Package: selinux-policy-default
Version: 2:2.20190201-2
Using debian-10.7.0-amd64-netinst.iso we installed minimal + SSH server
+ standard system utilities.
Kernel: 4.19.0-13-amd64
Upon first boot of the installed system we stopped and disabled apparmor.
Then we performed the steps in this :
> https://wiki.debian.org/SELinux/Setup
When the system rebooted following the relabelling we executed
audit2why -al and found 52 denials.
We expected zero denials. We expect the problem to occur with any such
installation.
The output of "audit2why -al" is attached, because the long lines make
the pasted version very messy.
Regards,
The IOPEN Team
type=AVC msg=audit(1607611437.896:7): avc: denied { getattr } for pid=346
comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11449
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611437.896:8): avc: denied { create } for pid=295
comm="cached_setup_fo" name="font-loaded"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611437.896:8): avc: denied { add_name } for pid=295
comm="cached_setup_fo" name="font-loaded"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611437.896:8): avc: denied { write } for pid=295
comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11449
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611438.920:15): avc: denied { read } for pid=229
comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=12202
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611438.920:16): avc: denied { read } for pid=229
comm="systemd-timesyn" name="system_bus_socket" dev="tmpfs" ino=12205
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:34): avc: denied { add_name } for pid=399
comm="login" name="motd.dynamic"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:34): avc: denied { rename } for pid=399
comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:34): avc: denied { remove_name } for
pid=399 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:34): avc: denied { write } for pid=399
comm="login" name="/" dev="tmpfs" ino=1128
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:35): avc: denied { open } for pid=399
comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:35): avc: denied { read } for pid=399
comm="login" name="motd.dynamic" dev="tmpfs" ino=13733
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.324:36): avc: denied { getattr } for pid=399
comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:37): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:38): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:39): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:40): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:41): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611448.364:42): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:52): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:53): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:54): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:55): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:56): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:57): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:58): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611466.098:51): avc: denied { signull } for pid=183
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611749.308:7): avc: denied { getattr } for pid=340
comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11360
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611749.308:8): avc: denied { create } for pid=301
comm="cached_setup_fo" name="font-loaded"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611749.308:8): avc: denied { add_name } for pid=301
comm="cached_setup_fo" name="font-loaded"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611749.308:8): avc: denied { write } for pid=301
comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11360
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:32): avc: denied { add_name } for pid=376
comm="login" name="motd.dynamic"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:32): avc: denied { rename } for pid=376
comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:32): avc: denied { remove_name } for
pid=376 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:32): avc: denied { write } for pid=376
comm="login" name="/" dev="tmpfs" ino=8491
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:33): avc: denied { open } for pid=376
comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:33): avc: denied { read } for pid=376
comm="login" name="motd.dynamic" dev="tmpfs" ino=14476
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.128:34): avc: denied { getattr } for pid=376
comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:35): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:36): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:37): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:38): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:39): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611759.168:40): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:50): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:51): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:52): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:53): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:54): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:55): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:56): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1607611777.024:49): avc: denied { signull } for pid=176
comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.