Package: selinux-policy-default
Version: 2:2.20190201-2

Using debian-10.7.0-amd64-netinst.iso we installed minimal + SSH server + standard system utilities.
Kernel: 4.19.0-13-amd64

Upon first boot of the installed system we stopped and disabled apparmor. Then we performed the steps in this:

> https://wiki.debian.org/SELinux/Setup

When the system rebooted following the relabelling we executed audit2why -al and found 52 denials. We expected zero denials. We expect the problem to occur with any such installation.

The output of "audit2why -al" is attached, because the long lines make the pasted version very messy.

Regards,
The IOPEN Team
type=AVC msg=audit(1607611437.896:7): avc: denied { getattr } for pid=346 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc: denied { create } for pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc: denied { add_name } for pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611437.896:8): avc: denied { write } for pid=295 comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611438.920:15): avc: denied { read } for pid=229 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=12202 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611438.920:16): avc: denied { read } for pid=229 comm="systemd-timesyn" name="system_bus_socket" dev="tmpfs" ino=12205 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc: denied { add_name } for pid=399 comm="login" name="motd.dynamic" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc: denied { rename } for pid=399 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc: denied { remove_name } for pid=399 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:34): avc: denied { write } for pid=399 comm="login" name="/" dev="tmpfs" ino=1128 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:35): avc: denied { open } for pid=399 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:35): avc: denied { read } for pid=399 comm="login" name="motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.324:36): avc: denied { getattr } for pid=399 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=13733 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:37): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:38): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:39): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:40): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:41): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611448.364:42): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:52): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:53): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:54): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:55): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:56): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:57): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:58): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611466.098:51): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:7): avc: denied { getattr } for pid=340 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc: denied { create } for pid=301 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc: denied { add_name } for pid=301 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611749.308:8): avc: denied { write } for pid=301 comm="cached_setup_fo" name="console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc: denied { add_name } for pid=376 comm="login" name="motd.dynamic" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc: denied { rename } for pid=376 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc: denied { remove_name } for pid=376 comm="login" name="motd.dynamic.new" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:32): avc: denied { write } for pid=376 comm="login" name="/" dev="tmpfs" ino=8491 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:33): avc: denied { open } for pid=376 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:33): avc: denied { read } for pid=376 comm="login" name="motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.128:34): avc: denied { getattr } for pid=376 comm="login" path="/run/motd.dynamic" dev="tmpfs" ino=14476 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:35): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:36): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:37): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:38): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:39): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611759.168:40): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:50): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:51): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:52): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:53): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:54): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:55): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:56): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1607611777.024:49): avc: denied { signull } for pid=176 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.
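
A triage aid for output like the above, added here as an example and not part of the original report: it parses AVC records and collapses repeats (across boots and PIDs) into the distinct source type, target type and class tuples a policy reviewer has to decide on. The function names are made up for this example, the sample is a subset of records copied from the report, and one record per line is assumed.

```python
import re
from collections import defaultdict

# Subset of records copied from the report (both boots), one per line.
SAMPLE = """\
type=AVC msg=audit(1607611437.896:7): avc: denied { getattr } for pid=346 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11449 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607611437.896:8): avc: denied { create } for pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1607611437.896:8): avc: denied { add_name } for pid=295 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607611438.920:15): avc: denied { read } for pid=229 comm="systemd-timesyn" name="dbus" dev="tmpfs" ino=12202 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607611448.364:37): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1607611466.098:51): avc: denied { signull } for pid=183 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1607611749.308:7): avc: denied { getattr } for pid=340 comm="mkdir" path="/run/console-setup" dev="tmpfs" ino=11360 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """An SELinux context is user:role:type[:level]; return the type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Count denials and merge them into {(source, target, class): perms}."""
    rules, count = defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            count += 1
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return count, dict(rules)


def as_allow_rules(rules):
    """Render the merged tuples in TE allow-rule syntax for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    n, merged = summarize(SAMPLE)
    print(f"{n} denials -> {len(merged)} distinct rules")
    print("\n".join(as_allow_rules(merged)))
```

The rendered rules are a review list: each one widens what the source domain may do, so it is checked against the policy's intent (or turned into a labelling fix) rather than loaded as generated.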