Gentoo Forums
(solved?) SELinux : "avc: denied" message spamming my dmesg
abanoub
n00b


Joined: 25 Apr 2022
Posts: 3
Location: Mount Olympus

PostPosted: Thu Jul 21, 2022 1:06 pm    Post subject: SELinux : "avc: denied" message spamming my dmesg

Title says it all: when booting (and after boot too) my dmesg is spammed with "avc: denied" messages like this:

Code:
[  893.531060] audit: type=1400 audit(1658408460.688:929): avc:  denied  { use } for  pid=8792 comm="sh" path="/dev/tty1" dev="devtmpfs" ino=20 ioctlcmd=0x540f scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1


But even with these messages, my system still boots fine.

Anyways thanks in advance, I'm sorry if I'm forgetting any crucial logs or whatever as I'm new to SELinux.
_________________
Segmentation fault (core dumped)


Last edited by abanoub on Thu Jul 21, 2022 8:21 pm; edited 2 times in total
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20067

PostPosted: Thu Jul 21, 2022 1:22 pm

Is SELinux configured to enforce? SELinux state and mode

How to read and correct SELinux denial messages (RedHat) seems to have some good information. If nothing else, maybe you can get the "more approachable" messages.

I haven't read Gentoo's SELinux wiki closely, but at first glance, it seems to have some resources that may be helpful.

So far I've only looked into SELinux sufficiently to determine that it isn't practical to retrofit onto an existing environment. At least not where implementing it isn't a priority.
_________________
Quis separabit? Quo animo?
abanoub
n00b


Joined: 25 Apr 2022
Posts: 3
Location: Mount Olympus

PostPosted: Thu Jul 21, 2022 1:35 pm

pjp wrote:
Is SELinux configured to enforce?


No, it's configured to permissive.

pjp wrote:
How to read and correct SELinux denial messages (RedHat) seems to have some good information. If nothing else, maybe you can get the "more approachable" messages.


Thanks, will give that a read.

pjp wrote:
I haven't read Gentoo's SELinux wiki closely, but at first glance, it seems to have some resources that may be helpful.


EDIT: Looking at that link you sent about SELinux modes, I see that the easiest way to stop the kernel error messages is to just disable SELinux, because setting it to enforce will actually start causing problems, as a lot of the errors I'm getting are for essential system stuff. But that's not practical, since at that point it would just be extra bloat to leave it in and not use it, plus I'd have to choose another profile and all that.
_________________
Segmentation fault (core dumped)
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20067

PostPosted: Thu Jul 21, 2022 5:22 pm

Verifying the mode setting was to clarify "But even with these messages, my system still boots fine."

It (may) boot fine because the configuration is set to permissive. As you point out, if you were to enable enforcing mode, it would likely cause problems.

One approach to configuring SELinux is to use permissive mode and create the rules from the messages. The RH link mentioned "more approachable" messages, which (may?) provide better information about what to configure to allow whatever caused the error.
_________________
Quis separabit? Quo animo?
abanoub
n00b


Joined: 25 Apr 2022
Posts: 3
Location: Mount Olympus

PostPosted: Thu Jul 21, 2022 8:20 pm

pjp wrote:
One approach to configuring SELinux is to use permissive mode and create the rules from the messages. The RH link mentioned "more approachable" messages, which (may?) provide better information about what to configure to allow whatever caused the error.


Yeah, about this, my "solution" was to just switch out my hardened/SELinux profile, since it's caused more problems if anything and hasn't increased my security 1 bit.

Still, thanks for your help man.

And about the RH link, I've checked in the directories it mentions and, surprise surprise, there are no logs at all.
_________________
Segmentation fault (core dumped)
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20067

PostPosted: Thu Jul 21, 2022 10:25 pm

You're welcome, such as it was. Reaching a decision is always nice too :). Hardening is definitely a challenge, especially with "desktop" type environments.


In case anyone comes along, I'll add a couple of clarifying quotes from the RH link:
Quote:
Where are denials logged?

Now, these AVC denials, much like everything else in Linux, are logged by the system. Where those messages are logged varies depending on which system daemons are running.

auditd on - /var/log/audit/audit.log
auditd off; rsyslogd on - /var/log/messages
setroubleshootd, rsyslogd, and auditd on - Both locations, though the messages in /var/log/messages are easier to make sense of
Quote:
Here the output is in more approachable language, and if you read carefully, a solution is presented:
Sep 22 13:35:24 server setroubleshoot[3999]: SELinux is preventing rhsmcertd-worke from read access on the file virt.module. For complete SELinux messages run: sealert -l 97a1c0df-81ed-4c08-ba27-41c5067b713b
Sep 22 13:35:24 server platform-python[3999]: SELinux is preventing rhsmcertd-worke from read access on the file virt.module.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow daemons to dump core#012Then you must tell SELinux about this by enabling the 'daemons_dump_core' boolean.#012#012Do#012setsebool -P daemons_dump_core 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that rhsmcertd-worke should be allowed read access on the virt.module file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke#012# semodule -X 300 -i my-rhsmcertdworke.pp#012
I'm guessing setroubleshootd would need to be configured (and possibly other things) to log the "approachable" messages. Also, auditd likely comes from sys-process/audit. And since Gentoo isn't RH, things may not be the same.
_________________
Quis separabit? Quo animo?
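Added example, not from the thread or any of its posters: for the approach pjp describes (run permissive, derive rules from the messages) and the ausearch/audit2allow step quoted above, a small Python parser for AVC records in the dmesg format shown in the first post, which groups denials by source type, target type and class the way audit2allow does and renders them as allow statements for review. The sample lines are constructed (the first mirrors the one in the thread); the output is a starting point for triage, since a denial often points to a mislabelled file or a missing boolean rather than a rule that should be added.

```python
import re
from collections import defaultdict

# Constructed sample log in the dmesg/audit shape seen in the thread (not real system output)
SAMPLE_LOG = """\
[  893.531060] audit: type=1400 audit(1658408460.688:929): avc:  denied  { use } for  pid=8792 comm="sh" path="/dev/tty1" dev="devtmpfs" ino=20 ioctlcmd=0x540f scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
[  893.540000] audit: type=1400 audit(1658408460.700:930): avc:  denied  { read write } for  pid=8792 comm="sh" path="/dev/tty1" dev="devtmpfs" ino=20 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
[  894.000000] audit: type=1400 audit(1658408461.000:931): avc:  granted  { setsecparam } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security permissive=0
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally double-quoted

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def type_of(context):
    # An SELinux context is user:role:type[:range]; policy rules are written on the type.
    return context.split(":")[2]

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class); also note which
    keys were only logged because the system was permissive (permissive=1)."""
    groups = defaultdict(set)
    permissive_only = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
        if rec.get("permissive") == "1":
            permissive_only.add(key)
    return groups, permissive_only

def to_allow_rules(groups):
    """Render grouped denials as policy 'allow' statements, in audit2allow's style, for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Feed it `dmesg` output or /var/log/audit/audit.log; AVC lines from auditd carry the same `avc: denied { ... } for ...` body and parse the same way.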