Dear SELinux experts,
I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel
panic. I am on track with it but SELinux is getting in my way.
I have done
[root@localhost ~]# restorecon -v /
[root@localhost ~]# touch /.autorelabel; reboot
three times and still these AVCs refuse to go away.
Summary
SELinux is preventing access to files with the default label, default_t.
Detailed Description
SELinux permission checks on files labeled default_t are being denied.
These files/directories have the default label on them. This can indicate a
labeling problem, especially if the files being referred to are not top
level directories. Any files/directories under standard system directories,
/usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
The default label is for files/directories which do not have a label on a
parent directory. So if you create a new directory in / you might
legitimately get this label.
Allowing Access
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information
Source Context system_u:system_r:consolekit_t
Target Context system_u:object_r:default_t
Target Objects root [ dir ]
Affected RPM Packages ConsoleKit-x11-0.2.1-2.fc7
[application]filesystem-2.4.6-1.fc7 [target]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.default
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Sun 03 Jun 2007 11:10:16 PM CDT
Last Seen Sun 03 Jun 2007 11:10:16 PM CDT
Local ID 2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1
Line Numbers
Raw Audit Messages
avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0
exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0
subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
Summary
SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t).
Detailed Description
SELinux denied access requested by /bin/mknod. It is not expected that this
access is required by /bin/mknod and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /, restorecon -v / If this does
not work, there is currently no automatic way to allow this access. Instead,
you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:insmod_t
Target Context system_u:object_r:device_t
Target Objects / [ dir ]
Affected RPM Packages coreutils-6.9-2.fc7
[application]filesystem-2.4.6-1.fc7 [target]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Sun 03 Jun 2007 11:52:01 PM CDT
Last Seen Sun 03 Jun 2007 11:52:01 PM CDT
Local ID 2f4ccd0d-5eab-4194-9ce2-9b424aed8163
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0
exe="/bin/mknod"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
Here they are again from dmesg.
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod"
name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir
and
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles"
name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles"
name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles"
name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:9): avc: denied { search } for pid=996 comm="setfiles"
name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:10): avc: denied { getattr } for pid=996 comm="setfiles"
name="smp_affinity" dev=proc ino=-268435372
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0
tclass=file
audit(1180944712.754:11): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
tclass=file
audit(1180944712.754:12): avc: denied { search } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
tclass=dir
audit(1180944712.754:13): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0
tclass=file
audit(1180944712.754:14): avc: denied { search } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0
tclass=dir
audit(1180944712.754:15): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0
tclass=file
audit(1180944712.754:16): avc: denied { search } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0
tclass=dir
audit(1180944712.754:17): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0
tclass=file
audit(1180944712.754:18): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0
tclass=file
audit(1180944712.754:19): avc: denied { search } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0
tclass=dir
audit(1180944712.754:20): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0
tclass=file
audit(1180944712.754:21): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0
tclass=file
audit(1180944712.754:22): avc: denied { read } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0
tclass=file
audit(1180944712.754:23): avc: denied { search } for pid=996 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0
tclass=dir
audit(1180944712.754:24): avc: denied { getattr } for pid=996 comm="setfiles"
name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:25): avc: denied { read } for pid=996 comm="setfiles"
name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:26): avc: denied { search } for pid=996 comm="setfiles"
name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:27): avc: denied { getattr } for pid=996 comm="setfiles"
name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1180944712.754:28): avc: denied { getattr } for pid=996 comm="setfiles"
name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1180944712.754:29): avc: denied { getattr } for pid=996 comm="setfiles"
name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1180944712.754:30): avc: denied { getattr } for pid=996 comm="setfiles"
name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:31): avc: denied { read } for pid=996 comm="setfiles"
name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:32): avc: denied { search } for pid=996 comm="setfiles"
name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:33): avc: denied { getattr } for pid=996 comm="setfiles"
name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1180944712.754:34): avc: denied { getattr } for pid=996 comm="setfiles"
name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1180944712.754:35): avc: denied { getattr } for pid=996 comm="setfiles"
name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:36): avc: denied { read } for pid=996 comm="setfiles"
name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:37): avc: denied { search } for pid=996 comm="setfiles"
name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:38): avc: denied { getattr } for pid=996 comm="setfiles"
name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1180944712.754:39): avc: denied { getattr } for pid=996 comm="setfiles"
name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1180944716.754:40): avc: denied { getattr } for pid=996 comm="setfiles"
name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:41): avc: denied { read } for pid=996 comm="setfiles"
name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:42): avc: denied { search } for pid=996 comm="setfiles"
name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:43): avc: denied { getattr } for pid=996 comm="setfiles"
name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1180944716.754:44): avc: denied { getattr } for pid=996 comm="setfiles"
name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1180944716.754:45): avc: denied { getattr } for pid=996 comm="setfiles"
name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:46): avc: denied { read } for pid=996 comm="setfiles"
name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:47): avc: denied { search } for pid=996 comm="setfiles"
name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:48): avc: denied { getattr } for pid=996 comm="setfiles"
name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1180944716.754:49): avc: denied { getattr } for pid=996 comm="setfiles"
name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1180944820.238:50): avc: denied { create } for pid=995 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0
tclass=netlink_audit_socket
audit(1180944820.238:51): avc: denied { write } for pid=995 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0
tclass=netlink_audit_socket
audit(1180944820.238:52): avc: denied { nlmsg_relay } for pid=995
comm="setfiles" scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:53): avc: denied { audit_write } for pid=995
comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1180944820.238:54): avc: denied { read } for pid=995 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0
tclass=netlink_audit_socket
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295
Suggestions/advice as to how to fix this are greatly appreciated.
[olivares@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686
athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 7 (Moonshine)
[olivares@localhost ~]$
Regards,
Antonio
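A small parser for AVC records of the kind quoted in this mail, added here as an example; it is not code from Antonio's message or from Fedora's setroubleshoot. It reads both shapes that appear above (the sealert "Raw Audit Messages" form and the dmesg "audit(ts:serial):" form), tracks the enforcing=0 / enforcing=1 toggles so that denials logged while the box was temporarily permissive are reported separately from enforced ones, and flags targets labeled default_t, which the first sealert alert attributes to a labeling problem rather than a policy gap. The sample lines are constructed in the shape of the ones quoted in the mail (the combined "{ read search }" record is a construction to exercise multi-permission parsing); the script assumes the log is in chronological order and that the system starts out enforcing.

```python
import re
from collections import Counter

# Constructed sample records in the two shapes that appear in the thread:
# the dmesg "audit(ts:serial):" form and the sealert "Raw Audit Messages" form.
SAMPLE_LOG = """\
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { read search } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295
avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0 subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
"""

# "avc: denied { perm [perm ...] } for key=value ..."; key order varies between
# the dmesg and sealert forms, so the tail is parsed as free-form key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Mode switches emitted by setenforce / the autorelabel sequence.
MODE_RE = re.compile(r'enforcing=(\d)\s+old_enforcing=(\d)')


def type_of(context):
    """Return the type field of a context: user:role:TYPE[:range]."""
    return context.split(':')[2]


def parse_avc_log(text, enforcing=True):
    """Parse AVC denials, tagging each with the enforcing state in effect.

    Assumes lines are in chronological order; `enforcing` is the state before
    the first line (this host reported "Enforcing Mode Enforcing").
    """
    records = []
    for line in text.splitlines():
        mode = MODE_RE.search(line)
        if mode:
            enforcing = mode.group(1) == '1'
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        rec = {
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'source_type': type_of(fields['scontext']),
            'target_type': type_of(fields['tcontext']),
            'tclass': fields.get('tclass'),
            'enforced': enforcing,           # False => logged only, access was granted
        }
        # sealert's own diagnosis: a default_t target means the object never
        # received a proper label, i.e. relabel it rather than write policy.
        rec['labeling_problem'] = rec['target_type'] == 'default_t'
        records.append(rec)
    return records


def summarize(records):
    """Count denials by (source type, target type, class, permission, enforced)."""
    counts = Counter()
    for r in records:
        for perm in r['perms']:
            counts[(r['source_type'], r['target_type'], r['tclass'], perm, r['enforced'])] += 1
    return counts


def labeling_problems(records):
    """(comm, name, tclass) for every denial against a default_t object."""
    return [(r['comm'], r['name'], r['tclass']) for r in records if r['labeling_problem']]


def report(records):
    """One human-readable line per distinct denial, permissive ones marked."""
    lines = []
    for (src, tgt, cls, perm, enforced), n in sorted(summarize(records).items()):
        mode = 'ENFORCED' if enforced else 'permissive (logged only)'
        note = '  <- default_t target: relabel' if tgt == 'default_t' else ''
        lines.append(f'{n:3d}x {src} -> {tgt} {cls}:{perm} [{mode}]{note}')
    return lines


if __name__ == '__main__':
    for line in report(parse_avc_log(SAMPLE_LOG)):
        print(line)
```

Run against the dmesg excerpt in the mail, the enforcing-state tracking is what separates the two kinds of noise: the long run of setfiles denials sits between serial 5 (enforcing=0) and serial 55 (enforcing=1), so they were logged during the relabel in permissive mode and never blocked anything, whereas the mknod denial (serial 4) and the consolekit_t search of / labeled default_t were taken while enforcing and are the ones worth chasing.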