AVC occurs when attempting to Restart or Shutdown while in Gnome (user does have correct polkit authorization) and also the same occurs from GDM. I've restored context on the file:

-r--rw-r-- 500 87 unconfined_u:object_r:polkit_var_lib_t:s0 /var/lib/PolicyKit-public/org.freedesktop.hal.device-access.sound.override

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "read" to ./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t).

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./org.freedesktop.hal.device-access.sound.override,

restorecon -v './org.freedesktop.hal.device-access.sound.override'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:polkit_var_lib_t:s0
Target Objects                ./org.freedesktop.hal.device-access.sound.override [ file ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           ConsoleKit-0.2.10-3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.200.rc8.git3.fc9.i686 #1 SMP Sat Apr 5 00:00:10 EDT 2008 i686 i686
Alert Count                   37
First Seen                    Wed 02 Apr 2008 12:00:41 AM PDT
Last Seen                     Mon 07 Apr 2008 07:22:12 PM PDT
Local ID                      bade6013-09c9-4ca8-afba-3632172a3fc9
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207621332.645:285): avc: denied { read } for pid=2503 comm="console-kit-dae" name="org.freedesktop.hal.device-access.sound.override" dev=dm-0 ino=727047 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:polkit_var_lib_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1207621332.645:285): arch=40000003 syscall=5 success=no exit=-13 a0=8aaea00 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=2503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Created attachment 301602
policy module

audit2allow creates this module which works to let me initiate reboot from gnome menu.

module consolekitrestartfix 1.0;

require {
	type polkit_var_lib_t;
	type consolekit_t;
	class file read;
}

#============= consolekit_t ==============
allow consolekit_t polkit_var_lib_t:file read;
This should be in the policy. If you have multiple policy files in /etc/selinux/targeted/policy/, please remove all but the largest number. I think this is the bug.
Thanks Dan, you were right, there was a leftover policy.22 and policy.23.
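
The check suggested in the reply about multiple policy files in /etc/selinux/targeted/policy/, as an added example that is not part of the original bug report: it lists the policy.<N> files in that directory and reports every one except the highest-numbered, without deleting anything. The function names and the POLICY_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example: report compiled SELinux policy files other than the
# highest-numbered one. Read-only: nothing is deleted.

# Print every policy.<N> file name in directory $1, sorted numerically by N.
list_policies() {
    for f in "$1"/policy.*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        ver=${name#policy.}
        # Keep purely numeric suffixes only (skips e.g. policy.23.bak).
        case $ver in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s %s\n' "$ver" "$name"
    done | sort -n | cut -d' ' -f2
}

# Print the highest-numbered policy file name (empty if there is none).
newest_policy() {
    list_policies "$1" | tail -n 1
}

# Print every policy file name except the highest-numbered one.
stale_policies() {
    list_policies "$1" | sed '$d'
}

# POLICY_DIR is a hypothetical override; the default is the path from the thread.
POLICY_DIR=${POLICY_DIR:-/etc/selinux/targeted/policy}
echo "newest:   $(newest_policy "$POLICY_DIR")"
stale_policies "$POLICY_DIR" | while read -r p; do
    echo "leftover: $POLICY_DIR/$p"
done
```

The sort is numeric on the suffix, so a policy.9 file is ranked below policy.22 rather than above it as a plain `ls` ordering would.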