Description of problem: The following update yesterday:

Apr 02 10:28:17 Updated: selinux-policy - 3.0.8-97.fc8.noarch
Apr 02 10:29:05 Updated: selinux-policy-devel - 3.0.8-97.fc8.noarch
Apr 02 10:30:29 Updated: selinux-policy-targeted - 3.0.8-97.fc8.noarch

Produces thousands:

*** Denials ***
unconfined_u system_u (lnk_file): 21020 times
unconfined_u unconfined_u (capability): 36765 times

of the following:

audit(1207153826.829:57212): avc: denied { read } for pid=991 comm="restorecon" name="local" dev=sda8 ino=130824 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
audit(1207153953.539:77487): avc: denied { sys_resource } for pid=1201 comm="semanage" capability=24 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tclass=capability

The above link is the following:

# ls -li /opt
total 12
130988 drwxr-xr-x 5 root root 4096 2008-01-15 16:47 Adobe
130824 lrwxrwxrwx 1 root root 10 2007-10-24 08:19 local -> /nfs/local
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-98.fc8
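Added example, not part of the bug report or of the selinux-policy package: before loading a module built from the whole audit log with audit2allow, it helps to see exactly which (source type, target type, class, permission) tuples are in there. The script below parses the two AVC lines quoted in the report (embedded as sample input), reproduces the per-user/class counts shown in the "*** Denials ***" summary, and drafts the allow rules audit2allow would write from them so they can be reviewed before `semodule -i`. The regexes and the `self` shorthand for matching source/target types follow audit2allow's output convention; nothing here calls the real tool.

```python
import re
from collections import Counter

# Sample input: the two AVC denial lines quoted in the bug report.
SAMPLE_AUDIT_LOG = """\
audit(1207153826.829:57212): avc: denied { read } for pid=991 comm="restorecon" name="local" dev=sda8 ino=130824 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
audit(1207153953.539:77487): avc: denied { sys_resource } for pid=1201 comm="semanage" capability=24 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tclass=capability
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields (plus 'perms' list), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def ctx_user(ctx):
    # SELinux context is user:role:type[:range]
    return ctx.split(":")[0]


def ctx_type(ctx):
    return ctx.split(":")[2]


def summarize(log_text):
    """Count denials by (source user, target user, class), like the report's summary."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        counts[(ctx_user(rec["scontext"]), ctx_user(rec["tcontext"]), rec["tclass"])] += 1
    return counts


def draft_allow_rules(log_text):
    """Draft the 'allow' rules audit2allow would emit, one per (src, tgt, class), for review."""
    perms_by_key = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        perms_by_key.setdefault(key, set()).update(rec["perms"])
    # Braces are valid policy syntax even for a single permission.
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(p)))
        for (src, tgt, cls), p in perms_by_key.items()
    )


if __name__ == "__main__":
    for (su, tu, cls), n in summarize(SAMPLE_AUDIT_LOG).items():
        print("%s %s (%s): %d times" % (su, tu, cls, n))
    print("Rules a module built from this log would add:")
    for rule in draft_allow_rules(SAMPLE_AUDIT_LOG):
        print("  " + rule)
```

Run it against a real `/var/log/audit/audit.log` by reading the file into `summarize` and `draft_allow_rules`; the second output is the part worth reading before `semodule -i`, since a module built from the entire log grants every denial in it, not only the ones the update caused.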
Those denials are gone, but restorecon during the update is still trying to walk /opt/local, which points to /nfs/local, which is an NFS-mounted filesystem. It really shouldn't be operating on network filesystems.
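Added example, not from the bug report or from the policy package: a relabel wrapper that wants to avoid the problem above needs to know whether a path (after symlink resolution) lies on a network filesystem. The function below answers that from a `/proc/mounts`-style table using longest-prefix matching on path components, so that `/nfs/localdata` is not mistaken for something under the `/nfs/local` mount. The mount table is constructed for the example and mirrors the report's layout (`/nfs/local` served over NFS); the set of network filesystem types is an assumption you would adjust for your site.

```python
import os

# Constructed /proc/mounts excerpt: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda8 / ext3 rw,relatime 0 0
/dev/sda9 /nfs ext3 rw,relatime 0 0
fileserver:/export/local /nfs/local nfs rw,vers=3,hard 0 0
"""

# Assumed list of filesystem types that relabeling should stay off.
NETWORK_FS_TYPES = {"nfs", "nfs4", "cifs", "smbfs", "afs", "fuse.sshfs"}


def parse_mounts(text):
    """Return [(mount_point, fstype), ...] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((parts[1], parts[2]))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that contains path, matched on whole path components."""
    path = os.path.normpath(path)
    best = None
    for mp, fstype in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def on_network_fs(path, mounts):
    """True when the (already resolved) path lives on a network filesystem."""
    m = mount_for(path, mounts)
    return m is not None and m[1] in NETWORK_FS_TYPES


def relabel_targets(paths, mounts, resolve):
    """Filter a list of paths down to the ones a relabel should touch.

    `resolve` maps a path to its symlink-resolved form (os.path.realpath on a
    live system; injected here so the example runs without real symlinks).
    """
    return [p for p in paths if not on_network_fs(resolve(p), mounts)]


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    # Constructed symlink map standing in for the report's /opt/local -> /nfs/local.
    links = {"/opt/local": "/nfs/local"}
    keep = relabel_targets(["/opt/Adobe", "/opt/local", "/nfs/localdata"], mounts, lambda p: links.get(p, p))
    print("would relabel:", keep)
```

On a real system pass `os.path.realpath` as `resolve` and read `/proc/mounts` instead of the embedded table; the component-boundary check in `mount_for` is the part that matters, since a plain string prefix test would wrongly classify sibling directories that share a name prefix with the mount point.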
This seems to be fixed.