> No, the vast majority of the 'denials' aren't actually denials. Dan
> removed all unconfined domains and replaced them with permissive
> domains. An unconfined domain allows everything and audits nothing. A
> permissive domain allows everything but audits every time there is no
> allow rule for a given request.
>
> This has helped to define the actual needs of many of the unconfined
> domains. And hopefully we can remove them entirely in the future.
> Please keep filing bugs.
>
Here's one for modprobe.d
https://bugzilla.redhat.com/show_bug.cgi?id=523039
https://bugzilla.redhat.com/show_bug.cgi?id=523040
Some from dmesg to support the ones on top:
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
load_policy used greatest stack depth: 5448 bytes left
dracut: Switching root
type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295
subj=system_u:system_r:readahead_t:s0 res=1
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
sis900.c: v1.08.10 Apr. 2 2006
sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
0000:00:04.0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
parport_pc 00:09: reported by Plug and Play ACPI
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
ppdev: user-space parallel port driver
Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
intel8x0: clocking to 48000
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0
tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0
tclass=dir
device-mapper: multipath: version 1.1.0 loaded
EXT4-fs (dm-0): internal journal on dm-0:8
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap. Priority:-1 extents:1
across:950264k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
type=1400 audit(1252857189.780:11): avc: denied { read } for pid=725
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc: denied { open } for pid=725
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
Microcode Update Driver: v2.00 <tigran(a)aivazian.fsnet.co.uk>, Peter Oruba
microcode: CPU0 updated to revision 0x2e, date = 2004-08-11
microcode: CPU1 updated to revision 0x2e, date = 2004-08-11
Microcode Update Driver: v2.00 removed.
p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
type=1400 audit(1252857190.717:13): avc: denied { read } for pid=795
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0
tclass=dir
type=1400 audit(1252857190.717:14): avc: denied { open } for pid=795
comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0
tclass=dir
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: Media Link On 100mbps full-duplex
Installing knfsd (copyright (C) 1996 okir(a)monad.swb.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
eth0: no IPv6 routers present
CPU0 attaching NULL sched-domain.
CPU1 attaching NULL sched-domain.
CPU0 attaching sched-domain:
domain 0: span 0-1 level SIBLING
groups: 0 1
CPU1 attaching sched-domain:
domain 0: span 0-1 level SIBLING
groups: 1 0
canberra-gtk-pl used greatest stack depth: 5236 bytes left
fuse init (API version 7.12)
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
[root@n6355-2 ~]# uname -r
2.6.31-2.fc12.i686
Another one filed, but cut + paste failed :(
Regards,
Antonio
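The quoted reply explains why these records show up: a permissive domain such as insmod_t here lets the access through but audits every request that has no allow rule, so the audit trail is the list of what the domain actually needs. The script below is an added example, not code from the thread or from the SELinux tooling: it parses AVC lines of the shape shown in the dmesg excerpt, strips the MLS/MCS range (s0-s0:c0.c1023) from each context to get the type, and aggregates the denied permissions per (source type, target type, object class) into candidate allow rules, the same reduction audit2allow performs. The sample input is constructed from the records above, re-joined onto single lines; pids and timestamps are illustrative.

```python
"""Aggregate SELinux AVC denial records into the allow rules a domain needs.

Added example, not from the mailing-list thread. It reads kernel audit
lines of the form shown in the dmesg excerpt and groups the denied
permissions per (source type, target type, object class): the information
a policy maintainer needs before a permissive domain can be made enforcing.
"""
import re
from collections import defaultdict

# Constructed sample: the modprobe denials from the thread, each record on
# one line as the kernel emits it (pids/timestamps are illustrative).
SAMPLE_DMESG = """\
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
udev: starting version 145
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# Fields we need from an AVC record; everything between them is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a security context.

    Contexts are user:role:type[:range]. The MLS/MCS range may itself
    contain colons (s0-s0:c0.c1023), so take the third field and drop the rest.
    """
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for any other kernel line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    needs = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            needs[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needs)


def allow_rules(needs):
    """Render the aggregated denials as candidate policy allow rules, sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needs.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(aggregate_denials(SAMPLE_DMESG)):
        print(rule)
```

On the records in this thread the script reduces the six denials to one rule, `allow insmod_t modules_conf_t:dir { open read };`. That rule is a starting point for the bug report, not something to drop into policy unread: the maintainer still decides whether modprobe reading /etc/modprobe.d is expected (here it plainly is) or whether the file should carry a different label.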