Trying to log in on the console gets me a flash of AVC msgs, and then an instant respawn of the getty. Logging in in gdm works fine. There's a bunch of other unrelated AVCs during boot too. All below. This was after I did a fixfiles relabel and reboot.

audit(1155683967.998:5): avc: denied { audit_write } for pid=443 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1155683973.038:6): avc: denied { getattr } for pid=1708 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683976.614:7): avc: denied { getattr } for pid=2055 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683982.282:13): avc: denied { sys_resource } for pid=2550 comm="mcstransd" capability=24 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:setrans_t:s0 tclass=capability
audit(1155683982.290:14): avc: denied { setcap } for pid=2550 comm="mcstransd" scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:setrans_t:s0 tclass=process
audit(1155684001.078:15): avc: denied { search } for pid=2737 comm="ntpd" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1155684032.301:20): avc: denied { getattr } for pid=3053 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155684049.349:28): avc: denied { write } for pid=3145 comm="bluez-pin" name="[13413]" dev=pipefs ino=13413 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.349:28): avc: denied { write } for pid=3145 comm="bluez-pin" name="[13413]" dev=pipefs ino=13413 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.905:29): avc: denied { read } for pid=3145 comm="bluez-pin" name=".gdmLN19DT" dev=dm-0 ino=17432580 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

/var/log/messages also had this:

Aug 14 03:40:43 nwo kernel: audit(1155541243.281:26): user pid=2857 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:29 nwo kernel: audit(1155683428.952:26): user pid=2839 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:47 nwo kernel: audit(1155683446.987:31): user pid=2828 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:20:12 nwo kernel: audit(1155684012.617:16): user pid=2974 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=console res=failed)'
Aug 15 19:20:32 nwo kernel: audit(1155684032.397:21): user pid=2907 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:23:29 nwo kernel: audit(1155684209.070:33): user pid=3054 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'

All of these look like they are fixed in the latest policy. Which version of policy are you running?

I did a fresh reinstall of test2, and it's now running selinux-policy-targeted-2.3.7-1. It lets me log in now, but I see a splurge of AVCs on each login:

audit(1155860785.709:4): avc: denied { getattr } for pid=1713 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155860788.985:5): avc: denied { getattr } for pid=1940 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Given I'm currently 3000 miles away from that box which hosts my email, I'm reluctant to update it remotely right now. I'll update and take a look again when I get back from vacation.

This looks like a bug in policy. You can fix this by executing

    semanage fcontext -a -f-c -t sound_device_t "/dev/adsp.*"

I will update the next policy with this fix.

Fixed in selinux-policy-2.3.14-3
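
An added example, not part of the original report or of the policy project: it collapses AVC denials like those quoted in this thread by source type, target type and class (ignoring the MLS range), and lists device nodes still carrying the generic device_t label, the condition the semanage fcontext rule in the comment above corrects. The sample lines are constructed in the report's format, and the function names and the device_t heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the denials quoted in the report.
SAMPLE = """\
audit(1155683973.038:6): avc: denied { getattr } for pid=1708 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683976.614:7): avc: denied { getattr } for pid=2055 comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155684001.078:15): avc: denied { search } for pid=2737 comm="ntpd" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    s, t = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(s) < 3 or len(t) < 3:      # context is user:role:type[:level]
        return None
    rec.update(perms=m.group("perms").split(), stype=s[2], ttype=t[2])
    return rec

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        if "name" in rec:
            g["names"].add(rec["name"])
    return dict(groups)

def unlabelled_devices(groups):
    """Names of device nodes denied while labelled with generic device_t."""
    return sorted({n for (_, ttype, tclass), g in groups.items()
                   if ttype == "device_t" and tclass in ("chr_file", "blk_file")
                   for n in g["names"]})

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items()):
        print(key, sorted(g["perms"]), g["count"])
    print("generic device_t nodes:", unlabelled_devices(summarize(SAMPLE)))
```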