From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051202 Fedora/1.5-1 Firefox/1.5

Description of problem:
unlabeled_t object within unlabeled_t directory not accessible by restorecon.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.6-3

How reproducible:
Always

Steps to Reproduce:
root@flood serefpolicy-2.1.6]# semodule --list
swish 2.4.2
[root@flood serefpolicy-2.1.6]# semodule -i ./bnetd.pp -s targeted
[root@flood serefpolicy-2.1.6]# echo $?
0
[root@flood serefpolicy-2.1.6]# restorecon -R /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# ls -aldZ /var/lib/pvpgn
drwxr-xr-x pvpgn pvpgn system_u:object_r:bnetd_var_lib_t /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# semodule -r bnetd
libsepol.sepol_genbools_array: boolean bnetd_disable_trans no longer in policy
[root@flood serefpolicy-2.1.6]# ls -aldZ /var/lib/pvpgn
drwxr-xr-x pvpgn pvpgn system_u:object_r:unlabeled_t /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# restorecon -R /var/lib/pvpgn
restorecon: unable to read directory /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# restorecon /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# exit

Actual Results:
restorecon failed.

Expected Results:
restorecon should have succeeded.
Additional info:

BEGIN audit.log
type=AVC msg=audit(1134778414.325:351): avc: granted { load_policy } for pid=8282 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1134778414.325:351): arch=40000003 syscall=4 success=yes exit=659839 a0=6 a1=b7f28000 a2=a117f a3=bfde1488 items=0 pid=8282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1134778456.680:352): avc: granted { load_policy } for pid=8315 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1134778456.680:352): arch=40000003 syscall=4 success=yes exit=654842 a0=6 a1=b7e72000 a2=9fdfa a3=bfc28f88 items=0 pid=8315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1134778481.705:353): avc: denied { read } for pid=8346 comm="restorecon" name="pvpgn" dev=dm-0 ino=1042470 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1134778481.705:353): arch=40000003 syscall=5 success=no exit=-13 a0=82dd9e8 a1=18800 a2=0 a3=82dd9e8 items=1 pid=8346 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecon" exe="/sbin/restorecon"
type=CWD msg=audit(1134778481.705:353): cwd="/home/bkyoung/proj/policy/BUILD/serefpolicy-2.1.6"
type=PATH msg=audit(1134778481.705:353): item=0 name="/var/lib/pvpgn" flags=103 inode=1042470 dev=fd:00 mode=040755 ouid=502 ogid=502 rdev=00:00
END audit.log
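
Added example, not part of the original report or of the SELinux tooling: a small Python triage script that groups audit records by event serial and reports denials whose target type is unlabeled_t, joining the AVC record with the SYSCALL and PATH records of the same event. The function names are hypothetical, and the sample input is constructed by abridging records from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the audit.log in the report.
SAMPLE = '''\
type=AVC msg=audit(1134778481.705:353): avc: denied { read } for pid=8346 comm="restorecon" name="pvpgn" dev=dm-0 ino=1042470 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1134778481.705:353): arch=40000003 syscall=5 success=no exit=-13 pid=8346 comm="restorecon" exe="/sbin/restorecon"
type=PATH msg=audit(1134778481.705:353): item=0 name="/var/lib/pvpgn" inode=1042470 dev=fd:00 mode=040755
type=AVC msg=audit(1134778456.680:352): avc: granted { load_policy } for pid=8315 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: [fields]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # tolerate blank or truncated lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            a = AVC.search(body)
            if a:
                fields['result'], fields['perms'] = a.group(1), a.group(2).split()
        events[int(serial)][rtype].append(fields)
    return events

def unlabeled_denials(text, label_type='unlabeled_t'):
    """Return denials whose target context type is label_type, with path and exe."""
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        for avc in recs.get('AVC', []):
            tctx = avc.get('tcontext', '').split(':')
            sctx = avc.get('scontext', '').split(':')
            if avc.get('result') != 'denied' or len(tctx) < 3 or tctx[2] != label_type:
                continue
            path = next((p['name'] for p in recs.get('PATH', []) if 'name' in p), None)
            exe = next((s['exe'] for s in recs.get('SYSCALL', []) if 'exe' in s), None)
            hits.append({'serial': serial, 'perms': avc['perms'], 'tclass': avc.get('tclass'),
                         'source_type': sctx[2] if len(sctx) > 2 else None,
                         'path': path, 'exe': exe})
    return hits

if __name__ == '__main__':
    for hit in unlabeled_denials(SAMPLE):
        print(hit)
```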
Fixed in selinux-policy-2.1.6-21
Closing, as these have been marked as modified for a while. Feel free to reopen if not fixed.