I updated to selinux-policy-strict-1.13.9-1 off of the development tree, and immediately had problems: 'su' no longer is accessible; graphical login/X no longer works.
I bugzilla'ed this (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126788) and attached a copy of the AVCs produced when rebooting with 'enforcing=0'.
tom
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
I'm not having the same problem, having just finished doing a "yum update" from the /development tree (including the above policy). The procedure I followed (because of the new policy) was to immediately reboot with "a" selected at the grub menu, adding 'single' to the kernel line, then doing fixfiles relabel (delete /tmp? y) and then doing "reboot" at the prompt. The system comes up in enforcing mode to runlevel 5, and I can do the graphical login and su -. There are many more avc denied messages in /var/log/messages than previously (many having to do with hotplug). Perhaps trying the above approach to relabeling will at least get you logged in.
HTH
Richard Hally
Test Results: selinux-policy-strict-1.13.9-1
Kernel: 2.6.7-1.456
I relabeled in permissive mode prior to running in enforcing mode. However, I notice things that didn't get labeled. I've been running the targeted policy prior to this - perhaps that's a factor. Also I use tmpfs, which I think causes some of the issues (but def. not all).
In /var/log/dmesg (early before init):
UNLABELED:
path = /initrd/dev/root dev = ram0 tclass = blk_file denied { getattr } exe = /bin/bash scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:unlabeled_t
HOTPLUG:
path = /etc/hotplug.d/default/udev.hotplug tclass = file denied { getattr } exe = /bin/bash scontext = system_u:system_r:hotplug_t tcontext = system_u:object_r:udev_helper_exec_t
name = dbus tclass = dir denied { search } exe = /usr/libexec/hal.hotplug scontext = system_u:system_r:hotplug_t tcontext = system_u:object_r:dbus_var_run_t
LVM:
name = control tclass = chr_file denied { unlink } exe = /bin/rm scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:lvm_control_t
name = selinux or var tclass = dir denied { search } exe = /sbin/lvm.static scontext = system_u:system_r:lvm_t tcontext = system_u:object_r:selinux_config_t (for selinux) tcontext = system_u:object_r:var_t (for var)
Others:
name = config tclass = file denied { read } exe = /usr/bin/id scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:selinux_config_t
tmpfs being a problem?
======================
dev = tmpfs tclass = dir denied { read } exe = /bin/bash scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:tmpfs_t
===============================================
In /var/log/messages:
UNLABELED:
path = /etc/ld.so.cache tclass = file denied { getattr } exe = /bin/env scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:unlabeled_t
dev = pipefs path = pipe:[851] tclass = fifo_file denied { getattr } { write } exe = /bin/env scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:unlabeled_t
path = /lib/ld-2.3.3.so tclass = file denied { read } exe = /bin/bash scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:unlabeled_t
HOTPLUG:
name = hotplug tclass = dir denied { search } exe = /bin/bash scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:hotplug_etc_t
name = hal.hotplug tclass = lnk_file denied { read } exe = /bin/bash scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:etc_t
path = /etc/hotplug.d/default/udev.hotplug tclass = file denied { getattr } exe = /bin/bash scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:udev_helper_exec_t
VAR
name = var tclass = dir denied { search } exe = /bin/bash denied { search } exe = /sbin/lvm_static scontext = system_u:system_r:kernel_t (bash) scontext = system_u:system_r:lvm_t (lvm_static) tcontext = system_u:object_r:var_t
...some of the errors from /var/log/dmesg repeat...
Also
dev = selinuxfs tclass = dir denied { search } exe = /bin/bash scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:security_t
More tmpfs denies...
READAHEAD:
name = aliases tclass = file denied { read } exe = /usr/sbin/readahead scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:etc_aliases_t
name = crontab tclass = file denied { read } exe = /usr/sbin/readahead scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:system_cron_spool_t
name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key tclass = file denied { read } exe = /usr/sbin/readahead scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:sshd_key_t
name = dhclient-eth0.leases tclass = file denied { read } exe = /usr/sbin/readahead scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:dhcpc_state_t
name = state tclass = file denied { read } exe = /usr/sbin/readahead scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:var_lib_nfs_t
MODPROBE
dev = proc path = /proc/sys/dev/parport/parport0/autoprobe tclass = file denied { read } exe = /sbin/modprobe scontext = system_u:system_r:insmod_t tcontext = system_u:object_r:sysctl_dev_t
KLOGD (this was there in the last version too)
name = System.map tclass = lnk_file denied { read } exe = /sbin/klogd scontext = system_u:system_r:klogd_t tcontext = system_u:object_r:boot_t
SELINUX
name = config tclass = file denied { read } exe = /usr/bin/selinuxenabled scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:selinux_config_t
I think there was one for ls trying to read selinux files too, but I lost it. Also:
name = config tclass = file denied { read } exe = /usr/bin/find scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:selinux_config_t
Then there's all the httpd errors I posted in my other two mails (on previous versions).
Then I get about a million of those:
class = tcp_socket denied { name_bind } exe = /usr/sbin/htt_server scontext = user_u:user_r:user_t tcontext = system_u:object_r:port_t
until I log in and kill htt_server.
Sorry for the long post :) I won't test the target policy anymore since it isn't very interesting in my case - the only daemon I have that it protects is httpd.
On Sun, 27 Jun 2004 09:24, Ivan Gyurdiev ivg2@cornell.edu wrote:
In /var/log/dmesg (early before init):
We have given up on the idea of loading policy in the initrd. Therefore policy should not be loaded before init and you should not have any AVC messages before init loads the policy.
On Sun, 2004-06-27 at 19:06 +1000, Russell Coker wrote:
On Sun, 27 Jun 2004 09:24, Ivan Gyurdiev ivg2@cornell.edu wrote:
In /var/log/dmesg (early before init):
We have given up on the idea of loading policy in the initrd. Therefore policy should not be loaded before init and you should not have any AVC messages before init loads the policy
Ok, you're right - my mistake. The messages occur immediately after init starts but are logged in /var/log/dmesg and not /var/log/messages.
Strange - I can't log in anymore either. I used to be able to immediately after relabel and reboot. I also seem to get more messages. Not quite sure what's going on.
Please attach the AVC Messages. The problems are probably being caused by update to other applications like hotplug.
Dan
1.13.9 went out with tunables turned off. 1.13.10 fixes this problem.
Yes, that fixes 90% of all problems. The AVCs left look familiar. Here's all of them. I left one of each kind.
Udev:
audit(1088316302.804:0): avc: denied { execute } for pid=260 exe=/bin/bash name=udev.hotplug dev=hda7 ino=35718314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_helper_exec_t tclass=file
Lvm.static:
audit(1088337913.192:0): avc: denied { search } for pid=854 exe=/sbin/lvm.static name=selinux dev=hda7 ino=21763330 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1088337922.000:0): avc: denied { getattr } for pid=854 exe=/sbin/lvm.static path=/dev/vcsa01 dev=hda7 ino=12734292 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=file
audit(1088337922.006:0): avc: denied { getattr } for pid=854 exe=/sbin/lvm.static path=/dev/vcsa05 dev=hda7 ino=12613346 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=file
Hal:
audit(1088337915.701:0): avc: denied { search } for pid=903 exe=/usr/libexec/hal.dev name=dbus dev=hda7 ino=2677359 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:dbusd_var_run_t tclass=dir
Restorecon:
audit(1088337917.431:0): avc: denied { use } for pid=912 exe=/sbin/restorecon path=/dev/null dev=hda7 ino=15237714 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:hotplug_t tclass=fd
audit(1088337917.431:0): avc: denied { read write } for pid=912 exe=/sbin/restorecon path=socket:[966] dev=sockfs ino=966 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket
Sulogin:
Jun 27 06:17:21 cobra kernel: audit(1088337927.587:0): avc: denied { search } for pid=1605 exe=/sbin/sulogin name=selinux dev=hda7 ino=21763330 scontext=system_u:system_r:sulogin_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Klogd:
Jun 27 06:17:21 cobra kernel: audit(1088338640.308:0): avc: denied { read } for pid=2222 exe=/sbin/klogd name=System.map dev=hda1 ino=13 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:boot_t tclass=lnk_file
Lock:
Jun 27 06:17:34 cobra kernel: audit(1088338654.709:0): avc: denied { search } for pid=2439 exe=/bin/bash name=lock dev=hda7 ino=31349249 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_lock_t tclass=dir
Httpd:
Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/sbin dev=hda7 ino=1662509 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/bin dev=hda7 ino=132 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/bin dev=hda7 ino=4283629 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/X11R6/bin dev=hda7 ino=5645421 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir
Jun 27 06:17:41 cobra kernel: audit(1088338661.210:0): avc: denied { getattr } for pid=2451 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jun 27 06:17:41 cobra kernel: audit(1088338661.441:0): avc: denied { write } for pid=2451 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=22857853 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jun 27 06:17:50 cobra kernel: audit(1088338670.336:0): avc: denied { getattr } for pid=2451 exe=/usr/sbin/httpd path=/usr/share/snmp/mibs/.index dev=hda7 ino=5977546 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
Jun 27 06:17:50 cobra kernel: audit(1088338670.337:0): avc: denied { write } for pid=2451 exe=/usr/sbin/httpd name=.index dev=hda7 ino=5977546 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
xfs:
Jun 27 06:18:30 cobra kernel: audit(1088338710.740:0): avc: denied { search } for pid=2672 exe=/usr/X11R6/bin/xfs dev=tmpfs ino=2786 scontext=system_u:system_r:xfs_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Xorg:
Jun 27 06:18:57 cobra kernel: audit(1088338737.144:0): avc: denied { getattr } for pid=3276 exe=/usr/X11R6/bin/Xorg path=/tmp/.X11-unix dev=tmpfs ino=6547 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:xdm_tmpfs_t tclass=dir
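Added example (not part of the original thread): one way to reduce a log like the one above to "one of each kind" is to group denials by source type, target type and object class. The function names and triage labels are assumptions of this sketch; the sample lines are taken from the post above with mail line-wrapping rejoined, except the last one, which is constructed from the earlier summary.

```python
import re

# Matches the permission set and key=value tail of a kernel AVC denial,
# with or without a leading syslog prefix ("Jun 27 ... kernel: ").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one denial, or None if the line is not a usable AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # Contexts in this log are user:role:type; the type is what matters here.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or wrapped line, skip rather than guess
    return {"perms": set(m.group("perms").split()), "source": source,
            "target": target, "tclass": tclass, "exe": fields.get("exe", "?")}

def summarize(lines):
    """Group denials by (source type, target type, class) and merge permissions."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "exes": set(), "count": 0})
        entry["perms"] |= rec["perms"]
        entry["exes"].add(rec["exe"])
        entry["count"] += 1
    return rules

def triage(key):
    """Heuristic first guess at where to look (labels are this sketch's own)."""
    source, target, _tclass = key
    if target == "unlabeled_t":
        return "relabel"            # object has no valid label on disk
    if source == "kernel_t":
        return "domain-transition"  # userland process still in the kernel domain
    return "policy"                 # labels look sane; rule or tunable is missing

SAMPLE = [
    "audit(1088316302.804:0): avc: denied { execute } for pid=260 exe=/bin/bash name=udev.hotplug dev=hda7 ino=35718314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_helper_exec_t tclass=file",
    "Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/sbin dev=hda7 ino=4283144 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir",
    "Jun 27 06:17:39 cobra kernel: audit(1088338659.767:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/usr/sbin dev=hda7 ino=1662509 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=dir",
    "Jun 27 06:17:39 cobra kernel: audit(1088338659.768:0): avc: denied { getattr } for pid=2429 exe=/usr/sbin/httpd path=/bin dev=hda7 ino=132 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=dir",
    "Jun 27 06:17:41 cobra kernel: audit(1088338661.441:0): avc: denied { write } for pid=2451 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=22857853 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_log_t tclass=file",
    "audit(1088337917.431:0): avc: denied { read write } for pid=912 exe=/sbin/restorecon path=socket:[966] dev=sockfs ino=966 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket",
    # Constructed line (timestamp, pid and ino are made up) for the unlabeled case:
    "audit(1000000000.000:0): avc: denied { getattr } for pid=1 exe=/bin/env path=/etc/ld.so.cache dev=hda7 ino=1 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file",
]

if __name__ == "__main__":
    for key, e in sorted(summarize(SAMPLE).items()):
        print(triage(key), key, sorted(e["perms"]), "x%d" % e["count"], sorted(e["exes"]))
```

The triage labels are only a starting point: "relabel" entries usually disappear after a full relabel, while "policy" entries are the ones worth attaching to a bug report.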