Description of problem:
During boot, 3 AVC denials occur (in permissive mode) for dmesg. Presumably dmesg needs access to ld.so.cache.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.10-4.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. boot & watch the messages
2. alternatively, read /var/log/messages, since they occur before auditd starts

Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:
From /var/log/messages
...
vtest kernel: type=1400 audit(1238277800.038:6): avc: denied { read } for pid=1467 comm="dmesg" name="ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
vtest kernel: type=1400 audit(1238277800.038:7): avc: denied { open } for pid=1467 comm="dmesg" name="ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
vtest kernel: type=1400 audit(1238277800.038:8): avc: denied { getattr } for pid=1467 comm="dmesg" path="/etc/ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.10-5.fc11.noarch