many avcs at startup, readahead and several others

Tom London selinux at gmail.com
Tue Sep 2 23:28:27 UTC 2008


On Tue, Sep 2, 2008 at 4:12 PM, Antonio Olivares
<olivares14031 at yahoo.com> wrote:
> Dear fellow selinux troubleshooters and testers,
>
> Using rawhide, I have seen several AVCs at startup, namely readahead and others, while I found out that the sound problem is due to SELinux getting in the way of pulse. Here are a few AVCs. Advice and/or workarounds appreciated; setroubleshoot has not kicked in, these are from dmesg | grep 'avcs'
>
> [root at localhost ~]# dmesg | grep 'avc'
> type=1400 audit(1220390408.063:4): avc:  denied  { read write } for  pid=611 comm="readahead" path="/dev/console" dev=tmpfs ino=408 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220390408.064:5): avc:  denied  { read write } for  pid=611 comm="readahead" path="/dev/console" dev=tmpfs ino=408 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220390408.064:6): avc:  denied  { read write } for  pid=611 comm="readahead" path="/dev/console" dev=tmpfs ino=408 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
> type=1400 audit(1220390408.788:7): avc:  denied  { fowner } for  pid=611 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220390408.837:8): avc:  denied  { fowner } for  pid=611 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220390408.838:9): avc:  denied  { fowner } for  pid=611 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220390409.131:10): avc:  denied  { fowner } for  pid=611 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
> type=1400 audit(1220390433.392:11): avc:  denied  { write } for  pid=1457 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1220390434.665:12): avc:  denied  { write } for  pid=1679 comm="ip" path="/0" dev=devpts ino=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1220390483.087:13): avc:  denied  { search } for  pid=1941 comm="pcscd" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
> type=1400 audit(1220390498.350:14): avc:  denied  { execute } for  pid=2393 comm="gdm" name="rpm" dev=dm-0 ino=24117303 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220390498.351:15): avc:  denied  { getattr } for  pid=2393 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117303 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220390498.351:16): avc:  denied  { getattr } for  pid=2393 comm="gdm" path="/bin/rpm" dev=dm-0 ino=24117303 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
> type=1400 audit(1220391361.963:17): avc:  denied  { setattr } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391361.965:18): avc:  denied  { setattr } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391361.965:19): avc:  denied  { setattr } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391361.966:20): avc:  denied  { setattr } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391361.966:21): avc:  denied  { write } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391480.205:22): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391480.206:23): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391480.206:24): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391480.206:25): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220391480.206:26): avc:  denied  { write } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396664.211:27): avc:  denied  { setattr } for  pid=3639 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396664.211:28): avc:  denied  { setattr } for  pid=3639 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396664.212:29): avc:  denied  { setattr } for  pid=3639 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396664.212:30): avc:  denied  { setattr } for  pid=3639 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396664.212:31): avc:  denied  { write } for  pid=3639 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396675.758:32): avc:  denied  { setattr } for  pid=3655 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396675.759:33): avc:  denied  { setattr } for  pid=3655 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396675.759:34): avc:  denied  { setattr } for  pid=3655 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396675.760:35): avc:  denied  { setattr } for  pid=3655 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396675.760:36): avc:  denied  { write } for  pid=3655 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396688.315:37): avc:  denied  { setattr } for  pid=3667 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396688.316:38): avc:  denied  { setattr } for  pid=3667 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396688.317:39): avc:  denied  { setattr } for  pid=3667 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396688.317:40): avc:  denied  { setattr } for  pid=3667 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396688.318:41): avc:  denied  { write } for  pid=3667 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396800.645:42): avc:  denied  { setattr } for  pid=3788 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396800.645:43): avc:  denied  { setattr } for  pid=3788 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396800.646:44): avc:  denied  { setattr } for  pid=3788 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396800.646:45): avc:  denied  { setattr } for  pid=3788 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396800.647:46): avc:  denied  { write } for  pid=3788 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396814.195:47): avc:  denied  { setattr } for  pid=3800 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396814.196:48): avc:  denied  { setattr } for  pid=3800 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396814.196:49): avc:  denied  { setattr } for  pid=3800 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396814.197:50): avc:  denied  { setattr } for  pid=3800 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=1400 audit(1220396814.197:51): avc:  denied  { write } for  pid=3800 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>
>
> Thanks,
>
> Antonio
>
Try "restorecon -v -R ~"

-- 
Tom London
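
The dmesg output quoted above repeats the same denials many times. As an added example (not part of the original thread), this Python script collapses AVC lines into unique (source type, target type, class) groups with the denied permissions, a count and the object names, which separates the denials on objects under the home directory (what a relabel with restorecon -R ~ touches) from those involving other domains. The sample lines are copied from the quoted output; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines taken from the quoted dmesg output in the post above.
SAMPLE = """\
type=1400 audit(1220390408.063:4): avc:  denied  { read write } for  pid=611 comm="readahead" path="/dev/console" dev=tmpfs ino=408 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1220390408.788:7): avc:  denied  { fowner } for  pid=611 comm="readahead" capability=3 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
type=1400 audit(1220391361.963:17): avc:  denied  { setattr } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1220391361.966:21): avc:  denied  { write } for  pid=3251 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1220391480.205:22): avc:  denied  { setattr } for  pid=3267 comm="npviewer.bin" name=".pulse" dev=dm-0 ino=7176200 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

# "avc: denied { perms } for key=value ..." as printed by the kernel audit code.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def se_type(context):
    # A context is user:role:type:level[...]; the type is the third field.
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'objects': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (se_type(rec['scontext']), se_type(rec['tcontext']), rec['tclass'])
        groups[key]['perms'].update(rec['perms'])
        groups[key]['count'] += 1
        groups[key]['objects'].add(rec.get('path') or rec.get('name') or '-')
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{g['count']:3d}x {src} -> {tgt}:{cls} "
              f"{{ {' '.join(sorted(g['perms']))} }} {sorted(g['objects'])}")
```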



