Source Context: system_u:system_r:pam_console_t:s0-s0:c0.c1023
Target Context: system_u:object_r:cpu_device_t:s0
Target Objects: /dev/cpu/1/msr [ chr_file ]
Source: pam_console_app
Source Path: /sbin/pam_console_apply
Port: <Unknown>
Host: sobolev
Source RPM Packages: pam-0.99.8.1-17.1.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-98.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: sobolev
Platform: Linux sobolev 2.6.24.5-85.fc8 #1 SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count: 1
First Seen: Thu 01 May 2008 09:14:11 AM PDT
Last Seen: Thu 01 May 2008 09:14:11 AM PDT
Local ID: 92a10298-10e8-495b-85ca-ea395388d8cd
Line Numbers:

Raw Audit Messages:

host=sobolev type=AVC msg=audit(1209658451.363:39): avc: denied { getattr } for pid=12959 comm="pam_console_app" path="/dev/cpu/1/msr" dev=tmpfs ino=122003 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file

host=sobolev type=SYSCALL msg=audit(1209658451.363:39): arch=c000003e syscall=4 success=no exit=-13 a0=810540 a1=7fff01338d30 a2=7fff01338d30 a3=349a3529f0 items=0 ppid=12957 pid=12959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pam_console_app" exe="/sbin/pam_console_apply" subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/cpu/1/msr,

restorecon -v '/dev/cpu/1/msr'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

pam_console_apply should be able to getattr cpu_device_t

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8