When I run with SELinux enabled, I cannot run more X servers than one xfs server can support (10 by default). When I reach this limit, and xfs is supposed to spawn another server, I see this in the log:

May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.512:758): avc: denied { search } for pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=65281 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.516:759): avc: denied { search } for pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=1436162 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:760): avc: denied { search } for pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1207681 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:761): avc: denied { search } for pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1436170 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir

I guess it's searching its path for the xfs binary.
Can you do this with setenforce 0 to generate all of the avc messages and then attach them. Thanks.
These are generated when the server is restarted:

May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:811): avc: denied { read } for pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:812): avc: denied { getattr } for pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:813): avc: denied { create } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:814): avc: denied { connect } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:815): avc: denied { write } for pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837 faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:816): avc: denied { udp_send } for pid=13217 comm="xfs" saddr=10.47.254.166 src=32837 daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:817): avc: denied { udp_send } for pid=13217 comm="xfs" saddr=10.47.254.166 src=32837 daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:818): avc: denied { send_msg } for pid=13217 comm="xfs" saddr=10.47.254.166 src=32837 daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:819): avc: denied { sendto } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:820): avc: denied { udp_recv } for pid=1341 comm="klogd" saddr=10.47.255.22 src=53 daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:821): avc: denied { udp_recv } for pid=1341 comm="klogd" saddr=10.47.255.22 src=53 daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:822): avc: denied { recv_msg } for pid=1341 comm="klogd" saddr=10.47.255.22 src=53 daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:823): avc: denied { recvfrom } for pid=1341 comm="klogd" scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:824): avc: denied { getattr } for pid=13217 comm="xfs" name="[361337]" dev=sockfs ino=361337 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:825): avc: denied { read } for pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837 faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:826): avc: denied { create } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:827): avc: denied { bind } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:828): avc: denied { getattr } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:829): avc: denied { write } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:830): avc: denied { nlmsg_read } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:831): avc: denied { read } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:832): avc: denied { create } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:833): avc: denied { setopt } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:834): avc: denied { connect } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:835): avc: denied { name_connect } for pid=13217 comm="xfs" dest=389 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:836): avc: denied { tcp_send } for pid=13217 comm="xfs" saddr=10.47.254.166 src=35676 daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:837): avc: denied { tcp_send } for pid=13217 comm="xfs" saddr=10.47.254.166 src=35676 daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:838): avc: denied { send_msg } for pid=13217 comm="xfs" saddr=10.47.254.166 src=35676 daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.737:839): avc: denied { tcp_recv } for pid=13217 comm="xfs" saddr=10.47.3.174 src=389 daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:840): avc: denied { tcp_recv } for pid=13217 comm="xfs" saddr=10.47.3.174 src=389 daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:841): avc: denied { recv_msg } for pid=13217 comm="xfs" saddr=10.47.3.174 src=389 daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:842): avc: denied { getattr } for pid=13217 comm="xfs" laddr=10.47.254.166 lport=35676 faddr=10.47.3.174 fport=389 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:843): avc: denied { write } for pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.741:844): avc: denied { read } for pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345 scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket

And these when the new server is spawned:

May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:845): avc: denied { search } for pid=13217 comm="xfs" name="sbin" dev=dm-0 ino=65281 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:846): avc: denied { search } for pid=13217 comm="xfs" name="bin" dev=dm-0 ino=1207681 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:847): avc: denied { execute_no_trans } for pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file
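The two log dumps above (the path-search denials from the first comment and the restart/spawn denials from this one) are easier to reason about once they are collapsed by (source type, target type, object class), which is what audit2allow does before it prints allow rules. The following parser is an added example written for this page, not code from the reporter or from the selinux-policy package; it takes a handful of lines copied verbatim from the thread, groups the denied permissions, renders them in audit2allow's rule style, and separately lists the network port types the domain tried to reach, so the DNS/LDAP traffic questioned below stands out from the ordinary file and exec denials. The summary is a triage aid only: the `ldap_port_t` and `dns_port_t` entries are the ones to investigate (as the thread does) rather than allow wholesale.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from the bug report above (a subset, one per
# kind of denial), so the grouping below can be run offline.
SAMPLE_LOG = """\
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.512:758): avc: denied { search } for pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=65281 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:760): avc: denied { search } for pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1207681 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:811): avc: denied { read } for pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:812): avc: denied { getattr } for pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:813): avc: denied { create } for pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:818): avc: denied { send_msg } for pid=13217 comm="xfs" saddr=10.47.254.166 src=32837 daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:835): avc: denied { name_connect } for pid=13217 comm="xfs" dest=389 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:847): avc: denied { execute_no_trans } for pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': frozenset(m.group('perms').split()),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }


def type_of(context):
    """Extract the type field from user:role:type[:range], e.g. sbin_t."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(lines):
    """Group denials by (source type, target type, class) -> set of denied permissions.

    A target with the same type as the source is reported as 'self', as policy
    language (and audit2allow) would write it.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        src = type_of(rec['scontext'])
        tgt = type_of(rec['tcontext'])
        if tgt == src:
            tgt = 'self'
        groups[(src, tgt, rec['tclass'])] |= rec['perms']
    return dict(groups)


def allow_rules(groups):
    """Render the grouped denials as allow statements in audit2allow's style."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {p};')
    return rules


def network_targets(groups):
    """Port types the source domain tried to reach; these deserve a 'why?' before any allow."""
    return sorted({tgt for (_, tgt, _) in groups if tgt.endswith('_port_t')})


if __name__ == '__main__':
    grouped = summarize(SAMPLE_LOG.splitlines())
    for rule in allow_rules(grouped):
        print(rule)
    print('network targets to question:', network_targets(grouped))
```

Run as-is it prints seven allow lines, one per (domain, type, class) triple, and flags `dns_port_t` and `ldap_port_t` as the network targets; on a real box you would feed it `grep avc /var/log/messages` or `ausearch -m avc` output instead of the embedded sample.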
Why is xfs communicating with ldap/dns? I am adding to the policy that xfs can execute itself. But the startup stuff is confusing.
nss perhaps? The machine has its user db in ldap. As to why it's doing lookups, I have no idea.
Fixed in selinux-policy-2.2.42-2.fc5
In case you're waiting for a reply from me, I can confirm that the update solved the bug.
Closing bugs