Description of problem:
During booting of FC6, we create a separate /var/log/ partition for limits on audit growth. After rebooting, FC6 complained that it could not mount volgroup03 and tried to mount it read-only. It could not do this either, and various other programs failed to start running (psacct) because their sub-directories were not available. Was able to get the system to boot by turning SELinux off. Changed it temporarily to just complain. Complaints are:

SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
audit(1161986094.677:3): avc: denied { execute } for pid=1227 comm="bash" name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
ACPI: Power Button (FF) [PWRF]
ACPI: Power Button (CM) [VBTN]
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.4 loaded
EXT3 FS on dm-0, internal journal
audit(1161986103.613:4): avc: denied { mounton } for pid=1357 comm="mount" name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

[The first one I don't know where it is yet. The second is when it is trying to mount other sub-directories.]

Version-Release number of selected component (if applicable):
initscripts-8.45.3-1

How reproducible:
100% [Did 2 installs of FC6]

Steps to Reproduce:
1. Install FC6
2. Create a /var/log partition
3. Watch it fail to mount
[root@glasya ~]# audit2allow -d
allow mount_t var_log_t:dir mounton;
allow rhgb_t usr_t:file execute;

I forgot to add that.
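The audit2allow output above is derived mechanically from the two AVC records in the report: the source type is the third field of scontext, the target type is the third field of tcontext, and the permission set is whatever appears in braces. The following script is an added example (not part of this bug report and not audit2allow's own code) that performs the same derivation over the two denial lines quoted in the description, merging permissions that share a source type, target type and object class the way audit2allow does; the sample lines are copied from the report and the field names it parses are the standard AVC ones (scontext, tcontext, tclass, pid, comm, name).

```python
import re

# Constructed sample input: the two AVC denials quoted in the bug description.
SAMPLE_AVC_LINES = [
    'audit(1161986094.677:3): avc: denied { execute } for pid=1227 comm="bash" '
    'name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'audit(1161986103.613:4): avc: denied { mounton } for pid=1357 comm="mount" '
    'name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
]

# Shape of a denial: avc: denied { perm1 perm2 } for key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise KeyError('context has no type field: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': tuple(m.group('perms').split()),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'pid': fields.get('pid'),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
        }
    except KeyError:
        return None  # malformed record: a required field is missing


def allow_rules(lines):
    """Collapse denials into allow rules, merging permissions per (source, target, class)."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['stype'], d['ttype'], d['tclass'])
        perms = merged.setdefault(key, [])
        for p in d['perms']:
            if p not in perms:
                perms.append(p)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Running it prints `allow rhgb_t usr_t:file execute;` and `allow mount_t var_log_t:dir mounton;`, the same two rules as in the comment (in the order the denials appear). A generated rule only tells you which source type, target type, class and permission were denied; whether that belongs in a local policy module or is a sign of a labelling or policy bug, as the triager concluded for the mount_t denial below, is a separate judgement.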
This looks like it should be allowed by policy - reassigning. The rhgb one is odd, though - why is it trying to execute bash?
The rhgb code is some loony thing I came up with and regretted later. There should be an rhgb in testing soon that will drop that (and fix other issues).