After grepping out some of the AVCs I already filed, I found these leftover in my audit log. sdb is my iPod.

type=AVC msg=audit(1238716622.663:9513): avc: denied { write } for pid=10100 comm="touch" name="/" dev=tmpfs ino=481 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1238716622.663:9513): avc: denied { add_name } for pid=10100 comm="touch" name="sdb1" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1238716622.663:9513): avc: denied { create } for pid=10100 comm="touch" name="sdb1" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1238716622.663:9513): avc: denied { write open } for pid=10100 comm="touch" name="sdb1" dev=tmpfs ino=87590 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1238716845.759:12165): avc: denied { create } for pid=12171 comm="touch" name="sdb2" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1238716845.759:12165): avc: denied { write open } for pid=12171 comm="touch" name="sdb2" dev=tmpfs ino=105789 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file

These get spewed when the iPod gets unplugged.

Here's another related one (from insertion).

node=vaio type=AVC msg=audit(1238872679.282:287): avc: denied { signal } for pid=20631 comm="mono" scontext=system_u:system_r:podsleuth_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=process
node=vaio type=SYSCALL msg=audit(1238872679.282:287): arch=c000003e syscall=62 success=no exit=-2067136552 a0=c2c a1=12 a2=0 a3=c2c items=0 ppid=20625 pid=20631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)

So I see these on a machine that was f10 -> yum updated to rawhide, and then did a relabel. On another machine that is an install of rawhide, I don't get these. What's the difference?
I don't know, but the ones you reported have been added to rawhide policy. Fixed in selinux-policy-3.6.10-9.fc11.noarch