Bug 478299
| Summary: | AVC denials on kernel 2.6.27.9-159.fc10.x86_64 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mihai Harpau <mishu> |
| Component: | kernel | Assignee: | Eric Sandeen <esandeen> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | 10 | CC: | dwalsh, esandeen, jarin.franek, jkubin, kernel-maint, mcepl, mcepl, mgrepl, quintela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-01-27 01:48:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Mihai Harpau
2008-12-27 15:50:02 UTC
[root@taz ~]# sealert -l 9402cfbc-aa3a-4107-a131-bfac6985b517

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          taz
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   51
First Seen                    Sat Dec 20 14:27:50 2008
Last Seen                     Sat Dec 27 16:45:12 2008
Local ID                      9402cfbc-aa3a-4107-a131-bfac6985b517
Line Numbers

Raw Audit Messages

node=taz type=AVC msg=audit(1230389112.0:97): avc: denied { sys_resource } for pid=2677 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=taz type=SYSCALL msg=audit(1230389112.0:97): arch=c000003e syscall=1 success=yes exit=672 a0=1a a1=7f4fe40171a0 a2=2a0 a3=0 items=0 ppid=1 pid=2677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

On kernel 2.6.27.7-134.fc10 I don't have any of these AVC denials.

What FS are in use? /me wonders if the patches to ext4 got dropped somehow.... also can I get the output of ausearch -m AVC attached? I'd like to see both the avc denials and the audit syscall records related to them....

On 2 systems where I see those AVC denials are both only ext4 (except /boot of course)

Created attachment 328167 [details]
ausearch -m avc -c setroubleshootd

Thanks, it's what I thought. ext4 is checking to see if you have CAP_SYS_RESOURCE on every write. esandeen already wrote a patch to fix this during the reserve block checking. I guess it got dropped. I'll run it down in the morning.

As a side note, the denials are completely harmless (outside of the wasted resources to log them...)

I also see these AVC denials:

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   <Unknown>
Port                          <Unknown>
Host                          taz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sb 03 ian 2009 15:14:22 +0000
Last Seen                     Sb 03 ian 2009 15:16:09 +0000
Local ID                      acab3174-b202-4d65-b12b-d64ec8832253
Line Numbers

Raw Audit Messages

I also see these denials:

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_rawio" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   <Unknown>
Port                          <Unknown>
Host                          taz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     taz
Platform                      Linux taz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Sb 03 ian 2009 15:14:22 +0000
Last Seen                     Sb 03 ian 2009 15:16:09 +0000
Local ID                      fa102a84-a9c5-406a-a183-52e6fadda71b
Line Numbers

Raw Audit Messages
pid=2973 comm="sshd" capability=17 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3000 comm="dhcpd" capability=21 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3000 comm="dhcpd" capability=17 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3023 comm="sendmail" capability=21 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_resource } for pid=3023 comm="sendmail" capability=24 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3023 comm="sendmail" capability=17 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3042 comm="gpm" capability=17 scontext=system_u:system_r:gpm_t:s0 tcontext=system_u:system_r:gpm_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3062 comm="kerneloops" capability=21 scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_resource } for pid=3062 comm="kerneloops" capability=24 scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3062 comm="kerneloops" capability=17 
scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3172 comm="gdm-binary" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3173 comm="mingetty" capability=17 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3174 comm="mingetty" capability=17 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3175 comm="mingetty" capability=17 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3176 comm="mingetty" capability=17 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3177 comm="mingetty" capability=17 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3237 comm="gdm-simple-slav" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_admin } for pid=3334 comm="gdm-session-wor" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability node=taz type=AVC msg=audit(1230988569.974:100): avc: denied { sys_rawio } for pid=3765 comm="nm-system-setti" 
capability=17 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability Created attachment 328172 [details]
ausearch -m avc -c console-kit-dae
The "victim" of these AVC denials seems to be the setroubleshootd daemon.

There is a patch upstream:

commit a996031c87e093017c0763326a08896a3a4817f4
Author: Eric Sandeen <sandeen>
Date: Tue Oct 28 00:08:17 2008 -0400

    delay capable() check in ext4_has_free_blocks()

    As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
    sometimes causes SELinux denials.

    We can rearrange the logic so that we only try to use the root-reserved
    blocks when necessary, and even then we can move the capable() test
    to last, to avoid the check most of the time.

    Signed-off-by: Eric Sandeen <sandeen>
    Reviewed-by: Mingming Cao <cmm.com>
    Signed-off-by: "Theodore Ts'o" <tytso>

but let me see what we've got in F10 ...

Hmm the latest F10 should also have this patch in place. Mihai, what was the last kernel that did not show these denials for you?

Sorry, comment #2 provided the answer to that question....

Ok, that patch got lost in the F10 kernels; we updated to 2.6.27-stable but that patch wasn't sent for stable, oops. I'll get it back into F10, sorry about that!

(In reply to comment #13)
> There is a patch upstream:
>
> commit a996031c87e093017c0763326a08896a3a4817f4
> Author: Eric Sandeen <sandeen>
> Date: Tue Oct 28 00:08:17 2008 -0400
>
> delay capable() check in ext4_has_free_blocks()
>
> As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
> sometimes causes SELinux denials.
>
> We can rearrange the logic so that we only try to use the root-reserved
> blocks when necessary, and even then we can move the capable() test
> to last, to avoid the check most of the time.
>
> Signed-off-by: Eric Sandeen <sandeen>
> Reviewed-by: Mingming Cao <cmm.com>
> Signed-off-by: "Theodore Ts'o" <tytso>
>
> but let me see what we've got in F10 ...

How can I easily get this patch? With git somehow?
Checked what should be a fix into the f10 kernel tree, should be in 2.6.27.10-168 and later.

With kernel 2.6.27.10-168.fc10 all these AVC denials disappear. Bug resolved. Thank you very much! How to close the bug: with ERRATA or NEXTRELEASE resolution?

I think that when bodhi pushes the kernel to stable, it'll close this bug for us. Thanks for testing! -Eric

Am I blind or stupid? Where does 2.6.27.10-168.fc10 live? http://koji.fedoraproject.org/koji/packageinfo?packageID=8 doesn't look like it knows about it.

Sure enough, not built yet :) Mihai, what did you find to test? (or maybe built your own?)

I first make a copy through cvs of the kernel tree for F10 from cvs.fedora.redhat.com:/cvs/pkgs and then I compile locally the kernel rpms that I need.

In comment #26 I need to s/compile/build/

Matej, it's building now, sorry for the confusion.

kernel-2.6.27.12-170.2.5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kernel-2.6.27.12-170.2.5.fc10

kernel-2.6.27.12-170.2.5.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update kernel'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0923

kernel-2.6.27.12-170.2.5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
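The reordering described in the commit message quoted in this thread, as an added user-space model in C (not the kernel patch and not code from this report): it counts how often a stand-in for capable(CAP_SYS_RESOURCE) runs when privilege is queried eagerly versus when it is tested last. All struct, function and field names and the block counts are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model; none of these names are kernel symbols. */
struct fs_model { int64_t free_blocks, dirty_blocks, root_blocks; unsigned resuid; };
struct caller { unsigned fsuid; bool has_cap; int capable_calls; };

/* Stand-in for capable(CAP_SYS_RESOURCE): each call models one LSM check,
 * which is the event SELinux may log as a denial for a confined domain. */
static bool model_capable(struct caller *c) { c->capable_calls++; return c->has_cap; }

/* Eager ordering: privilege is queried on every allocation. */
static bool has_free_blocks_eager(const struct fs_model *fs, struct caller *c, int64_t n)
{
    int64_t reserve = fs->root_blocks;
    if (model_capable(c) || c->fsuid == fs->resuid)
        reserve = 0;
    return fs->free_blocks >= n + fs->dirty_blocks + reserve;
}

/* Ordering the commit message describes: try without the root-reserved
 * blocks first, and test the capability last, only when the reserve is needed. */
static bool has_free_blocks_lazy(const struct fs_model *fs, struct caller *c, int64_t n)
{
    if (fs->free_blocks >= n + fs->dirty_blocks + fs->root_blocks)
        return true;                      /* common case: no privilege query */
    if (c->fsuid == fs->resuid || model_capable(c))
        return fs->free_blocks >= n + fs->dirty_blocks;
    return false;
}

/* Runs `writes` allocations of 8 blocks; returns the capability checks made. */
static int count_checks(bool lazy, const struct fs_model *fs, struct caller *c, int writes)
{
    c->capable_calls = 0;
    for (int i = 0; i < writes; i++) {
        if (lazy) has_free_blocks_lazy(fs, c, 8);
        else has_free_blocks_eager(fs, c, 8);
    }
    return c->capable_calls;
}

int main(void)
{
    struct fs_model roomy = { 100000, 200, 5000, 0 };  /* constructed values */
    struct caller confined = { 42, false, 0 };         /* daemon without the capability */
    printf("eager=%d lazy=%d\n", count_checks(false, &roomy, &confined, 1000),
           count_checks(true, &roomy, &confined, 1000));
    return 0;
}
```

On a filesystem with plenty of free space the lazy ordering never asks the privilege question, so a confined daemon that merely writes a file generates no capability check to deny or audit.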