Description of problem:
A patch was added to the shutdown/reboot/runlevel tools to talk to the audit daemon in F-11, to create audit events for reboot and runlevel changes.

Ergo, any confined domain that executes these commands needs policy like:

require {
	type consolekit_t;
	class capability audit_write;
	class netlink_audit_socket { write nlmsg_relay create read };
}

#============= consolekit_t ==============
allow consolekit_t self:capability audit_write;
allow consolekit_t self:netlink_audit_socket { write nlmsg_relay create read };

I suspect there are other apps that can call shutdown besides consolekit_t; as it states in the sample policy, creating a shutdown domain may be useful in the future.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-23.fc11.noarch
Fixed in selinux-policy-3.6.12-25.fc11.noarch
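
Added example, not part of the original report or of selinux-policy: a small Python filter that scans AVC denials for the capability and netlink_audit_socket permissions named above and prints the matching allow rules per domain, which is one way to find callers of shutdown other than consolekit_t. The log lines are constructed and example_t is a hypothetical domain.

```python
import re
from collections import defaultdict

# Permissions the report lists for a domain that runs shutdown/reboot/runlevel.
NEEDED = {
    "capability": {"audit_write"},
    "netlink_audit_socket": {"write", "nlmsg_relay", "create", "read"},
}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def domain_of(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def missing_audit_perms(lines):
    """Return {domain: {class: {perms}}} for self-targeted audit denials."""
    found = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["tclass"] not in NEEDED:
            continue
        src = domain_of(m["scon"])
        if src != domain_of(m["tcon"]):
            continue  # the rules in the report are all "self" rules
        perms = set(m["perms"].split()) & NEEDED[m["tclass"]]
        if perms:
            found[src][m["tclass"]] |= perms
    return found

def allow_rules(found):
    rules = []
    for dom in sorted(found):
        for cls in sorted(found[dom]):
            perms = sorted(found[dom][cls])
            body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            rules.append(f"allow {dom} self:{cls} {body};")
    return rules

def avc(perm, dom, tclass):  # builds one constructed AVC line
    ctx = f"system_u:system_r:{dom}:s0"
    return (f'type=AVC msg=audit(1243000000.000:1): avc:  denied  {{ {perm} }} '
            f'for  pid=2210 comm="shutdown" scontext={ctx} tcontext={ctx} tclass={tclass}')

SAMPLE_LOG = [avc("audit_write", "consolekit_t", "capability"),
              avc("create", "consolekit_t", "netlink_audit_socket"),
              avc("write", "consolekit_t", "netlink_audit_socket"),
              avc("create", "example_t", "netlink_audit_socket"),
              avc("read", "consolekit_t", "file")]  # unrelated class, ignored

if __name__ == "__main__":
    print("\n".join(allow_rules(missing_audit_perms(SAMPLE_LOG))))
```

In enforcing mode the first denied operation fails, so later permissions in the sequence may only appear in the log once the earlier ones are allowed or the domain is permissive.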