Bug 1470701

Summary: Switching from Targeted to MLS shows "denied" AVCs after reboot
Product: Red Hat Enterprise Linux 7 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ruckc, ssekidde
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:34:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2017-07-13 13:38:26 UTC 
Description of problem:

After a fresh minimal installation of RHEL7.3 using the DVD, then updating to latest updates,
I followed strictly the documentation to switch from Targeted policy to MLS (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html).
After reboot, relabelling occurred but some "denied" AVCs are shown in the audit log.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-102.el7_3.16.noarch
selinux-policy-mls-3.13.1-102.el7_3.16.noarch


How reproducible:

Always

Steps to Reproduce:
1. Install a VM using RHEL7.3 DVD
2. (Optional) Update
3. Have the journal be persistent:
    mkdir /var/log/journal
    systemctl restart systemd-journald.service
4. Follow the doc to switch to MLS

Actual results:

During relabelling, some contexts are invalid:

Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:selinux_config_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:semanage_store_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:file_context_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:system_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:bin_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:etc_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:admin_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:home_cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmapped)
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_var_lib_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:init_var_lib_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmap
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:ldconfig_cache_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_var_cache_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:mail_spool_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:abrt_var_cache_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:vlock_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:blkmapd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:44 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_dir_t:s0 is not valid (left unmapped)
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:boot_t:s0 is not valid (left unmapped).

After complete boot, "audit2why" reports errors:

# audit2why -a
type=AVC msg=audit(1499952452.636:83): avc:  denied  { open } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.636:84): avc:  denied  { getattr } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { open } for  pid=671 comm="auditctl" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { read } for  pid=671 comm="auditctl" name="ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.432:89): avc:  denied  { read } for  pid=563 comm="lvm" name="gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:90): avc:  denied  { open } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:91): avc:  denied  { getattr } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952455.281:93): avc:  denied  { getattr } for  pid=513 comm="systemd-udevd" path="/usr/lib/modules/3.10.0-514.26.2.el7.x86_64/modules.dep.bin" dev="dm-0" ino=50702474 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952465.825:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reboot } for auid=n/a uid=0 gid=0 cmdline="systemctl --force reboot" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952465.809:95): avc:  denied  { setattr } for  pid=1197 comm="cpio" name="null" dev="tmpfs" ino=18286 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:14): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:15): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=651 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.248:13): avc:  denied  { write } for  pid=653 comm="brandbot" name="os-release" dev="dm-0" ino=16777319 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.424:22): avc:  denied  { getopt } for  pid=672 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:gssproxy_t:s0-s15:c0.c1023 tcontext=system_u:system_r:gssproxy_t:s15:c0.c1023 tclass=unix_stream_socket
	Was caused by:
()
#Constraint rule:

#	mlsconstrain unix_stream_socket { connect accept } ((l1 eq l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-)  and (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { read getattr listen accept getopt recv_msg } ((l1 dom l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { write setattr relabelfrom connect setopt shutdown } ((l1 eq l2 -Fail-)  or (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-)  or (t2 == { httpd_bool_t faillog_t anon_inodefs_t devtty_t kernel_t kvm_device_t null_device_t proc_numa_t ptmx_t security_t tmpfs_t tun_tap_device_t vhost_device_t zero_device_t crond_t cupsd_t cupsd_var_run_t system_dbusd_t system_dbusd_var_run_t initctl_t devlog_t syslogd_t syslogd_var_run_t setrans_t setrans_var_run_t sshd_t sssd_t sssd_var_lib_t sudo_db_t virt_log_t qemu_var_run_t xdm_t xserver_t } -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.

type=AVC msg=audit(1499952478.748:26): avc:  denied  { read } for  pid=684 comm="modprobe" path="/run/xtables.lock" dev="tmpfs" ino=14220 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:95): avc:  denied  { getattr } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { open } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { write } for  pid=1035 comm="sysctl" name="protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952488.579:115): avc:  denied  { dyntransition } for  pid=1086 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process
	Was caused by:
	The boolean ssh_sysadm_login was set incorrectly. 
	Description:
	Allow ssh to sysadm login

	Allow access by executing:
	# setsebool -P ssh_sysadm_login 1
type=AVC msg=audit(1499952604.360:124): avc:  denied  { name_connect } for  pid=1173 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952609.767:125): avc:  denied  { name_connect } for  pid=1175 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952619.668:126): avc:  denied  { getattr } for  pid=1187 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:127): avc:  denied  { execute } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:128): avc:  denied  { read } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { execute_no_trans } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { open } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:130): avc:  denied  { open } for  pid=1175 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=16777291 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { create } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { add_name } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { write } for  pid=1175 comm="rhsmcertd-worke" name="rpm" dev="dm-0" ino=16777290 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
Comment 2 Lukas Vrabec 2017-07-17 12:17:12 UTC 
Hi, 

Di you follow these instructions? Because if you switching to MLS you should do restorecon. 

Please try it again with following tutorial: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html

If you have still some issues, feel free to re-open this BZ.
Comment 3 Renaud Métrich 2017-07-17 12:49:38 UTC 
I followed the instructions. There is no restorecon command to issue, but the autorelabel.
As written, relabelling occurs during reboot but fails partially.
Comment 4 Lukas Vrabec 2017-07-17 13:39:48 UTC 
Okay, 

Could you run fixfiles instead of autorelabel? 

# fixfiles -F onboot

Thanks.
Comment 5 Renaud Métrich 2017-07-17 15:26:48 UTC 
This is what I did since I followed the RHEL7 guide.
From the relabelling traces, some invalid context issues appear (see the description).
Comment 6 ruckc@yahoo.com 2017-07-18 00:10:51 UTC 
just ran into these today, when trying to test the MLS policies in RHEL 7, versus RHEL 6.  Seems like most of this should be caught before getting released.  Also catches me in kind of a bind, as it appears most of these appear because the scontext isn't getting set correctly.  I'd be tempted to write a module to address these, but allowing permissions to services properly typed is one thing, and improperly typed is quite another.
Comment 7 Lukas Vrabec 2017-09-18 14:38:51 UTC 
I tried switch RHEL-7.4 and RHEL-7.3 systems to MLS using: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html

Systems are booting fine in Enforcing. 

MLS policy type is too strictly so some AVCs during boot are expected. I prefer close this and use local policy for fixing AVCS.
Comment 10 Milos Malik 2018-02-22 08:22:24 UTC 
Messages like "Context unconfined_u:.* is not valid" are expected, because unconfined_u is not defined in MLS policy:

# seinfo -uunconfined_u -x /etc/selinux/targeted/policy/policy.30 
   unconfined_u
      default level: s0
      range: s0 - s0:c0.c1023
      roles:
         object_r
         system_r
         unconfined_r
# seinfo -uunconfined_u -x /etc/selinux/mls/policy/policy.30
ERROR: could not find datum for user unconfined_u
#
Comment 11 Milos Malik 2018-02-22 08:38:41 UTC 
After switching to MLS, you can see a lot SELinux denials, because the MLS policy supports only a subset of domains supported in the targeted policy. Of course, this can improve in future.
Comment 12 Milos Malik 2018-02-22 11:25:40 UTC 
The documentation cited in comment#0 says:

7. If there were no denial messages in the /var/log/messages file, or you have resolved all existing denials, configure SELINUX=enforcing in the /etc/selinux/config file...

The "if" part of the sentence is not necessary. The "configure ..." part is enough. The machine is able to boot in MLS enforcing even if there are some SELinux denials.

Based on the tests I ran, there are no SELinux denials which contain unlabeled_t.
Comment 15 errata-xmlrpc 2018-04-10 12:34:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763