[Arm-dev] selinux messages during selinux-policy update

Tue Dec 22 16:41:57 UTC 2015
Robert Moskowitz <rgm at htt-consult.com>

This seems to be some basic 'issue' with this image.  See below.

On 12/22/2015 10:52 AM, Robert Moskowitz wrote:
> I ran yum update via an ssh session and saw the update included:
>
>   selinux-policy.noarch 0:3.13.1-60.el7
>   selinux-policy-targeted.noarch 0:3.13.1-60.el7
>
>
> Then on my serial console I see:
>
> [41323.407978] SELinux:  Class netlink_iscsi_socket not defined in policy.
> [41323.414925] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
> [41323.422242] SELinux:  Class netlink_connector_socket not defined in policy.
> [41323.429483] SELinux:  Class netlink_netfilter_socket not defined in policy.
> [41323.436736] SELinux:  Class netlink_generic_socket not defined in policy.
> [41323.443793] SELinux:  Class netlink_scsitransport_socket not defined in policy.
> [41323.451346] SELinux:  Class netlink_rdma_socket not defined in policy.
> [41323.458115] SELinux:  Class netlink_crypto_socket not defined in policy.
> [41323.465102] SELinux:  Permission audit_read in class capability2 not defined in policy.
> [41323.473425] SELinux:  Class binder not defined in policy.
> [41323.479019] SELinux: the above unknown classes and permissions will be allowed
> [41638.997450] Ebtables v2.0 unregistered
> [41641.121256] nf_conntrack version 0.5.0 (15901 buckets, 63604 max)
> [41641.191453] ip6_tables: (C) 2000-2006 Netfilter Core Team
> [41641.449223] Ebtables v2.0 registered
>

I just set up a new image on a sata HD, resized everything as I wanted 
with gparted, set selinux to switch to enforcing during first boot.  I 
logged all the serial output, and see the following BEFORE it hit the 
selinux switch:

[  OK  ] Reached target Switch Root.
          Starting Switch Root...
[   12.606603] systemd-journald[120]: Received SIGTERM from PID 1 (systemd).
[   13.913090] SELinux:  Class netlink_iscsi_socket not defined in policy.
[   13.926948] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
[   13.940976] SELinux:  Class netlink_connector_socket not defined in policy.
[   13.954902] SELinux:  Class netlink_netfilter_socket not defined in policy.
[   13.968771] SELinux:  Class netlink_generic_socket not defined in policy.
[   13.982346] SELinux:  Class netlink_scsitransport_socket not defined in policy.
[   13.996377] SELinux:  Class netlink_rdma_socket not defined in policy.
[   14.009635] SELinux:  Class netlink_crypto_socket not defined in policy.
[   14.023223] SELinux:  Permission audit_read in class capability2 not defined in policy.
[   14.038156] SELinux:  Class binder not defined in policy.
[   14.050349] SELinux: the above unknown classes and permissions will be allowed
[   14.108739] audit: type=1403 audit(14.085:2): policy loaded auid=4294967295 ses=4294967295
[   14.154072] systemd[1]: Successfully loaded SELinux policy in 991.684ms.
[   14.713847] systemd[1]: Relabelled /dev and /run in 298.064ms.
[   14.780982] random: nonblocking pool is initialized

So this is something in the image.  In fact when the system rebooted 
after the selinux switch these messages occurred again:

[  402.784167] SELinux:  Class netlink_iscsi_socket not defined in policy.
[  402.791081] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
[  402.798389] SELinux:  Class netlink_connector_socket not defined in policy.
[  402.805623] SELinux:  Class netlink_netfilter_socket not defined in policy.
[  402.812855] SELinux:  Class netlink_generic_socket not defined in policy.
[  402.819921] SELinux:  Class netlink_scsitransport_socket not defined in policy.
[  402.827472] SELinux:  Class netlink_rdma_socket not defined in policy.
[  402.834248] SELinux:  Class netlink_crypto_socket not defined in policy.
[  402.841235] SELinux:  Permission audit_read in class capability2 not defined in policy.
[  402.849552] SELinux:  Class binder not defined in policy.
[  402.855145] SELinux: the above unknown classes and permissions will be allowed

Finally these messages occurred related to the selinux switch:

Welcome to CentOS Linux 7 (Core)!

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
4.0%[  136.228323] systemd-readahead[353]: open(/etc/selinux/targeted/modules/active/policy.kern) failed: Too many levels of symbolic links

Do these warnings matter?

thanks
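Added example, not part of the thread above: the "Class ... not defined in policy" lines mean the running kernel knows object classes (binder, the newer netlink_*_socket classes, the audit_read capability) that the loaded policy does not define, and the "will be allowed" line is the kernel reporting the policy's handle_unknown setting, i.e. access checks in those classes are granted to every domain until a policy that defines them is installed. The POSIX sh below pulls those items out of kernel log text, reads the handling mode from the log and, on a live system, from selinuxfs, and prints a one-line assessment. The sample log is constructed from the messages in this thread (one message per line, as dmesg prints them); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux "not defined in
# policy" kernel messages and report how the policy handles the unknowns.
# Assumes a POSIX sh with awk; the live check assumes selinuxfs is mounted
# at /sys/fs/selinux, the usual location.

# Constructed sample built from the thread's serial console output.
SAMPLE_LOG='[   13.913090] SELinux:  Class netlink_iscsi_socket not defined in policy.
[   13.926948] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
[   13.940976] SELinux:  Class netlink_connector_socket not defined in policy.
[   13.954902] SELinux:  Class netlink_netfilter_socket not defined in policy.
[   13.968771] SELinux:  Class netlink_generic_socket not defined in policy.
[   13.982346] SELinux:  Class netlink_scsitransport_socket not defined in policy.
[   13.996377] SELinux:  Class netlink_rdma_socket not defined in policy.
[   14.009635] SELinux:  Class netlink_crypto_socket not defined in policy.
[   14.023223] SELinux:  Permission audit_read in class capability2 not defined in policy.
[   14.038156] SELinux:  Class binder not defined in policy.
[   14.050349] SELinux: the above unknown classes and permissions will be allowed
[   14.108739] audit: type=1403 audit(14.085:2): policy loaded auid=4294967295 ses=4294967295'

# Read kernel log lines on stdin; print one line per undefined item:
#   class <name>      or      perm <class>:<permission>
selinux_undefined_from_log() {
    awk '
        /SELinux: +Class .* not defined in policy/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Class") { print "class " $(i + 1); break }
        }
        /SELinux: +Permission .* in class .* not defined in policy/ {
            p = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Permission") p = $(i + 1)
                if ($i == "class") c = $(i + 1)
            }
            print "perm " c ":" p
        }
    '
}

# Number of undefined items in the log text on stdin (always exits 0).
selinux_undefined_count() {
    selinux_undefined_from_log | awk 'END { print NR }'
}

# What the kernel said it does with the unknowns, taken from the last
# "will be ..." summary line: "allowed", "denied", or "unknown" if absent.
selinux_unknown_mode_from_log() {
    mode=$(awk '/SELinux: the above unknown classes and permissions will be/ { print $NF }' | tail -n 1)
    if [ -n "$mode" ]; then echo "$mode"; else echo unknown; fi
}

# Live cross-check: selinuxfs exposes the loaded policy's handle_unknown
# setting as deny_unknown (0 = unknowns allowed, 1 = unknowns denied).
selinux_unknown_mode_live() {
    f=/sys/fs/selinux/deny_unknown
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            0) echo allowed ;;
            1) echo denied ;;
            *) echo unknown ;;
        esac
    else
        echo unknown   # SELinux disabled or selinuxfs not mounted
    fi
}

# One-line assessment from the count of undefined items and the mode.
selinux_undefined_verdict() {
    count=$1; mode=$2
    if [ "$count" -eq 0 ]; then
        echo "ok: the policy defines every class and permission this kernel uses"
    elif [ "$mode" = allowed ]; then
        echo "warning: $count unknown classes/permissions are granted to every domain until the policy is updated"
    elif [ "$mode" = denied ]; then
        echo "blocked: $count unknown classes/permissions are refused to every domain"
    else
        echo "unknown: cannot tell how $count unknown classes/permissions are handled"
    fi
}

# Demo on the constructed sample; on a real box replace the printf with
# `dmesg` (or `journalctl -k`) and compare with selinux_unknown_mode_live.
printf '%s\n' "$SAMPLE_LOG" | selinux_undefined_from_log
count=$(printf '%s\n' "$SAMPLE_LOG" | selinux_undefined_count)
mode=$(printf '%s\n' "$SAMPLE_LOG" | selinux_unknown_mode_from_log)
selinux_undefined_verdict "$count" "$mode"
```

The log-derived mode and the live deny_unknown value should agree; if they do not, the policy loaded at boot is not the one currently in place, which is worth knowing after an update like the one in this thread.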