# Any documentation on systemd and selinux ?

## wichtounet

Hello Gentoo folks  :Smile: 

I started installing a new server following the Gentoo hardened information and it works well for now with SELINUX in permissive mode. However, I have a lot of denials that seem related to selinux and I don't find any information on how to work with the two together. 

Here are some examples of denials I have: 

 *Quote:*   

> avc:  denied  { search } for  pid=3481 comm="systemd-journal" name="4119" dev="proc" ino=10406 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=dir permissive=1
> 
> avc:  denied  { read } for  pid=3481 comm="systemd-journal" name="cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
> 
> avc:  denied  { open } for  pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
> ...

 

Have I missed something in the installation?

Another question with this kind of denial: 

 *Quote:*   

> avc:  denied  { use } for  pid=4119 comm="sudo" path="/dev/pts/0" dev="devpts" ino=3 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:system_r:init_t tclass=fd permissive=1

 

I have read that it is necessary to put tmpfs/devpts and other non-physical file systems in fstab for selinux, but in my case, it is systemd that is mounting them. What do I have to do to fix this? 

This is my first functional selinux system, so maybe there is something trivial that I forgot; don't hesitate to point me to docs. 

Thanks a lot  :Smile: 

----------

## gienah

If you like you could join the effort to create a selinux systemd policy; the repo is linked from the email thread linked from comment 1 of the tracker:

https://bugs.gentoo.org/show_bug.cgi?id=528674

Or the other alternative, since it appears that the selinux systemd policy is not ready yet:

https://bugs.gentoo.org/show_bug.cgi?id=508390#c5

is to switch to OpenRC.

----------

## wichtounet

 *gienah wrote:*   

> If you like you could join the effort to create a selinux systemd policy, the repo
> 
> is linked from the email thread linked from comment 1 of the tracker:
> 
> https://bugs.gentoo.org/show_bug.cgi?id=528674
> ...

 

Thanks for your answer. I assumed that systemd policy would be complete since so many people are using it now, but it seems I was too optimistic   :Embarassed: 

It is my first system ever with selinux, so I'm probably not a good candidate to help with creating the policy. OpenRC is not an option on this server. I'm gonna try seeing what I can do with audit2allow for a start. 

Thanks
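Before feeding denials like the ones quoted in the first post into audit2allow, it helps to see exactly which source domain is asking for which permissions on which target type, because audit2allow will grant precisely what was logged. The script below is an added example written for this thread, not code from the thread, from Gentoo, or from the audit2allow tool: it parses AVC lines into fields, groups them by (source type, target type, object class), merges the requested permissions, and notes whether every entry was logged under permissive mode (action allowed, only logged) rather than enforced. The sample lines are constructed in the same shape as the denials quoted above.

```python
"""Parse SELinux AVC denial lines and summarise them per (source, target, class).

Added example for reviewing denials before turning them into policy rules;
it is not audit2allow and does not generate allow rules.
"""
import re
from collections import defaultdict

# Constructed sample lines, shaped like the denials quoted in the thread.
SAMPLE_AVC_LINES = [
    'avc:  denied  { search } for  pid=3481 comm="systemd-journal" name="4119" dev="proc" ino=10406 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=dir permissive=1',
    'avc:  denied  { read } for  pid=3481 comm="systemd-journal" name="cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1',
    'avc:  denied  { open } for  pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1',
    'avc:  denied  { use } for  pid=4119 comm="sudo" path="/dev/pts/0" dev="devpts" ino=3 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:system_r:init_t tclass=fd permissive=1',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
# The search() below also tolerates an audit prefix such as "type=AVC msg=audit(...): ".
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(ctx):
    """Return the type component (third field) of a user:role:type[:level] context."""
    return ctx.split(":")[2] if ctx.count(":") >= 2 else ctx


def parse_avc(line):
    """Return a dict describing one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        # a full path is logged when known; otherwise only the last name component
        "path": fields.get("path") or fields.get("name"),
        "sdomain": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def summarise(lines):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0, "permissive_only": True})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["count"] += 1
        # a single enforced entry in the group means the denial actually blocked something
        g["permissive_only"] &= rec["permissive"]
    return dict(groups)


def render(groups):
    """Render one reviewable line per group, in the order a policy rule would be written."""
    out = []
    for (sdom, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        comms = ",".join(sorted(c for c in g["comms"] if c))
        note = "permissive (logged, not blocked)" if g["permissive_only"] else "ENFORCED"
        out.append(f"{sdom} -> {ttype} : {tclass} {{ {perms} }}  x{g['count']}  comm={comms}  {note}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_AVC_LINES)))
```

On the sample input this collapses the four quoted denials into three groups: init_t reading and opening sysadm_sudo_t files (the /proc/<pid>/cgroup reads by systemd-journal), init_t searching a sysadm_sudo_t directory, and sysadm_sudo_t using a file descriptor inherited from init_t (the /dev/pts/0 case). Each group is then a single decision to review: whether that access is expected for the workload, or whether the right fix is a policy or labelling change rather than a blanket allow. Lines from `/var/log/audit/audit.log` or `journalctl` can be passed to `summarise()` directly, since the parser searches for the `avc:` record inside each line.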

----------

