Description of problem:

$ dmesg | grep avc
audit(1124008599.700:2): avc: denied { read } for pid=458 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1124008601.713:3): avc: denied { use } for pid=902 comm="kmodule" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1124008612.409:4): avc: denied { read } for pid=1335 comm="ifconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1124008621.874:5): avc: denied { use } for pid=1364 comm="hwclock" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976222.716:6): avc: denied { read } for pid=1415 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976223.472:7): avc: denied { use } for pid=1422 comm="fsck" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976223.596:8): avc: denied { read } for pid=1428 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976223.712:9): avc: denied { read } for pid=1429 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976224.616:10): avc: denied { read } for pid=1468 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976224.820:11): avc: denied { read } for pid=1473 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976224.952:12): avc: denied { use } for pid=1475 comm="swapon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976225.896:13): avc: denied { read } for pid=1532 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976225.916:14): avc: denied { read } for pid=1534 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976225.944:15): avc: denied { read } for pid=1536 comm="iwconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.004:16): avc: denied { read } for pid=1538 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.036:17): avc: denied { read } for pid=1541 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.056:18): avc: denied { use } for pid=1542 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976226.056:19): avc: denied { read } for pid=1543 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.076:20): avc: denied { use } for pid=1545 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976226.084:21): avc: denied { read } for pid=1549 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.088:22): avc: denied { read } for pid=1551 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.176:23): avc: denied { read } for pid=1563 comm="ifconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.280:24): avc: denied { read } for pid=1601 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.288:25): avc: denied { read } for pid=1604 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.296:26): avc: denied { read } for pid=1607 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.300:27): avc: denied { read } for pid=1609 comm="iwconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.304:28): avc: denied { read } for pid=1611 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.324:29): avc: denied { read } for pid=1616 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.328:30): avc: denied { read } for pid=1618 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.348:31): avc: denied { read } for pid=1620 comm="mii-tool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.356:32): avc: denied { read } for pid=1626 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976226.380:33): avc: denied { read } for pid=1629 comm="dhclient" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.124:34): avc: denied { use } for pid=1678 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976228.236:35): avc: denied { read } for pid=1705 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.240:36): avc: denied { read } for pid=1707 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.268:37): avc: denied { read } for pid=1718 comm="ifconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.364:38): avc: denied { read } for pid=1753 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.368:39): avc: denied { read } for pid=1756 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.376:40): avc: denied { read } for pid=1759 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.380:41): avc: denied { read } for pid=1761 comm="iwconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.384:42): avc: denied { read } for pid=1763 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.396:43): avc: denied { read } for pid=1768 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976228.400:44): avc: denied { use } for pid=1769 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976232.428:45): avc: denied { read } for pid=1770 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976232.432:46): avc: denied { read } for pid=1772 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976232.436:47): avc: denied { use } for pid=1773 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976232.452:48): avc: denied { read } for pid=1778 comm="ethtool" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976232.456:49): avc: denied { read } for pid=1780 comm="ip" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976232.488:50): avc: denied { read } for pid=1791 comm="ifconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1123976232.636:51): avc: denied { use } for pid=1810 comm="syslogd" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976232.736:52): avc: denied { use } for pid=1812 comm="klogd" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:klogd_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976234.452:53): avc: denied { use } for pid=1856 comm="arping" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:netutils_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976235.296:54): avc: denied { use } for pid=1879 comm="portmap" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:portmap_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976236.144:55): avc: denied { use } for pid=1888 comm="auditd" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:auditd_t tcontext=system_u:system_r:kernel_t tclass=fd

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-1

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
kernel-2.6.12-1.1482_FC5
This indicates the kernel is leaking a file descriptor.
(In reply to comment #1)
> This indicates the kernel is leaking a file descriptor.

How does it indicate this? Please provide more details and logging information. You probably need to enable auditing to find the pathnames etc.
Also, when did this start happening? After a kernel upgrade, policy upgrade? If so, which versions?
(In reply to comment #2)

The audit messages show denials on:
- an open file descriptor labeled with the kernel's domain (kernel_t) that refers to a file named "hda7", and
- the "hda7" file referenced by that descriptor, labeled with the fixed_disk_device_t type and the blk_file (block device file) class.

This implies that a kernel thread (or subsequent usermode helper run by a kernel thread without performing a domain transition, although such helpers typically have their own domains, at least under strict) has opened a descriptor to that device and failed to close it, such that all descendants end up trying to inherit it and run into the SELinux denials (which would close the descriptor and replace it with a reference to the null device if in enforcing mode).
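
The reading of the denials given in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of any SELinux tool: it groups AVC denials by the object they name and flags objects for which several unrelated domains were denied `fd { use }` on a descriptor owned by another domain. The sample records are copied from the reports on this page; the function names and the `min_domains` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Records copied from this page: five about the "hda7" object from the first
# report, plus one unrelated console denial (later report) that must not match.
SAMPLE = """\
audit(1124008599.700:2): avc: denied { read } for pid=458 comm="restorecon" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1124008601.713:3): avc: denied { use } for pid=902 comm="kmodule" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1124008612.409:4): avc: denied { read } for pid=1335 comm="ifconfig" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1124008621.874:5): avc: denied { use } for pid=1364 comm="hwclock" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1123976223.472:7): avc: denied { use } for pid=1422 comm="fsck" name="hda7" dev=tmpfs ino=634 scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:kernel_t tclass=fd
Oct 13 18:30:33 localhost kernel: audit(1129227906.025:2): avc: denied { read write } for pid=998 comm="hwclock" name="console" dev=tmpfs ino=487 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
""".splitlines()

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def se_type(context):
    """user:role:type[:mls] -> type; works with and without the ':s0' suffix."""
    return context.split(":")[2]


def find_inherited_fds(lines, min_domains=2):
    """Flag objects whose descriptor was refused to >= min_domains source domains."""
    objects = defaultdict(lambda: {"owners": set(), "fd": set(), "file": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "ino" not in rec:
            continue  # some records (add_name, create) carry no inode
        obj = objects[(rec.get("name", "?"), rec.get("dev", "?"), rec["ino"])]
        source = se_type(rec["scontext"])
        if rec["tclass"] == "fd" and "use" in rec["perms"]:
            # tcontext of an fd denial is the domain that opened the descriptor
            obj["owners"].add(se_type(rec["tcontext"]))
            obj["fd"].add(source)
        else:
            obj["file"].add(source)
    findings = []
    for (name, dev, ino), obj in objects.items():
        if len(obj["fd"]) >= min_domains:
            findings.append({
                "name": name, "dev": dev, "ino": ino,
                "opened_by": sorted(obj["owners"]),
                "fd_use_denied": sorted(obj["fd"]),
                "file_access_denied": sorted(obj["file"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_inherited_fds(SAMPLE):
        print(finding)
```
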
Created attachment 118239
dmesg in kernel-2.6.13-1.1525_FC5

This problem still happens in kernel-2.6.13-1.1525_FC5. selinux-policy-targeted-1.25.4-11, audit-1.0.3-1
$fdisk /dev/hda

The number of cylinders for this disk is set to 9729.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1        1912    15358108+   7  HPFS/NTFS
/dev/hda2            1913        9728    62782020    f  W95 Ext'd (LBA)
/dev/hda5            1913        5099    25599546    c  W95 FAT32 (LBA)
/dev/hda6            5100        8286    25599546    c  W95 FAT32 (LBA)
/dev/hda7            8287        8384      787153+  82  Linux swap / Solaris
/dev/hda8            8385        9727    10787616   83  Linux

/dev/hda7 partition type is linux swap in my linux system.
I'm seeing something similar with s.p.t. 1.27.1-2.3. Whenever I enable SELinux (permissive), I get messages like the following:

Oct 13 18:30:33 localhost kernel: audit(1129227906.025:2): avc: denied { read write } for pid=998 comm="hwclock" name="console" dev=tmpfs ino=487 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Oct 13 18:30:33 localhost kernel: audit(1129227906.113:3): avc: denied { search } for pid=998 comm="hwclock" name="/" dev=tmpfs ino=486 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Oct 13 18:30:33 localhost kernel: audit(1129227906.113:4): avc: denied { ioctl } for pid=998 comm="hwclock" name="rtc" dev=tmpfs ino=1321 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.208:5): avc: denied { read write } for pid=1030 comm="fsck" name="console" dev=tmpfs ino=487 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.208:6): avc: denied { read } for pid=1030 comm="fsck" name="hda6" dev=tmpfs ino=1488 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.208:7): avc: denied { getattr } for pid=1030 comm="fsck" name="hda6" dev=tmpfs ino=1488 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.296:8): avc: denied { ioctl } for pid=1031 comm="fsck.ext3" name="console" dev=tmpfs ino=487 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.300:9): avc: denied { write } for pid=1031 comm="fsck.ext3" name="hda6" dev=tmpfs ino=1488 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Oct 13 18:30:34 localhost kernel: audit(1129224307.300:10): avc: denied { ioctl } for pid=1031 comm="fsck.ext3" name="hda6" dev=tmpfs ino=1488 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
Oct 13 18:30:34 localhost kernel: audit(1129224308.608:11): avc: denied { read write } for pid=1072 comm="setfiles" name="console" dev=tmpfs ino=487 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
Oct 13 18:30:35 localhost kernel: audit(1129224620.927:12): avc: denied { search } for pid=1551 comm="cardmgr" name="/" dev=tmpfs ino=486 scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Oct 13 18:30:35 localhost kernel: audit(1129224621.791:13): avc: denied { write } for pid=1653 comm="syslogd" name="/" dev=tmpfs ino=486 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Oct 13 18:30:35 localhost kernel: audit(1129224621.791:14): avc: denied { add_name } for pid=1653 comm="syslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Oct 13 18:30:35 localhost kernel: audit(1129224621.791:15): avc: denied { create } for pid=1653 comm="syslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
Oct 13 18:30:35 localhost kernel: audit(1129224621.791:16): avc: denied { setattr } for pid=1653 comm="syslogd" name="log" dev=tmpfs ino=5272 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
Oct 13 18:30:35 localhost kernel: audit(1129224621.839:17): avc: denied { search } for pid=1655 comm="klogd" name="/" dev=tmpfs ino=486 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Oct 13 18:30:35 localhost kernel: audit(1129224621.839:18): avc: denied { write } for pid=1655 comm="klogd" name="log" dev=tmpfs ino=5272 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
Oct 13 18:30:35 localhost kernel: audit(1129224622.135:19): avc: denied { search } for pid=1669 comm="auditd" name="/" dev=tmpfs ino=486 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:tmpfs_t tclass=dir

whenever I boot the system, and similar things upon shutdown. Oddly, I don't believe I ever get them when using the system. I've tried relabeling several times, rebuilding the policy from sources, and even rebuilt the initrd, to no avail. If I try to enable enforcing, the system becomes unbootable as fsck is denied the access necessary to do its business.

[This is with a kernel built from 2.6.13-1.1528_FC4 (with revision 19 of John Linville's patches), but I've seen it with official kernels as well.]
I see a lot of selinux related messages since I updated to rawhide from FC4. I am running selinux-policy-targeted-1.27.1-22. I see these messages during boot and shutdown. I did a touch /autorelabel and reboot to see if things got better but they remained the same. The first and third messages (hwclock and fsck) have me concerned the most. I am running kernel 2.6.13-1.1621_FC5. Here are the messages:

Oct 20 15:52:47 pcjason kernel: audit(1129823524.869:2): avc: denied { use } for pid=417 comm="hwclock" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:50 pcjason kernel: audit(1129841541.911:3): avc: denied { read } for pid=1164 comm="restorecon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841544.332:4): avc: denied { use } for pid=1204 comm="fsck" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841544.660:5): avc: denied { read } for pid=1214 comm="restorecon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841544.948:6): avc: denied { read } for pid=1215 comm="restorecon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841546.084:7): avc: denied { read } for pid=1257 comm="restorecon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841546.456:8): avc: denied { read } for pid=1262 comm="restorecon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841546.772:9): avc: denied { use } for pid=1263 comm="swapon" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841551.160:10): avc: denied { read } for pid=1439 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.228:11): avc: denied { read } for pid=1441 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.256:12): avc: denied { read } for pid=1443 comm="iwconfig" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.320:13): avc: denied { read } for pid=1445 comm="ethtool" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.360:14): avc: denied { read } for pid=1448 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.388:15): avc: denied { use } for pid=1449 comm="arping" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841551.392:16): avc: denied { read } for pid=1450 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.424:17): avc: denied { use } for pid=1452 comm="arping" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841551.436:18): avc: denied { read } for pid=1456 comm="ethtool" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.444:19): avc: denied { read } for pid=1458 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.584:20): avc: denied { read } for pid=1470 comm="ifconfig" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.816:21): avc: denied { read } for pid=1508 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.828:22): avc: denied { read } for pid=1511 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.844:23): avc: denied { read } for pid=1514 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.856:24): avc: denied { read } for pid=1516 comm="iwconfig" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.868:25): avc: denied { read } for pid=1518 comm="ethtool" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.884:26): avc: denied { read } for pid=1521 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841551.892:27): avc: denied { use } for pid=1522 comm="arping" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841553.480:28): avc: denied { use } for pid=1523 comm="arping" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:51 pcjason kernel: audit(1129841555.920:29): avc: denied { read } for pid=1524 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841555.932:30): avc: denied { read } for pid=1526 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:51 pcjason kernel: audit(1129841555.936:31): avc: denied { use } for pid=1527 comm="arping" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:52 pcjason kernel: audit(1129841555.960:32): avc: denied { read } for pid=1532 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:52 pcjason kernel: audit(1129841555.968:33): avc: denied { read } for pid=1533 comm="ethtool" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:52 pcjason kernel: audit(1129841555.976:34): avc: denied { read } for pid=1535 comm="ip" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:52 pcjason kernel: audit(1129841556.048:35): avc: denied { read } for pid=1546 comm="ifconfig" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 20 15:52:52 pcjason kernel: audit(1129841556.308:36): avc: denied { use } for pid=1563 comm="syslogd" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:52 pcjason kernel: audit(1129841556.444:37): avc: denied { use } for pid=1566 comm="klogd" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:52 pcjason kernel: audit(1129841556.748:38): avc: denied { use } for pid=1583 comm="portmap" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Oct 20 15:52:52 pcjason kernel: audit(1129841557.492:39): avc: denied { use } for pid=1592 comm="auditd" name="VolGroup00-LogVol01" dev=tmpfs ino=760 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Thanks,
Jason
I'd suggest re-assigning component to lvm, as I think that this is just a descriptor leak by it. From the various reports, it sounds like lvm is opening the swap device and never closing it (or marking it close-on-exec), so all descendants end up inheriting the descriptor and SELinux correctly stomps on it.
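
The inheritance mechanism and the close-on-exec remedy named in the comment above, as an added example that is not part of the original thread and is not lvm2 or nash code. It assumes Linux (`/proc/self/fd`) and uses `/dev/null` as a stand-in for the swap device; all function names are made up for the example.

```python
import fcntl
import os
import subprocess
import sys

# Child program: exit 0 if the descriptor number given in argv[1] is open.
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def open_like_c(path):
    """Open path the way a plain C open() does: without FD_CLOEXEC.

    Python sets close-on-exec on new descriptors by default, so the
    descriptor is duplicated with F_DUPFD, which leaves the flag clear.
    The duplicate is placed at 100 or above so it cannot collide with
    descriptors the child interpreter opens for itself.
    """
    low = os.open(path, os.O_RDONLY)
    fd = fcntl.fcntl(low, fcntl.F_DUPFD, 100)
    os.close(low)
    return fd


def set_cloexec(fd):
    """Mark fd close-on-exec, keeping any other descriptor flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def inheritable_fds():
    """Descriptors above stderr that an exec'd program would inherit."""
    found = []
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        try:
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # the descriptor listdir() used itself, already closed
        if fd > 2 and not flags & fcntl.FD_CLOEXEC:
            found.append(fd)
    return sorted(found)


def child_sees(fd):
    """Run a new program without closing descriptors; is fd open there?"""
    result = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                            close_fds=False)
    return result.returncode == 0


def demo(path=os.devnull):
    """Return (listed as inheritable, open in child) before and after the fix."""
    fd = open_like_c(path)
    try:
        before = (fd in inheritable_fds(), child_sees(fd))
        set_cloexec(fd)
        after = (fd in inheritable_fds(), child_sees(fd))
    finally:
        os.close(fd)
    return before, after


if __name__ == "__main__":
    print(demo())
```
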
lvm2 doesn't fork so how can it affect other processes like that? Could this be another nash initrd bug? Does the boot log show any lvm2 "File descriptor N left open" warning messages?
Does 'lsof' reveal anything? [e.g. 'lsof -p1' will show if the nash bug has reappeared]
Duplicate of bug 169427 perhaps? That's nash sometimes keeping a swap partition fd open before exec-ing init.
Here is the output from lsof -p1

COMMAND PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
init      1 root  cwd    DIR  253,0    4096       2 /
init      1 root  rtd    DIR  253,0    4096       2 /
init      1 root  txt    REG  253,0   27120 1933423 /sbin/init
init      1 root  mem    REG    0,0               0 [vdso] (stat: No such file or directory)
init      1 root  mem    REG  253,0    6804  360467 /lib/libsetrans.so.0
init      1 root  mem    REG  253,0   13892  360521 /lib/libdl-2.3.90.so
init      1 root  mem    REG  253,0  207304  360466 /lib/libsepol.so.1
init      1 root  mem    REG  253,0   80580  360474 /lib/libselinux.so.1
init      1 root  mem    REG  253,0 1458948  360497 /lib/libc-2.3.90.so
init      1 root  mem    REG  253,0  118280  360463 /lib/ld-2.3.90.so
init      1 root  10u   FIFO   0,15             911 /dev/initctl
init      1 root  42r    BLK  253,1             781 /mapper/VolGroup00-LogVol01
That's the same nash bug then.

*** This bug has been marked as a duplicate of 169427 ***