Description of problem:
A few denials in audit.log. They occurred coincident with a log rotation initiated by anacron, even though audit.log didn't get rotated itself.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-34

How reproducible:
Sometimes (?)

Steps to Reproduce:
1. boot
2. look in audit.log

Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:
I haven't succeeded in reproducing the denials, even though audit2why says there's not an enforcement rule to allow the actions. Nevertheless, here they are.

node=ack607 type=AVC msg=audit(1242260032.181:24): avc: denied { read } for pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
node=ack607 type=AVC msg=audit(1242260032.181:24): avc: denied { open } for pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
node=ack607 type=AVC msg=audit(1242260032.188:25): avc: denied { getattr } for pid=8345 comm="readahead" path="/etc/audit/auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
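Added example, not part of the original report or of the selinux-policy project: a short Python parser that groups the three AVC records quoted in the report by source type, target type and object class, showing that they collapse to one readahead_t/auditd_etc_t pair seen in two audit events. The function names are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report, unchanged.
SAMPLE = """\
node=ack607 type=AVC msg=audit(1242260032.181:24): avc: denied { read } for pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
node=ack607 type=AVC msg=audit(1242260032.181:24): avc: denied { open } for pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
node=ack607 type=AVC msg=audit(1242260032.188:25): avc: denied { getattr } for pid=8345 comm="readahead" path="/etc/audit/auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is the third field.
    return context.split(":")[2]

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    return {
        "event": (m["ts"], int(m["serial"])),  # records sharing this pair are one audit event
        "perms": m["perms"].split(),
        "comm": fields.get("comm"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }

def summarize(text):
    """Merge denials that share (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "events": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["events"].add(rec["event"])
        g["objects"].add(rec["object"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} in {len(g['events'])} events: {sorted(g['objects'])}")
```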
Fixed in selinux-policy-3.6.12-36.fc11.noarch
Created attachment 344314
setroubleshooter denial report early.sorted

(In reply to comment #1)
> Fixed in selinux-policy-3.6.12-36.fc11.noarch

I'm on selinux-policy-3.6.12-34 and saw these two, but I'm not sure if they are exactly the same as the reporter's.
Created attachment 344315
setroubleshooter denial report later.sorted
David: early.sorted on my system is in /var/lib/readahead and has context readahead_var_lib_t, not etc_t, which is what sealert is trying to tell you when it says

    You can attempt to fix file context by executing restorecon -v early.sorted

Ditto later.sorted. Somehow your contexts got messed up. restorecon is your friend.

HTH
Tested against selinux-policy-3.6.12-39. Verified that all those events are now "dontaudit".

Closing ...