When booting a hardened image in restricted mode, I am getting a bunch of errors during boot that have something to do with cgroups. In permissive mode there are no such errors, and the audit logs are clean. Here's the OpenRC terminal output:

cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
/etc/init.d/sysfs: line 85: /sys/fs/cgroup/openrc/notify_on_release: Permission denied
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13

Reproducible: Always
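The err=-13 in the kernel messages above is EACCES, and the report notes that permissive mode makes the errors go away, which points at the MAC policy rather than file permissions. As an added example (not part of the bug report), this small Python triage script parses messages in that shape, maps the negative return value to its errno symbol, aggregates failures per cgroup control file, picks up the shell "Permission denied" line from the init script, and flags the log as a probable LSM denial when any EACCES is present. The sample log text is constructed for the example, not the reporter's full output.

```python
import errno
import re
from collections import Counter

# Constructed sample in the shape of the messages quoted in the report
# (one line deliberately carries a different errno to show the mapping).
SAMPLE_DMESG = """\
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
/etc/init.d/sysfs: line 85: /sys/fs/cgroup/openrc/notify_on_release: Permission denied
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add release_agent, err=-12
"""

ADDRM_RE = re.compile(
    r"cgroup_addrm_files: failed to add (?P<file>\S+), err=(?P<err>-?\d+)"
)
PERMDENIED_RE = re.compile(
    r"^(?P<script>\S+): line (?P<line>\d+): (?P<path>\S+): Permission denied$"
)


def errno_name(code):
    """Map a negative kernel return value to its errno symbol, e.g. -13 -> 'EACCES'."""
    n = abs(int(code))
    return errno.errorcode.get(n, f"errno {n}")


def triage(log_text):
    """Aggregate cgroup_addrm_files failures per (control file, errno) and collect
    paths the init script could not write. Returns a summary dict."""
    failures = Counter()
    denied_paths = []
    for line in log_text.splitlines():
        m = ADDRM_RE.search(line)
        if m:
            failures[(m.group("file"), errno_name(m.group("err")))] += 1
            continue
        m = PERMDENIED_RE.match(line)
        if m:
            denied_paths.append(m.group("path"))

    eacces = sum(n for (_, e), n in failures.items() if e == "EACCES")
    return {
        "failures": dict(failures),
        "denied_paths": denied_paths,
        "eacces_count": eacces,
        # EACCES while the kernel populates cgroupfs, combined with a clean boot in
        # permissive mode, is the signature of a policy denial rather than a DAC one.
        "likely_lsm_denial": eacces > 0,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_DMESG)
    for (ctl_file, err), count in sorted(summary["failures"].items()):
        print(f"{ctl_file:24s} {err:8s} x{count}")
    print("init-script denied paths:", summary["denied_paths"])
    print("likely LSM denial:", summary["likely_lsm_denial"])
```

When the summary says EACCES but the audit log is clean, the next step taken in this thread applies: the denials are probably covered by dontaudit rules, and `semodule -DB` rebuilds the policy with those rules disabled so the AVC messages become visible (`semodule -B` restores the normal build afterwards).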
Created attachment 325620: emerge info
Yup, confirmed with stable & unstable. Seems it has something to do with the Linux kernel (?); I didn't really notice this earlier and just recently updated the kernel to 3.5.4-hardened-r2.
After you clued me in on showing otherwise hidden avc messages (semodule -DB) I seem to be able to mount cgroups properly. Of the sec modules I've been creating, here's the output from:

$ grep -r 'cgroup\|mount' ./*/*.te | grep allow
./initrcfixes/initrcfixes.te:allow initrc_t mount_t:process { siginh rlimitinh noatsecure };
./mountfixes/mountfixes.te:allow mount_t cgroup_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t device_t:chr_file { read write };
./mountfixes/mountfixes.te:allow mount_t mnt_t:dir write;
./mountfixes/mountfixes.te:allow mount_t root_t:dir write;
./mountfixes/mountfixes.te:allow mount_t security_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t var_run_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t tmp_t:dir { write setattr };
./tmpfs/tmpfs.te:allow mount_t tmpfs_t:file { read write open getattr setattr create lock };
./tmpfs/tmpfs.te:allow mount_t tmpfs_t:dir { read write search open getattr setattr add_name };

Perhaps that is enough to get started. I suspect the crucial fixes are in that set of allow-rules. If not, I can post all the .te files I've created...
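Local policy modules generated from AVC denials (as in the comment above) are worth a read before they are loaded, since a denial on a mislabelled path tends to turn into an allow rule on a generic type. As an added example that is not part of this thread, the following Python parses grep output of the form `<path>:allow <source> <target>:<class> <perm | { perms }>;` into structured rules and then separates the rules that touch cgroup_t from those that grant `write` on deliberately generic reference-policy types. The sample lines are constructed in the shape of the grep output above, and the BROAD_TYPES set is an assumption made for the example, not a list taken from the thread.

```python
import re

# Constructed sample: grep -r output lines ("<file>:<rule>") in the shape quoted above.
SAMPLE_GREP = """\
./initrcfixes/initrcfixes.te:allow initrc_t mount_t:process { siginh rlimitinh noatsecure };
./mountfixes/mountfixes.te:allow mount_t cgroup_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t mnt_t:dir write;
./mountfixes/mountfixes.te:allow mount_t root_t:dir write;
./tmpfs/tmpfs.te:allow mount_t tmpfs_t:dir { read write search open getattr setattr add_name };
"""

# Optional "<path>:" prefix, then a single allow rule with either one permission
# or a brace-delimited permission set, terminated by ';'.
ALLOW_RE = re.compile(
    r"^(?:(?P<path>[^:]+):)?\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;\s*$"
)


def parse_allow_rules(text):
    """Turn grep'ed allow lines into dicts; lines that are not allow rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append({
            "path": m.group("path"),
            "source": m.group("src"),
            "target": m.group("tgt"),
            "class": m.group("cls"),
            "perms": sorted(perms),
        })
    return rules


# Generic types from the reference policy. Write access on their directories for a
# domain is usually a sign that the real target (a mount point, a pseudo-fs) was
# mislabelled, so such rules deserve a second look. Assumed list for this example.
BROAD_TYPES = {"root_t", "device_t", "tmp_t", "var_run_t", "mnt_t"}


def review(rules):
    """Return (rules targeting cgroup_t, rules granting write on a broad type)."""
    cgroup = [r for r in rules if r["target"] == "cgroup_t"]
    broad_write = [
        r for r in rules if r["target"] in BROAD_TYPES and "write" in r["perms"]
    ]
    return cgroup, broad_write


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_GREP)
    cgroup_rules, broad_rules = review(parsed)
    for r in cgroup_rules:
        print("cgroup rule:", r["source"], r["target"], r["class"], r["perms"])
    for r in broad_rules:
        print("review (write on generic type):", r["path"], r["target"], r["class"])
```

Run against the real grep output, the "review" list is the set of rules to re-check against `ls -Z` of the directories involved before the module goes into the permanent policy; the cgroup_t rule itself is the narrow one the comment suspects is doing the real work.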
For some reason, the messages disappeared on my test VM (running Linux 3.6.3 now, with selinux-*-9999 policies). If you have made a kernel upgrade since you reported this, can you try removing the policy rules you added and see if you can reproduce the errors?
For me currently, this has disappeared the same way as it occurred: no idea what did it, but a fresh installation doesn't seem to show this anymore.
I can't reproduce it anymore either.