The current version of policy in fc3-updates-testing (1.17.30-3.14) seems to have quite a few issues with the 2.6.12 update for FC3. A number of daemons fail to start. Here's what I got in dmesg after a boot:

inode_doinit_with_dentry: context_to_sid(system_u:object_r:named_checkconf_exec_t) returned 22 for dev=dm-0 ino=102367
inode_doinit_with_dentry: context_to_sid(system_u:object_r:dnssec_t) returned 22 for dev=dm-0 ino=167169
audit(1120870460.773:2): avc: denied { read } for pid=2549 comm="named" name="rndc.key" dev=dm-0 ino=167169 scontext=user_u:system_r:named_t tcontext=system_u:object_r:unlabeled_t tclass=file
i2c /dev entries driver
inode_doinit_with_dentry: context_to_sid(system_u:object_r:sendmail_exec_t) returned 22 for dev=dm-0 ino=106040
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181526
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181527
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181041
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181035
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181042
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181536
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181034
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181538
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181036
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181528
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181037
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181529
inode_doinit_with_dentry: context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181038
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181532
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181044
inode_doinit_with_dentry: context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181537

As an experiment, I upgraded the policy to 1.25.1-7 from FC4. Things went a lot smoother. Daemons started up as normal, though there were still a number of avc warnings in dmesg.

audit(1120856907.787:2): avc: denied { use } for pid=770 comm="minilogd" name="init" dev=rootfs ino=7 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871345.334:3): avc: denied { use } for pid=2536 comm="named-checkconf" name="init" dev=rootfs ino=7 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.977:4): avc: denied { use } for pid=2777 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.988:5): avc: denied { use } for pid=2778 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.999:6): avc: denied { use } for pid=2779 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871353.299:7): avc: denied { use } for pid=2780 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871353.887:8): avc: denied { use } for pid=2767 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871354.189:9): avc: denied { use } for pid=2781 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd

selinux-policy-targeted-1.17.30-3.16 is the released version of policy for fc3. Looks like your kernel is leaking a fd also.
Whoops. 3.16 seems to work just fine in my testing so far. Thanks.