Created attachment 358916: patch

+++ This bug was initially created as a clone of Bug #519748 +++

Created an attachment (id=358915): patch

Description of problem:
When a Fedora 11 machine boots, /var/run/* is deleted and in particular /var/run/utmp is removed and recreated/chmoded and chgrped. However, the security context is not set until the restorecond service starts. During that time the network service starts, and networks that provide the nisdomain dhcp option will get the following avc denied messages.

kernel: type=1400 audit(1249788594.546:7): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788594.546:8): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

The fix is to get the context type set to initrc_var_run_t rather than init_var_run_t, which is what rc.sysinit creates the file as.

Version-Release number of selected component (if applicable):
initscripts-8.95-1

How reproducible:

Steps to Reproduce:
1. install Fedora 11 with dhcp networking and selinux enforcing/permissive
2. setup dhcp to serve the nisdomain option (for dnsmasq it's "dhcp-option=40,$nisdomain")
3. boot system
4. check /var/log/messages or /var/log/audit/audit.log for avc denied errors like above

Actual results:
AVC errors in above problem description

Expected results:
/var/run/* contexts set correctly and no further avc denied errors.

Additional info:
This doesn't seem to break anything but since it produces unwanted avc errors it should be corrected.
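As an added example (not part of the bug report or of initscripts), the following POSIX shell script scans audit/syslog lines for AVC denials on a file named "utmp" whose target type is not the expected initrc_var_run_t, which is the detection a defender would run to confirm the mislabelled /var/run/utmp described above; the sample lines are constructed from the report, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or initscripts. Scans audit/syslog
# lines for AVC denials on a file named "utmp" whose target type differs from
# the expected type and prints "comm source_type target_type" for each hit.
scan_utmp_avc() {   # $1 = expected target type, audit lines on stdin
  awk -v want="$1" '
    /avc: *denied/ && /name="utmp"/ {
      comm = ""; st = ""; tt = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue                 # skip tokens like "{" "read" "}"
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        if (k == "comm") comm = v
        else if (k == "scontext") st = v
        else if (k == "tcontext") tt = v
      }
      split(st, s, ":"); split(tt, t, ":")   # user:role:type:level -> type is 3rd
      if (t[3] != want) print comm, s[3], t[3]
    }'
}

# Constructed sample: the two denials quoted in the report plus one line with
# the corrected label (initrc_var_run_t), which must not be flagged.
SAMPLE_AUDIT='kernel: type=1400 audit(1249788594.546:7): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788594.546:8): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788600.000:9): avc: denied { read } for pid=3500 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file'

# Number of mislabelled-utmp denials in the sample (2 for the sample above).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_AUDIT" | scan_utmp_avc initrc_var_run_t | wc -l | tr -d ' '
}

# Live check (not exercised by the test): the type field of utmp's current
# context. "stat -c %C" prints "?" when SELinux is unavailable on the host.
live_utmp_type() {
  [ -e /var/run/utmp ] || return 1
  stat -c %C /var/run/utmp | cut -d: -f3
}
```

Run `count_sample_hits` to see the two denials from the report flagged and the corrected line ignored; on a Fedora host, `live_utmp_type` printing init_var_run_t after boot is the condition the patch is meant to remove.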
http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=9c489daad152a05c2d330f5cb92f49fadf45a084

Thanks for the report.