-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/29/2012 05:39 PM, Dominick Grift wrote:
On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
> "Dominick Grift wrote:"
>>
>> On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
>>> "Daniel J Walsh wrote:"
>>>>
On 01/28/2012 02:15 PM, David Highley wrote:
>>>>>> "David Highley wrote:"
>>>>>>>
>>>>>>> "Miroslav Grepl wrote:"
>>>>>>>>
>>>>>>>> On 01/26/2012 05:33 AM, David Highley wrote:
>>>>>>>>> "Daniel J Walsh wrote:"
>>>>>> On 01/25/2012 01:38 PM, David Highley wrote:
>>>>>>>>>>>> "Daniel J Walsh wrote:" On
01/24/2012 10:39
>>>>>>>>>>>> PM, David Highley wrote:
>>>>>>>>>>>>>>> time->Tue Jan 24 06:17:02
2012
>>>>>>>>>>>>>>> type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327414622.867:2517):
>>>>>>>>>>>>>>> arch=c000003e syscall=59
success=yes
>>>>>>>>>>>>>>> exit=0 a0=9669f0 a1=cc8170
>>>>>>>>>>>>>>> a2=7fff1bf396c8 a3=1f
items=0
>>>>>>>>>>>>>>> ppid=5248 pid=5253 auid=0
uid=0 gid=0
>>>>>>>>>>>>>>> euid=0 suid=0 fsuid=0 egid=0
sgid=0
>>>>>>>>>>>>>>> fsgid=0 tty=(none) ses=293
comm="sh"
>>>>>>>>>>>>>>> exe="/bin/bash"
>>>>>>>>>>>>>>>
subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
key=(null) type=AVC
msg=audit(1327414622.867:2517): avc:
>>>>>>>>>>>>>>> denied {
transition } for pid=5253
>>>>>>>>>>>>>>> comm="rpm"
path="/bin/bash" dev=dm-1
>>>>>>>>>>>>>>> ino=393240
>>>>>>>>>>>>>>>
scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
tclass=process ---- time->Tue Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>> msg=audit(1327415018.410:38):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1359
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.410:38):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1359
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.410:39):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1360
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.410:39):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1360
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.411:40):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1361
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.411:40):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1361
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.411:41):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1362
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.411:41):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1362
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.414:42):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1365
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.414:42):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1365
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.414:43):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1364
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.414:43):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1364
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.415:44):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1366
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.415:44):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1366
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.416:45):
>>>>>>>>>>>>>>> arch=c000003e syscall=2
success=no
>>>>>>>>>>>>>>> exit=-13 a0=7fff0fc10e50
a1=0
>>>>>>>>>>>>>>> a2=7fff0fc10e79 a3=68
items=0
>>>>>>>>>>>>>>> ppid=1180 pid=1363
auid=4294967295
>>>>>>>>>>>>>>> uid=0 gid=48 euid=0 suid=0
fsuid=0
>>>>>>>>>>>>>>> egid=48 sgid=48 fsgid=48
tty=(none)
>>>>>>>>>>>>>>> ses=4294967295
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
exe="/usr/sbin/httpd"
>>>>>>>>>>>>>>>
subj=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>> key=(null) type=AVC
>>>>>>>>>>>>>>> msg=audit(1327415018.416:45):
avc:
>>>>>>>>>>>>>>> denied { search } for
pid=1363
>>>>>>>>>>>>>>>
comm="/usr/sbin/httpd" name="yp"
>>>>>>>>>>>>>>> dev=dm-1 ino=1313161
>>>>>>>>>>>>>>>
scontext=system_u:system_r:httpd_t:s0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:var_yp_t:s0
>>>>>>>>>>>>>>> tclass=dir ---- time->Tue
Jan 24
>>>>>>>>>>>>>>> 06:23:38 2012 type=SYSCALL
>>>>>>>>>>>>>>>
msg=audit(1327415018.418:46):
>>>>>>>>>>>>>>> arch=c000003e syscall=42
success=no
>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0
a2=10
>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367
pid=1369
>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81
euid=0
>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81
sgid=81
>>>>>>>>>>>>>>> fsgid=81 tty=(none)
ses=4294967295
>>>>>>>>>>>>>>>
comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>
exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
key=(null) type=AVC
msg=audit(1327415018.418:46): avc:
>>>>>>>>>>>>>>> denied {
name_connect } for
>>>>>>>>>>>>>>> pid=1369
comm="dbus-daemon-lau"
>>>>>>>>>>>>>>> dest=111
>>>>>>>>>>>>>>>
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>>>>>>>>>>>>>>
tclass=tcp_socket ---- time->Tue Jan
>>>>>>>>>>>>>>> 24 06:23:38 2012
type=SYSCALL
>>>>>>>>>>>>>>> msg=audit(1327415018.418:47):
>>>>>>>>>>>>>>> arch=c000003e syscall=49
success=no
>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff07112f60
a2=10
>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367
pid=1369
>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81
euid=0
>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81
sgid=81
>>>>>>>>>>>>>>> fsgid=81 tty=(none)
ses=4294967295
>>>>>>>>>>>>>>>
comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>
exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
key=(null) type=AVC
msg=audit(1327415018.418:47): avc:
>>>>>>>>>>>>>>> denied {
name_bind } for pid=1369
>>>>>>>>>>>>>>>
comm="dbus-daemon-lau" src=697
>>>>>>>>>>>>>>>
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:hi_reserved_port_t:s0
>>>>>>>>>>>>>>>
tclass=tcp_socket ---- time->Tue Jan
>>>>>>>>>>>>>>> 24 06:23:38 2012
type=SYSCALL
>>>>>>>>>>>>>>> msg=audit(1327415018.418:48):
>>>>>>>>>>>>>>> arch=c000003e syscall=42
success=no
>>>>>>>>>>>>>>> exit=-13 a0=3 a1=7fff071131f0
a2=10
>>>>>>>>>>>>>>> a3=98 items=0 ppid=1367
pid=1369
>>>>>>>>>>>>>>> auid=4294967295 uid=81 gid=81
euid=0
>>>>>>>>>>>>>>> suid=0 fsuid=0 egid=81
sgid=81
>>>>>>>>>>>>>>> fsgid=81 tty=(none)
ses=4294967295
>>>>>>>>>>>>>>>
comm="dbus-daemon-lau"
>>>>>>>>>>>>>>>
exe="/lib64/dbus-1/dbus-daemon-launch-helper"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
key=(null) type=AVC
msg=audit(1327415018.418:48): avc:
>>>>>>>>>>>>>>> denied {
name_connect } for
>>>>>>>>>>>>>>> pid=1369
comm="dbus-daemon-lau"
>>>>>>>>>>>>>>> dest=111
>>>>>>>>>>>>>>>
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
tcontext=system_u:object_r:portmap_port_t:s0
>>>>>>>>>>>>>>>
tclass=tcp_socket
>>>>>>>>>>>> Do you have the allow_ypbind boolean
>>>>>>>>>>>> permanantly turned on
>>>>>>>>>>>>
>>>>>>>>>>>> setsebool -P allow_ypbind 1
>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, we permanently set this bool.
>>>>>>>>>>>> If the init script is turning it on, you
>>>>>>>>>>>> could see avc's like this.
>>>>>>>>>>>>
>>>>>>>>>>>> Have no idea what the
>>>>>>>>>>>> bootloader->rpm_script one is.
>>>>>>>>>>>>
>>>>>>>>>>>> There used to be some kernel update
scripts
>>>>>>>>>>>> that were labeled as bootloader_exec_t?
--
>>>>>>>>>>>> selinux mailing list
>>>>>>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>>>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
Strange and these happen on every
boot, and then stop?
>>>>>>>>>> Just tried another reboot and
got the same
>>>>>>>>>> results so I would say that it happens on every
>>>>>>>>>> boot.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> -- selinux mailing list
>>>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>>>>
Could you make sure that the policy is
installed correctly.
>>>>>>>>
>>>>>>>> # yum reinstall selinux-policy-targeted
>>>>>>>>
>>>>>>>> and see if something blows up.
>>>>>>>
>>>>>>> Same results as before. Did get a new avc just before
>>>>>>> the reboot doing a yum update.
>>>>>>
>>>>>> To add more clarity to the boot up AVC, we did check
>>>>>> for any sign of AVC when we reinstalled
>>>>>> selinux-policy-targeted.
>>>>>>
>>>>>>> allow bootloader_t rpm_script_t:process transition;
>>>>>>> ---- time->Sat Jan 28 07:47:51 2012 type=SYSCALL
>>>>>>> msg=audit(1327765671.705:3395): arch=c000003e
>>>>>>> syscall=59 success=ye s exit=0 a0=1429290 a1=12e3550
>>>>>>> a2=7fffd4c974c8 a3=20 items=0 ppid=24868 pid=2487 8
>>>>>>> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>>>> sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
>>>>>>> exe="/bin/bash"
>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.
>>>>>>> c1023 key=(null) type=AVC
>>>>>>> msg=audit(1327765671.705:3395): avc: denied {
>>>>>>> transition } for pid=24878 comm="rpm"
>>>>>>> path="/bin/bash" dev=dm-1 ino=393240
>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
>>>>>>>
>>>>>>> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
>>>>>>> tclass=process
>>>>>>
>>>>>> Packages in this update were: Jan 28 07:46:28 Updated:
>>>>>> libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29
>>>>>> Updated: libblkid-2.20.1-2.2.fc16.x86_64 Jan 28
>>>>>> 07:46:29 Updated: 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64
>>>>>> Jan 28 07:46:29 Updated: libcurl-7.21.7-6.fc16.x86_64
>>>>>> Jan 28 07:46:30 Updated: curl-7.21.7-6.fc16.x86_64 Jan
>>>>>> 28 07:46:30 Updated:
>>>>>> 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31
>>>>>> Updated: libmount-2.20.1-2.2.fc16.x86_64 Jan 28
>>>>>> 07:46:32 Updated:
>>>>>> setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28
>>>>>> 07:46:32 Installed: python-tornado-2.1.1-1.fc16.noarch
>>>>>> Jan 28 07:46:33 Updated:
>>>>>> python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
>>>>>> Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34
>>>>>> Updated:
>>>>>> mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan
>>>>>> 28 07:46:39 Installed: kernel-3.2.2-1.fc16.x86_64 Jan
>>>>>> 28 07:46:40 Updated:
>>>>>> xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40
>>>>>> Updated:
>>>>>> mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64
>>>>>> Jan 28 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan
>>>>>> 28 07:46:42 Updated: ipython-0.12-2.fc16.noarch Jan 28
>>>>>> 07:46:43 Updated: setroubleshoot-3.1.2-1.fc16.x86_64
>>>>>> Jan 28 07:46:44 Updated:
>>>>>> util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44
>>>>>> Updated: 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28
>>>>>> 07:46:46 Updated: libcurl-devel-7.21.7-6.fc16.x86_64
>>>>>> Jan 28 07:46:47 Updated: rsyslog-5.8.7-1.fc16.x86_64
>>>>>> Jan 28 07:46:48 Updated: t1lib-5.1.2-9.fc16.x86_64 Jan
>>>>>> 28 07:46:49 Updated: kernel-headers-3.2.2-1.fc16.x86_64
>>>>>> Jan 28 07:46:59 Installed:
>>>>>> kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00
>>>>>> Updated: mdadm-3.2.3-3.fc16.x86_64
>>>>>>> -- selinux mailing list
>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>
>>>>>>
>>>>>>>
Any idea of what process is running as bootloader_t?
ps -eZ | grep bootloader_t or find /sbin/ -context
"*:bootloader_exec_t*"
>>>>
>>>> Since we were running yum update and there was a kernel
>>>> update involved it could be several from the list below.
>>>>
>>>> /sbin/grub2-setup /sbin/installkernel /sbin/grub2-reboot
>>>> /sbin/grub2-probe /sbin/grub2-mkdevicemap
>>>> /sbin/grub2-set-default /sbin/grubby /sbin/grub2-install
>>>> /sbin/grub2-mkconfig /sbin/grub2-mknetdir
>>>> /sbin/new-kernel-pkg
>>>
>>> Do you have any (a)?kmod packages installed from rpmfusion.
>>
>> Yes, we run akmod for nvidia on that system and it also has the
>> new ueif BIOS. You mentioned modifying grub for the BIOS, is
>> that something that may need to be done? If so is there
>> documentation about what needs to be changed?
> I meant "i also do not have a default grub config because i am
> using uefi setup." because a uefi setup requires package grub-efi
> which is not installed if you do not use uefi. I have not
> modified grub manually in any way.
> I suspect above issue might be related to akmod. Not sure though.
> I use to have a policy module for akmod back in the day. Would
> maybe have been useful now to be able to determine whether this
> is actually akmod or something else running in the bootloader
> domain.
>>> I have specified labels for the above files bootloader_exec_t
>>> a while ago and i was not sure whether this would be a good
>>> idea.
>>>
>>> I have not had any AVC denials related to this but i do not
>>> use grub manually often and i also do not have a default grub
>>> config because i am using uefi setup.
>>>
>>>>
>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
These files are mislabeled. They should not be labeled grub_exec_t.
/sbin/installkernel
/sbin/new-kernel-pkg
If restorecon does not fix the labels, then you need to update policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
iEYEARECAAYFAk8m4a8ACgkQrlYvE4MpobPUcgCffvdg9eDYd3Gnj4vV2pxYW+HB
CuMAoKg32tl1hxMkE3aNR3qYS3+IwCdx
=n2Is
-----END PGP SIGNATURE-----