Hello everyone,
I have a minimal installation of CentOS 7 (3.10.0-229.el7.x86_64). I installed selinux-policy-mls and touched /.autorelabel. After the system rebooted and relabeled, I have the problem that there is no default label for some files; I think this is because the MLS policy does not have the unconfined modules included. Can anyone suggest how to relabel the system correctly, or how to correct the labeling?
Thanks
Here is my audit.log
# audit2allow output from a CentOS 7 host running the MLS policy after an
# autorelabel (see the post above). Every "allow" line below is a denial from
# the audit log rewritten as the rule that would silence it; the "mlsconstrain"
# blocks are denials that come from MLS level constraints rather than from a
# missing type-enforcement rule, and audit2allow itself says an allow rule
# cannot clear those.
#
# Reading this as a whole: the target type in most denials is unlabeled_t,
# i.e. the object still carries no label that the loaded policy recognises.
# That points at incomplete or wrong labeling, not at missing policy. Loading
# these rules as a module would hide the symptom and give every listed domain
# blanket access to unlabeled files; the labeling is what should be corrected.
# NOTE(review): the usual route is a second relabel performed under the MLS
# policy (restorecon / fixfiles) — confirm against the distribution's MLS
# setup notes before relying on it.
#============= auditctl_t ==============
# An unlabeled_t file read by auditctl — a mislabeled file, not a policy gap.
allow auditctl_t unlabeled_t:file read;
#============= chkpwd_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# The process runs with range s0-s15:c0.c1023, so its current (low) level is
# s0, while the target file sits at s15:c0.c1023. Read access needs the
# current level to dominate the target (l1 dom l2), which fails; only the
# clearance (h1 dom l2) passes, and that alternative is tied to type
# exemptions that do not apply here.
mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1=chkpwd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=chkpwd_t eq TYPE_ENTRY -Fail-) or (t2=unlabeled_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
# NOTE(review): an unlabeled_t file at SystemHigh suggests the level as well
# as the type is wrong on it — check the actual path with ls -Z.
allow chkpwd_t unlabeled_t:file { read getattr };
#============= crond_t ==============
allow crond_t unlabeled_t:file { read getattr open };
#============= dmesg_t ==============
allow dmesg_t unlabeled_t:file { read getattr open };
#============= hostname_t ==============
allow hostname_t unlabeled_t:file open;
#============= ifconfig_t ==============
allow ifconfig_t unlabeled_t:file { read getattr open };
#============= init_t ==============
# Under the MLS policy init is confined, so init_t denials show up here where
# the targeted policy would have let them through. NOTE(review): the dir and
# var_log_t file accesses may be one-off consequences of the relabel boot
# rather than steady-state behaviour — recheck after a clean relabel.
allow init_t root_t:dir remove_name;
allow init_t rpm_script_tmp_t:dir read;
allow init_t unlabeled_t:file { read open };
allow init_t user_fonts_t:dir read;
allow init_t var_log_t:file { rename create unlink };
#============= initrc_t ==============
# A unit queried as etc_t rather than a unit-file type. NOTE(review): likely
# another labeling symptom; check the context of the unit file involved.
allow initrc_t etc_t:service status;
allow initrc_t unlabeled_t:file { read ioctl open };
#============= irqbalance_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# Same level mismatch as for chkpwd_t, but here the target is an etc_t
# directory at s15:c0.c1023. NOTE(review): an etc_t directory at SystemHigh is
# unexpected on a default install — identify the path and its level.
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=irqbalance_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=irqbalance_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=irqbalance_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=irqbalance_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow irqbalance_t etc_t:dir search;
allow irqbalance_t unlabeled_t:file { read getattr open };
#============= kdumpctl_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow kdumpctl_t etc_t:dir search;
allow kdumpctl_t unlabeled_t:file { read getattr open };
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# Write-class directory operations: the first alternative requires equal
# levels (l1 eq l2), and the remaining ones pair a type exemption with a
# dominance test. With the process at s0 and a var_t directory at s15 every
# alternative fails, so these cannot be fixed by allow rules either.
mlsconstrain dir { add_name remove_name reparent rmdir } ((l1 eq l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (l1 dom l2 -Fail-) and (l1 domby h2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) and (l1 domby l2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) and (l1 domby l2 -Pass-) or (t2=var_t eq TYPE_ENTRY -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=kdumpctl_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
# NOTE(review): a var_t directory at s15:c0.c1023 is as unexpected as the
# etc_t one above — the same path-and-level check applies.
allow kdumpctl_t var_t:dir { getattr search };
#============= netutils_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1=netutils_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=netutils_t eq TYPE_ENTRY -Fail-) or (t2=unlabeled_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow netutils_t unlabeled_t:file { read getattr };
#============= plymouthd_t ==============
# The devpts_t setattr is the one denial here that is not obviously a
# labeling artefact. NOTE(review): treat separately from the relabel issue.
allow plymouthd_t devpts_t:chr_file setattr;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t etc_t:dir search;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) or (t2=unlabeled_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t unlabeled_t:file { read getattr };
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=plymouthd_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t var_t:dir search;
#============= system_cronjob_t ==============
allow system_cronjob_t unlabeled_t:file { read open };
#============= systemd_sysctl_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=systemd_sysctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=systemd_sysctl_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=systemd_sysctl_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=systemd_sysctl_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow systemd_sysctl_t etc_t:dir { getattr search };
allow systemd_sysctl_t unlabeled_t:file { read getattr open };
#============= tuned_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# Same write-class constraint shape as for kdumpctl_t above, this time on an
# etc_t directory at s15; see the comment there.
mlsconstrain dir { add_name remove_name reparent rmdir } ((l1 eq l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (l1 dom l2 -Fail-) and (l1 domby h2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) and (l1 domby l2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) and (l1 domby l2 -Pass-) or (t2=etc_t eq TYPE_ENTRY -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=etc_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow tuned_t etc_t:dir search;
allow tuned_t unlabeled_t:file { read getattr open };
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) and (h1 dom L2 -Pass-) or (t1=tuned_t eq TYPE_ENTRY -Fail-) or (t2=var_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow tuned_t var_t:dir search;
#============= udev_t ==============
allow udev_t unlabeled_t:file { read getattr open };