Bug 733086

| Field | Value |
|---|---|
| Summary | avcs on boot - rtc and /dev/live and systemd-tmpfiles |
| Product | [Fedora] Fedora |
| Component | libselinux |
| Version | 16 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Mads Kiilerich <mads> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | awilliam, dwalsh, fedora, harald, igor.redhat, johannbg, jonathan, kay, lemenkov, lpoetter, metherid, mgrepl, mschmidt, notting, oliver.henshaw, plautrba, satellitgo, tflink, vedran |
| Whiteboard | AcceptedNTH |
| Fixed In Version | libselinux-2.1.5-5.fc16 |
| Doc Type | Bug Fix |
| Last Closed | 2011-09-23 04:01:53 UTC |
| Bug Blocks | 713565, 713568 |

Did you build your own live image?

Yes I did. I don't think any official images have been made from -testing with dracut-013-4 yet - but I'm not up-to-date on that.

I'm using livecd-tools-16.3-1.fc16.x86_64. AFAIK the conclusion on bug 728576 was that it should be OK as long as there is no /selinux on the build host. I would however expect the version with dwalsh's fixes to get in now after the alpha has been released.

I can try with the rawhide livecd-tools - if you think that makes any difference?

Created attachment 519832: dmesg

I get the same (and other) avcs on a real installed non-live system:
[ 16.402026] type=1400 audit(1314274910.239:3): avc: denied { relabelto } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.406903] type=1400 audit(1314274910.244:4): avc: denied { associate } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 16.419579] type=1400 audit(1314274910.257:5): avc: denied { write } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.478361] type=1400 audit(1314274914.325:6): avc: denied { relabelto } for pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.482800] type=1400 audit(1314274914.329:7): avc: denied { write } for pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.489577] type=1400 audit(1314274914.336:8): avc: denied { create } for pid=579 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.518889] type=1400 audit(1314274916.370:9): avc: denied { read } for pid=918 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.522458] type=1400 audit(1314274916.374:10): avc: denied { getattr } for pid=918 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.596964] type=1400 audit(1314274916.448:11): avc: denied { read } for pid=919 comm="lvm" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.599293] type=1400 audit(1314274916.451:12): avc: denied { getattr } for pid=919 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.671811] type=1400 audit(1314274916.523:13): avc: denied { associate } for pid=638 comm="udevd" name="root" dev=devtmpfs ino=10462 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[ 24.917362] type=1400 audit(1314274918.771:14): avc: denied { getattr } for pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
[ 24.917624] multipathd[988]: A sample multipath.conf file is located at
I guess the new dracut requires new policies ... or is buggy ...
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64

What does
# matchpathcon /dev/rtc
on your F16 real installed non-live system?

[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc system_u:object_r:default_t:s0
[root@imac ~]# restorecon /dev/rtc
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc system_u:object_r:default_t:s0
[root@imac ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.10.0-18.fc16.noarch
[root@imac ~]#

I guess it doesn't make sense to repeat matchpathcon without -V, but both before and after and everywhere and with selinux-policy-targeted-3.10.0-21.fc16 it is:
lrwxrwxrwx. root root system_u:object_r:default_t:s0 /dev/rtc -> rtc0
crw-------. root root system_u:object_r:clock_device_t:s0 /dev/rtc0

So this is fixed with -21 correct?

No, it is not my experience that -21 fixes it, but I also didn't look for that. Should -21 fix it? Then I will try again and focus on that.

One piece of the puzzle I might be missing: Is the policy more or less included in the dracut initrd so that I have to rebuild it after updating the policy? Or do the dracut scripts run without SE constraints until the policy is loaded from /etc?

After installation of -21 and relabel and dracut -f I still get:
[ 15.842516] type=1400 audit(1314384836.679:3): avc: denied { relabelto } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 15.847266] type=1400 audit(1314384836.684:4): avc: denied { associate } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 15.849860] type=1400 audit(1314384836.687:5): avc: denied { write } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.752414] type=1400 audit(1314384837.591:6): avc: denied { relabelto } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.757783] type=1400 audit(1314384837.597:7): avc: denied { associate } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 16.760762] type=1400 audit(1314384837.600:8): avc: denied { write } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.768291] type=1400 audit(1314384837.607:9): avc: denied { create } for pid=603 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 23.345013] type=1400 audit(1314384844.199:10): avc: denied { read } for pid=825 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 23.350214] type=1400 audit(1314384844.204:11): avc: denied { getattr } for pid=825 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.441708] type=1400 audit(1314384845.298:12): avc: denied { read } for pid=885 comm="lvm" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.443988] type=1400 audit(1314384845.301:13): avc: denied { getattr } for pid=885 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 27.258082] dbus[998]: avc: netlink poll: error 4

and I get

[root@imac ~]# restorecon -R -v /dev
restorecon reset /dev/dvdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/dvd context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrom context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/root context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/scd0 context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/rtc context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

selinux-policy-targeted-3.10.0-21.fc16.noarch
dracut-013-4.fc16.noarch

Is this a livecd still?

Comment 9 is on a real /dev/sda f16 + updates-testing system (I obviously don't get the "live" errors here, but most of the avcs are the same.)

This looks like bogus labelling and is either caused by dracut or systemd.

In F16 dracut does not do any selinux anymore. Systemd took full control over it.

*** Bug 733512 has been marked as a duplicate of this bug. ***

The same issues are seen with:
systemd-35-1.fc16.i686
dracut-013-8.fc16.noarch
selinux-policy-targeted-3.10.0-25.fc16.noarch
kernel-PAE-3.1.0-0.rc4.git0.1.fc16.i686
on a livecd built with livecd-tools-16.5-1.fc16.

This one does however also show up on a "real" machine:
type=1400 audit(1315568190.150:3): avc: denied { associate } for pid=505 comm="udevd" name="rtc" dev=devtmpfs ino=179 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

Same for me:

[ 56.745901] SELinux: initialized (dev sdh1, type xfs), uses xattr
[ 56.851290] systemd-tmpfiles[959]: Successfully loaded SELinux database in 24ms 299us, size on heap is 469K.
[ 56.878309] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.910704] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.915637] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.919232] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.922765] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.926310] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.929707] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.933037] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.936311] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.939428] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.942619] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.945781] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.961252] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.966561] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.969696] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.972737] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.975672] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.978586] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.981489] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.984506] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.987397] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.990160] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.992969] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

If you run

restorecon -R -v -n /run

Does it show anything?

On a live system:

# restorecon -R -v -n /run
restorecon reset /run/abrt context system_u:object_r:var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/abrt/saved_core_pattern context system_u:object_r:initrc_var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/user/liveuser/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /run/user/liveuser/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
# dmesg|grep audit.*rtc
[ 12.120169] type=1400 audit(1315852826.192:3): avc: denied { associate } for pid=530 comm="udevd" name="rtc" dev=devtmpfs ino=9487 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
# rpm -q dracut systemd selinux-policy-targeted
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64
selinux-policy-targeted-3.10.0-25.fc16.noarch

FWIW I see many issues that indicate problems with the dracut/systemd interfacing and stuff from before the root pivoting causing strange errors later.

On an installed system with the same package versions and enforcing=0 there are (almost) the same avcs and bad fs labels as mentioned in comment 9, but nothing wrong in /run.

The dconf file labels should be fixed in the next policy update. Where is rtc located?

(In reply to comment #17)
> If you run
>
> restorecon -R -v -n /run
>
> Does it show anything?

[root@nostromo ~]# restorecon -R -v -n /run
[root@nostromo ~]#

Unfortunately, nothing was changed. I still see all these messages after reboot (they're gone only if I switch to the permissive mode).

(In reply to comment #20)
> The dconf file labels should be fixed in the next policy update. Where is rtc
> located?

I assume it is /dev/rtc - which comment 9 points out has the wrong label.

(In reply to comment #21)
> (they're gone only if I switch to the permissive mode).

Really? I do see them in permissive mode - I don't think I am able to boot in enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

(In reply to comment #23)
> (In reply to comment #21)
> > (they're gone only if I switch to the permissive mode).
>
> Really? I do see them in permissive mode - I don't think I am able to boot in
> enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

Yes, I was wrong - they still exist in permissive mode as well.

I just updated to the latest selinux-policy-3.10.0-26.fc16.noarch and these issues are still here:

[root@nostromo ~]# dmesg | grep avc
[ 17.456585] type=1400 audit(1315857818.600:4): avc: denied { associate } for pid=445 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.520470] type=1400 audit(1315857818.664:5): avc: denied { associate } for pid=447 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 56.882987] type=1400 audit(1315857858.025:6): avc: denied { associate } for pid=714 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 57.121410] type=1400 audit(1315857858.266:7): avc: denied { associate } for pid=714 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[root@nostromo ~]#

Fixed in libselinux-2.1.5-4.fc16

libselinux-2.1.5-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16

Package libselinux-2.1.5-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16
then log in and leave karma (feedback).

Confirmed. This fixed issues with udevd. Unfortunately the issues with systemd-tmpfiles are still remaining unfixed.

I have filed Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied

Package libselinux-2.1.5-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.fc16
then log in and leave karma (feedback).

Discussed in the 2011-09-16 blocker review meeting. Accepted as NTH for Fedora 16 beta because it will eventually be a final blocker and a fix is ready.

libselinux-2.1.5-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 519674: dmesg

When booting live image with
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
udev-173-1.fc16.x86_64
I get:

[ 16.592255] type=1400 audit(1314206451.269:4): avc: denied { relabelto } for pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.592355] type=1400 audit(1314206451.270:5): avc: denied { associate } for pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.380126] type=1400 audit(1314206452.058:6): avc: denied { associate } for pid=463 comm="udevd" name="live" dev=devtmpfs ino=6778 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.382508] udevd[463]: setfilecon /dev/live failed: Permission denied
[ 18.537611] systemd-tmpfiles[748]: Successfully loaded SELinux database in 16ms 966us, size on heap is 464K.
[ 18.590550] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.602486] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.603547] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.610616] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.613431] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.615268] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.616286] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.617392] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.618274] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.619099] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.619919] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.620572] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.621293] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.622276] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.623425] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.631411] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.632045] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.632578] type=1400 audit(1314206453.311:7): avc: denied { write } for pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 18.632696] systemd-tmpfiles[748]: Failed to create directory /var/cache/man: Permission denied
[ 18.633078] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.634558] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.635318] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.636119] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.636634] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.642937] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.645264] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.647172] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.649596] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

I don't know if they are related ... or if the latter should be reported to systemd?
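
The denials quoted throughout this report can be triaged mechanically. The following is an added example, not part of the bug report or of any Fedora tool: it parses AVC records from dmesg text and lists the objects whose own label is default_t, including the `associate` case where the file's label is carried in scontext rather than tcontext. The sample lines are copied from the excerpts in this report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the dmesg excerpts quoted in this bug report.
SAMPLE = """\
[ 16.402026] type=1400 audit(1314274910.239:3): avc: denied { relabelto } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.406903] type=1400 audit(1314274910.244:4): avc: denied { associate } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 22.599293] type=1400 audit(1314274916.451:12): avc: denied { getattr } for pid=919 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[ 24.917362] type=1400 audit(1314274918.771:14): avc: denied { getattr } for pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def ctx_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def mislabeled_objects(text, fallback="default_t"):
    """Map object name/path -> {(comm, perm)} where the object's label is `fallback`."""
    found = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            # For { associate } on class filesystem the file's label is the
            # source context and the filesystem's label is the target.
            on_fs = rec["tclass"] == "filesystem" and perm == "associate"
            side = "scontext" if on_fs else "tcontext"
            if ctx_type(rec[side]) == fallback:
                obj = rec.get("path") or rec.get("name", "?")
                found[obj].add((rec["comm"], perm))
    return dict(found)


if __name__ == "__main__":
    for obj, hits in sorted(mislabeled_objects(SAMPLE).items()):
        print(obj, sorted(hits))
```

The modprobe denial is left out of the result because its target is a socket labelled init_t, which is a different problem from the default_t labels on /dev entries.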