Bug 739301

Summary: SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the chr_file /dev/autofs.
Product: [Fedora] Fedora Reporter: Mads Kiilerich <mads>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:df837202987928496be98e8a4238ff7bd1272bc0dfc34beec41162dcdd3b29e1
Fixed In Version: selinux-policy-3.10.0-38.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-09 19:35:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mads Kiilerich 2011-09-17 11:45:51 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc6.git0.0.fc16.x86_64
reason:         SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the chr_file /dev/autofs.
time:           Sat Sep 17 13:45:18 2011

description:
:SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the chr_file /dev/autofs.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that passwd should be allowed getattr access on the autofs chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:autofs_device_t:s0
:Target Objects                /dev/autofs [ chr_file ]
:Source                        passwd
:Source Path                   /usr/bin/passwd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           passwd-0.78-3.fc15
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-28.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-0.rc6.git0.0.fc16.x86_64 #1 SMP
:                              Mon Sep 12 22:46:15 UTC 2011 x86_64 x86_64
:Alert Count                   7
:First Seen                    Sat 17 Sep 2011 01:43:22 PM CEST
:Last Seen                     Sat 17 Sep 2011 01:44:10 PM CEST
:Local ID                      03ab46fb-ecca-4c35-a51b-52b98ce5be41
:
:Raw Audit Messages
:type=AVC msg=audit(1316259850.563:742): avc:  denied  { getattr } for  pid=2214 comm="passwd" path="/dev/autofs" dev=devtmpfs ino=1121 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1316259850.563:742): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffdb767ce0 a1=7fffdb7635b0 a2=7fffdb7635b0 a3=0 items=0 ppid=2213 pid=2214 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: passwd,passwd_t,autofs_device_t,chr_file,getattr
:
:audit2allow
:
:#============= passwd_t ==============
:allow passwd_t autofs_device_t:chr_file getattr;
:
:audit2allow -R
:
:#============= passwd_t ==============
:allow passwd_t autofs_device_t:chr_file getattr;
:

Comment 1 Mads Kiilerich 2011-09-17 11:59:13 UTC
See also Bug 739302 - passwd will stat all files in /dev

This shows up as one of many avcs:

type=SYSCALL msg=audit(1316260343.422:3158): arch=c000003e syscall=4 success=no exit=-13 a0=7fff129292a0 a1=7fff12924b70 a2=7fff12924b70 a3=0 items=0 ppid=2398 pid=2399 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260343.422:3159): avc:  denied  { getattr } for  pid=2399 comm="passwd" path="/dev/mem" dev=devtmpfs ino=1027 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260343.422:3159): arch=c000003e syscall=4 success=no exit=-13 a0=7fff129292a0 a1=7fff12924b70 a2=7fff12924b70 a3=0 items=0 ppid=2398 pid=2399 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260343.422:3160): avc:  denied  { getattr } for  pid=2399 comm="passwd" path="/dev/vga_arbiter" dev=devtmpfs ino=1026 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260343.422:3160): arch=c000003e syscall=4 success=no exit=-13 a0=7fff129292a0 a1=7fff12924b70 a2=7fff12924b70 a3=0 items=0 ppid=2398 pid=2399 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=USER_CHAUTHTOK msg=audit(1316260343.423:3161): user pid=2399 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change password id=501 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1316260346.075:3162): avc:  denied  { getattr } for  pid=2230 comm="setroubleshootd" path="/dev/media0" dev=devtmpfs ino=12644 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260346.075:3162): arch=c000003e syscall=6 success=no exit=-13 a0=7f88921df2a0 a1=7f88921df1c0 a2=7f88921df1c0 a3=35fb33f770 items=0 ppid=1 pid=2230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260348.793:3163): avc:  denied  { getattr } for  pid=2230 comm="setroubleshootd" path="/dev/media0" dev=devtmpfs ino=12644 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260348.793:3163): arch=c000003e syscall=6 success=no exit=-13 a0=7f88921df2a0 a1=7f88921df1c0 a2=7f88921df1c0 a3=35fb33f770 items=0 ppid=1 pid=2230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)


















type=USER_AUTH msg=audit(1316260641.376:3164): user pid=2441 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mk" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1316260641.379:3165): user pid=2441 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mk" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1316260641.382:3166): user pid=2441 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/mk" cmd=70617373776420626F62 terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1316260641.383:3167): user pid=2447 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1316260641.385:3168): user pid=2447 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1316260641.392:3169): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/hidraw1" dev=devtmpfs ino=26523 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.392:3169): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.392:3170): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/hidraw0" dev=devtmpfs ino=26520 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.392:3170): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.392:3171): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/video0" dev=devtmpfs ino=12645 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.392:3171): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.392:3172): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/media0" dev=devtmpfs ino=12644 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.392:3172): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3173): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/rfkill" dev=devtmpfs ino=12642 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3173): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3174): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/watchdog" dev=devtmpfs ino=11687 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:watchdog_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3174): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3175): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.393:3175): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3176): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.393:3176): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3177): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.393:3177): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3178): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.393:3178): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3179): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=10881 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3179): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3180): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=10873 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3180): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3181): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/lp0" dev=devtmpfs ino=10751 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3181): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3182): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/lp1" dev=devtmpfs ino=10750 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3182): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3183): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/lp2" dev=devtmpfs ino=10749 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3183): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.393:3184): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/lp3" dev=devtmpfs ino=10748 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.393:3184): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3185): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/initctl" dev=devtmpfs ino=10559 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316260641.394:3185): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3186): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sda4" dev=devtmpfs ino=1169 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.394:3186): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3187): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.394:3187): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3188): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/rtc0" dev=devtmpfs ino=1155 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3188): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3189): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/fb0" dev=devtmpfs ino=7089 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3189): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3190): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/fb0" dev=devtmpfs ino=7089 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3190): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3191): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/fuse" dev=devtmpfs ino=9897 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3191): arch=c000003e syscall=4 success=no exit=-13 a0=8fea50 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3192): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/btrfs-control" dev=devtmpfs ino=9896 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3192): arch=c000003e syscall=4 success=no exit=-13 a0=905570 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3193): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/proc/kcore" dev=proc ino=4026532032 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
type=SYSCALL msg=audit(1316260641.394:3193): arch=c000003e syscall=4 success=no exit=-13 a0=905570 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3194): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sg1" dev=devtmpfs ino=1172 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316260641.394:3194): arch=c000003e syscall=4 success=no exit=-13 a0=905570 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.394:3195): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sr0" dev=devtmpfs ino=1171 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.394:3195): arch=c000003e syscall=4 success=no exit=-13 a0=905570 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316260641.395:3196): avc:  denied  { getattr } for  pid=2447 comm="passwd" path="/dev/sda4" dev=devtmpfs ino=1169 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1316260641.395:3196): arch=c000003e syscall=4 success=no exit=-13 a0=905570 a1=7fff1582d320 a2=7fff1582d320 a3=0 items=0 ppid=2441 pid=2447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Comment 2 Miroslav Grepl 2011-09-19 10:06:08 UTC
Did you run restorecon on /dev when this happened?

Comment 3 Mads Kiilerich 2011-09-19 12:27:27 UTC
No, I didn't run restorecon. The system has just been rebooted and relabeled:

[root@fladmast ~]# restorecon -rvn /dev
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

[root@fladmast ~]# rpm -q selinux-policy systemd dracut
selinux-policy-3.10.0-30.fc16.noarch
systemd-35-1.fc16.x86_64
dracut-013-8.fc16.noarch

[root@fladmast ~]# useradd aa

[root@fladmast ~]# passwd aa
Changing password for user aa.

Sep 19 08:21:23 fladmast kernel: [ 4038.534940] type=1400 audit(1316434883.228:4): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11284 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.534975] type=1400 audit(1316434883.228:5): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=11276 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535013] type=1400 audit(1316434883.228:6): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp2" dev=devtmpfs ino=10458 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535038] type=1400 audit(1316434883.228:7): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp0" dev=devtmpfs ino=10457 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535063] type=1400 audit(1316434883.228:8): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp3" dev=devtmpfs ino=10456 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535087] type=1400 audit(1316434883.228:9): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp1" dev=devtmpfs ino=10455 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535144] type=1400 audit(1316434883.228:10): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/initctl" dev=devtmpfs ino=10267 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535246] type=1400 audit(1316434883.229:11): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/dm-2" dev=devtmpfs ino=6966 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535289] type=1400 audit(1316434883.229:12): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/sdb1" dev=devtmpfs ino=1497 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535331] type=1400 audit(1316434883.229:13): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/sdb" dev=devtmpfs ino=7781 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

New password: 
Retype new password: 

Sep 19 08:21:36 fladmast kernel: [ 4051.879476] audit_printk_skb: 156 callbacks suppressed
Sep 19 08:21:36 fladmast kernel: [ 4051.879485] type=1400 audit(1316434896.579:66): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11284 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879587] type=1400 audit(1316434896.580:67): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=11276 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879678] type=1400 audit(1316434896.580:68): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp2" dev=devtmpfs ino=10458 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879769] type=1400 audit(1316434896.580:69): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp0" dev=devtmpfs ino=10457 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879858] type=1400 audit(1316434896.580:70): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp3" dev=devtmpfs ino=10456 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879948] type=1400 audit(1316434896.580:71): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/lp1" dev=devtmpfs ino=10455 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880042] type=1400 audit(1316434896.580:72): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/initctl" dev=devtmpfs ino=10267 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880233] type=1400 audit(1316434896.580:73): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/dm-2" dev=devtmpfs ino=6966 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880326] type=1400 audit(1316434896.580:74): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/sdb1" dev=devtmpfs ino=1497 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880445] type=1400 audit(1316434896.580:75): avc:  denied  { getattr } for  pid=1500 comm="passwd" path="/dev/sdb" dev=devtmpfs ino=7781 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

passwd: all authentication tokens updated successfully.

Comment 4 Miroslav Grepl 2011-09-19 12:54:52 UTC
Ok, I will add

dev_dontaudit_getattr_all(passwd_t)

Comment 5 Mads Kiilerich 2011-09-21 14:56:05 UTC
This might have shown up as a consequence of bug 739307. I don't know if the workaround is necessary when that has been solved.

Comment 6 Daniel Walsh 2011-09-21 15:00:32 UTC
No I actually think this is caused by a pam module

Comment 7 Daniel Walsh 2011-09-21 15:05:12 UTC
Fixed in selinux-policy-3.10.0-33.fc16

Comment 8 Mads Kiilerich 2011-09-21 15:17:08 UTC
(In reply to comment #6)
> No I actually think this is caused by a pam module

Bug 739302 agree that it is caused by a pam module (calling glibc ttyname), but also that it stats everything because the first stat fails.

Comment 9 Tomas Mraz 2011-09-21 15:19:47 UTC
What pam module caused what? I do not think so as there was no related change in a pam module.

Again, I have to repeat that the passwd_t must be able to getattr on user_devpts_t, otherwise ttyname() as called by passwd and pam modules will not work correctly.

Comment 10 Daniel Walsh 2011-09-21 15:31:51 UTC
RIght, but there was a labeling problem, so It was denied and then went nuts searching for a device it could write.

Comment 11 Tomas Mraz 2011-09-21 15:40:14 UTC
Is user_devpts_t correct labelling? If so, then passwd_t is still prevented from getattr it on my F16 install.

Comment 12 Daniel Walsh 2011-09-21 16:11:19 UTC
sesearch -A -s passwd_t -t user_devpts_t -C
Found 2 semantic av rules:
   allow passwd_t user_devpts_t : chr_file { ioctl read write getattr append } ;

THis is what I see.  What AVC are you seeing?  What policy do you have installed?

Comment 13 Tomas Mraz 2011-09-21 19:39:37 UTC
Hmm maybe the real reason is that the passwd_t is not allowed to search devpts_t dir?
sesearch -A -s passwd_t -t devpts_t -C
Found 1 semantic av rules:
   allow passwd_t devpts_t : chr_file { ioctl read write getattr append } ; 

No dir class above and the /dev/pts is directory with devpts_t type.

Comment 14 Daniel Walsh 2011-09-21 19:52:03 UTC
Ok I will allow this access.

Fixed in selinux-policy-3.10.0-33.fc16

Comment 15 Mads Kiilerich 2011-09-21 23:24:37 UTC
Just another observation - that might be implied by your discussion above:

There is no problem when running passwd as root logged in on tty2 - passwd can do what it wants to do without statting everything.

When logged in as an ordinary user in X and running "su -" in a console I see the reported behaviour with 28 AVCs.

That is using selinux-policy-3.10.0.32, which (except for /dev/pts/ptmx) works fine.

Comment 16 Daniel Walsh 2011-09-29 19:07:58 UTC
Mads have you tried this with the latest policy?

Comment 17 Mads Kiilerich 2011-09-29 20:16:29 UTC
I don't see this any more after upgrading to selinux-policy-3.10.0-35.fc16.noarch

When I upgraded I saw:

Sep 29 15:19:11 fladmast setroubleshoot: Deleting alert 058b5219-80ff-4a3f-a7fd-5428e131f648, it is dontaudit'd in current policy
Sep 29 15:19:11 fladmast setroubleshoot: Deleting alert d353df85-ec9f-4f8b-9120-bb738b0e297c, it is dontaudit'd in current policy
Sep 29 15:19:12 fladmast setroubleshoot: [server.ERROR] Unable to add audit event: node=fladmast type=AVC msg=audit(1317323878.830:1284): avc:  denied  { getattr } for  pid=7938 comm="passwd" path="/dev/vga_arbiter" dev=devtmpfs ino=1026 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file#012 #012**** Invalid AVC dontaudited in current policy.  'semodule -B' will turn on dontaudit rules. ***

The last one seems a bit strange - I don't know if it indicates a real problem.

Comment 18 Fedora Update System 2011-10-04 11:16:49 UTC
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16

Comment 19 Fedora Update System 2011-10-04 20:49:26 UTC
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2011-10-09 19:35:54 UTC
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.