No, the vast majority of the 'denials' aren't actually denials. Dan removed all unconfined domains and replaced them with permissive domains. An unconfined domain allows everything and audits nothing. A permissive domain allows everything but audits every time there is no allow rule for a given request.

This has helped to define the actual needs of many of the unconfined domains. And hopefully we can remove them entirely in the future. Please keep filing bugs.
Here's one for modprobe.d
https://bugzilla.redhat.com/show_bug.cgi?id=523039
https://bugzilla.redhat.com/show_bug.cgi?id=523040
Some from dmesg to support the ones on top:

SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
load_policy used greatest stack depth: 5448 bytes left
dracut: Switching root
type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
sis900.c: v1.08.10 Apr. 2 2006
sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
0000:00:04.0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
parport_pc 00:09: reported by Plug and Play ACPI
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
ppdev: user-space parallel port driver
Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
intel8x0: clocking to 48000
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
device-mapper: multipath: version 1.1.0 loaded
EXT4-fs (dm-0): internal journal on dm-0:8
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap. Priority:-1 extents:1 across:950264k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
type=1400 audit(1252857189.780:11): avc: denied { read } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc: denied { open } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
Microcode Update Driver: v2.00 tigran@aivazian.fsnet.co.uk, Peter Oruba
microcode: CPU0 updated to revision 0x2e, date = 2004-08-11
microcode: CPU1 updated to revision 0x2e, date = 2004-08-11
Microcode Update Driver: v2.00 removed.
p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
type=1400 audit(1252857190.717:13): avc: denied { read } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857190.717:14): avc: denied { open } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: Media Link On 100mbps full-duplex
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
eth0: no IPv6 routers present
CPU0 attaching NULL sched-domain.
CPU1 attaching NULL sched-domain.
CPU0 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 0 1
CPU1 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 1 0
canberra-gtk-pl used greatest stack depth: 5236 bytes left
fuse init (API version 7.12)
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts

[root@n6355-2 ~]# uname -r
2.6.31-2.fc12.i686
Another one filed, but cut + paste failed :(
Regards,
Antonio
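As an added example (not part of Antonio's post or the thread it replies to), a small Python script that pulls the `type=1400 ... avc: denied` records out of a dmesg paste like the one above and collapses them into the (source type, target type, class) shape a TE allow rule has, which is what a policy bug report ends up asking for. The sample text is constructed from records quoted in the post; if insmod_t is one of the permissive domains the reply describes, these records are audit-only, so the resulting rule describes what the domain needs rather than anything that was blocked.

```python
import re
from collections import defaultdict

# Constructed sample: a few kernel lines copied from the dmesg paste above,
# including two non-AVC lines so the filter has something to skip.
SAMPLE_DMESG = """\
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# One kernel AVC record: type=1400 audit(ts:serial): avc: denied { perms } for ... tclass=...
AVC_RE = re.compile(
    r'type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield one dict per AVC record; every other kernel line is ignored."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            yield rec

def context_type(ctx):
    """user:role:type[:range] -> type. The MLS range (s0 vs s0-s0:c0.c1023 in the
    paste) is dropped because TE allow rules are written against types."""
    return ctx.split(":")[2]

def summarize(text):
    """Collapse records into {(source type, target type, class): permissions}."""
    needed = defaultdict(set)
    for rec in parse_avc(text):
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        needed[key] |= rec["perms"]
    return dict(needed)

def as_allow_rules(summary):
    """Render each entry as a TE allow rule; all modprobe.d records reduce to one."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )
```

Running `as_allow_rules(summarize(SAMPLE_DMESG))` on the sample yields the single rule `allow insmod_t modules_conf_t:dir { open read };`, which is the gap the two bugzilla entries above describe.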