kernel 3.9.4 on Centos6

Dominick Grift dominick.grift at gmail.com
Wed Jun 5 21:22:34 UTC 2013


On Wed, 2013-06-05 at 17:07 -0400, Vadym Chepkov wrote:
> On Jun 5, 2013, at 5:03 PM, Dominick Grift wrote:
> 
> > On Wed, 2013-06-05 at 15:44 -0400, Vadym Chepkov wrote:
> >> Hi,
> >> 
> >> Unfortunately, Linode.com VPS provider doesn't include SELinux support in their kernels, so I had to recompile my kernel with SELinux enabled.
> >> Due to some other limitations they do not support the stock centos6 kernel (2.6.32) and told me to install the latest 3.x, which I did.
> >> But now I see these messages in the kernel boot log, which makes me think my SELinux is "broken":
> >> 
> > 
> > You can ignore those if you like; they aren't that important and it
> > should not break anything. It's just an incompatibility between your
> > policy and kernel versions.
> > 
> 
> This would be the best outcome, but do you mind educating me, what exactly those "permissions" are?
> When I see something like "open in class lnk_file not defined in policy" and "will be allowed" I do feel uncomfortable :)

These are object classes and av permissions that were introduced in the
newer kernel, but your policy is for the older kernel and thus does not
know these new object classes and av permissions. So they will just be
ignored (allowed). So other than a few warnings it really does not
affect anything or change the behavior of the policy, I believe.

It is an incompatibility between kernel and policy. Your kernel is too
new for the policy. Most of the entries are insignificant either way:
audit_access is not important, and execmod on dirs, lnks, fifo, block and
character device nodes aren't applicable either.

Only the wake_alarm, block_suspend, syslog and attach_queue permissions
have some significance, but if you would use a compatible kernel the
functionality that those permissions provide would also be allowed by
default.

So, in my view, really nothing to worry about (and I guess that is also
the reason why Red Hat decided to allow unknown permissions by default).

> 
> Thanks,
> Vadym
> 
> 
> 
> 
> >> dracut: Loading SELinux policy
> >> type=1404 audit(1370460658.483:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> >> SELinux:  Permission audit_access in class file not defined in policy.
> >> SELinux:  Permission audit_access in class dir not defined in policy.
> >> SELinux:  Permission execmod in class dir not defined in policy.
> >> SELinux:  Permission audit_access in class lnk_file not defined in policy.
> >> SELinux:  Permission open in class lnk_file not defined in policy.
> >> SELinux:  Permission execmod in class lnk_file not defined in policy.
> >> SELinux:  Permission audit_access in class chr_file not defined in policy.
> >> SELinux:  Permission audit_access in class blk_file not defined in policy.
> >> SELinux:  Permission execmod in class blk_file not defined in policy.
> >> SELinux:  Permission audit_access in class sock_file not defined in policy.
> >> SELinux:  Permission execmod in class sock_file not defined in policy.
> >> SELinux:  Permission audit_access in class fifo_file not defined in policy.
> >> SELinux:  Permission execmod in class fifo_file not defined in policy.
> >> SELinux:  Permission syslog in class capability2 not defined in policy.
> >> SELinux:  Permission wake_alarm in class capability2 not defined in policy.
> >> SELinux:  Permission block_suspend in class capability2 not defined in policy.
> >> SELinux:  Permission attach_queue in class tun_socket not defined in policy.
> >> SELinux: the above unknown classes and permissions will be allowed
> >> type=1403 audit(1370460659.259:3): policy loaded auid=4294967295 ses=4294967295
> >> 
> >> Is there anything I can do besides changing provider?
> >> 
> >> Thanks,
> >> Vadym
> >> 
> >> 
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > 
> 

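As an added example (not code from this thread), the following script parses the kernel's policy-load messages quoted above into a per-class summary, reads the disposition word from the "will be ..." trailer line, and flags the four permissions Dominick singles out as significant; the embedded log lines are a subset of the quoted boot log, and the NOTABLE set is my reading of his reply.

```python
import re
from collections import defaultdict

# Subset of the policy-load messages from the quoted boot log, embedded as sample input.
BOOT_LOG = """\
SELinux:  Permission audit_access in class file not defined in policy.
SELinux:  Permission execmod in class dir not defined in policy.
SELinux:  Permission open in class lnk_file not defined in policy.
SELinux:  Permission syslog in class capability2 not defined in policy.
SELinux:  Permission wake_alarm in class capability2 not defined in policy.
SELinux:  Permission block_suspend in class capability2 not defined in policy.
SELinux:  Permission attach_queue in class tun_socket not defined in policy.
SELinux: the above unknown classes and permissions will be allowed
"""

PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
DISPOSITION_RE = re.compile(r"SELinux: the above unknown classes and permissions will be (\w+)")

# (class, permission) pairs the reply calls significant (assumption drawn from the thread).
NOTABLE = {("capability2", "syslog"), ("capability2", "wake_alarm"),
           ("capability2", "block_suspend"), ("tun_socket", "attach_queue")}


def parse_policy_load(log):
    # Collect unknown permissions per class and the kernel's stated disposition.
    unknown = defaultdict(set)
    disposition = None
    for line in log.splitlines():
        m = PERM_RE.search(line)
        if m:
            unknown[m.group(2)].add(m.group(1))
            continue
        m = DISPOSITION_RE.search(line)
        if m:
            disposition = m.group(1)  # "allowed" here; the policy's handle-unknown setting decides
    return dict(unknown), disposition


def summarize(log):
    # Split unknown permissions into notable and cosmetic; report whether they are being allowed.
    unknown, disposition = parse_policy_load(log)
    pairs = {(cls, perm) for cls, perms in unknown.items() for perm in perms}
    notable = sorted(pairs & NOTABLE)
    return {
        "unknown_permissions": len(pairs),
        "notable": notable,
        "cosmetic": len(pairs) - len(notable),
        "disposition": disposition,
        "allowed_by_default": disposition == "allowed",
    }
```

Feed it the full `dmesg` output instead of BOOT_LOG to see which of the warnings on a mismatched kernel/policy pair actually touch capabilities or tun sockets.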