Bug 478299

Summary: AVC denials on kernel 2.6.27.9-159.fc10.x86_64
Product: [Fedora] Fedora
Component: kernel
Version: 10
Hardware: All
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: high
Priority: low
Reporter: Mihai Harpau <mishu>
Assignee: Eric Sandeen <esandeen>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, esandeen, jarin.franek, jkubin, kernel-maint, mcepl, mcepl, mgrepl, quintela
Doc Type: Bug Fix
Last Closed: 2009-01-27 01:48:10 UTC
Attachments:
Description | Flags
ausearch -m avc -c setroubleshootd | none
ausearch -m avc -c console-kit-dae | none

Description Mihai Harpau 2008-12-27 15:50:02 UTC
Description of problem:
After update to kernel 2.6.27.9-159.fc10.x86_64 I get a lot of AVC denials:
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.452:6): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.452:7): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.452:8): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.453:9): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.453:10): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.453:11): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.453:12): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388920.453:13): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388926.952:16): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388926.952:17): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388926.952:18): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388927.188:19): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:42:13 taz kernel: type=1400 audit(1230388927.188:20): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:42:21 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:42:22 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:42:35 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:42:35 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:42:35 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.353:4): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.353:5): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.353:6): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.353:7): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:8): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:9): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:10): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:11): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:12): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230388993.354:13): avc:  denied  { sys_resource } for  pid=1723 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389000.241:14): avc:  denied  { sys_resource } for  pid=2177 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389000.242:15): avc:  denied  { sys_resource } for  pid=2177 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389000.242:16): avc:  denied  { sys_resource } for  pid=2177 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389006.656:17): avc:  denied  { sys_resource } for  pid=2177 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389006.656:18): avc:  denied  { sys_resource } for  pid=2177 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389012.336:19): avc:  denied  { sys_resource } for  pid=2215 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389012.701:20): avc:  denied  { sys_resource } for  pid=2215 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389012.702:21): avc:  denied  { sys_resource } for  pid=2215 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389018.423:22): avc:  denied  { sys_resource } for  pid=2244 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389018.939:23): avc:  denied  { sys_resource } for  pid=2244 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389018.939:24): avc:  denied  { sys_resource } for  pid=2244 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389024.658:25): avc:  denied  { sys_resource } for  pid=2271 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389025.066:26): avc:  denied  { sys_resource } for  pid=2271 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389025.067:27): avc:  denied  { sys_resource } for  pid=2271 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389030.946:28): avc:  denied  { sys_resource } for  pid=2298 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389031.149:29): avc:  denied  { sys_resource } for  pid=2298 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389031.149:30): avc:  denied  { sys_resource } for  pid=2298 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389036.600:31): avc:  denied  { sys_resource } for  pid=2325 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389037.084:32): avc:  denied  { sys_resource } for  pid=2325 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389037.085:33): avc:  denied  { sys_resource } for  pid=2325 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389042.807:34): avc:  denied  { sys_resource } for  pid=2352 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389043.403:35): avc:  denied  { sys_resource } for  pid=2352 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389043.404:36): avc:  denied  { sys_resource } for  pid=2352 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389049.026:37): avc:  denied  { sys_resource } for  pid=2379 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389049.691:38): avc:  denied  { sys_resource } for  pid=2379 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389049.692:39): avc:  denied  { sys_resource } for  pid=2379 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389055.189:40): avc:  denied  { sys_resource } for  pid=2406 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389055.610:41): avc:  denied  { sys_resource } for  pid=2406 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389055.611:42): avc:  denied  { sys_resource } for  pid=2406 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389061.323:43): avc:  denied  { sys_resource } for  pid=2433 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389061.752:44): avc:  denied  { sys_resource } for  pid=2433 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389061.752:45): avc:  denied  { sys_resource } for  pid=2433 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389067.244:46): avc:  denied  { sys_resource } for  pid=2460 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389072.808:47): avc:  denied  { sys_resource } for  pid=2460 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:38 taz kernel: type=1400 audit(1230389072.808:48): avc:  denied  { sys_resource } for  pid=2460 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:44:50 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:44:50 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:12 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:12 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:12 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:12 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:13 taz setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. For complete SELinux messages. run sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517
Dec 27 16:45:20 taz setroubleshoot: [program.ERROR] audit event#012node=taz type=AVC msg=audit(1230389120.220:98): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=taz type=AVC msg=audit(1230389120.220:98): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=taz type=AVC msg=audit(1230389120.220:98): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=taz type=SYSCALL msg=audit(1230389120.220:98): arch=c000003e syscall=1 success=yes exit=12288 a0=c a1=7f99f3941684 a2=3000 a3=22 items=0 ppid=1 pid=2900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
Dec 27 16:45:20 taz setroubleshoot: [program.ERROR] audit event#012node=taz type=AVC msg=audit(1230389120.220:99): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=taz type=SYSCALL msg=audit(1230389120.220:99): arch=c000003e syscall=1 success=yes exit=1349 a0=c a1=7f99f2378000 a2=545 a3=7f99fcd396f0 items=0 ppid=1 pid=2900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
Dec 27 16:45:20 taz setroubleshoot: [program.ERROR] audit event#012node=taz type=AVC msg=audit(1230389120.220:99): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=taz type=SYSCALL msg=audit(1230389120.220:99): arch=c000003e syscall=1 success=yes exit=1349 a0=c a1=7f99f2378000 a2=545 a3=7f99fcd396f0 items=0 ppid=1 pid=2900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
kernel-2.6.27.9-159.fc10
selinux-policy-3.5.13-34.fc10
setroubleshoot-2.0.12-3.fc10

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Mihai Harpau 2008-12-27 15:54:53 UTC
[root@taz ~]# sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          taz
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   51
First Seen                    Sat Dec 20 14:27:50 2008
Last Seen                     Sat Dec 27 16:45:12 2008
Local ID                      9402cfbc-aa3a-4107-a131-bfac6985b517
Line Numbers                  

Raw Audit Messages            

node=taz type=AVC msg=audit(1230389112.0:97): avc:  denied  { sys_resource } for  pid=2677 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=SYSCALL msg=audit(1230389112.0:97): arch=c000003e syscall=1 success=yes exit=672 a0=1a a1=7f4fe40171a0 a2=2a0 a3=0 items=0 ppid=1 pid=2677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

Comment 2 Mihai Harpau 2008-12-27 15:57:27 UTC
On kernel 2.6.27.7-134.fc10 I don't have any of these AVC denials.

Comment 3 Eric Paris 2009-01-04 17:29:46 UTC
What FS are in use?

/me wonders if the patches to ext4 got dropped somehow....

Comment 4 Eric Paris 2009-01-04 17:39:58 UTC
Also, can I get the output of ausearch -m AVC attached?  I'd like to see both the avc denials and the audit syscall records related to them....

Comment 5 Mihai Harpau 2009-01-05 01:19:13 UTC
The 2 systems where I see those AVC denials are both ext4 only (except /boot of course)

Comment 6 Mihai Harpau 2009-01-05 01:36:49 UTC
Created attachment 328167
ausearch -m avc -c setroubleshootd

Comment 7 Eric Paris 2009-01-05 03:16:16 UTC
Thanks, it's what I thought.  ext4 is checking to see if you have CAP_SYS_RESOURCE on every write.  esandeen already wrote a patch to fix this during the reserve block checking.  I guess it got dropped.  I'll run it down in the morning.

Comment 8 Eric Paris 2009-01-05 03:17:09 UTC
As a side note, the denials are completely harmless (outside of the wasted resources to log them...)
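
Comment 4 asks for the AVC denials together with their SYSCALL records, and comment 7 reads from them that the capability check fires on write. As an added example (not part of the bug report or of any Fedora tool), this Python script pairs each AVC record with the SYSCALL record sharing its audit event ID and groups the denials by process and domain; the names `parse`, `summarize` and `SAMPLE` are assumptions, and the sample lines are constructed in the formats shown in this report with the hostname replaced by `host`.

```python
import re
from collections import defaultdict

X86_64_ARCH = "c000003e"        # AUDIT_ARCH_X86_64, the arch value in the report's SYSCALL records
X86_64_SYSCALLS = {1: "write"}  # only the syscall number that appears in the report is mapped

EVENT_ID = re.compile(r"audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(text):
    """Split 'key=value key="quoted value"' audit text into a dict."""
    return {key: value.strip('"') for key, value in KV.findall(text)}


def parse(log_text):
    """Return (avc_records, syscall_name_by_event_id) from syslog or ausearch text."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        # setroubleshoot writes a whole event on one syslog line, newlines escaped as #012.
        for record in line.split("#012"):
            event = EVENT_ID.search(record)
            if not event:
                continue
            denied = AVC.search(record)
            if denied:
                f = fields(denied.group(2))
                for perm in denied.group(1).split():
                    avcs.append({
                        "event": event.group(1),
                        "perm": perm,
                        "comm": f.get("comm", "?"),
                        # SELinux context is user:role:type:level; the type is the domain.
                        "domain": f.get("scontext", "::?").split(":")[2],
                        "tclass": f.get("tclass", "?"),
                    })
            elif "type=SYSCALL" in record:
                f = fields(record)
                if "syscall" in f:
                    number = int(f["syscall"])
                    if f.get("arch") == X86_64_ARCH:
                        name = X86_64_SYSCALLS.get(number, f"syscall {number}")
                    else:
                        name = f"{f.get('arch', '?')}/{number}"
                    syscalls[event.group(1)] = name
    return avcs, syscalls


def summarize(avcs, syscalls):
    """Group denials by (comm, domain, tclass, perm) and attach the triggering syscalls."""
    groups = defaultdict(lambda: {"count": 0, "events": set(), "syscalls": set()})
    for avc in avcs:
        group = groups[(avc["comm"], avc["domain"], avc["tclass"], avc["perm"])]
        group["count"] += 1
        group["events"].add(avc["event"])
        if avc["event"] in syscalls:
            group["syscalls"].add(syscalls[avc["event"]])
    return {
        key: {"count": g["count"], "events": len(g["events"]), "syscalls": sorted(g["syscalls"])}
        for key, g in groups.items()
    }


# Constructed sample: kernel syslog lines, one setroubleshoot line with #012 escapes,
# and one AVC/SYSCALL pair in ausearch/sealert form.
SAMPLE = """\
Dec 27 16:42:13 host kernel: type=1400 audit(1230388920.452:6): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 host kernel: type=1400 audit(1230388920.452:7): avc:  denied  { sys_resource } for  pid=1815 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
Dec 27 16:42:13 host kernel: type=1400 audit(1230388926.952:16): avc:  denied  { sys_resource } for  pid=2269 comm="pppd" capability=24 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=capability
Dec 27 16:45:20 host setroubleshoot: [program.ERROR] audit event#012node=host type=AVC msg=audit(1230389120.220:98): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=host type=AVC msg=audit(1230389120.220:98): avc:  denied  { sys_resource } for  pid=2900 comm="setroubleshootd" capability=24 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=capability#012#012node=host type=SYSCALL msg=audit(1230389120.220:98): arch=c000003e syscall=1 success=yes exit=12288 pid=2900 comm="setroubleshootd" exe="/usr/bin/python"
node=host type=AVC msg=audit(1230389112.0:97): avc:  denied  { sys_resource } for  pid=2677 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
node=host type=SYSCALL msg=audit(1230389112.0:97): arch=c000003e syscall=1 success=yes exit=672 pid=2677 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
"""

if __name__ == "__main__":
    summary = summarize(*parse(SAMPLE))
    for (comm, domain, tclass, perm), info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        via = ", ".join(info["syscalls"]) or "no SYSCALL record"
        print(f"{info['count']:3d} denials / {info['events']} events  "
              f"{comm} ({domain}) {tclass}:{perm}  via {via}")
```

Kernel syslog lines carry no SYSCALL record, so only denials captured through auditd (ausearch or sealert output) can be attributed to a syscall.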

Comment 9 Mihai Harpau 2009-01-05 06:24:59 UTC
I also see these AVC denials:

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   <Unknown>
Port                          <Unknown>
Host                          taz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sb 03 ian 2009 15:14:22 +0000
Last Seen                     Sb 03 ian 2009 15:16:09 +0000
Local ID                      acab3174-b202-4d65-b12b-d64ec8832253
Line Numbers                  

Raw Audit Messages            

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2729 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2729 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2730 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2730 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2731 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2731 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2732 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2732 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2733 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2733 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2734 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2734 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2735 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2735 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2736 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2736 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2737 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_rawio } for  pid=2737 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=AVC msg=audit(1230988462.849:101): avc:  denied  { sys_admin } for  pid=2738 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability


Comment 10 Mihai Harpau 2009-01-05 06:26:05 UTC
I also see these denials:


Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_rawio" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   <Unknown>
Port                          <Unknown>
Host                          taz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Sb 03 ian 2009 15:14:22 +0000
Last Seen                     Sb 03 ian 2009 15:16:09 +0000
Local ID                      fa102a84-a9c5-406a-a183-52e6fadda71b
Line Numbers                  

Raw Audit Messages            


Comment 11 Mihai Harpau 2009-01-05 06:27:30 UTC
Created attachment 328172
ausearch -m avc -c console-kit-dae

Comment 12 Mihai Harpau 2009-01-05 06:29:01 UTC
The "victim" of these AVC denials seems to be the setroubleshootd daemon.

Comment 13 Eric Sandeen 2009-01-05 18:45:58 UTC
There is a patch upstream:

commit a996031c87e093017c0763326a08896a3a4817f4
Author: Eric Sandeen <sandeen>
Date:   Tue Oct 28 00:08:17 2008 -0400

    delay capable() check in ext4_has_free_blocks()
    
    As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
    sometimes causes SELinux denials.
    
    We can rearrange the logic so that we only try to use the root-reserved
    blocks when necessary, and even then we can move the capable() test
    to last, to avoid the check most of the time.
    
    Signed-off-by: Eric Sandeen <sandeen>
    Reviewed-by: Mingming Cao <cmm.com>
    Signed-off-by: "Theodore Ts'o" <tytso>

but let me see what we've got in F10 ...
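
The reordering described in the commit message above, as an added example that is neither the kernel patch nor code from this bug: a user-space C model in which `model_capable()` stands in for `capable()` and counts the refusals that would show up as AVC records. All struct, field and function names are hypothetical, and the block counts are constructed.

```c
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not the kernel's. */
struct task {
    unsigned uid;
    int policy_grants_cap;   /* would the security policy allow the capability? */
};

struct fs_state {
    long free_blocks;    /* blocks currently free */
    long dirty_blocks;   /* blocks already promised to pending writes */
    long root_blocks;    /* reserve held back for privileged callers */
    unsigned resuid;     /* uid that may use the reserve without a capability */
};

typedef int (*check_fn)(const struct fs_state *, const struct task *, long);

static int denials_logged;   /* stands in for AVC records in the audit log */

/* Model of capable(): each call queries policy, and a refusal is audited. */
static int model_capable(const struct task *t)
{
    if (t->policy_grants_cap)
        return 1;
    denials_logged++;
    return 0;
}

/* Privilege is queried up front on every allocation, needed or not. */
static int has_free_blocks_eager(const struct fs_state *fs,
                                 const struct task *t, long nblocks)
{
    long reserve = fs->root_blocks;

    if (model_capable(t) || t->uid == fs->resuid)
        reserve = 0;
    return fs->free_blocks >= nblocks + fs->dirty_blocks + reserve;
}

/* Reserve is considered only when required, and the capability test runs last. */
static int has_free_blocks_delayed(const struct fs_state *fs,
                                   const struct task *t, long nblocks)
{
    long needed = nblocks + fs->dirty_blocks;

    /* Common case: space is available without the reserve, no policy query. */
    if (fs->free_blocks >= needed + fs->root_blocks)
        return 1;
    /* Cheap uid comparison first; model_capable() only if it fails. */
    if (t->uid == fs->resuid || model_capable(t))
        return fs->free_blocks >= needed;
    return 0;
}

/* Run one check, store its answer in *allowed, return the denials it caused. */
static int count_denials(check_fn fn, const struct fs_state *fs,
                         const struct task *t, long nblocks, int *allowed)
{
    denials_logged = 0;
    *allowed = fn(fs, t, nblocks);
    return denials_logged;
}

int main(void)
{
    /* Constructed sample states: {free, dirty, root reserve, resuid}. */
    const struct fs_state roomy = { 1000, 10, 50, 0 };
    const struct fs_state tight = { 60, 10, 50, 0 };
    /* Constructed callers: {uid, policy_grants_cap}. */
    const struct task confined = { 500, 0 };
    const struct task reserve_owner = { 0, 0 };
    const struct { const char *label; const struct fs_state *fs;
                   const struct task *t; } cases[] = {
        { "roomy fs, confined daemon", &roomy, &confined },
        { "tight fs, confined daemon", &tight, &confined },
        { "tight fs, reserve owner",   &tight, &reserve_owner },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int ok_eager, ok_delayed;
        int d_eager = count_denials(has_free_blocks_eager,
                                    cases[i].fs, cases[i].t, 8, &ok_eager);
        int d_delayed = count_denials(has_free_blocks_delayed,
                                      cases[i].fs, cases[i].t, 8, &ok_delayed);
        printf("%-28s eager: allowed=%d denials=%d | delayed: allowed=%d denials=%d\n",
               cases[i].label, ok_eager, d_eager, ok_delayed, d_delayed);
    }
    return 0;
}
```

Both orderings return the same allocation decision in every case; only the number of audited refusals differs.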

Comment 14 Eric Sandeen 2009-01-05 19:21:32 UTC
Hmm, the latest F10 should also have this patch in place.

Mihai, what was the last kernel that did not show these denials for you?

Comment 15 Eric Sandeen 2009-01-05 19:39:16 UTC
Sorry, comment #2 provided the answer to that question....

Comment 16 Eric Sandeen 2009-01-05 20:04:12 UTC
Ok, that patch got lost in the F10 kernels; we updated to 2.6.27-stable but that patch wasn't sent for stable, oops.  I'll get it back into F10, sorry about that!

Comment 17 Mihai Harpau 2009-01-05 22:20:12 UTC
(In reply to comment #13)
> There is a patch upstream:
> 
> commit a996031c87e093017c0763326a08896a3a4817f4
> Author: Eric Sandeen <sandeen>
> Date:   Tue Oct 28 00:08:17 2008 -0400
> 
>     delay capable() check in ext4_has_free_blocks()
> 
>     As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
>     sometimes causes SELinux denials.
> 
>     We can rearrange the logic so that we only try to use the root-reserved
>     blocks when necessary, and even then we can move the capable() test
>     to last, to avoid the check most of the time.
> 
>     Signed-off-by: Eric Sandeen <sandeen>
>     Reviewed-by: Mingming Cao <cmm.com>
>     Signed-off-by: "Theodore Ts'o" <tytso>
> 
> but let me see what we've got in F10 ...

How can I easily get this patch? With git somehow?

Comment 20 Eric Sandeen 2009-01-06 22:03:04 UTC
Checked what should be a fix into the f10 kernel tree, should be in 2.6.27.10-168 and later.

Comment 21 Mihai Harpau 2009-01-07 18:29:40 UTC
With kernel 2.6.27.10-168.fc10 all these AVC denials disappear. Bug resolved. Thank you very much!

Comment 22 Mihai Harpau 2009-01-07 18:34:40 UTC
How to close the bug: with ERRATA or NEXTRELEASE resolution?

Comment 23 Eric Sandeen 2009-01-07 19:09:00 UTC
I think that when bodhi pushes the kernel to stable, it'll close this bug for us.

Thanks for testing!

-Eric

Comment 24 Matěj Cepl 2009-01-07 22:21:57 UTC
Am I blind or stupid? Where does 2.6.27.10-168.fc10 live? http://koji.fedoraproject.org/koji/packageinfo?packageID=8 doesn't seem to know about it.

Comment 25 Eric Sandeen 2009-01-07 22:33:44 UTC
Sure enough, not built yet :)  Mihai, what did you find to test?  (or maybe built your own?)

Comment 26 Mihai Harpau 2009-01-07 22:36:37 UTC
I first make a copy of the kernel tree for F10 through cvs from cvs.fedora.redhat.com:/cvs/pkgs and then I compile the kernel rpms that I need locally.

Comment 27 Mihai Harpau 2009-01-07 22:39:57 UTC
In comment #26 I need to s/compile/build/

Comment 28 Eric Sandeen 2009-01-07 23:07:19 UTC
Matej, it's building now, sorry for the confusion.

Comment 29 Fedora Update System 2009-01-21 16:16:04 UTC
kernel-2.6.27.12-170.2.5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.12-170.2.5.fc10

Comment 30 Fedora Update System 2009-01-24 02:40:19 UTC
kernel-2.6.27.12-170.2.5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update kernel'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0923

Comment 31 Fedora Update System 2009-01-27 01:47:53 UTC
kernel-2.6.27.12-170.2.5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.