https://bugzilla.redhat.com/show_bug.cgi?id=558499
In Fedora 13, we had a rule that said
dontaudit domain rpm_tmp_t:file { read write };
rpm changed the access on rpm_tmp_t to be { read append };
This caused the following avc.
node=(removed) type=AVC msg=audit(1264430091.330:28): avc: denied { read append } for pid=2933 comm="rpc.statd" path="/tmp/tmp9IF8MN" dev=dm-0 ino=432 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1264430091.330:28): arch=c000003e syscall=59 success=yes exit=0 a0=28bd8d0 a1=28bdb50 a2=28bc920 a3=7fff07d44c30 items=0 ppid=2932 pid=2933 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
This indicates that rpcd_t did not have read append access, when it should have only reported append access, since the read access should have been dontaudited.
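A simplified model of that audit decision, added here as an example (not code from the bug report or from the kernel; the permission bits and the two decision functions are assumptions made to illustrate the point): the old behaviour suppresses the message only when every denied permission is dontaudited and otherwise logs the whole denied set, which is why the AVC above shows read next to append.

```c
/* Added example, not from the bug report or the kernel: a toy model of how
 * an AVC decides which denied permissions to log. Bit names are assumptions. */
#include <stdio.h>
#include <string.h>

enum { P_READ = 1u << 0, P_WRITE = 1u << 1, P_APPEND = 1u << 2 };

/* Old behaviour (assumed): if any denied permission is still audited,
 * log the entire denied set, dontaudited bits included. */
unsigned old_audited(unsigned requested, unsigned allowed, unsigned dontaudit)
{
    unsigned denied = requested & ~allowed;
    unsigned auditdeny = ~dontaudit;       /* bits whose denial is audited */
    if (!(denied & auditdeny))
        return 0;                           /* fully dontaudited: no message */
    return denied;                          /* { read append } for this report */
}

/* Expected behaviour: log only the denied permissions that are not dontaudited. */
unsigned expected_audited(unsigned requested, unsigned allowed, unsigned dontaudit)
{
    unsigned denied = requested & ~allowed;
    return denied & ~dontaudit;             /* { append } for this report */
}

/* Render a permission mask the way an AVC message lists it, e.g. "read append". */
void perm_string(unsigned mask, char *out, size_t n)
{
    out[0] = '\0';
    if (mask & P_READ)   strncat(out, "read ", n - strlen(out) - 1);
    if (mask & P_WRITE)  strncat(out, "write ", n - strlen(out) - 1);
    if (mask & P_APPEND) strncat(out, "append ", n - strlen(out) - 1);
    size_t len = strlen(out);
    if (len) out[len - 1] = '\0';           /* drop the trailing space */
}

int main(void)
{
    /* Values taken from the report: dontaudit { read write }, rpm now opens
     * with { read append }, and rpcd_t has no allow rule on rpm_tmp_t:file. */
    unsigned requested = P_READ | P_APPEND, allowed = 0, dontaudit = P_READ | P_WRITE;
    char buf[32];
    perm_string(old_audited(requested, allowed, dontaudit), buf, sizeof buf);
    printf("logged now:  { %s }\n", buf);
    perm_string(expected_audited(requested, allowed, dontaudit), buf, sizeof buf);
    printf("should log:  { %s }\n", buf);
    return 0;
}
```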