Description of problem:
I'm currently seeing these denials during startup on this rawhide system.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-26.fc9.noarch

How reproducible:
start system

Steps to Reproduce:
1. start system

Actual results:
denials

Expected results:
no denials

Additional info:
please see attached dmesg
Created attachment 300013: dmesg
This looks like /sbin/hwclock does not have the correct label on it?

ls -lZ /sbin/hwclock

I am also not seeing these errors in the latest -28 policy. Please make sure there is only one policy file in /etc/selinux/targeted/policy. Remove the lower.
ls -lZ /sbin/hwclock
-rwxr-xr-x  root root system_u:object_r:hwclock_exec_t:s0 /sbin/hwclock

Looks OK to my untrained eye. Also no change with -28; same set of AVCs after a relabel :-(
udev is supposed to be transitioning to hwclock_t.

Are you sure udev is executing /sbin/hwclock? Is /usr/sbin/hwclock a symlink?
(In reply to comment #4)
> udev is supposed to be transitioning to hwclock_t
>
> Are you sure udev is executing /sbin/hwclock?

How can I verify this?

> Is /usr/sbin/hwclock a symlink?

Yes:
lrwxrwxrwx  root root system_u:object_r:bin_t:s0 /usr/sbin/hwclock -> ../../sbin/hwclock

policy -29
# yum install setools
# sesearch --allow | grep udev | grep hwclock
allow udev_t hwclock_t : process transition ;
allow hwclock_t udev_t : process sigchld ;
allow hwclock_t udev_t : fd use ;
allow hwclock_t udev_t : fifo_file { ioctl read write getattr lock append };
allow udev_t hwclock_exec_t : file { read getattr execute };
allow hwclock_t udev_tbl_t : file { ioctl read getattr lock };

Also verify that there is only one policy file in /etc/selinux/targeted/policy/policy*. If there are more than one, please delete all but the greatest.
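The following is an added shell example; it is not part of this bug report and not selinux-policy's own tooling. It shows how to reduce an AVC line from dmesg or audit.log to the source domain, target type, object class and denied permissions that comment #4's question turns on (is udev_t executing hwclock_exec_t without the transition to hwclock_t that sesearch shows is allowed?), and how to pick out the lower-numbered policy files that the thread says to delete. The AVC lines inside it are constructed for illustration, not taken from the attached dmesg, and the helper names (ctx_type, avc_summary, is_missing_transition, stale_policy_files) are made up for this example.

```bash
#!/bin/sh
# Added example, not from the bug report or selinux-policy. Helpers for
# reading AVC denials pulled out of dmesg/audit.log and for applying the
# "keep only the highest policy.N" advice from the thread.
# Function names are hypothetical; the AVC lines below are constructed.

# The third colon-separated field of a context is the type/domain:
#   system_u:system_r:udev_t:s0 -> udev_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce one AVC line to "source_type target_type tclass perms..." so the
# question "which domain touched which type, how?" is answered at a glance.
avc_summary() {
    line=$1
    perms=$(printf '%s\n' "$line" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}[[:space:]]*for.*/\1/p')
    scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^[:space:]]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^[:space:]]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^[:space:]]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(ctx_type "$scon")" "$(ctx_type "$tcon")" "$tclass" "$perms"
}

# A denial of execute_no_trans on an *_exec_t file means the caller ran the
# binary but stayed in its own domain, i.e. the domain transition the policy
# intended (here udev_t -> hwclock_t) did not happen. Returns 0 if so.
is_missing_transition() {
    set -- $(avc_summary "$1")        # $1=src $2=tgt $3=class $4...=perms
    [ $# -ge 4 ] || return 1          # line did not parse as an AVC denial
    tgt=$2; cls=$3; shift 3; perms=" $* "
    [ "$cls" = file ] || return 1
    case "$tgt" in *_exec_t) ;; *) return 1 ;; esac
    case "$perms" in *" execute_no_trans "*) return 0 ;; *) return 1 ;; esac
}

# Print every policy file except the one with the highest version number;
# these are the "lower" ones the thread says to remove.
stale_policy_files() {
    printf '%s\n' "$@" | sort -t. -k2,2n | sed '$d'
}

# Constructed sample lines (not the reporter's attached dmesg).
SAMPLE_AVC_NOTRANS='type=AVC msg=audit(1200000000.000:42): avc:  denied  { execute_no_trans } for  pid=1234 comm="udevd" path="/sbin/hwclock" dev=sda1 ino=12345 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file'
SAMPLE_AVC_OTHER='type=AVC msg=audit(1200000000.001:43): avc:  denied  { read write } for  pid=1235 comm="hwclock" name="rtc0" dev=tmpfs ino=678 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'

avc_summary "$SAMPLE_AVC_NOTRANS"
is_missing_transition "$SAMPLE_AVC_NOTRANS" && echo "udev executed hwclock without transitioning to hwclock_t"
avc_summary "$SAMPLE_AVC_OTHER"
stale_policy_files policy.21 policy.23 policy.22
```

On the real system you would feed avc_summary the lines from dmesg | grep avc and stale_policy_files the names from ls /etc/selinux/targeted/policy/; a denial whose source is hwclock_t shows the transition did happen, while udev_t on hwclock_exec_t with execute_no_trans shows it did not.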