Description of problem: Freshly installed FC5T3 x86_64 with Xen and Software Development installed.

audit(1140563214.611:2): avc: denied { getattr } for pid=1297 comm="fsck" name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:3): avc: denied { getattr } for pid=1297 comm="fsck" name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:4): avc: denied { getattr } for pid=1297 comm="fsck" name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:5): avc: denied { getattr } for pid=1297 comm="fsck" name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.611:6): avc: denied { getattr } for pid=1297 comm="fsck" name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.611:7): avc: denied { getattr } for pid=1297 comm="fsck" name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563214.635:8): avc: denied { getattr } for pid=1297 comm="fsck" name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:9): avc: denied { getattr } for pid=1297 comm="fsck" name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:10): avc: denied { getattr } for pid=1297 comm="fsck" name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:11): avc: denied { getattr } for pid=1297 comm="fsck" name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.635:12): avc: denied { getattr } for pid=1297 comm="fsck" name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.635:13): avc: denied { getattr } for pid=1297 comm="fsck" name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.111:14): avc: denied { getattr } for pid=1313 comm="mount" name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.111:15): avc: denied { getattr } for pid=1313 comm="mount" name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.111:16): avc: denied { getattr } for pid=1313 comm="mount" name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:17): avc: denied { getattr } for pid=1313 comm="mount" name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.115:18): avc: denied { getattr } for pid=1313 comm="mount" name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:19): avc: denied { getattr } for pid=1313 comm="mount" name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.115:20): avc: denied { getattr } for pid=1313 comm="mount" name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.115:21): avc: denied { getattr } for pid=1313 comm="mount" name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:22): avc: denied { getattr } for pid=1313 comm="mount" name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:23): avc: denied { getattr } for pid=1313 comm="mount" name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:24): avc: denied { getattr } for pid=1313 comm="mount" name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:25): avc: denied { getattr } for pid=1313 comm="mount" name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.115:26): avc: denied { getattr } for pid=1313 comm="mount" name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.115:27): avc: denied { getattr } for pid=1313 comm="mount" name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.115:28): avc: denied { getattr } for pid=1313 comm="mount" name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:29): avc: denied { getattr } for pid=1313 comm="mount" name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:30): avc: denied { getattr } for pid=1313 comm="mount" name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.119:31): avc: denied { getattr } for pid=1313 comm="mount" name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:32): avc: denied { getattr } for pid=1313 comm="mount" name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.119:33): avc: denied { getattr } for pid=1313 comm="mount" name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.119:34): avc: denied { getattr } for pid=1313 comm="mount" name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:35): avc: denied { getattr } for pid=1313 comm="mount" name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:36): avc: denied { getattr } for pid=1313 comm="mount" name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:37): avc: denied { getattr } for pid=1313 comm="mount" name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:38): avc: denied { getattr } for pid=1313 comm="mount" name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.119:39): avc: denied { getattr } for pid=1313 comm="mount" name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file

After updating to selinux-policy-targeted-2.2.17-2, I'm down to:

audit(1140624078.890:2): avc: denied { write } for pid=1318 comm="mount" name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140624079.666:3): avc: denied { write } for pid=1367 comm="swapon" name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:fsadm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
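A triage helper for AVC records in the format shown in this report, added here as an example and not part of the bug or of any Fedora tool: it parses the audit(...) lines, groups denials by source domain, target type, object class and permission, and lists the distinct object names per group, so that a single mislabeled file such as blkid.tab stands apart from a run of denials against a whole class of devices. The sample records are constructed by copying four lines from the report above.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records copied from this bug report,
# one per line, to feed the parser below.
SAMPLE_AUDIT = """\
audit(1140563214.611:2): avc: denied { getattr } for pid=1297 comm="fsck" name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:5): avc: denied { getattr } for pid=1297 comm="fsck" name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140624078.890:2): avc: denied { write } for pid=1318 comm="mount" name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140799744.694:4): avc: denied { dac_override } for pid=1419 comm="readahead" capability=1 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ('ts', 'serial', 'result')}
    rec['perms'] = m.group('perms').split()   # "{ read write }" -> two perms
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec

def type_of(context):
    # user:role:type:level -> type (system_u:object_r:etc_t:s0 -> etc_t)
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source domain, target type, class, permission) and
    collect the distinct object names per group. Many names under a generic
    type such as device_t usually means the policy lacks a rule; one known
    path under an unexpected type (blkid.tab as etc_t in this report) is
    typically a labeling problem, which restorecon corrects."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']),
                   rec['tclass'], perm)
            # capability denials carry a capability number instead of a name
            groups[key].add(rec.get('name', rec.get('capability', '?')))
    return {k: sorted(v) for k, v in groups.items()}
```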
Yes, this is a labeling problem. There should be a fix in mkinitrd and the initscripts to fix this problem. For now you can restorecon /etc/blkid.*
Getting somewhat different ones now with today's rawhide:

audit(1140799735.426:2): avc: denied { relabelfrom } for pid=1312 comm="mount" name="blkid.tab" dev=dm-0 ino=48370 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799743.586:3): avc: denied { relabelfrom } for pid=1387 comm="swapon" name="blkid.tab" dev=dm-0 ino=48367 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799744.694:4): avc: denied { dac_override } for pid=1419 comm="readahead" capability=1 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
audit(1140799744.694:5): avc: denied { dac_read_search } for pid=1419 comm="readahead" capability=2 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
Does the blkid.tab AVC message still occur? With the readahead AVC message, if it still occurs, then please boot the machine with audit=1 on the kernel command line so we can get more information on what's happening.
(In reply to comment #4)
> Does the blkid.tab AVC message still occur?
>
Not since Mar 9. Probably fixed by:
Mar 10 12:35:05 Updated: selinux-policy-targeted.noarch 2.2.23-15

> With the readahead AVC message, if it still occurs then please boot the
> machine with audit=1 on the kernel command line so we can get more information
> on what's happening.
Do not see readahead messages either with latest rawhide.