On 04/18/2018 04:44 PM, Jaap wrote:
> I am on Fedora 28, 4.16.2-300.fc28.x86_64, on a Dell laptop
> policy: selinux-policy.noarch 3.14.1-18.fc28
(restored selinux list to cc line)
Since this is Fedora-specific, I also added the Fedora selinux mailing list to the cc line above.
You may wish to subscribe to that list if not already on it.
> I do not know if / where SELinux messages are about the crash of SELinux. Does SELinux have a log?

    ausearch -i -m AVC,SELINUX_ERR,USER_AVC -ts boot

will show all SELinux kernel permission denials (AVC), kernel errors (SELINUX_ERR), and userspace permission denials (USER_AVC) since boot. You can use other start time values (e.g. recent, today, ...) and other selectors to control exactly what is reported.
>
>
> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
>>> On 04/18/2018 03:40 PM, Jaap wrote:
>>>> SELinux always crashes at startup. The problem is always reported (says SELinux), but it does not get better.
>>> None of the SELinux messages you showed are errors. They are just informational, and the message "the above unknown
>>> classes and permissions will be allowed" indicates that they won't cause any permission denials.
>> Also, you didn't provide any information about your kernel, distro, policy, etc.
>> Please provide a more complete log (particularly one that shows the actual error) and
>> information about the system in question.
> journalctl | grep selinux gives this:
>
> Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
> Apr 18 21:26:17 localhost.localdomain audit[1613]: USER_START pid=1613 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:17 localhost.localdomain audit[1606]: USER_START pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:50 localhost.localdomain audit[1606]: USER_END pid=1606 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2919]: USER_START pid=2919 uid=0 auid=1000 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:26:57 localhost.localdomain audit[2869]: USER_START pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:33 localhost.localdomain audit[2869]: USER_END pid=2869 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3983]: USER_START pid=3983 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="jaap" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Apr 18 21:27:40 localhost.localdomain audit[3940]: USER_START pid=3940 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="jaap" exe="/usr/libexec/gdm-session-worker" hostname=localhost.localdomain addr=? terminal=/dev/tty2 res=success'
> [jaap@localhost ~]$
>
>>>> from journalctl:
>>>>
>>>>
>>>> n systemd-journald[207]: Received SIGTERM from PID 1 (systemd).
>>>> Aug 15 20:43:44 localhost.localdomain kernel: systemd: 15 output lines suppressed due to ratelimiting
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 32768 avtab hash slots, 107409 rules.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 8 users, 14 roles, 5094 types, 312 bools, 1 sens, 1024 cats
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: 94 classes, 107409 rules
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class icmp_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ax25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ipx_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class netrom_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmpvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class x25_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rose_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class decnet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class atmsvc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rds_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class irda_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class pppox_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class llc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class can_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class tipc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class bluetooth_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class iucv_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class rxrpc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class isdn_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class phonet_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class ieee802154_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class caif_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class alg_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class nfc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class vsock_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class kcm_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class qipcrtr_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Completing initialization.
>>>> Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
>>>
>
>
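
Added example (not part of the original thread, and not code from the SELinux project): a Python script that separates the informational "Class ... not defined in policy" kernel messages from actual AVC denials in journal text and collapses repeated denials into counts. The names `triage` and `SAMPLE` are hypothetical, and the sample lines are constructed by abridging the output quoted above.

```python
import re
from collections import Counter

# Constructed sample: abridged from the journal lines quoted in this thread.
SAMPLE = """\
Apr 18 21:26:06 localhost.localdomain audit[1170]: USER_START pid=1170 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_unix acct="gdm" res=success'
Apr 18 21:26:06 localhost.localdomain systemd[1170]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:07 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Apr 18 21:26:08 localhost.localdomain systemd[1170]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class sctp_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: Class smc_socket not defined in policy.
Aug 15 20:43:44 localhost.localdomain kernel: SELinux: the above unknown classes and permissions will be allowed
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted
INFO_RE = re.compile(r"kernel: SELinux:\s+Class (\w+) not defined in policy")


def triage(text):
    """Return (denials, undefined_classes) for a block of journal text.

    denials counts (source type, target type, class, permission, enforced).
    undefined_classes lists classes from informational policy-load messages.
    """
    denials, undefined_classes = Counter(), []
    for line in text.splitlines():
        info = INFO_RE.search(line)
        if info:  # informational only: unknown classes are allowed
            undefined_classes.append(info.group(1))
            continue
        avc = AVC_RE.search(line)
        if not avc:  # e.g. USER_START lines that merely mention pam_selinux
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(avc.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue
        # A context is user:role:type:level; the type is the third field.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        enforced = f.get("permissive") == "0"
        for perm in avc.group("perms").split():
            denials[(src, tgt, f["tclass"], perm, enforced)] += 1
    return denials, undefined_classes


if __name__ == "__main__":
    found, classes = triage(SAMPLE)
    for (src, tgt, cls, perm, enforced), n in found.most_common():
        print(f"{n}x {src} -> {tgt} {cls}:{perm} enforced={enforced}")
    print("informational (not denials):", ", ".join(classes))
```
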