[Arm-dev] selinux messages during selinux-policy update
Robert Moskowitz
rgm at htt-consult.com
Tue Dec 22 16:41:57 UTC 2015
This seems to be some basic 'issue' with this image. See below.
On 12/22/2015 10:52 AM, Robert Moskowitz wrote:
> I ran yum update via an ssh session and saw the update included:
>
> selinux-policy.noarch 0:3.13.1-60.el7
> selinux-policy-targeted.noarch 0:3.13.1-60.el7
>
>
> Then on my serial console I see:
>
> [41323.407978] SELinux: Class netlink_iscsi_socket not defined in
> policy.
> [41323.414925] SELinux: Class netlink_fib_lookup_socket not defined
> in policy.
> [41323.422242] SELinux: Class netlink_connector_socket not defined in
> policy.
> [41323.429483] SELinux: Class netlink_netfilter_socket not defined in
> policy.
> [41323.436736] SELinux: Class netlink_generic_socket not defined in
> policy.
> [41323.443793] SELinux: Class netlink_scsitransport_socket not
> defined in policy.
> [41323.451346] SELinux: Class netlink_rdma_socket not defined in policy.
> [41323.458115] SELinux: Class netlink_crypto_socket not defined in
> policy.
> [41323.465102] SELinux: Permission audit_read in class capability2
> not defined in policy.
> [41323.473425] SELinux: Class binder not defined in policy.
> [41323.479019] SELinux: the above unknown classes and permissions will
> be allowed
> [41638.997450] Ebtables v2.0 unregistered
> [41641.121256] nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
> [41641.191453] ip6_tables: (C) 2000-2006 Netfilter Core Team
> [41641.449223] Ebtables v2.0 registered
>
I just set up a new image on a sata HD, resized everything as I wanted
with gparted, set selinux to switch to enforcing during first boot. I
logged all the serial output, and see the following BEFORE it hit the
selinux switch:
[ OK ] Reached target Switch Root.
Starting Switch Root...
[ 12.606603] systemd-journald[120]: Received SIGTERM from PID 1 (systemd).
[ 13.913090] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 13.926948] SELinux: Class netlink_fib_lookup_socket not defined in
policy.
[ 13.940976] SELinux: Class netlink_connector_socket not defined in
policy.
[ 13.954902] SELinux: Class netlink_netfilter_socket not defined in
policy.
[ 13.968771] SELinux: Class netlink_generic_socket not defined in policy.
[ 13.982346] SELinux: Class netlink_scsitransport_socket not defined
in policy.
[ 13.996377] SELinux: Class netlink_rdma_socket not defined in policy.
[ 14.009635] SELinux: Class netlink_crypto_socket not defined in policy.
[ 14.023223] SELinux: Permission audit_read in class capability2 not
defined in policy.
[ 14.038156] SELinux: Class binder not defined in policy.
[ 14.050349] SELinux: the above unknown classes and permissions will
be allowed
[ 14.108739] audit: type=1403 audit(14.085:2): policy loaded
auid=4294967295 ses=4294967295
[ 14.154072] systemd[1]: Successfully loaded SELinux policy in 991.684ms.
[ 14.713847] systemd[1]: Relabelled /dev and /run in 298.064ms.
[ 14.780982] random: nonblocking pool is initialized
So this is something in the image. In fact, when the system rebooted
after the selinux switch these messages occurred again:
[ 402.784167] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 402.791081] SELinux: Class netlink_fib_lookup_socket not defined in
policy.
[ 402.798389] SELinux: Class netlink_connector_socket not defined in
policy.
[ 402.805623] SELinux: Class netlink_netfilter_socket not defined in
policy.
[ 402.812855] SELinux: Class netlink_generic_socket not defined in policy.
[ 402.819921] SELinux: Class netlink_scsitransport_socket not defined
in policy.
[ 402.827472] SELinux: Class netlink_rdma_socket not defined in policy.
[ 402.834248] SELinux: Class netlink_crypto_socket not defined in policy.
[ 402.841235] SELinux: Permission audit_read in class capability2 not
defined in policy.
[ 402.849552] SELinux: Class binder not defined in policy.
[ 402.855145] SELinux: the above unknown classes and permissions will
be allowed
Finally, these messages occurred related to the selinux switch:
Welcome to CentOS Linux 7 (Core)!
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
4.0%[ 136.228323] systemd-readahead[353]:
open(/etc/selinux/targeted/modules/active/policy.kern) failed: Too many
levels of symbolic links
Do these warnings matter?
thanks
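
An added example, not part of the original post: one way to turn serial-console output like the above into a per-policy-load summary of which classes and permissions the kernel knows but the loaded policy does not define, and how the kernel says it will treat them. The names `unwrap` and `summarize` and the sample text are constructed for illustration; the sample copies the message shapes quoted in the post, including the mail wrapping.

```python
import re

# Constructed sample in the shape of the console output quoted in the post;
# the mail client wrapped some kernel messages onto a second line.
SAMPLE = """\
[ 13.913090] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 13.926948] SELinux: Class netlink_fib_lookup_socket not defined in
policy.
[ 14.023223] SELinux: Permission audit_read in class capability2 not
defined in policy.
[ 14.038156] SELinux: Class binder not defined in policy.
[ 14.050349] SELinux: the above unknown classes and permissions will
be allowed
[ 14.108739] audit: type=1403 audit(14.085:2): policy loaded
auid=4294967295 ses=4294967295
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
CLASS = re.compile(r"SELinux:\s+Class (\S+) not defined in policy")
PERM = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
VERDICT = re.compile(r"SELinux:\s+the above unknown classes and permissions will be (\w+)")

def unwrap(text):
    """Rejoin wrapped lines: a line with no [timestamp] continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # also accept '>'-quoted mail text
        if STAMP.match(line):
            records.append(STAMP.sub("", line))
        elif line and records:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return one report per policy load: undefined classes, (class, perm) pairs, verdict."""
    reports, cur = [], {"classes": [], "perms": [], "verdict": None}
    for rec in unwrap(text):
        if m := PERM.search(rec):
            cur["perms"].append((m.group(2), m.group(1)))
        elif m := CLASS.search(rec):
            cur["classes"].append(m.group(1))
        elif m := VERDICT.search(rec):
            cur["verdict"] = m.group(1)          # the summary line closes one policy load
            reports.append(cur)
            cur = {"classes": [], "perms": [], "verdict": None}
    return reports

if __name__ == "__main__":
    for report in summarize(SAMPLE):
        print(report)
```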