Here's the simplest way to explain the problem:

    May 27 10:58:57 hostname kernel: type=1400 audit(1211900331.181:3): avc: denied { read write } for pid=1957 comm="brctl" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

This occurs when networking comes up (e.g., at system startup). I suspect it happens because my primary network interface, eth0, is actually a bridge; my /etc/sysconfig/network-scripts configuration files for br0/eth0 are:

    DEVICE=br0
    TYPE=Bridge
    ONBOOT=yes
    [...]

    DEVICE=eth0
    TYPE=Ethernet
    ONBOOT=yes
    BRIDGE=br0

Now, I can work around this problem by loading a custom module that contains:

    allow brctl_t console_device_t:chr_file { read write };

But I'm thinking that since bridging the network interface is necessary for creating a KVM guest that uses shared physical networking, this policy update should really go into the targeted policy.

(Alternatively, one might be able to argue that it's a bug that brctl wants to read/write /dev/console. But I'm not familiar enough with brctl to make that assertion.)
You can allow this for now by executing

    # audit2allow -M mypol -i /var/log/audit/audit.log
    # semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-56.fc9
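
How the denial record in the report maps to the allow rule in the custom module, as an added example that is not part of the original comments and is not audit2allow's own code. It is a simplified illustration; the names parse_avc and allow_rules and the SPLIT sample lines are constructed for it.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the report, plus the same
# denial split into two records and one unrelated line (both constructed).
REPORTED = ('May 27 10:58:57 hostname kernel: type=1400 '
            'audit(1211900331.181:3): avc: denied { read write } for pid=1957 '
            'comm="brctl" path="/dev/console" dev=tmpfs ino=230 '
            'scontext=system_u:system_r:brctl_t:s0 '
            'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file')
SPLIT = [REPORTED.replace('{ read write }', '{ write }'),
         'May 27 10:58:58 hostname kernel: eth0: link up',
         REPORTED.replace('{ read write }', '{ read }')]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:mls]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        return source, target, fields['tclass'], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def allow_rules(lines):
    """Merge denials per (source, target, class) into allow statements."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[rec[:3]] |= rec[3]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    for rule in allow_rules([REPORTED]) + allow_rules(SPLIT):
        print(rule)
```

Reading the derived rules before loading a generated module shows exactly which source type gains which permissions on which target type and class.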
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.