# uname -a
Linux myvm74 4.11.0-0.rc3.git0.1.el7_UNSUPPORTED.x86_64 #2 SMP Mon Mar 20 00:02:19 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
# dmesg | grep -i selinux
[ 0.004003] SELinux: Initializing.
[ 0.004340] SELinux: Starting in permissive mode
[ 0.619509] SELinux: Registering netfilter hooks
[ 0.994928] systemd[1]: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[ 1.734426] SELinux: 32768 avtab hash slots, 104903 rules.
[ 1.751156] SELinux: 32768 avtab hash slots, 104903 rules.
[ 1.773615] SELinux: 8 users, 14 roles, 4987 types, 303 bools, 1 sens, 1024 cats
[ 1.773617] SELinux: 94 classes, 104903 rules
[ 1.776665] SELinux: Class sctp_socket not defined in policy.
[ 1.776883] SELinux: Class icmp_socket not defined in policy.
[ 1.776994] SELinux: Class ax25_socket not defined in policy.
[ 1.777091] SELinux: Class ipx_socket not defined in policy.
[ 1.777186] SELinux: Class netrom_socket not defined in policy.
[ 1.777280] SELinux: Class atmpvc_socket not defined in policy.
[ 1.777372] SELinux: Class x25_socket not defined in policy.
[ 1.777462] SELinux: Class rose_socket not defined in policy.
[ 1.777553] SELinux: Class decnet_socket not defined in policy.
[ 1.777651] SELinux: Class atmsvc_socket not defined in policy.
[ 1.777744] SELinux: Class rds_socket not defined in policy.
[ 1.777833] SELinux: Class irda_socket not defined in policy.
[ 1.777922] SELinux: Class pppox_socket not defined in policy.
[ 1.778010] SELinux: Class llc_socket not defined in policy.
[ 1.778098] SELinux: Class can_socket not defined in policy.
[ 1.778185] SELinux: Class tipc_socket not defined in policy.
[ 1.778273] SELinux: Class bluetooth_socket not defined in policy.
[ 1.778362] SELinux: Class iucv_socket not defined in policy.
[ 1.778452] SELinux: Class rxrpc_socket not defined in policy.
[ 1.778541] SELinux: Class isdn_socket not defined in policy.
[ 1.778635] SELinux: Class phonet_socket not defined in policy.
[ 1.778728] SELinux: Class ieee802154_socket not defined in policy.
[ 1.778830] SELinux: Class caif_socket not defined in policy.
[ 1.778965] SELinux: Class alg_socket not defined in policy.
[ 1.779092] SELinux: Class nfc_socket not defined in policy.
[ 1.779181] SELinux: Class vsock_socket not defined in policy.
[ 1.779268] SELinux: Class kcm_socket not defined in policy.
[ 1.779356] SELinux: Class qipcrtr_socket not defined in policy.
[ 1.779444] SELinux: Class smc_socket not defined in policy.
[ 1.779532] SELinux: the above unknown classes and permissions will be allowed
[ 1.779638] SELinux: Completing initialization.
[ 1.779638] SELinux: Setting up existing superblocks.
[ 1.786031] systemd[1]: Successfully loaded SELinux policy in 60.455ms.
#
I would like to keep this bug open, because the above-mentioned newly defined classes can cause AVCs in the future, once the newly defined classes are added to selinux-policy. For now, any access to newly defined classes is allowed, because that's the default setting.
# sestatus | grep deny
Policy deny_unknown status: allowed
#
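The check made by hand above can be scripted over captured dmesg text. This is an added example, not part of the original bug report: the function name `audit_unknown_classes` and the sample log are constructed, and the regular expressions assume the message wording shown in the output above.

```python
import re

# Constructed sample, trimmed from the kind of dmesg output shown above.
SAMPLE_DMESG = """\
[    1.773617] SELinux: 94 classes, 104903 rules
[    1.776665] SELinux: Class sctp_socket not defined in policy.
[    1.776883] SELinux: Class icmp_socket not defined in policy.
[    1.779444] SELinux: Class smc_socket not defined in policy.
[    1.779532] SELinux: the above unknown classes and permissions will be allowed
[    1.779638] SELinux: Completing initialization.
"""

CLASS_RE = re.compile(r"SELinux:\s+Class (\S+) not defined in policy\.")
HANDLING_RE = re.compile(
    r"SELinux:\s+the above unknown classes and permissions will be (\w+)")


def audit_unknown_classes(dmesg_text):
    """Summarise kernel object classes that the loaded policy does not define.

    Returns a dict with:
      classes    - undefined class names, first-seen order, de-duplicated
                   (a repeated policy load logs the same lines again)
      handling   - word the kernel logged after "will be", or None if absent
      unmediated - True when classes are missing and the kernel allows them
    """
    classes, handling = [], None
    for line in dmesg_text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            if m.group(1) not in classes:
                classes.append(m.group(1))
            continue
        m = HANDLING_RE.search(line)
        if m:
            handling = m.group(1)  # the most recent policy load wins
    return {
        "classes": classes,
        "handling": handling,
        "unmediated": bool(classes) and handling == "allowed",
    }


if __name__ == "__main__":
    report = audit_unknown_classes(SAMPLE_DMESG)
    print(f"{len(report['classes'])} undefined classes, "
          f"handling={report['handling']}")
    for name in report["classes"]:
        print(f"  {name}")
    if report["unmediated"]:
        print("access to these classes is currently allowed by default")
```
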