Description of problem:

Example audit2why entry:

type=AVC msg=audit(1271188810.713:38): avc: denied { ioctl } for pid=3774 comm="grep" path="/proc/1542/status" dev=proc ino=21563 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=file
	Was caused by:
		Policy constraint violation.
		May require adding a type attribute to the domain or type to satisfy the constraint.
		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1271188810.719:39): avc: denied { ioctl } for pid=3774 comm="grep" path="/proc/1564/status" dev=proc ino=21569 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file
	Was caused by:
		Policy constraint violation.
		May require adding a type attribute to the domain or type to satisfy the constraint.
		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1271188810.719:40): avc: denied { ioctl } for pid=3774 comm="grep" path="/proc/1599/status" dev=proc ino=21575 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=file
	Was caused by:
		Policy constraint violation.
		May require adding a type attribute to the domain or type to satisfy the constraint.
		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

Version-Release number of selected component (if applicable):
munin-1.4.4-1.fc12 + selinux-policy-targeted-3.6.32-110.fc12

How reproducible:
100%

Steps to Reproduce:
1. install munin-node.
2. wait 5 mins for polling cycle.
3. ausearch -m avc -ts recent | audit2why

Actual results:
I have 13044 AVCs in the span of a few hours if you need more samples than the above.

Expected results:
AVCs should not be generated.

Additional info:

All AVCs went away by adding this module:

# cat mymunin2.te
policy_module(mymunin2, 1.0.0)

gen_require(`
	type munin_t, munin_exec_t;
')

init_ranged_daemon_domain(munin_t, munin_exec_t, s0 - mcs_systemhigh)

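A triage helper for a log like the one in this report, as an added example that is not part of the original bug report or of the selinux-policy project: it groups AVC denials by source type, target type, class and permission, and flags those where the source's high MCS level does not dominate the target's. It assumes the constraint being hit compares high levels by dominance; the function names are hypothetical and the `etc_t` sample line is constructed.

```python
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def parse_level(level):
    """'s0:c0.c1023' -> (0, frozenset of category numbers 0..1023)."""
    sens, _, cats = level.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c1023' is an inclusive range
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(found)

def high_level(context):
    """High end of the range in user:role:type:low[-high]."""
    return parse_level(context.split(":", 3)[3].split("-")[-1])

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def triage(lines):
    """Count denials per (source type, target type, class, perms, mcs_suspect)."""
    groups = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = m["src"], m["tgt"]
        suspect = not dominates(high_level(src), high_level(tgt))
        key = (src.split(":")[2], tgt.split(":")[2], m["cls"], m["perms"], suspect)
        groups[key] += 1
    return groups

# First three lines are shortened from the report; the etc_t line is constructed.
SAMPLE = [
    'avc: denied { ioctl } for pid=3774 comm="grep" scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=file',
    'avc: denied { ioctl } for pid=3774 comm="grep" scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file',
    'avc: denied { ioctl } for pid=3774 comm="grep" scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=file',
    'avc: denied { write } for pid=3774 comm="grep" scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE).items()):
        print(count, *key)
```

Denials flagged as suspect are candidates for a range fix like the module above; unflagged ones need ordinary type-enforcement review instead.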
Miroslav, grab the mcs definition from F13.
Fixed in selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.