[Arm-dev] Solved kind of - Re: semanage messages with selinux enforced

Tue Dec 22 16:49:11 UTC 2015
Robert Moskowitz <rgm at htt-consult.com>

As you may note from my other selinux message post, these are messages 
that are just there in selinux, having nothing much to do with running 
semanage.  They indicate a potential issue that since semanage is making 
one change, there are some 'outstanding problems'?

On 12/21/2015 04:04 PM, Robert Moskowitz wrote:
> So one of the first things I do on a new system is to move SSHD to a 
> different port.  The semanage command is now well documented in the 
> config file:
>
> # semanage port -a -t ssh_port_t -p tcp 1234
>
> That is not the port I use, but the port number is not important. I 
> get the following messages.  Note that on my Fedora notebooks and 
> Fedora23-arm builds I do not get these messages with the same command:
>
> [ 2764.233201] SELinux:  Class netlink_iscsi_socket not defined in policy.
> [ 2764.240183] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
> [ 2764.247573] SELinux:  Class netlink_connector_socket not defined in policy.
> [ 2764.254900] SELinux:  Class netlink_netfilter_socket not defined in policy.
> [ 2764.262239] SELinux:  Class netlink_generic_socket not defined in policy.
> [ 2764.269398] SELinux:  Class netlink_scsitransport_socket not defined in policy.
> [ 2764.277027] SELinux:  Class netlink_rdma_socket not defined in policy.
> [ 2764.283880] SELinux:  Class netlink_crypto_socket not defined in policy.
> [ 2764.290990] SELinux:  Permission audit_read in class capability2 not defined in policy.
> [ 2764.299367] SELinux:  Class binder not defined in policy.
> [ 2764.305053] SELinux: the above unknown classes and permissions will be allowed
>
> The semanage command seems to have worked, as I can connect to sshd on 
> the port I moved it to.
>
> I don't know if this constitutes a bug to file a bug report or not. I 
> did this on the serial console and maybe that is why I am seeing these 
> messages.  But I do it on the serial console port with F23-arm and 
> don't get these messages.
>
>
> _______________________________________________
> Arm-dev mailing list
> Arm-dev at centos.org
> https://lists.centos.org/mailman/listinfo/arm-dev
>
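A small parser for the kernel messages quoted above, added here as an illustration and not code from the thread or from the SELinux project: it pulls the classes and permissions the loaded policy does not define out of kernel-log text and reports whether the kernel said it will allow them, which is the state the last quoted line reports and which a running kernel also exposes as /sys/fs/selinux/deny_unknown. The sample log text is constructed from the quoted output; the sysfs path is the standard selinuxfs mount and the helper simply returns None where it is absent.

```python
import re
from pathlib import Path

# Constructed sample built from the messages quoted in the post (not a live dmesg capture).
SAMPLE_DMESG = """\
[ 2764.233201] SELinux:  Class netlink_iscsi_socket not defined in policy.
[ 2764.290990] SELinux:  Permission audit_read in class capability2 not defined in policy.
[ 2764.299367] SELinux:  Class binder not defined in policy.
[ 2764.305053] SELinux: the above unknown classes and permissions will be allowed
"""

CLASS_RE = re.compile(r"SELinux:\s+Class (\S+) not defined in policy")
PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
VERDICT_RE = re.compile(r"SELinux: the above unknown classes and permissions will be (allowed|denied)")


def parse_unknown_policy_msgs(text):
    """Return (classes, perms, verdict) from kernel-log text.
    classes: object classes the kernel knows but the loaded policy does not define
    perms:   (permission, class) pairs the loaded policy does not define
    verdict: 'allowed', 'denied', or None if no summary line was printed
    """
    classes, perms, verdict = [], [], None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            classes.append(m.group(1))
            continue
        m = PERM_RE.search(line)
        if m:
            perms.append((m.group(1), m.group(2)))
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdict = m.group(1)
    return classes, perms, verdict


def deny_unknown_setting(selinuxfs="/sys/fs/selinux"):
    """Read the live kernel flag (1 = unknown classes/permissions are denied).
    Returns None when selinuxfs is not mounted, e.g. on a host without SELinux."""
    try:
        return int((Path(selinuxfs) / "deny_unknown").read_text().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    cls, prm, verdict = parse_unknown_policy_msgs(SAMPLE_DMESG)
    print("undefined classes:", cls)
    print("undefined permissions:", prm)
    print("kernel verdict for unknowns:", verdict, "| live deny_unknown:", deny_unknown_setting())
```

A verdict of "allowed" means the policy on that box is older than the kernel and was built to permit what it does not know; comparing it with the live flag on the Fedora hosts that print nothing shows whether their policy simply defines these classes or handles unknowns differently.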