[root@anolis810 ~]# yum install -y selinux-policy-mls policycoreutils-python-utils AnolisOS-8 - Kernel 5.10 65 kB/s | 3.8 kB 00:00 Dependencies resolved. ====================================================================================================================== Package Architecture Version Repository Size ====================================================================================================================== Installing: policycoreutils-python-utils noarch 2.9-26.an8 BaseOS 253 k selinux-policy-mls noarch 3.14.3-139.0.1.an8.1 BaseOS 7.4 M Installing dependencies: checkpolicy x86_64 2.9-1.el8 BaseOS 345 k mcstrans x86_64 2.9-2.0.1.an8 BaseOS 135 k policycoreutils-newrole x86_64 2.9-26.an8 BaseOS 199 k python3-audit x86_64 3.1.2-1.0.1.an8 BaseOS 87 k python3-libsemanage x86_64 2.9-11.0.1.an8 BaseOS 128 k python3-policycoreutils noarch 2.9-26.an8 BaseOS 2.3 M python3-setools x86_64 4.3.0-5.an8 BaseOS 626 k Transaction Summary ====================================================================================================================== Install 9 Packages Total download size: 11 M Installed size: 27 M Downloading Packages: (1/9): policycoreutils-newrole-2.9-26.an8.x86_64.rpm 693 kB/s | 199 kB 00:00 (2/9): mcstrans-2.9-2.0.1.an8.x86_64.rpm 426 kB/s | 135 kB 00:00 (3/9): checkpolicy-2.9-1.el8.x86_64.rpm 1.0 MB/s | 345 kB 00:00 (4/9): python3-audit-3.1.2-1.0.1.an8.x86_64.rpm 709 kB/s | 87 kB 00:00 (5/9): policycoreutils-python-utils-2.9-26.an8.noarch.rpm 1.6 MB/s | 253 kB 00:00 (6/9): python3-libsemanage-2.9-11.0.1.an8.x86_64.rpm 767 kB/s | 128 kB 00:00 (7/9): python3-setools-4.3.0-5.an8.x86_64.rpm 1.5 MB/s | 626 kB 00:00 (8/9): python3-policycoreutils-2.9-26.an8.noarch.rpm 4.6 MB/s | 2.3 MB 00:00 (9/9): selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch.rpm 6.7 MB/s | 7.4 MB 00:01 ---------------------------------------------------------------------------------------------------------------------- Total 6.8 MB/s | 11 MB 00:01 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : python3-setools-4.3.0-5.an8.x86_64 1/9 Installing : python3-libsemanage-2.9-11.0.1.an8.x86_64 2/9 Installing : python3-audit-3.1.2-1.0.1.an8.x86_64 3/9 Installing : policycoreutils-newrole-2.9-26.an8.x86_64 4/9 Installing : mcstrans-2.9-2.0.1.an8.x86_64 5/9 Running scriptlet: mcstrans-2.9-2.0.1.an8.x86_64 5/9 Installing : checkpolicy-2.9-1.el8.x86_64 6/9 Installing : python3-policycoreutils-2.9-26.an8.noarch 7/9 Installing : policycoreutils-python-utils-2.9-26.an8.noarch 8/9 Running scriptlet: selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch 9/9 Installing : selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch 9/9 Running scriptlet: selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch 9/9 Verifying : checkpolicy-2.9-1.el8.x86_64 1/9 Verifying : mcstrans-2.9-2.0.1.an8.x86_64 2/9 Verifying : policycoreutils-newrole-2.9-26.an8.x86_64 3/9 Verifying : policycoreutils-python-utils-2.9-26.an8.noarch 4/9 Verifying : python3-audit-3.1.2-1.0.1.an8.x86_64 5/9 Verifying : python3-libsemanage-2.9-11.0.1.an8.x86_64 6/9 Verifying : python3-policycoreutils-2.9-26.an8.noarch 7/9 Verifying : python3-setools-4.3.0-5.an8.x86_64 8/9 Verifying : selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch 9/9 Installed: checkpolicy-2.9-1.el8.x86_64 mcstrans-2.9-2.0.1.an8.x86_64 policycoreutils-newrole-2.9-26.an8.x86_64 policycoreutils-python-utils-2.9-26.an8.noarch python3-audit-3.1.2-1.0.1.an8.x86_64 python3-libsemanage-2.9-11.0.1.an8.x86_64 python3-policycoreutils-2.9-26.an8.noarch python3-setools-4.3.0-5.an8.x86_64 selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch Complete! [root@anolis810 ~]# sed -i "s#SELINUX\=disabled#SELINUX\=permissive#" /etc/selinux/config [root@anolis810 ~]# sed -i "s#SELINUXTYPE\=targeted#SELINUXTYPE\=mls#" /etc/selinux/config [root@anolis810 ~]# systemctl enable auditd Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /usr/lib/systemd/system/auditd.service. [root@anolis810 ~]# fixfiles -F onboot System will relabel on next boot [root@anolis810 ~]# reboot Last login: Thu Apr 24 11:31:23 2025 from 192.168.10.1 [root@anolis810 ~]# grep 'denied' /var/log/audit/audit.log |head type=AVC msg=audit(1745483528.284:33): avc: denied { watch } for pid=812 comm="systemd-logind" path="/run/utmp" dev="tmpfs" ino=518 scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1745483528.895:34): avc: denied { watch } for pid=808 comm="dbus-daemon" path="/usr/share/dbus-1/system.d" dev="dm-0" ino=68269914 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483528.895:35): avc: denied { watch } for pid=808 comm="dbus-daemon" path="/etc/dbus-1/system.d" dev="dm-0" ino=695996 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.442:39): avc: denied { integrity } for pid=835 comm="modprobe" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown permissive=1 type=AVC msg=audit(1745483530.622:43): avc: denied { watch } for pid=834 comm="NetworkManager" path="/usr/lib/firmware" dev="dm-0" ino=36301 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.625:45): avc: denied { watch } for pid=834 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=519 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.626:46): avc: denied { watch } for pid=834 comm="NetworkManager" path="/run/systemd/sessions" dev="tmpfs" ino=520 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.626:47): avc: denied { watch } for pid=834 comm="NetworkManager" path="/run/systemd/machines" dev="tmpfs" ino=522 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.866:51): avc: denied { watch } for pid=855 comm="crond" path="/var/spool/cron" dev="dm-0" ino=889648 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1745483530.866:52): avc: denied { watch } for pid=855 comm="crond" path="/etc/cron.d" dev="dm-0" ino=34259913 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=1 [root@anolis810 ~]# [root@anolis810 ~]# uname -a Linux anolis810 5.10.134-18.an8.x86_64 #1 SMP Fri Dec 13 16:32:58 CST 2024 x86_64 x86_64 x86_64 GNU/Linux [root@anolis810 ~]# audit2allow < /var/log/audit/audit.log libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_security_class: unrecognized class lockdown libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit libsepol.sepol_string_to_av_perm: could not convert watch to av bit #============= fsadm_t ============== allow fsadm_t nvme_device_t:blk_file { ioctl open read }; #============= kmod_t ============== allow kmod_t self:lockdown integrity; #============= staff_t ============== allow staff_t admin_home_t:file setattr; allow staff_t auditd_log_t:dir { open read search }; allow staff_t auditd_log_t:file { ioctl open read }; allow staff_t security_t:security read_policy; #============= tuned_t ============== allow tuned_t NetworkManager_t:dir { getattr open read search }; allow tuned_t NetworkManager_t:file { getattr ioctl open read }; allow tuned_t auditd_t:dir { getattr open read search }; allow tuned_t auditd_t:file { getattr ioctl open read }; allow tuned_t chronyd_t:dir { getattr open read search }; allow tuned_t chronyd_t:file { getattr ioctl open read }; allow tuned_t crond_t:dir { getattr open read search }; allow tuned_t crond_t:file { getattr ioctl open read }; allow tuned_t firewalld_t:dir { getattr open read search }; allow tuned_t firewalld_t:file { getattr ioctl open read }; allow tuned_t init_t:dir read; allow tuned_t init_t:file { getattr ioctl open read }; allow tuned_t irqbalance_t:dir { getattr open read search }; allow tuned_t irqbalance_t:file { getattr ioctl open read }; allow tuned_t kernel_t:dir { getattr open read search }; allow tuned_t kernel_t:file { getattr ioctl open read }; allow tuned_t policykit_t:dir { getattr open read search }; allow tuned_t policykit_t:file { getattr ioctl open read }; allow tuned_t sshd_t:dir { getattr open read search }; allow tuned_t sshd_t:file { getattr ioctl open read }; allow tuned_t syslogd_t:dir { getattr open read search }; allow tuned_t syslogd_t:file { getattr ioctl open read }; allow tuned_t system_dbusd_t:dir { getattr open read search }; allow tuned_t system_dbusd_t:file { getattr ioctl open read }; allow tuned_t systemd_hostnamed_t:dir { getattr open read search }; allow tuned_t systemd_hostnamed_t:file { getattr ioctl open read }; allow tuned_t systemd_logind_t:dir { getattr open read search }; allow tuned_t systemd_logind_t:file { getattr ioctl open read }; allow tuned_t tuned_etc_t:file write; allow tuned_t udev_t:dir { getattr open read search }; allow tuned_t udev_t:file { getattr ioctl open read }; [root@anolis810 ~]#