We still have a few denials showing in dmesg for a random assortment of things, including rng-tools which just got installed along with its policy package. The relevant output of dmesg looks like this:

[ 1.816891] usb 1-3.2: new full-speed USB device number 7 using xhci_hcd
[ 1.926430] usb 1-3.2: New USB device found, idVendor=03eb, idProduct=8a6e, bcdDevice=20.32
[ 1.926441] usb 1-3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1.926446] usb 1-3.2: Product: Atmel maXTouch Digitizer
[ 1.926451] usb 1-3.2: Manufacturer: Atmel
[ 4.004836] audit: type=1400 audit(1535861285.870:3): avc: denied { getattr } for pid=469 comm="restorecon" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 4.547417] audit: type=1400 audit(1535861286.413:4): avc: denied { read } for pid=558 comm="dmesg" name="linux" dev="sda3" ino=2622067 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 4.547429] audit: type=1400 audit(1535861286.413:5): avc: denied { open } for pid=558 comm="dmesg" path="/etc/terminfo/l/linux" dev="sda3" ino=2622067 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 4.740212] udevd[591]: starting version 3.2.5
[ 4.748172] random: udevd: uninitialized urandom read (16 bytes read)
[ 4.748775] random: udevd: uninitialized urandom read (16 bytes read)
[ 4.748819] random: udevd: uninitialized urandom read (16 bytes read)
[ 4.767772] udevd[592]: starting eudev-3.2.5
[ 5.116283] audit: type=1400 audit(1535861286.980:6): avc: denied { setattr } for pid=654 comm="mknod" name="fuse" dev="devtmpfs" ino=1782 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 5.818185] urandom_read: 2 callbacks suppressed
[ 5.818190] random: udevd: uninitialized urandom read (16 bytes read)
[ 5.818300] random: udevd: uninitialized urandom read (16 bytes read)
[ 5.818455] random: udevd: uninitialized urandom read (16 bytes read)
[ 5.937931] thermal LNXTHERM:00: registered as thermal_zone0
[ 5.937935] ACPI: Thermal Zone [TZ02] (44 C)
[ 5.938611] thermal LNXTHERM:01: registered as thermal_zone1
[ 5.938614] ACPI: Thermal Zone [TZ01] (27 C)
[ 5.953362] shpchp: Standard Hot Plug PCI Controller Driver version: 0.4
[ 5.962907] i801_smbus 0000:00:1f.3: SMBus using PCI interrupt
[ 5.964679] input: PC Speaker as /devices/platform/pcspkr/input/input4
[ 5.987925] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[ 5.988648] hid-generic 0003:03EB:8A6E.0001: hiddev0,hidraw0: USB HID v1.11 Device [Atmel Atmel maXTouch Digitizer] on usb-0000:00:14.0-3.2/input0
[ 5.993281] input: Atmel Atmel maXTouch Digitizer as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.2/1-3.2:1.1/0003:03EB:8A6E.0002/input/input5
[ 5.993867] hid-generic 0003:03EB:8A6E.0002: input,hiddev1,hidraw1: USB HID v1.11 Device [Atmel Atmel maXTouch Digitizer] on usb-0000:00:14.0-3.2/input1
[ 5.993956] usbcore: registered new interface driver usbhid
[ 5.993958] usbhid: USB HID core driver
[ 6.000403] media: Linux media interface: v0.10
[ 6.009515] r8169 0000:01:00.0 eth0: RTL8168g/8111g at 0x (ptrval), 1c:ee:c9:00:e1:e6, XID 0c000800 IRQ 122
[ 6.009520] r8169 0000:01:00.0 eth0: jumbo features [frames: 9200 bytes, tx checksumming: ko]
[ 6.012822] Linux video capture interface: v2.00
[ 6.050510] cryptd: max_cpu_qlen set to 1000
[ 6.053467] checking generic (a0000 10000) vs hw (b0000000 10000000)
[ 6.053471] fb: switching to inteldrmfb from EFI VGA
[ 6.053537] Console: switching to colour dummy device 80x25
[ 6.057403] [drm] Replacing VGA console driver
[ 6.057806] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 6.057809] [drm] Driver supports precise vblank timestamp query.
[ 6.059901] _warn_unseeded_randomness: 11 callbacks suppressed
[ 6.059913] random: get_random_bytes called from init_module+0x1d/0x1000 [usbnet] with crng_init=1
[ 6.060715] i915 0000:00:02.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=io+mem
[ 6.067441] SSE version of gcm_enc/dec engaged.
[ 6.076763] [drm] Initialized i915 1.6.0 20180308 for 0000:00:02.0 on minor 0
[ 6.078990] ACPI: Video Device [GFX0] (multi-head: yes rom: no post: no)
[ 6.080109] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/LNXVIDEO:00/input/input6
[ 6.087307] random: get_random_bytes called from load_elf_binary+0xe22/0x15e7 with crng_init=1
[ 6.101311] uvcvideo: Found UVC 1.00 device FHD WebCam (0c45:6556)
[ 6.151416] uvcvideo 1-4:1.0: Entity type for entity Extension 3 was not initialized!
[ 6.151421] uvcvideo 1-4:1.0: Entity type for entity Processing 2 was not initialized!
[ 6.151425] uvcvideo 1-4:1.0: Entity type for entity Camera 1 was not initialized!
[ 6.152992] input: FHD WebCam: FHD WebCam as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/input/input7
[ 6.153207] usbcore: registered new interface driver uvcvideo
[ 6.153209] USB Video Class driver (1.1.1)
[ 6.191700] snd_hda_intel 0000:00:1b.0: bound 0000:00:02.0 (ops gen9_null_state [i915])
[ 6.194076] fbcon: inteldrmfb (fb0) is primary device
[ 6.242063] Console: switching to colour frame buffer device 240x67
[ 6.250710] intel_rapl: Found RAPL domain package
[ 6.250713] intel_rapl: Found RAPL domain core
[ 6.254375] snd_hda_codec_realtek hdaudioC0D0: autoconfig for ALC892: line_outs=1 (0x1b/0x0/0x0/0x0/0x0) type:speaker
[ 6.254379] snd_hda_codec_realtek hdaudioC0D0: speaker_outs=0 (0x0/0x0/0x0/0x0/0x0)
[ 6.254382] snd_hda_codec_realtek hdaudioC0D0: hp_outs=1 (0x14/0x0/0x0/0x0/0x0)
[ 6.254385] snd_hda_codec_realtek hdaudioC0D0: mono: mono_out=0x0
[ 6.254387] snd_hda_codec_realtek hdaudioC0D0: inputs:
[ 6.254390] snd_hda_codec_realtek hdaudioC0D0: Mic=0x19
[ 6.271485] i915 0000:00:02.0: fb0: inteldrmfb frame buffer device
[ 6.305685] EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
[ 6.324507] input: HDA Intel PCH Headphone Mic as /devices/pci0000:00/0000:00:1b.0/sound/card0/input8
[ 6.324646] input: HDA Intel PCH HDMI/DP,pcm=3 as /devices/pci0000:00/0000:00:1b.0/sound/card0/input9
[ 6.324797] input: HDA Intel PCH HDMI/DP,pcm=7 as /devices/pci0000:00/0000:00:1b.0/sound/card0/input10
[ 6.324937] input: HDA Intel PCH HDMI/DP,pcm=8 as /devices/pci0000:00/0000:00:1b.0/sound/card0/input11
[ 6.400197] iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11
[ 6.400301] iTCO_wdt: Found a Braswell SoC TCO device (Version=3, TCOBASE=0x0460)
[ 6.401274] iTCO_wdt: initialized. heartbeat=30 sec (nowayout=0)
[ 6.438711] input: Atmel Atmel maXTouch Digitizer as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.2/1-3.2:1.1/0003:03EB:8A6E.0002/input/input12
[ 6.438895] input: Atmel Atmel maXTouch Digitizer Pen as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.2/1-3.2:1.1/0003:03EB:8A6E.0002/input/input13
[ 6.439155] hid-multitouch 0003:03EB:8A6E.0002: input,hiddev1,hidraw1: USB HID v1.11 Device [Atmel Atmel maXTouch Digitizer] on usb-0000:00:14.0-3.2/input1
[ 6.440886] NET: Registered protocol family 10
[ 6.443562] random: get_random_bytes called from ipv6_chk_prefix+0x4e9/0x30a0 [ipv6] with crng_init=1
[ 6.446403] mousedev: PS/2 mouse device common for all mice
[ 6.461443] Segment Routing with IPv6
[ 6.462744] audit: type=1400 audit(1535861288.326:7): avc: denied { read } for pid=949 comm="modprobe" path="/var/lib/ip6tables/rules-save" dev="sda3" ino=2490914 scontext=system_u:system_r:kmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file permissive=1
[ 6.480368] asix 1-1.1:1.0 eth1: register 'asix' at usb-0000:00:14.0-1.1, ASIX AX88772B USB 2.0 Ethernet, 00:0e:c6:8f:69:8a
[ 6.480473] usbcore: registered new interface driver asix
[ 6.879544] nct6775: Found NCT6106D or compatible chip at 0x2e:0x290
[ 7.102090] NET: Registered protocol family 38
[ 7.236805] tun: Universal TUN/TAP device driver, 1.6
[ 7.285543] usbcore: registered new interface driver usblp
[ 7.379652] i2c /dev entries driver
[ 8.794684] EXT4-fs (sda3): re-mounted. Opts: (null)
[ 8.834266] EXT4-fs (sda5): re-mounted. Opts: (null)
[ 9.306087] Adding 1023996k swap on /swapfile. Priority:-2 extents:3 across:1040380k SSFS
[ 10.067683] audit: type=1400 audit(1535861291.470:8): avc: denied { mounton } for pid=1456 comm="mount" path="/tmp/tmp.J72bxg5dUm" dev="sda3" ino=2359300 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1
[ 11.804768] audit: type=1400 audit(1535861293.206:9): avc: denied { getattr } for pid=1745 comm="rngd" path="/sys/devices/virtual/misc/hw_random/rng_available" dev="sysfs" ino=32688 scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=1
[ 11.804792] audit: type=1400 audit(1535861293.206:10): avc: denied { read } for pid=1745 comm="rngd" name="rng_available" dev="sysfs" ino=32688 scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=1
[ 11.804800] audit: type=1400 audit(1535861293.206:11): avc: denied { open } for pid=1745 comm="rngd" path="/sys/devices/virtual/misc/hw_random/rng_available" dev="sysfs" ino=32688 scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=1
[ 14.371565] random: crng init done
[ 14.371568] random: 3 get_random_xx warning(s) missed due to ratelimiting
[ 14.371569] random: 2 urandom warning(s) missed due to ratelimiting
[ 34.689357] r8169 0000:01:00.0 eth0: link down
[ 34.689451] r8169 0000:01:00.0 eth0: link down
[ 34.689514] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 35.395046] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 35.626575] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 35.630436] asix 1-1.1:1.0 eth1: link up, 100Mbps, full-duplex, lpa 0x41E1
[ 36.310854] r8169 0000:01:00.0 eth0: link up
[ 36.310873] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 39.310164] 8021q: 802.1Q VLAN Support v1.8
Hello! The next time you report SELinux policy issues, please 1) split them across multiple bugs if there are multiple unrelated denials, 2) don't intersperse the denials with random other dmesg output which doesn't matter at all, and 3) don't give the bug "blocker" importance, that gives it an unpleasant red colour in the bug list. Thanks!
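A small triage script, added here as an example and not part of the bug thread: it keeps only the AVC records from a dmesg dump like the one above, drops the unrelated kernel output, and groups the denials by source domain, target type and object class, which is the split into separate bugs the maintainer asks for. The sample lines are copied from the report; the audit2allow-style summary format is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's dmesg (whitespace collapsed as in the scrape), plus two non-AVC lines to drop.
DMESG = """\
[ 4.004836] audit: type=1400 audit(1535861285.870:3): avc: denied { getattr } for pid=469 comm="restorecon" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 4.547417] audit: type=1400 audit(1535861286.413:4): avc: denied { read } for pid=558 comm="dmesg" name="linux" dev="sda3" ino=2622067 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 4.547429] audit: type=1400 audit(1535861286.413:5): avc: denied { open } for pid=558 comm="dmesg" path="/etc/terminfo/l/linux" dev="sda3" ino=2622067 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 4.748172] random: udevd: uninitialized urandom read (16 bytes read)
[ 11.804768] audit: type=1400 audit(1535861293.206:9): avc: denied { getattr } for pid=1745 comm="rngd" path="/sys/devices/virtual/misc/hw_random/rng_available" dev="sysfs" ino=32688 scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=1
[ 11.804792] audit: type=1400 audit(1535861293.206:10): avc: denied { read } for pid=1745 comm="rngd" name="rng_available" dev="sysfs" ino=32688 scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=1
[ 14.371565] random: crng init done
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other dmesg line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec

def group_denials(text):
    """Group denials by (source domain, target type, class): one group per bug report."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # kernel noise (random:, usb, drm, ...) does not belong in the report
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        groups[key]["perms"] |= rec["perms"]
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)

def candidate_rules(groups):
    """audit2allow-style lines for review; a denial may mean a mislabelled file, not a missing rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for (s, t, c), g in sorted(group_denials(DMESG).items()):
        print(f"{s} -> {t} ({c}): {sorted(g['perms'])} via {sorted(g['comms'])}")
    print("\n".join(candidate_rules(group_denials(DMESG))))
```

Running it against the full dump above yields one group per affected domain (setfiles_t, dmesg_t, tmpfiles_t, kmod_t, mount_t, rngd_t), which is the natural unit for filing separate bugs.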
I don't even know what's going on in some of those cases, for example with these weird modprobe denials. It'd be useful if you could debug these denials a bit further.