Description of problem:
While doing "su -" after an upgrade of selinux-policy-targeted, I got the following messages in syslog:

type=AVC msg=audit(1136412775.423:520212): avc: denied { read } for pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520212): arch=40000003 syscall=5 success=yes exit=3 a0=29528c a1=0 a2=1b6 a3=8b2b230 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=CWD msg=audit(1136412775.423:520212): cwd="/home/robert"
type=PATH msg=audit(1136412775.423:520212): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1136412775.423:520213): avc: denied { getattr } for pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520213): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfcda354 a2=2a1ff4 a3=3 items=0 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.423:520213): path="/etc/mtab"
type=AVC msg=audit(1136412775.427:520214): avc: denied { getattr } for pid=9839 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1136412775.427:520214): arch=40000003 syscall=195 success=yes exit=0 a0=82417d a1=bfcdc74c a2=2a1ff4 a3=64 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.427:520214): path="/var/tmp"
type=CWD msg=audit(1136412775.427:520214): cwd="/home/robert"
type=PATH msg=audit(1136412775.427:520214): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.6-24
pam_abl-0.2.3

Actual results:
As far as I can see, it is a leftover of bug #172496 (comment #24 and #31).

Expected results:
Something like my
files_dontaudit_getattr_tmp_dir(sysadm_su_t)
files_dontaudit_read_etc_runtime_files(sysadm_su_t)
or even better, of course :)
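The report above boils down to the usual triage question for an AVC denial: is the target mislabeled (fix with restorecon), or is the label correct and the policy simply missing a rule (fix with an allow or dontaudit rule, as the reporter proposes)? The following is an added example, not part of the bug report or of selinux-policy, that does that triage the way audit2allow does it, over the three AVC records quoted above (copied into the script as a constructed sample, with the SYSCALL records trimmed). The EXPECTED_LABELS table is an assumption standing in for what matchpathcon would return on a real system; it contains only the two labels this thread itself confirms as correct.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC, AVC_PATH and PATH records from the report
# above (SYSCALL and CWD records dropped, they carry nothing we need here).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1136412775.423:520212): avc: denied { read } for pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=PATH msg=audit(1136412775.423:520212): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1136412775.423:520213): avc: denied { getattr } for pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC_PATH msg=audit(1136412775.423:520213): path="/etc/mtab"
type=AVC msg=audit(1136412775.427:520214): avc: denied { getattr } for pid=9839 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC_PATH msg=audit(1136412775.427:520214): path="/var/tmp"
"""

# Assumption: the label each path is supposed to carry per file_contexts.
# On a live system you would ask matchpathcon(1) instead of hardcoding this.
EXPECTED_LABELS = {
    '/etc/mtab': 'etc_runtime_t',
    '/var/tmp': 'tmp_t',
}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied'
    r' +\{ (?P<perms>[^}]+) \} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# AVC_PATH records carry path=, PATH records carry name=; both share the
# event serial with their AVC record, which is how we join them.
PATH_RE = re.compile(
    r'type=(?:AVC_PATH|PATH) msg=audit\([\d.]+:(?P<serial>\d+)\):'
    r'.*?(?:path|name)="(?P<path>[^"]+)"')


def type_of(context):
    """Extract the type field from user:role:type[:mls]."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return one dict per AVC record, joined with its path via the serial."""
    paths = {}
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths.setdefault(m.group('serial'), m.group('path'))
    events = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        events.append({
            'serial': m.group('serial'),
            'stype': type_of(m.group('scontext')),
            'ttype': type_of(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split()),
            'path': paths.get(m.group('serial')),
        })
    return events


def suggest(events, expected_labels, verb='dontaudit'):
    """Split denials into paths to relabel and TE rules to add.

    A denial whose target type differs from the label the path should carry
    is a labeling problem (fix: restorecon), not a policy gap, so it yields
    no rule. Everything else is aggregated into one rule per
    (source type, target type, class), like audit2allow does.
    """
    relabel = []
    needed = defaultdict(set)
    for ev in events:
        want = expected_labels.get(ev['path'])
        if want is not None and want != ev['ttype']:
            if ev['path'] not in relabel:
                relabel.append(ev['path'])
            continue
        needed[(ev['stype'], ev['ttype'], ev['tclass'])] |= ev['perms']
    rules = []
    for (s, t, c), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'{verb} {s} {t}:{c} {perm_str};')
    return rules, relabel


def analyze(text, expected_labels=EXPECTED_LABELS):
    """Convenience wrapper: (rules, paths_to_relabel) for an audit log text."""
    return suggest(parse_avcs(text), expected_labels)


if __name__ == '__main__':
    rules, relabel = analyze(SAMPLE_AUDIT)
    for p in relabel:
        print(f'restorecon -v {p}')
    for r in rules:
        print(r)
```

Run against the report's records this prints two raw rules, `dontaudit sysadm_su_t etc_runtime_t:file { getattr read };` and `dontaudit sysadm_su_t tmp_t:dir getattr;`, and no restorecon line, which is the reporter's position in the thread: the labels match file_contexts, so the fix belongs in policy (the refpolicy interfaces named in "Expected results" wrap exactly these two rules). Had /etc/mtab really carried tmp_t, the same script would skip it for rule generation and emit `restorecon -v /etc/mtab` instead. Whether the rule should be `dontaudit` (silence, still deny) or `allow` is a policy decision the script does not make; dontaudit is what the reporter asked for, and it is the right choice only when su genuinely does not need the access.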
This looks like a mislabeled mtab file.

restorecon /etc/mtab

/etc/mtab should not be labeled tmp_t.
Hey, those were three different avc denied messages above, and the labeling of my /etc/mtab already was and is correct, so restorecon didn't change anything:

-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab

Reopening...
Fixed in 2.1.7-2
Works...thank you!