Description of problem:
After upgrading from F18 to F20 I've gathered a few interesting denied entries in audit.log. I was running with SELinux disabled, then switched to permissive and relabeled (after reboot); the first lines (systemd-tmpfile) probably come from that. The other denials appeared during a few days of usage, and because of permissive mode I'm not sure what they would/could really break.

> type=AVC msg=audit(1382389290.662:9): avc: denied { setattr } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:10): avc: denied { relabelfrom } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:11): avc: denied { relabelto } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.950:17): avc: denied { getattr } for pid=614 comm="sulogin" path="/dev/initctl" dev="devtmpfs" ino=11280 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
> type=AVC msg=audit(1382389290.950:18): avc: denied { getattr } for pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> type=AVC msg=audit(1382392266.078:29): avc: denied { read } for pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392266.078:30): avc: denied { open } for pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392288.000:720): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382392292.537:726): avc: denied { read } for pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392292.537:727): avc: denied { open } for pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382468137.663:1724): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382477977.881:1881): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382491020.367:2134): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file

Version-Release number of selected component (if applicable):
libselinux.i686 2.1.13-19.fc20 @System
libselinux.x86_64 2.1.13-19.fc20 @System
libselinux-devel.x86_64 2.1.13-19.fc20 @System
libselinux-python.x86_64 2.1.13-19.fc20 @System
libselinux-ruby.x86_64 2.1.13-19.fc20 @System
libselinux-utils.x86_64 2.1.13-19.fc20 @System
selinux-policy.noarch 3.12.1-75.fc20 @System
selinux-policy-targeted.noarch 3.12.1-75.fc20 @System
systemd.x86_64 208-2.fc20 @System
ConsoleKit.x86_64 0.4.5-7.fc20 @System
util-linux.x86_64 2.24-0.1.fc20 @System

Sorry if it's an issue that I put it all in one general bug; I'm not sure how AVC denials should be reported properly.
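Added here as a worked example, not code from the report, from Fedora, or from the SELinux userland: a small Python triage script that does by hand the grouping `audit2allow` performs on this kind of log. It parses each AVC record, keeps only `denied` results, groups them by (source domain, target type, object class), merges the permission sets and counts, and prints the allow-rule shape each group would need. Under permissive mode that grouping is what answers the reporter's question of which domain/type pairs would actually be blocked once enforcing. The sample input is a subset of the AVC lines from the report above; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample input: a subset of the AVC lines pasted in the bug report above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1382389290.662:9): avc: denied { setattr } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.663:10): avc: denied { relabelfrom } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.663:11): avc: denied { relabelto } for pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.950:17): avc: denied { getattr } for pid=614 comm="sulogin" path="/dev/initctl" dev="devtmpfs" ino=11280 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
type=AVC msg=audit(1382392266.078:29): avc: denied { read } for pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1382392266.078:30): avc: denied { open } for pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1382392288.000:720): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1382468137.663:1724): avc: denied { read } for pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
"""

# Header of an AVC record: timestamp, serial, result, permission set, then the key=value tail.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs in the tail; values are either "quoted" (comm, name, path, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        **fields,
    }


def type_of(context):
    """Type field of a user:role:type[:range] security context, e.g. readahead_t."""
    return context.split(':')[2]


def summarise(text):
    """Group denials by (source type, target type, class), merging perms and counting hits."""
    summary = defaultdict(lambda: {'perms': set(), 'count': 0, 'comms': set(), 'first_ts': None})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        entry = summary[key]
        entry['perms'] |= rec['perms']
        entry['count'] += 1
        entry['comms'].add(rec.get('comm', '?'))
        if entry['first_ts'] is None or rec['ts'] < entry['first_ts']:
            entry['first_ts'] = rec['ts']
    return dict(summary)


def allow_rule(key, perms):
    """The allow rule that would cover one group, in the shape audit2allow prints."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, e in sorted(summarise(SAMPLE_AUDIT_LOG).items()):
        first = datetime.fromtimestamp(e['first_ts'], tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
        print(f"{e['count']:3d}x  first {first}  {allow_rule(key, e['perms'])}  # {', '.join(sorted(e['comms']))}")
```

The first-seen timestamp per group is what separates the one-off relabel-time denials (the three systemd-tmpfile records share one second) from the ones that recur during normal use (the console-kit-dae reads, days apart). The printed rule is only a summary of what the running policy lacks for that group; whether the right fix is a policy update, a relabel, or a local change is a per-group decision the grouping merely makes visible.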
Pavel, could you try to update to the latest policy?
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days