Bug 634340 - SELINUX Wrong file contexts
Summary: SELINUX Wrong file contexts
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal critical
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-15 14:32 UTC by Oruriz
Modified: 2018-10-12 21:26 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
More info (rc-update.txt,2.25 KB, text/plain)
2017-10-16 13:58 UTC, Oruriz
Details
fstab (fstab.txt,1.43 KB, text/plain)
2017-10-16 13:58 UTC, Oruriz
Details
make.conf (make.conf.txt,2.63 KB, text/plain)
2017-10-16 13:59 UTC, Oruriz
Details
My packages (mypackages.txt,160.71 KB, text/plain)
2017-10-16 14:00 UTC, Oruriz
Details
dmesg | grep audit (log,20.16 KB, text/plain)
2017-10-17 23:42 UTC, Oruriz
Details

Description Oruriz 2017-10-15 14:32:22 UTC
After installing selinux on my system, I discovered that some system files have wrong contexts. For example:

NONAME ~ # ls -Z /bin/mount
system_u:object_r:bin_t /bin/mount
when it must be:
system_u:object_r:mount_exec_t

In fact, I found that the file /etc/selinux/strict/contexts/files/file_contexts.subs_dist is not working properly. It must be in /var/lib/selinux/strict/active/file_contexts.subs_dist according to this migration news: https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration

So after:
NONAME ~ # cp /etc/selinux/strict/contexts/files/file_contexts.subs_dist /var/lib/selinux/strict/active/file_contexts.subs_dist
NONAME ~ # restorecon -F /bin/mount
NONAME ~ # ls -Z /bin/mount
system_u:object_r:mount_exec_t /bin/mount
This trouble is gone. But I don't know if all the other stuff works properly.
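To show why the location of file_contexts.subs_dist decides the label of /bin/mount, here is an added Python example (not code from the bug report or from libselinux) that mimics the lookup: the path is first rewritten through the subs_dist prefix table, then matched against file_contexts with the last matching entry winning. The subs_dist and file_contexts content is a constructed sample, and the "last match wins" rule assumes the file is sorted most-specific-last, as the policy build tools produce it.

```python
import re

# Constructed sample of file_contexts.subs_dist (not the page's file): one
# "<path-prefix> <replacement>" pair per line. Gentoo's real file maps the
# legacy /bin, /sbin and /lib* paths onto their /usr counterparts.
SUBS_DIST = """\
/run /var/run
/bin /usr/bin
/sbin /usr/sbin
/lib64 /usr/lib64
"""

# Constructed sample of file_contexts: "<regex> [<filetype>] <context>". The
# regex is implicitly anchored, and entries are assumed sorted most-specific-
# last, as sefcontext_compile/fc_sort produce them. Contexts carry no MLS
# level, matching the strict policy output in the bug report.
FILE_CONTEXTS = """\
/bin(/.*)?       system_u:object_r:bin_t
/usr/bin(/.*)?   system_u:object_r:bin_t
/usr/sbin(/.*)?  system_u:object_r:bin_t
/var/run(/.*)?   system_u:object_r:var_run_t
/usr/bin/mount   --  system_u:object_r:mount_exec_t
"""

def parse_subs(text):
    """Return (src, dst) pairs, longest source prefix first."""
    pairs = [tuple(line.split()) for line in text.splitlines()
             if line.strip() and not line.startswith('#')]
    return sorted(pairs, key=lambda p: len(p[0]), reverse=True)

def substitute(path, subs):
    """Rewrite the longest matching prefix; only whole path components match."""
    for src, dst in subs:
        if path == src or path.startswith(src + '/'):
            return dst + path[len(src):]
    return path

def parse_file_contexts(text):
    """Return (compiled regex, filetype-or-None, context) triples in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        ftype = parts[1] if len(parts) == 3 else None
        specs.append((re.compile('^' + parts[0] + '$'), ftype, parts[-1]))
    return specs

def expected_context(path, specs, subs, regular_file=True):
    """Canonicalise the path via subs, then let the last matching spec win."""
    canonical = substitute(path, subs)
    context = None
    for regex, ftype, ctx in specs:
        if ftype == '--' and not regular_file:
            continue  # '--' entries apply to regular files only
        if regex.match(canonical):
            context = ctx
    return canonical, context

def check_labels(observed, specs, subs):
    """Compare labels seen with 'ls -Z' against policy; return mismatches."""
    mismatches = []
    for path, got in observed.items():
        _, want = expected_context(path, specs, subs)
        if want is not None and want != got:
            mismatches.append((path, got, want))
    return mismatches
```

With an empty substitution table the lookup lands on the legacy /bin entry and yields bin_t, which is exactly the wrong label the report shows; with the table loaded it resolves to /usr/bin/mount and mount_exec_t.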
Comment 1 Oruriz 2017-10-16 13:58:10 UTC
Created attachment 498834 [details]
More info
Comment 2 Oruriz 2017-10-16 13:58:39 UTC
Created attachment 498836 [details]
fstab
Comment 3 Oruriz 2017-10-16 13:59:44 UTC
Created attachment 498838 [details]
make.conf
Comment 4 Oruriz 2017-10-16 14:00:11 UTC
Created attachment 498840 [details]
My packages
Comment 5 Oruriz 2017-10-16 14:00:23 UTC
Found some wrong config in my kernel:
Was:
SECURITY_SELINUX_BOOTPARAM [=y]
SECURITY_SELINUX_DISABLE [=y]
SECURITY_SELINUX_AVC_STATS [=y]
SECURITY_SELINUX_CHECKREQPROT_VALUE [=0]

Now I changed this to:
SECURITY_SELINUX_BOOTPARAM [=n]
SECURITY_SELINUX_DISABLE [=n]
SECURITY_SELINUX_AVC_STATS [=n]
SECURITY_SELINUX_CHECKREQPROT_VALUE [=1]

And I have other strange AVC deny messages:
NONAME linux # dmesg | grep audit
[    0.653518] audit: initializing netlink subsys (disabled)
[    0.653694] audit: type=2000 audit(1508160285.649:1): state=initialized audit_enabled=0 res=1
[    2.278989] audit: type=1403 audit(1508160287.274:2): policy loaded auid=4294967295 ses=4294967295
[    2.392582] audit: type=1400 audit(1508160287.388:3): avc:  denied  { read write } for  pid=3104 comm="mount" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.401317] audit: type=1400 audit(1508160287.396:4): avc:  denied  { use } for  pid=3105 comm="checkpath" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[    3.138143] audit: type=1400 audit(1508160288.133:5): avc:  denied  { write } for  pid=3387 comm="mount" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=dir permissive=1
[    3.154256] audit: type=1400 audit(1508160288.149:6): avc:  denied  { write } for  pid=3399 comm="mount" name="/" dev="mqueue" ino=2108 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[    3.213602] audit: type=1400 audit(1508160288.209:7): avc:  denied  { read } for  pid=3434 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[    3.245066] audit: type=1400 audit(1508160288.240:8): avc:  denied  { read write } for  pid=3457 comm="checkpath" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[    3.249297] audit: type=1400 audit(1508160288.244:9): avc:  denied  { read } for  pid=3458 comm="kmod" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:kmod_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[    3.404621] audit: type=1400 audit(1508160288.400:10): avc:  denied  { use } for  pid=3537 comm="restorecond" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:restorecond_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[    8.162514] kauditd_printk_skb: 54 callbacks suppressed
[    8.162517] audit: type=1400 audit(1508160294.080:65): avc:  denied  { write } for  pid=4156 comm="mount" name="/" dev="sdb3" ino=256 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
[   11.934756] audit: type=1400 audit(1508160297.852:66): avc:  denied  { write } for  pid=4284 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   12.111775] audit: type=1400 audit(1508160298.029:67): avc:  denied  { read } for  pid=4413 comm="restorecon" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.116584] audit: type=1400 audit(1508160298.034:68): avc:  denied  { read } for  pid=4415 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.159386] audit: type=1400 audit(1508160298.077:69): avc:  denied  { read } for  pid=4450 comm="hostname" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.207801] audit: type=1400 audit(1508160298.125:70): avc:  denied  { use } for  pid=4492 comm="checkpath" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[   12.346738] audit: type=1400 audit(1508160298.264:71): avc:  denied  { read } for  pid=4583 comm="ip" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.456119] audit: type=1400 audit(1508160298.374:72): avc:  denied  { ioctl } for  pid=4658 comm="restorecon" path="/dev/console" dev="devtmpfs" ino=3086 ioctlcmd=0x5401 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.662002] audit: type=1400 audit(1508160298.580:73): avc:  denied  { read } for  pid=4784 comm="dbus-daemon" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   12.733752] audit: type=1400 audit(1508160298.651:74): avc:  denied  { read } for  pid=4817 comm="rsyslogd" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[   13.810824] audit: type=1400 audit(1508160299.728:75): avc:  denied  { use } for  pid=4858 comm="console-kit-dae" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:consolekit_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[   13.839197] audit: type=1400 audit(1508160299.757:76): avc:  denied  { rlimitinh } for  pid=4878 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t tcontext=system_u:system_r:udev_t tclass=process permissive=1
[   13.839199] audit: type=1400 audit(1508160299.757:77): avc:  denied  { siginh } for  pid=4878 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t tcontext=system_u:system_r:udev_t tclass=process permissive=1
[   13.839223] audit: type=1400 audit(1508160299.757:78): avc:  denied  { noatsecure } for  pid=4878 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t tcontext=system_u:system_r:udev_t tclass=process permissive=1
[   13.839397] audit: type=1400 audit(1508160299.757:79): avc:  denied  { rlimitinh } for  pid=4873 comm="polkitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:policykit_t tclass=process permissive=1
[   13.839400] audit: type=1400 audit(1508160299.757:80): avc:  denied  { siginh } for  pid=4873 comm="polkitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:policykit_t tclass=process permissive=1
[   13.839700] audit: type=1400 audit(1508160299.757:81): avc:  denied  { noatsecure } for  pid=4873 comm="polkitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:policykit_t tclass=process permissive=1
[   13.854480] audit: type=1400 audit(1508160299.772:82): avc:  denied  { getattr } for  pid=4873 comm="polkitd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:policykit_t tcontext=system_u:object_r:security_t tclass=filesystem permissive=1
[   13.857176] audit: type=1400 audit(1508160299.775:83): avc:  denied  { use } for  pid=4899 comm="NetworkManager" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[   13.857178] audit: type=1400 audit(1508160299.775:84): avc:  denied  { read } for  pid=4899 comm="NetworkManager" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
Comment 6 Oruriz 2017-10-16 14:19:26 UTC
semodule -B fixes almost all previous troubles

NONAME ~ # dmesg | grep audit
[    0.649726] audit: initializing netlink subsys (disabled)
[    0.649905] audit: type=2000 audit(1508163280.646:1): state=initialized audit_enabled=0 res=1
[    2.282155] audit: type=1403 audit(1508163282.278:2): policy loaded auid=4294967295 ses=4294967295
[    3.420962] audit: type=1400 audit(1508163283.417:3): avc:  denied  { read } for  pid=3538 comm="restorecond" name=".gtkrc-2.0-kde4" dev="sda2" ino=136808 scontext=system_u:system_r:restorecond_t tcontext=root:object_r:user_home_t tclass=lnk_file permissive=1
[    3.688639] audit: type=1400 audit(1508163283.685:4): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/proc/kcore" dev="proc" ino=4026532010 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:proc_kcore_t tclass=file permissive=1
[    3.688726] audit: type=1400 audit(1508163283.685:5): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/dev/0:0:0:0" dev="devtmpfs" ino=11512 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:usb_device_t tclass=chr_file permissive=1
[    3.688885] audit: type=1400 audit(1508163283.685:6): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/dev/audio" dev="devtmpfs" ino=9739 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:sound_device_t tclass=chr_file permissive=1
[    3.688887] audit: type=1400 audit(1508163283.685:7): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/dev/autofs" dev="devtmpfs" ino=9633 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1
[    3.688963] audit: type=1400 audit(1508163283.685:8): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/dev/bsg/4:0:0:0" dev="devtmpfs" ino=1118 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file permissive=1
[    3.689061] audit: type=1400 audit(1508163283.685:9): avc:  denied  { getattr } for  pid=3538 comm="restorecond" path="/dev/btrfs-control" dev="devtmpfs" ino=1107 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file permissive=1
[    3.689390] audit: type=1400 audit(1508163283.685:10): avc:  denied  { getattr } for  pid=3538 comm="restorecond" name="/" dev="proc" ino=1 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[   12.216648] kauditd_printk_skb: 28 callbacks suppressed
[   12.216650] audit: type=1400 audit(1508163292.959:39): avc:  denied  { relabelto } for  pid=3540 comm="restorecond" name="vcs2" dev="devtmpfs" ino=16968 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

Sorry for wasting your time.
Comment 7 Oruriz 2017-10-16 17:52:48 UTC
And after removing /dev/* from restorecond.conf the audit log is finally clear.

I don't know if /var/lib/selinux/strict/active/file_contexts.subs_dist works from /etc/selinux. Guess it must work.

So a better fix for this bug: add a kernel config check to the selinux-basepolicy ebuild to prevent "shooting the user's leg off".
Comment 8 Jason Zaman gentoo-dev 2017-10-17 03:40:03 UTC
(In reply to Oruriz from comment #7)
> And after removing /dev/* from restorecond.conf the audit log is finally clear.

Did you add /dev/* to restorecond or was it there already? /dev should not be required. On boot the init scripts take care of any initial labelling, and afterwards udev handles setting permissions and fixing any labels.

> I don't know if /var/lib/selinux/strict/active/file_contexts.subs_dist works
> from /etc/selinux. Guess it must work.

I don't have that file (I only have it in /etc/selinux) and subs_dist works fine for me. Weird that it didn't before.

> So a better fix for this bug: add a kernel config check to the selinux-basepolicy
> ebuild to prevent "shooting the user's leg off".

(In reply to Oruriz from comment #5)
> Found some wrong config in my kernel:
> Was:
> SECURITY_SELINUX_BOOTPARAM [=y]
> SECURITY_SELINUX_DISABLE [=y]
> SECURITY_SELINUX_AVC_STATS [=y]
> SECURITY_SELINUX_CHECKREQPROT_VALUE [=0]
> 
> Now I changed this to:
> SECURITY_SELINUX_BOOTPARAM [=n]
> SECURITY_SELINUX_DISABLE [=n]
> SECURITY_SELINUX_AVC_STATS [=n]
> SECURITY_SELINUX_CHECKREQPROT_VALUE [=1]

_DISABLE doesn't matter. It only lets you change from enforcing or permissive -> disabled, but there's like no point in disabled so ...
_BOOTPARAM is similar, it lets you disable selinux from the kernel command line, so it doesn't matter either.
_AVC_STATS is nice to have but shouldn't affect anything.
CHECKREQPROT can matter, but 0 is stricter than 1 and 0 is working for me. I also don't see how it would have any relation to subs_dist.

This is the help text for checkreqprot:
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE:

This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
by the application or the protection that will be applied by the
kernel (including any implied execute for read-implies-exec) for
mmap and mprotect calls.  If this option is set to 0 (zero),
SELinux will default to checking the protection that will be applied
by the kernel.  If this option is set to 1 (one), SELinux will
default to checking the protection requested by the application.
The checkreqprot flag may be changed from the default via the
'checkreqprot=' boot parameter.  It may also be changed at runtime
via /selinux/checkreqprot if authorized by policy.

If you are unsure how to answer this question, answer 0.


I have these settings and things work:
# zgrep -i selinux /proc/config.gz 
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"


Was this after a brand new install of selinux? Or had you been using it before? All I can think of is maybe there was some update of the policies and something failed to load, so the policy store wasn't completely consistent. I'm glad semodule -B fixed it.

If it's a new install then it might mean that we need to update the documentation to force a rebuild of the policies at some point.
Comment 9 Oruriz 2017-10-17 09:27:39 UTC
Yes, I added /dev/* (I had troubles with the /dev/sdb3 label with previous configs).

I tried to use selinux before (I had the same troubles). Then I used TOMOYO Linux as the security module. Now I reinstalled selinux from 2.6 to 2.7 to try again.


CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
Comment 10 Oruriz 2017-10-17 09:28:52 UTC
I have a fresh Gentoo without selinux on VirtualBox, so I can try to reproduce this on a VM.
Comment 11 Oruriz 2017-10-17 23:42:23 UTC
Created attachment 499038 [details]
dmesg | grep audit

Fresh Gentoo install after switching to the hardened profile and installing selinux. I used this guide https://wiki.gentoo.org/wiki/SELinux/Installation with my previous kernel options:

SECURITY_SELINUX_BOOTPARAM [=y]
SECURITY_SELINUX_DISABLE [=y]
SECURITY_SELINUX_AVC_STATS [=y]
SECURITY_SELINUX_CHECKREQPROT_VALUE [=0]

And similar troubles.
Comment 12 Oruriz 2017-10-17 23:47:15 UTC
semodule -B 
restorecon -F -R /

did not help.
Comment 13 Oruriz 2017-10-17 23:54:01 UTC
And rebuilding the kernel with the guide's options did not help at all.
My brain is cracked. I'll try again tomorrow.
And I can upload my VM to Dropbox.
Comment 14 Oruriz 2017-10-19 20:17:53 UTC
Installed selinux on a fresh Gentoo. File contexts are right. So these troubles occur when reinstalling selinux.

But I have other audit log messages:
[    0.703078] audit: initializing netlink subsys (disabled)
[    0.703798] audit: type=2000 audit(1508444049.604:1): state=initialized audit_enabled=0 res=1
[    1.569846] audit: type=1403 audit(1508444050.470:2): policy loaded auid=4294967295 ses=4294967295
[    1.995687] audit: type=1400 audit(1508444050.896:3): avc:  denied  { read write } for  pid=1112 comm="lvm" path="/dev/console" dev="devtmpfs" ino=1039 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.009771] audit: type=1400 audit(1508444050.910:4): avc:  denied  { open } for  pid=1112 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1036 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.387531] audit: type=1400 audit(1508444051.287:5): avc:  denied  { read write } for  pid=1289 comm="cgroup-release-" name="tty" dev="devtmpfs" ino=1038 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.389728] audit: type=1400 audit(1508444051.287:6): avc:  denied  { open } for  pid=1289 comm="cgroup-release-" path="/dev/tty" dev="devtmpfs" ino=1038 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.601100] audit: type=1400 audit(1508444051.501:7): avc:  denied  { associate } for  pid=1441 comm="kmod" name="kmod.conf" scontext=system_u:object_r:kmod_tmpfiles_conf_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[    3.345491] audit: type=1400 audit(1508444052.245:8): avc:  denied  { search } for  pid=1667 comm="alsactl" name=".config" dev="sda2" ino=3094778 scontext=system_u:system_r:alsa_t tcontext=root:object_r:xdg_config_home_t tclass=dir permissive=1
[    3.346282] audit: type=1400 audit(1508444052.246:9): avc:  denied  { read } for  pid=1667 comm="alsactl" name="pulse" dev="sda2" ino=3094828 scontext=system_u:system_r:alsa_t tcontext=root:object_r:xdg_config_home_t tclass=dir permissive=1
[    6.089072] kauditd_printk_skb: 18 callbacks suppressed
[    6.089076] audit: type=1400 audit(1508444056.323:28): avc:  denied  { search } for  pid=2544 comm="syslog-ng" name="NetworkManager" dev="tmpfs" ino=8947 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1
[    6.089079] audit: type=1400 audit(1508444056.323:29): avc:  denied  { read } for  pid=2544 comm="syslog-ng" name="resolv.conf" dev="tmpfs" ino=7801 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=file permissive=1
[    6.089081] audit: type=1400 audit(1508444056.323:30): avc:  denied  { open } for  pid=2544 comm="syslog-ng" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=7801 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=file permissive=1
[    6.089083] audit: type=1400 audit(1508444056.323:31): avc:  denied  { getattr } for  pid=2544 comm="syslog-ng" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=7801 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=file permissive=1
[    6.128744] audit: type=1400 audit(1508444056.362:32): avc:  denied  { getattr } for  pid=2546 comm="checkpath" path="/var/lib/syslog-ng" dev="sda2" ino=958476 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir permissive=1
[    6.128846] audit: type=1400 audit(1508444056.362:33): avc:  denied  { relabelfrom } for  pid=2546 comm="checkpath" name="syslog-ng" dev="sda2" ino=958476 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir permissive=1
[    6.128849] audit: type=1400 audit(1508444056.362:34): avc:  denied  { relabelto } for  pid=2546 comm="checkpath" name="syslog-ng" dev="sda2" ino=958476 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir permissive=1
[    6.344400] audit: type=1400 audit(1508444056.577:35): avc:  denied  { mounton } for  pid=2665 comm="automount" path="/media/sf_Downloads" dev="sda2" ino=3800372 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mnt_t tclass=dir permissive=1
[    6.403126] audit: type=1400 audit(1508444056.637:36): avc:  denied  { read } for  pid=2715 comm="agetty" name="resolv.conf" dev="tmpfs" ino=7801 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=file permissive=1
[    6.403145] audit: type=1400 audit(1508444056.637:37): avc:  denied  { open } for  pid=2715 comm="agetty" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=7801 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=file permissive=1
[   23.859625] kauditd_printk_skb: 1 callbacks suppressed
[   23.859628] audit: type=1400 audit(1508444074.102:39): avc:  denied  { search } for  pid=2743 comm="dmesg" name=".config" dev="sda2" ino=3094778 scontext=root:sysadm_r:dmesg_t tcontext=root:object_r:xdg_config_home_t tclass=dir permissive=1

Looks like /dev/tty0 has the wrong context at startup (maybe consolekit troubles or something else).
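Triage of the denials quoted in comments 5 and 14, as an added Python example (not code from the bug report or from Gentoo): it groups AVC lines by source type, target type and object class, flags denials against fallback types such as device_t or default_t as labelling problems (the kind that semodule -B and restorecon cured here) rather than missing policy, and counts the denials that dmesg rate-limited away. The sample lines are taken from the comment 5 log; the GENERIC_TYPES set is my own heuristic.

```python
import re
from collections import defaultdict

# Sample input taken from the 'dmesg | grep audit' output quoted in comment 5
# of this bug (shortened to a handful of lines).
SAMPLE_DMESG = """\
[    0.653518] audit: initializing netlink subsys (disabled)
[    2.278989] audit: type=1403 audit(1508160287.274:2): policy loaded auid=4294967295 ses=4294967295
[    2.392582] audit: type=1400 audit(1508160287.388:3): avc:  denied  { read write } for  pid=3104 comm="mount" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.401317] audit: type=1400 audit(1508160287.396:4): avc:  denied  { use } for  pid=3105 comm="checkpath" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
[    3.138143] audit: type=1400 audit(1508160288.133:5): avc:  denied  { write } for  pid=3387 comm="mount" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=dir permissive=1
[    3.213602] audit: type=1400 audit(1508160288.209:7): avc:  denied  { read } for  pid=3434 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=3086 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
[    8.162514] kauditd_printk_skb: 54 callbacks suppressed
[    8.162517] audit: type=1400 audit(1508160294.080:65): avc:  denied  { write } for  pid=4156 comm="mount" name="/" dev="sdb3" ino=256 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
[   12.456119] audit: type=1400 audit(1508160298.374:72): avc:  denied  { ioctl } for  pid=4658 comm="restorecon" path="/dev/console" dev="devtmpfs" ino=3086 ioctlcmd=0x5401 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUPPRESSED_RE = re.compile(r'kauditd_printk_skb: (\d+) callbacks suppressed')

# Heuristic (my own, not from the page): a denial whose target carries one of
# these fallback types usually means the object never got its proper label
# (fix with restorecon / semodule -B) rather than that policy lacks a rule.
GENERIC_TYPES = {'device_t', 'default_t', 'unlabeled_t', 'file_t'}

def parse_avc(line):
    """Extract permissions and key=value fields from one AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = set(m.group('perms').split())
    return fields

def type_of(context):
    """Third field of user:role:type[:level] is the type."""
    return context.split(':')[2]

def triage(lines):
    """Group denials by (source type, target type, class) and classify them."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set(), 'count': 0})
    suppressed = 0
    for line in lines:
        s = SUPPRESSED_RE.search(line)
        if s:
            suppressed += int(s.group(1))  # denials dmesg never printed
            continue
        f = parse_avc(line)
        if f is None:
            continue
        key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])
        g = groups[key]
        g['perms'] |= f['perms']
        g['objects'].add(f.get('path') or f.get('name', '?'))
        g['count'] += 1
    report = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        report.append({
            'stype': stype, 'ttype': ttype, 'tclass': tclass,
            'perms': sorted(g['perms']), 'objects': sorted(g['objects']),
            'count': g['count'],
            'verdict': 'relabel' if ttype in GENERIC_TYPES else 'policy',
        })
    return report, suppressed
```

The suppressed count matters: dmesg rate-limits the AVC stream, so a triage based on it alone is incomplete, and the full set should be read from the audit daemon's log instead.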
Comment 15 Oruriz 2017-10-19 22:24:41 UTC
My VM

https://www.dropbox.com/s/wxv647wwttjg6sm/GB_selinux_troc.ova?dl=0

root password:
gentooroot

startx launches KDE Plasma
Comment 16 Mira Ressel 2018-10-12 21:26:16 UTC
Old, inactive bug, most likely either caused by an obsolete bug or by an admin error.