Bug 733086

Summary: avcs on boot - rtc and /dev/live and systemd-tmpfiles
Product: Fedora
Reporter: Mads Kiilerich <mads>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: awilliam, dwalsh, fedora, harald, igor.redhat, johannbg, jonathan, kay, lemenkov, lpoetter, metherid, mgrepl, mschmidt, notting, oliver.henshaw, plautrba, satellitgo, tflink, vedran
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedNTH
Fixed In Version: libselinux-2.1.5-5.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-23 00:01:53 EDT
Bug Blocks: 713565, 713568
Attachments:
  dmesg (attachment 519674, flags: none)
  dmesg (attachment 519832, flags: none)

Description Mads Kiilerich 2011-08-24 13:29:38 EDT
Created attachment 519674 [details]
dmesg

When booting live image with
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
udev-173-1.fc16.x86_64

I get:

[   16.592255] type=1400 audit(1314206451.269:4): avc:  denied  { relabelto } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.592355] type=1400 audit(1314206451.270:5): avc:  denied  { associate } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

[   17.380126] type=1400 audit(1314206452.058:6): avc:  denied  { associate } for  pid=463 comm="udevd" name="live" dev=devtmpfs ino=6778 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   17.382508] udevd[463]: setfilecon /dev/live failed: Permission denied

[   18.537611] systemd-tmpfiles[748]: Successfully loaded SELinux database in 16ms 966us, size on heap is 464K.
[   18.590550] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.602486] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.603547] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.610616] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.613431] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.615268] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.616286] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.617392] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.618274] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.619099] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.619919] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.620572] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.621293] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.622276] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.623425] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.631411] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.632045] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.632578] type=1400 audit(1314206453.311:7): avc:  denied  { write } for  pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[   18.632696] systemd-tmpfiles[748]: Failed to create directory /var/cache/man: Permission denied
[   18.633078] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.634558] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.635318] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.636119] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.636634] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.642937] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.645264] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.647172] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.649596] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

I don't know if they are related ... or if the latter should be reported to systemd?
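One way to triage a dmesg excerpt like the one above is to parse the AVC records and group them, so that process denials (a domain such as udev_t acting on a file) stand apart from filesystem "associate" denials (where the scontext is itself a file label, not a process) and so that objects carrying the fallback label default_t are listed for a follow-up matchpathcon / restorecon check. The script below is an added example, not part of the bug report or of any Fedora tool; the first three sample lines are copied from the dmesg excerpt above, the fourth is a non-AVC line from the same excerpt, and the helper names (parse_avc, summarize, suspect_labels) are my own.

```python
"""Parse SELinux AVC denials out of dmesg-style lines and summarise them.

Added example, not part of the bug report. The sample lines are copied from
the report's dmesg excerpt; the helper names are constructed for this example.
"""
import re
from collections import Counter

# Kernel audit output: "[ts] type=1400 audit(...): avc:  denied  { perms } for key=value ..."
# Everything after "for" is space-separated key=value pairs; some values are quoted.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SAMPLE_LINES = [
    '[   16.592255] type=1400 audit(1314206451.269:4): avc:  denied  { relabelto } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file',
    '[   16.592355] type=1400 audit(1314206451.270:5): avc:  denied  { associate } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem',
    '[   18.632578] type=1400 audit(1314206453.311:7): avc:  denied  { write } for  pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    '[   18.632696] systemd-tmpfiles[748]: Failed to create directory /var/cache/man: Permission denied',  # not an AVC record
]


def context_parts(ctx):
    """Split user:role:type[:range] into components (the MLS range may itself contain ':')."""
    user, role, type_, *rest = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_, 'range': ':'.join(rest)}


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, _whole, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if quoted else bare
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    src = context_parts(fields['scontext'])
    tgt = context_parts(fields['tcontext'])
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name') or fields.get('path', '?'),
        'tclass': fields.get('tclass', '?'),
        'stype': src['type'],
        'ttype': tgt['type'],
        # object_r in the *source* context means the "subject" is a file label
        # (as in a filesystem associate check), not a running process.
        'object_source': src['role'] == 'object_r',
    }


def summarize(lines):
    """Count denials by (comm, permissions, source type, target type, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec['comm'], ' '.join(rec['perms']), rec['stype'], rec['ttype'], rec['tclass'])
            counts[key] += 1
    return counts


def suspect_labels(lines, fallback_types=('default_t',)):
    """Names of objects labelled with a fallback type such as default_t.

    default_t is what a path gets when no file_contexts entry matches it, so an
    object carrying it is a candidate for a matchpathcon -V / restorecon -n check.
    The object may appear as the target of a process denial or, for an
    'associate' denial, as the source context itself.
    """
    hits = set()
    for line in lines:
        rec = parse_avc(line)
        if not rec:
            continue
        if rec['ttype'] in fallback_types and not rec['object_source']:
            hits.add(rec['name'])
        if rec['stype'] in fallback_types and rec['object_source']:
            hits.add(rec['name'])
    return sorted(hits)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        comm, perms, stype, ttype, tclass = key
        print(f'{n:3d}  {comm:16s} {perms:12s} {stype} -> {ttype} ({tclass})')
    print('objects with fallback label:', suspect_labels(SAMPLE_LINES))
```

Feed it `dmesg | grep avc` output and the summary collapses hundreds of repeated records into a handful of (process, permission, source type, target type, class) rows; the default_t list is what to hand to matchpathcon -V or restorecon -n -v next.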
Comment 1 Miroslav Grepl 2011-08-25 05:38:57 EDT
Did you build own live image?
Comment 2 Mads Kiilerich 2011-08-25 05:57:47 EDT
Yes I did. I don't think official images have been made from -testing with dracut-013-4 yet - but I'm not up-to-date on that.

I'm using livecd-tools-16.3-1.fc16.x86_64 . AFAIK the conclusion on bug 728576 was that it should be OK as long as there is no /selinux on the build host. I would however expect the version with dwalsh's fixes to get in now after the alpha has been released.

I can try with the rawhide livecd-tools - if you think that makes any difference?
Comment 3 Mads Kiilerich 2011-08-25 08:29:25 EDT
Created attachment 519832 [details]
dmesg

I get the same (and other) avcs on a real installed non-live system:

[   16.402026] type=1400 audit(1314274910.239:3): avc:  denied  { relabelto } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.406903] type=1400 audit(1314274910.244:4): avc:  denied  { associate } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   16.419579] type=1400 audit(1314274910.257:5): avc:  denied  { write } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

[   20.478361] type=1400 audit(1314274914.325:6): avc:  denied  { relabelto } for  pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   20.482800] type=1400 audit(1314274914.329:7): avc:  denied  { write } for  pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   20.489577] type=1400 audit(1314274914.336:8): avc:  denied  { create } for  pid=579 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

[   22.518889] type=1400 audit(1314274916.370:9): avc:  denied  { read } for  pid=918 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.522458] type=1400 audit(1314274916.374:10): avc:  denied  { getattr } for  pid=918 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.596964] type=1400 audit(1314274916.448:11): avc:  denied  { read } for  pid=919 comm="lvm" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.599293] type=1400 audit(1314274916.451:12): avc:  denied  { getattr } for  pid=919 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.671811] type=1400 audit(1314274916.523:13): avc:  denied  { associate } for  pid=638 comm="udevd" name="root" dev=devtmpfs ino=10462 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

[   24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[   24.917362] type=1400 audit(1314274918.771:14): avc:  denied  { getattr } for  pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
[   24.917624] multipathd[988]: A sample multipath.conf file is located at

I guess the new dracut requires new policies ... or is buggy ...

selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
Comment 4 Miroslav Grepl 2011-08-25 08:37:45 EDT
What does

# matchpathcon /dev/rtc

on your F16 real installed non-live system?
Comment 5 Mads Kiilerich 2011-08-25 08:40:46 EDT
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc	system_u:object_r:default_t:s0
[root@imac ~]# restorecon /dev/rtc
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc	system_u:object_r:default_t:s0
[root@imac ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.10.0-18.fc16.noarch
[root@imac ~]#
Comment 6 Mads Kiilerich 2011-08-25 08:58:22 EDT
I guess it doesn't make sense to repeat matchpathcon without -V, but both before and after and everywhere and with selinux-policy-targeted-3.10.0-21.fc16 it is:
lrwxrwxrwx. root root system_u:object_r:default_t:s0   /dev/rtc -> rtc0
crw-------. root root system_u:object_r:clock_device_t:s0 /dev/rtc0
Comment 7 Daniel Walsh 2011-08-25 15:06:46 EDT
So this is fixed with -21 correct?
Comment 8 Mads Kiilerich 2011-08-25 19:02:16 EDT
No, it is not my experience that -21 fixes it, but I also didn't look for that. Should -21 fix it? Then I will try again and focus on that.

One piece of the puzzle I might be missing: Is the policy more or less included in the dracut initrd so that I have to rebuild it after updating the policy? Or do the dracut scripts run without SE constraints until the policy is loaded from /etc?
Comment 9 Mads Kiilerich 2011-08-26 15:12:15 EDT
After installation of -21 and relabel and dracut -f I still get:

[   15.842516] type=1400 audit(1314384836.679:3): avc:  denied  { relabelto } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   15.847266] type=1400 audit(1314384836.684:4): avc:  denied  { associate } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   15.849860] type=1400 audit(1314384836.687:5): avc:  denied  { write } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.752414] type=1400 audit(1314384837.591:6): avc:  denied  { relabelto } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.757783] type=1400 audit(1314384837.597:7): avc:  denied  { associate } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   16.760762] type=1400 audit(1314384837.600:8): avc:  denied  { write } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.768291] type=1400 audit(1314384837.607:9): avc:  denied  { create } for  pid=603 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   23.345013] type=1400 audit(1314384844.199:10): avc:  denied  { read } for  pid=825 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   23.350214] type=1400 audit(1314384844.204:11): avc:  denied  { getattr } for  pid=825 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   24.441708] type=1400 audit(1314384845.298:12): avc:  denied  { read } for  pid=885 comm="lvm" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   24.443988] type=1400 audit(1314384845.301:13): avc:  denied  { getattr } for  pid=885 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   27.258082] dbus[998]: avc:  netlink poll: error 4

and I get 
[root@imac ~]# restorecon -R -v /dev
restorecon reset /dev/dvdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/dvd context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrom context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/root context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/scd0 context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/rtc context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

selinux-policy-targeted-3.10.0-21.fc16.noarch
dracut-013-4.fc16.noarch
Comment 10 Daniel Walsh 2011-08-26 16:43:36 EDT
Is this a livecd still?
Comment 11 Mads Kiilerich 2011-08-26 16:47:44 EDT
Comment 9 is on a real /dev/sda f16 + updates-testing system

(I obviously don't get the "live" errors here, but most of the avcs are the same.)
Comment 12 Daniel Walsh 2011-08-26 17:55:23 EDT
This looks like a bogus labelling and is either caused by dracut or systemd.
Comment 13 Harald Hoyer 2011-08-29 04:20:50 EDT
In F16 dracut does not do any selinux anymore. Systemd took full control over it.
Comment 14 Daniel Walsh 2011-08-29 12:17:23 EDT
*** Bug 733512 has been marked as a duplicate of this bug. ***
Comment 15 Mads Kiilerich 2011-09-09 11:31:10 EDT
The same issues are seen with:
systemd-35-1.fc16.i686
dracut-013-8.fc16.noarch
selinux-policy-targeted-3.10.0-25.fc16.noarch
kernel-PAE-3.1.0-0.rc4.git0.1.fc16.i686
on a livecd built with livecd-tools-16.5-1.fc16.

This one does, however, also show up on a "real" machine:
type=1400 audit(1315568190.150:3): avc:  denied  { associate } for  pid=505 comm="udevd" name="rtc" dev=devtmpfs ino=179 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
Comment 16 Peter Lemenkov 2011-09-11 07:51:22 EDT
Same for me:

[   56.745901] SELinux: initialized (dev sdh1, type xfs), uses xattr
[   56.851290] systemd-tmpfiles[959]: Successfully loaded SELinux database in 24ms 299us, size on heap is 469K.
[   56.878309] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.910704] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.915637] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.919232] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.922765] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.926310] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.929707] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.933037] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.936311] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.939428] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.942619] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.945781] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.961252] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.966561] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.969696] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.972737] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.975672] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.978586] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.981489] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.984506] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.987397] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.990160] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.992969] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
Comment 17 Daniel Walsh 2011-09-12 15:23:22 EDT
If you run 

restorecon -R -v -n /run

Does it show anything?
Comment 18 Mads Kiilerich 2011-09-12 15:31:33 EDT
On a live system:

# restorecon -R -v -n /run
restorecon reset /run/abrt context system_u:object_r:var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/abrt/saved_core_pattern context system_u:object_r:initrc_var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/user/liveuser/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /run/user/liveuser/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0

# dmesg|grep audit.*rtc
[   12.120169] type=1400 audit(1315852826.192:3): avc:  denied  { associate } for  pid=530 comm="udevd" name="rtc" dev=devtmpfs ino=9487 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

# rpm -q dracut systemd selinux-policy-targeted
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64
selinux-policy-targeted-3.10.0-25.fc16.noarch


FWIW I see many issues that indicate problems with the dracut/systemd interfacing, and stuff from before the root pivoting causing strange errors later.
Comment 19 Mads Kiilerich 2011-09-12 15:42:39 EDT
On an installed system with the same package versions and enforcing=0 there are (almost) the same avcs and bad fs labels as mentioned in comment 9, but nothing wrong in /run.
Comment 20 Daniel Walsh 2011-09-12 15:45:40 EDT
The dconf file labels should be fixed in the next policy update.  Where is rtc located?
Comment 21 Peter Lemenkov 2011-09-12 15:45:59 EDT
(In reply to comment #17)
> If you run 
> 
> restorecon -R -v -n /run
> 
> Does it show anything?

[root@nostromo ~]# restorecon -R -v -n /run
[root@nostromo ~]# 

Unfortunately, nothing was changed. I still see all these messages after reboot (they're gone only if I switch to the permissive mode).
Comment 22 Mads Kiilerich 2011-09-12 15:52:53 EDT
(In reply to comment #20)
> The dconf file labels should be fixed in the next policy update.  Where is rtc
> located?

I assume it is /dev/rtc - which comment 9 points out has the wrong label.
Comment 23 Mads Kiilerich 2011-09-12 15:55:38 EDT
(In reply to comment #21)
> (they're gone only if I switch to the permissive mode).

Really? I do see them in permissive mode - I don't think I am able to boot in enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?
Comment 24 Peter Lemenkov 2011-09-12 16:06:39 EDT
(In reply to comment #23)
> (In reply to comment #21)
> > (they're gone only if I switch to the permissive mode).
> 
> Really? I do see them in permissive mode - I don't think I am able to boot in
> enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

Yes, I was wrong - they still exist in permissive mode as well.

I just updated to the latest selinux-policy-3.10.0-26.fc16.noarch and these issues are still here:

[root@nostromo ~]# dmesg | grep avc
[   17.456585] type=1400 audit(1315857818.600:4): avc:  denied  { associate } for  pid=445 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   17.520470] type=1400 audit(1315857818.664:5): avc:  denied  { associate } for  pid=447 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   56.882987] type=1400 audit(1315857858.025:6): avc:  denied  { associate } for  pid=714 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   57.121410] type=1400 audit(1315857858.266:7): avc:  denied  { associate } for  pid=714 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[root@nostromo ~]#
Comment 25 Daniel Walsh 2011-09-12 16:50:00 EDT
Fixed in libselinux-2.1.5-4.fc16
Comment 26 Fedora Update System 2011-09-12 16:51:52 EDT
libselinux-2.1.5-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16
Comment 27 Fedora Update System 2011-09-12 20:09:28 EDT
Package libselinux-2.1.5-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16
then log in and leave karma (feedback).
Comment 28 Peter Lemenkov 2011-09-13 01:26:47 EDT
Confirmed. This fixed the issues with udevd. Unfortunately the issues with systemd-tmpfiles still remain unfixed.
Comment 29 Mads Kiilerich 2011-09-13 04:46:41 EDT
I have filed 
Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied
Comment 30 Fedora Update System 2011-09-15 17:20:39 EDT
Package libselinux-2.1.5-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.fc16
then log in and leave karma (feedback).
Comment 31 Tim Flink 2011-09-16 22:39:23 EDT
Discussed in the 2011-09-16 blocker review meeting. Accepted as NTH for Fedora 16 beta because it will eventually be a final blocker and a fix is ready.
Comment 32 Fedora Update System 2011-09-23 00:01:42 EDT
libselinux-2.1.5-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.