Bug 20657 - audit2allow reports an error when generating SELinux policy
Summary: audit2allow reports an error when generating SELinux policy
Status: NEW
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: X86
Version: 5.10.y-18
Hardware: x86_64 Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: Guanjun
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2025-04-24 16:36 UTC by liquan
Modified: 2025-04-24 16:36 UTC

See Also:


Attachments
Reproduction procedure for the audit2allow error. (13.24 KB, text/plain)
2025-04-24 16:36 UTC, liquan

Description liquan 2025-04-24 16:36:32 UTC
Created attachment 1334
Reproduction procedure for the audit2allow error.

Description of problem:
audit2allow reports an error when generating SELinux policy. The AnolisOS-8.6-x86_64 image works normally; the AnolisOS-8.6-x86_64 image reports an error. It seems to be related to the watch permission.

Version-Release number of selected component (if applicable):
Linux anolis810 5.10.134-18.an8.x86_64 #1 SMP Fri Dec 13 16:32:58 CST 2024 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
Using the audit2allow tool to generate SELinux policy reports an error; the failing command is as follows:
audit2allow < /var/log/audit/audit.log 

Steps to Reproduce:
1. Install the SELinux MLS policy module and the policy management tools
yum install -y selinux-policy-mls policycoreutils-python-utils

2. Modify the SELinux configuration file
sed -i "s#SELINUX\=disabled#SELINUX\=permissive#" /etc/selinux/config
sed -i "s#SELINUXTYPE\=targeted#SELINUXTYPE\=mls#" /etc/selinux/config

3. Enable auditd logging at boot
systemctl enable auditd

4. Regenerate the SELinux labels
fixfiles -F onboot

5. Reboot the server
reboot

6. Use audit2allow to generate the suggested SELinux policy. This step reports the error.
audit2allow < /var/log/audit/audit.log 

Actual results:
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_security_class: unrecognized class lockdown
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit

Expected results:
The policy suggestions are generated successfully, without errors.

Additional info:
[root@anolis810 ~]# grep 'denied' /var/log/audit/audit.log |head
type=AVC msg=audit(1745476514.294:395): avc:  denied  { write } for  pid=1058 comm="bash" name="audit.log" dev="dm-0" ino=67190527 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1745476516.083:396): avc:  denied  { setattr } for  pid=1058 comm="bash" name=".bash_history" dev="dm-0" ino=68701260 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1745476516.087:397): avc:  denied  { watch } for  pid=1 comm="systemd" path="/run/systemd/ask-password" dev="tmpfs" ino=37 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745476516.153:405): avc:  denied  { open } for  pid=1585 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=247 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476516.153:406): avc:  denied  { ioctl } for  pid=1585 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=247 ioctlcmd=0x1272 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476518.012:452): avc:  denied  { watch } for  pid=1649 comm="systemd-udevd" path="/dev/dm-1" dev="devtmpfs" ino=287 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file permissive=1
type=AVC msg=audit(1745476538.843:21): avc:  denied  { watch } for  pid=733 comm="systemd-udevd" path="/dev/dm-0" dev="devtmpfs" ino=279 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file permissive=1
type=AVC msg=audit(1745476538.876:22): avc:  denied  { open } for  pid=762 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=145 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476538.876:23): avc:  denied  { ioctl } for  pid=762 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=145 ioctlcmd=0x1272 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476539.317:34): avc:  denied  { watch } for  pid=825 comm="systemd-logind" path="/run/utmp" dev="tmpfs" ino=444 scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
[root@anolis810 ~]# 
[root@anolis810 ~]# audit2allow < /var/log/audit/audit.log 
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_security_class: unrecognized class lockdown
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
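The messages in the transcript above come from a mismatch between what the running kernel reports and what the installed policy and libsepol can express: the 5.10 kernel logs AVC records for the `watch` permission and the `lockdown` class, and audit2allow cannot map those names onto a policy that does not define them. The script below is an added example, not part of this bug report or of the audit2allow tool. It parses the AVC lines quoted above (plus one constructed `lockdown` record standing in for the "unrecognized class lockdown" message), checks each against a constructed, deliberately old permission table (`KNOWN_CLASSES`, an assumption rather than any real policy), separates the records that can become allow rules from the ones that would trigger the `could not convert` / `unrecognized class` errors, and prints rules for the former. This lets an administrator see which denials audit2allow would silently drop before trusting its output.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the bug report above, plus one
# constructed "lockdown" record (audit id 500) mirroring the "unrecognized class" error.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1745476514.294:395): avc:  denied  { write } for  pid=1058 comm="bash" name="audit.log" dev="dm-0" ino=67190527 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1745476516.083:396): avc:  denied  { setattr } for  pid=1058 comm="bash" name=".bash_history" dev="dm-0" ino=68701260 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1745476516.087:397): avc:  denied  { watch } for  pid=1 comm="systemd" path="/run/systemd/ask-password" dev="tmpfs" ino=37 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745476516.153:405): avc:  denied  { open } for  pid=1585 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=247 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476516.153:406): avc:  denied  { ioctl } for  pid=1585 comm="lvm" path="/dev/nvme0n1p2" dev="devtmpfs" ino=247 ioctlcmd=0x1272 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1745476518.012:452): avc:  denied  { watch } for  pid=1649 comm="systemd-udevd" path="/dev/dm-1" dev="devtmpfs" ino=287 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file permissive=1
type=AVC msg=audit(1745476600.000:500): avc:  denied  { integrity } for  pid=900 comm="kexec" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=1
"""

# Constructed stand-in for the classes/permissions an older policy and libsepol know.
# "watch" and the whole "lockdown" class are deliberately absent: a kernel newer than
# the policy emits AVCs for them, and that gap is what audit2allow trips over.
KNOWN_CLASSES = {
    "file": {"read", "write", "open", "setattr", "getattr"},
    "dir": {"read", "write", "add_name", "remove_name", "search"},
    "blk_file": {"read", "write", "open", "ioctl"},
}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields audit2allow needs from one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        # user:role:type[:range] -> the type is the third field
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def check_policy_support(records, known=KNOWN_CLASSES):
    """Split records into those the policy can express and those it cannot,
    giving the latter the same kind of reason libsepol prints."""
    supported, unsupported = [], []
    for r in records:
        if r["tclass"] not in known:
            unsupported.append((r, f"unrecognized class {r['tclass']}"))
            continue
        missing = [p for p in r["perms"] if p not in known[r["tclass"]]]
        if missing:
            unsupported.append((r, f"could not convert {' '.join(missing)} to av bit"))
        else:
            supported.append(r)
    return supported, unsupported


def to_allow_rules(records):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def main():
    records = parse_log(SAMPLE_AUDIT_LOG)
    ok, bad = check_policy_support(records)
    for r, why in bad:
        print(f"skipped {r['stype']} -> {r['ttype']}:{r['tclass']} ({why})")
    for rule in to_allow_rules(ok):
        print(rule)


if __name__ == "__main__":
    main()
```

Running it against the quoted records reports the two `watch` denials and the constructed `lockdown` record as unexpressible, and emits rules only for the `file` and `blk_file` denials, merging the `open` and `ioctl` denials for `lvm_t` on `nvme_device_t` into one rule. On a real system the `KNOWN_CLASSES` table would be replaced by what the installed policy actually defines (for example from `/sys/fs/selinux/class/`), which is the check that tells you whether the policy package, not audit2allow, is what needs updating.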