_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
```

Thanks in advance
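Before reaching for audit2allow, it helps to collapse a boot log like the one above into the tuples a policy rule actually keys on. The following is an added example for this thread, not code from the post or from any SELinux tool: a small Python triage script that parses kernel AVC records and groups them by source type, target type, object class and permission. The sample lines embedded in it are a subset copied from the post; the function names and the "requested by many unrelated domains" heuristic are mine.

```python
"""Triage SELinux AVC denials by the tuple a policy rule keys on.

Added example for this thread, not code from the original post or from any
SELinux tool. SAMPLE_LINES is a subset copied from the post; everything else
(function names, the cross-domain heuristic) is this example's own.
"""
import re
from collections import Counter, defaultdict

# Kernel AVC record (audit type=1400): "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
# key=value pairs; comm/path/name are double-quoted, contexts are bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LINES = """\
[    5.794901] audit: type=1403 audit(1527797934.153:2): policy loaded auid=4294967295 ses=4294967295
[    6.100019] audit: type=1400 audit(1527797934.457:3): avc:  denied  { map } for  pid=245 comm="restorecon" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:setfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.264110] audit: type=1400 audit(1527797934.621:4): avc:  denied  { map } for  pid=256 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589767] audit: type=1400 audit(1527797935.949:8): avc:  denied  { read } for  pid=609 comm="dmesg" name="ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589887] audit: type=1400 audit(1527797935.949:9): avc:  denied  { open } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590121] audit: type=1400 audit(1527797935.949:11): avc:  denied  { map } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.981069] audit: type=1400 audit(1527797944.367:32): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.982083] audit: type=1400 audit(1527797944.367:36): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   16.001305] audit: type=1400 audit(1527797944.387:37): avc:  denied  { map } for  pid=1781 comm="sshd" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:sshd_t tcontext=root:object_r:etc_t tclass=file permissive=1
[ 1684.529559] kauditd_printk_skb: 1 callbacks suppressed
[ 1685.104077] audit: type=1400 audit(1527799613.491:40): avc:  denied  { getattr } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=5288 scontext=system_u:system_r:init_t tcontext=system_u:object_r:var_run_t tclass=fifo_file permissive=1
[ 1687.610857] audit: type=1400 audit(1527799615.995:41): avc:  denied  { read } for  pid=1843 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1035 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
""".splitlines()


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = tuple(m.group('perms').split())
    # A context is user:role:type[:level]; rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def summarize(lines):
    """Count denials per (stype, ttype, tclass, perm) and per permission, and
    remember which objects each tuple was tripped on."""
    per_rule, per_perm = Counter(), Counter()
    targets = defaultdict(set)
    denials = enforcing_hits = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        denials += 1
        if not rec['permissive']:      # permissive=0 means the access was really blocked
            enforcing_hits += 1
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            per_rule[key] += 1
            per_perm[perm] += 1
            targets[key].add(rec.get('path') or rec.get('name', '?'))
    return {'denials': denials, 'enforcing_hits': enforcing_hits,
            'per_rule': per_rule, 'per_perm': per_perm, 'targets': targets}


def perms_across_domains(summary, min_domains=3):
    """Permissions requested by at least min_domains distinct source types.
    One domain tripping on one file suggests a missing rule or a label problem;
    every domain tripping on the same permission suggests the policy does not
    define that permission at all."""
    domains = defaultdict(set)
    for (stype, _ttype, _tclass, perm) in summary['per_rule']:
        domains[perm].add(stype)
    return {p: sorted(d) for p, d in domains.items() if len(d) >= min_domains}


if __name__ == '__main__':
    s = summarize(SAMPLE_LINES)
    print('%d denials, %d of them while enforcing' % (s['denials'], s['enforcing_hits']))
    for perm, n in s['per_perm'].most_common():
        print('  %-8s %d' % (perm, n))
    for perm, doms in perms_across_domains(s).items():
        print('%r requested by unrelated domains: %s' % (perm, ', '.join(doms)))
    for key, n in sorted(s['per_rule'].items()):
        print('  %-14s %-14s %-10s %-8s x%d  %s' % (key + (n, ' '.join(sorted(s['targets'][key])))))
```

Run it over `dmesg` or `ausearch -m avc` output instead of the embedded sample. Two things to read off the summary for the log above: every record carries `permissive=1`, so the machine is permissive and nothing was actually blocked; and `map` is the one permission requested by many unrelated source domains (setfiles_t, mount_t, dmesg_t, ssh_keygen_t, sshd_t, ...) against the same two files, which points at the loaded policy not defining `map` at all rather than at a mislabeled file or a single missing rule. Per-domain allow rules from audit2allow do not address that.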

----------

## Melunlina

Hello

Similar problem.

I have a system built on Sakaki's EFI Install Guide (https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide) with SELinux MCS on top.

I started to migrate from the old 4.8 hardened kernel to the newest 4.16 to confront the CPU vulnerabilities and got SELinux not working. Unmasking the latest SELinux, 2.20180114-r2, didn't help.

The problem seems to be that some classes and permissions are not defined, according to the messages log:

```
kernel: SELinux: 8192 avtab hash slots, 32441 rules.
kernel: SELinux: 8192 avtab hash slots, 32441 rules.
kernel: SELinux:  7 users, 8 roles, 1972 types, 156 bools, 1 sens, 1024 cats
kernel: SELinux:  123 classes, 32441 rules
kernel: SELinux:  Permission getrlimit in class process not defined in policy.
kernel: SELinux:  Class process2 not defined in policy.
kernel: SELinux:  Permission map in class file not defined in policy.
kernel: SELinux:  Permission map in class dir not defined in policy.
kernel: SELinux:  Permission map in class lnk_file not defined in policy.
kernel: SELinux:  Permission map in class chr_file not defined in policy.
kernel: SELinux:  Permission map in class blk_file not defined in policy.
kernel: SELinux:  Permission map in class sock_file not defined in policy.
kernel: SELinux:  Permission map in class fifo_file not defined in policy.
kernel: SELinux:  Permission map in class socket not defined in policy.
kernel: SELinux:  Permission map in class tcp_socket not defined in policy.
kernel: SELinux:  Permission map in class udp_socket not defined in policy.
kernel: SELinux:  Permission map in class rawip_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_socket not defined in policy.
kernel: SELinux:  Permission map in class packet_socket not defined in policy.
kernel: SELinux:  Permission map in class key_socket not defined in policy.
kernel: SELinux:  Permission map in class unix_stream_socket not defined in policy.
kernel: SELinux:  Permission map in class unix_dgram_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_route_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_tcpdiag_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_nflog_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_xfrm_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_selinux_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_iscsi_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_audit_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_fib_lookup_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_connector_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_netfilter_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_dnrt_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_kobject_uevent_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_generic_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_scsitransport_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_rdma_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_crypto_socket not defined in policy.
kernel: SELinux:  Permission map in class appletalk_socket not defined in policy.
kernel: SELinux:  Permission map in class dccp_socket not defined in policy.
kernel: SELinux:  Permission map in class tun_socket not defined in policy.
kernel: SELinux:  Permission map in class sctp_socket not defined in policy.
kernel: SELinux:  Permission map in class icmp_socket not defined in policy.
kernel: SELinux:  Permission map in class ax25_socket not defined in policy.
kernel: SELinux:  Permission map in class ipx_socket not defined in policy.
kernel: SELinux:  Permission map in class netrom_socket not defined in policy.
kernel: SELinux:  Permission map in class atmpvc_socket not defined in policy.
kernel: SELinux:  Permission map in class x25_socket not defined in policy.
kernel: SELinux:  Permission map in class rose_socket not defined in policy.
kernel: SELinux:  Permission map in class decnet_socket not defined in policy.
kernel: SELinux:  Permission map in class atmsvc_socket not defined in policy.
kernel: SELinux:  Permission map in class rds_socket not defined in policy.
kernel: SELinux:  Permission map in class irda_socket not defined in policy.
kernel: SELinux:  Permission map in class pppox_socket not defined in policy.
kernel: SELinux:  Permission map in class llc_socket not defined in policy.
kernel: SELinux:  Permission map in class can_socket not defined in policy.
kernel: SELinux:  Permission map in class tipc_socket not defined in policy.
kernel: SELinux:  Permission map in class bluetooth_socket not defined in policy.
kernel: SELinux:  Permission map in class iucv_socket not defined in policy.
kernel: SELinux:  Permission map in class rxrpc_socket not defined in policy.
kernel: SELinux:  Permission map in class isdn_socket not defined in policy.
kernel: SELinux:  Permission map in class phonet_socket not defined in policy.
kernel: SELinux:  Permission map in class ieee802154_socket not defined in policy.
kernel: SELinux:  Permission map in class caif_socket not defined in policy.
kernel: SELinux:  Permission map in class alg_socket not defined in policy.
kernel: SELinux:  Permission map in class nfc_socket not defined in policy.
kernel: SELinux:  Permission map in class vsock_socket not defined in policy.
kernel: SELinux:  Permission map in class kcm_socket not defined in policy.
kernel: SELinux:  Permission map in class qipcrtr_socket not defined in policy.
kernel: SELinux:  Class smc_socket not defined in policy.
kernel: SELinux:  Class infiniband_pkey not defined in policy.
kernel: SELinux:  Class infiniband_endport not defined in policy.
kernel: SELinux:  Class bpf not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be denied
kernel: SELinux:  policy capability network_peer_controls=1
kernel: SELinux:  policy capability open_perms=1
kernel: SELinux:  policy capability extended_socket_class=0
kernel: SELinux:  policy capability always_check_network=0
kernel: SELinux:  policy capability cgroup_seclabel=0
kernel: SELinux:  policy capability nnp_nosuid_transition=0
```

The audit2allow command says:

```
libsepol.sepol_string_to_av_perm: could not convert map to av bit
```

I tried to generate a .te policy on Fedora with a 4.16.3 kernel, including `dontaudit` logs. audit2allow generates a .te policy which is compiled and inserted in Gentoo, but when SELinux is being enabled the problem remains.

I found this information on the web at https://android-review.googlesource.com/c/platform/system/sepolicy/+/432339:

> sepolicy: Define and allow map permission
>
> Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
> added a map permission check on mmap so that we can
> ...

and at https://lkml.org/lkml/2017/7/6/441:

> The short version is that this is the expected behavior given your
> SELinux policy configuration and isn't a regression; your SELinux
> ...

So, I see the following options:

- use a kernel version < 4.13
- wait for a new Gentoo SELinux policy version release
- allow, quoting: "SELinux policy access to any new object classes or permissions that are not defined in the policy", but how? I have not investigated it yet; I need the help of a SELinux master.
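The kernel already tells you how the loaded policy treats classes and permissions it does not define: the line "the above unknown classes and permissions will be denied" above is the policy's handle_unknown setting, and selinuxfs exposes the same state as `/sys/fs/selinux/deny_unknown` and `/sys/fs/selinux/reject_unknown`, plus one file per defined permission under `/sys/fs/selinux/class/<class>/perms/`. What follows is an added example for this thread, not code from the post or from any SELinux project: a Python script that parses the "not defined in policy" messages quoted above and cross-checks each one against what is loaded right now. It assumes that standard selinuxfs layout; the `selinuxfs` argument exists so the same functions can be run offline against a constructed fake tree (`write_fake_selinuxfs`, `demo_fixture` and `SAMPLE_LOG` are this example's own test data, built to mirror the post).

```python
"""Cross-check "not defined in policy" kernel messages against the policy that
is loaded right now, via selinuxfs.

Added example for this thread, not code from the original post or from any
SELinux project. It assumes the standard selinuxfs layout at /sys/fs/selinux:
    deny_unknown, reject_unknown      -> "0" or "1"
    class/<class>/perms/<permission>  -> one file per permission the policy defines
write_fake_selinuxfs(), demo_fixture() and SAMPLE_LOG are constructed test data.
"""
import os
import re
import tempfile

# "SELinux:  Permission map in class file not defined in policy."
# "SELinux:  Class bpf not defined in policy."
UNDEF_RE = re.compile(
    r'SELinux:\s+(?:Permission (?P<perm>\w+) in class (?P<pclass>\w+)'
    r'|Class (?P<cls>\w+)) not defined in policy')

# Constructed: a subset of the messages quoted in the post above.
SAMPLE_LOG = [
    "kernel: SELinux:  7 users, 8 roles, 1972 types, 156 bools, 1 sens, 1024 cats",
    "kernel: SELinux:  Permission getrlimit in class process not defined in policy.",
    "kernel: SELinux:  Permission map in class file not defined in policy.",
    "kernel: SELinux:  Class bpf not defined in policy.",
    "kernel: SELinux: the above unknown classes and permissions will be denied",
]


def undefined_from_log(lines):
    """(class, perm) pairs the kernel said the policy lacks; perm is None when
    the whole class is unknown to the policy."""
    found = set()
    for line in lines:
        m = UNDEF_RE.search(line)
        if not m:
            continue
        if m.group('cls'):
            found.add((m.group('cls'), None))
        else:
            found.add((m.group('pclass'), m.group('perm')))
    return found


def unknown_handling(selinuxfs='/sys/fs/selinux'):
    """'allow', 'deny' or 'reject': the loaded policy's handle_unknown setting,
    read back from the two selinuxfs flags the kernel exposes."""
    def flag(name):
        with open(os.path.join(selinuxfs, name)) as fh:
            return fh.read().strip() == '1'
    if flag('reject_unknown'):
        return 'reject'
    return 'deny' if flag('deny_unknown') else 'allow'


def class_defined(tclass, selinuxfs='/sys/fs/selinux'):
    return os.path.isdir(os.path.join(selinuxfs, 'class', tclass))


def perm_defined(tclass, perm, selinuxfs='/sys/fs/selinux'):
    """True if the loaded policy defines perm on tclass."""
    return os.path.isfile(os.path.join(selinuxfs, 'class', tclass, 'perms', perm))


def triage(log_lines, selinuxfs='/sys/fs/selinux'):
    """For each complaint in the log, say whether the currently loaded policy
    still lacks it and what the kernel does with such a check."""
    mode = unknown_handling(selinuxfs)
    rows = []
    for cls, perm in sorted(undefined_from_log(log_lines), key=str):
        defined = (class_defined(cls, selinuxfs) if perm is None
                   else perm_defined(cls, perm, selinuxfs))
        rows.append({'class': cls, 'perm': perm, 'defined_now': defined,
                     'outcome': 'policy rules apply' if defined else mode})
    return mode, rows


def write_fake_selinuxfs(root, handle_unknown='deny', classes=None):
    """Constructed stand-in for selinuxfs so this runs offline.
    classes maps class name -> permissions the fake policy defines for it."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, 'deny_unknown'), 'w') as fh:
        fh.write('0\n' if handle_unknown == 'allow' else '1\n')
    with open(os.path.join(root, 'reject_unknown'), 'w') as fh:
        fh.write('1\n' if handle_unknown == 'reject' else '0\n')
    for cls, perms in (classes or {}).items():
        pdir = os.path.join(root, 'class', cls, 'perms')
        os.makedirs(pdir, exist_ok=True)
        for index, perm in enumerate(perms, 1):
            with open(os.path.join(pdir, perm), 'w') as fh:
                fh.write('%d\n' % index)   # the real files hold the permission number
    return root


def demo_fixture():
    """Fake selinuxfs mirroring the post: file lacks map, class bpf is absent."""
    return write_fake_selinuxfs(
        os.path.join(tempfile.mkdtemp(), 'selinux'), 'deny',
        {'file': ('read', 'write', 'open', 'getattr'),
         'process': ('fork', 'transition', 'signal')})


if __name__ == '__main__':
    mode, rows = triage(SAMPLE_LOG, demo_fixture())
    print('handle_unknown =', mode)
    for r in rows:
        print('%-9s %-10s defined_now=%-5s -> %s'
              % (r['class'], r['perm'] or '(class)', r['defined_now'], r['outcome']))
```

On a live host pass the default `/sys/fs/selinux`; `sestatus` reports the same state as "Policy deny_unknown status". The knob the LKML quote refers to is the policy's handle_unknown setting: semanage.conf(5) documents `handle-unknown = allow|deny|reject` in `/etc/selinux/semanage.conf`, after which the policy store has to be rebuilt (`semodule -B`) and reloaded. Treat `allow` as a stopgap, not a fix: it is a blanket allow for every class and permission the policy does not name, so not only `map` but also `bpf`, `infiniband_*`, `smc_socket` and `process2` would go unchecked. The real fix is a policy whose access vectors define `map`, which is also what makes audit2allow stop failing with "could not convert map to av bit", since it resolves permission names against the installed policy.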

----------

