Description of problem: I'm noticing spurious selinux AVC deny messages in my logs whenever I run 'semodule' or 'setsebool' commands. I traced this to attempts by 'genhomedircon' to try to traverse my NFS- or autofs-mounted directories. I see errors of the form

type=AVC msg=audit(1151948728.555:8393): avc: denied { read } for pid=18761 comm="genhomedircon" name="resolv.conf" dev=dm-4 ino=918606 tcontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1151948728.555:8393): arch=14 syscall=5 success=yes exit=-13 a0=ff90fa4 a1=0 a2=1b6 a3=1b6 items=1 pid=18761 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon" exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0

and others of the form

type=AVC msg=audit(1151948852.607:8407): avc: denied { create } for pid=18761 comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:semanage_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1151948852.607:8407): arch=14 syscall=102 success=yes exit=-13 a0=1 a1=7f9a0234 a2=0 a3=0 items=0 pid=18761 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon" exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0
type=AVC msg=audit(1151948852.607:8406): avc: denied { create } for pid=18761 comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:semanage_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151948852.607:8406): arch=14 syscall=102 success=yes exit=-13 a0=1 a1=7f9a00f4 a2=0 a3=7f9a0164 items=0 pid=18761 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon" exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0

I don't think it's the case that 'genhomedircon' should be accessing or labeling any directories mounted via NFS or autofs.
I think it would be reasonable to include the following in the selinux policy to suppress these messages:

dontaudit semanage_t self:tcp_socket create_socket_perms;
dontaudit semanage_t self:netlink_route_socket create_socket_perms;
dontaudit semanage_t net_conf_t:file r_file_perms;

Version-Release number of selected component (if applicable): This is for selinux-policy-targeted-2.2.43-4.fc5 on a PPC.

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Fixed in Rawhide selinux-policy-2.3.2-2. You can build a loadable module for this using

audit2allow -M genhomedircon -i /var/log/messages

or wait until the next policy backport for FC5.
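The reporter's proposed dontaudit rules and the audit2allow -M step suggested in the comment above both come down to the same transformation: parse each AVC "denied" record into (source type, target type, object class, permissions) and emit one dontaudit rule per group, with a require block for the module. The following Python is an added illustration of that step, not code from the bug report, from audit2allow or from the selinux-policy project; it runs over constructed copies of the three AVC records in the report (the first record's source context is taken as scontext=user_u:system_r:semanage_t:s0) and emits the raw permissions seen rather than the r_file_perms/create_socket_perms macros the reporter used.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the report, one per line
# (SYSCALL records omitted; they carry no scontext/tcontext/tclass fields).
SAMPLE_AVC = """\
type=AVC msg=audit(1151948728.555:8393): avc: denied { read } for pid=18761 comm="genhomedircon" name="resolv.conf" dev=dm-4 ino=918606 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1151948852.607:8407): avc: denied { create } for pid=18761 comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:semanage_t:s0 tclass=tcp_socket
type=AVC msg=audit(1151948852.607:8406): avc: denied { create } for pid=18761 comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:semanage_t:s0 tclass=netlink_route_socket
"""

# The fields of an AVC "denied" record that a policy rule is built from.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types are skipped
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def dontaudit_rules(denials):
    """One dontaudit rule per group; 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"dontaudit {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def te_module(name, denials):
    """Render loadable-module .te source with the require block the rules need."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    require = [f"\ttype {t};" for t in types] + [
        f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    return (f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(require) + "\n}\n\n"
            + "\n".join(dontaudit_rules(denials)) + "\n")
```

Calling te_module("genhomedircon", parse_denials(SAMPLE_AVC)) yields the .te source; a dontaudit module only silences the records, it grants nothing, so the underlying access still fails exactly as before.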
We're also seeing this sort of message. Though we think this is because we're using ldap/nscd.
Closing bugs