* SELinux Policy in OpenSUSE 11.2 @ 2010-04-29 6:43 Justin P. Mattock 2010-04-29 7:01 ` Justin P. Mattock 0 siblings, 1 reply; 113+ messages in thread From: Justin P. Mattock @ 2010-04-29 6:43 UTC (permalink / raw) To: selinux; +Cc: sds o.k. Stephen, bug entry: https://bugzilla.novell.com/show_bug.cgi?id=582399 you were right with some init file not having #! /bin/bash on the top of the head. after looking around and gutting /etc/init.d I found that the files: /etc/rc.status and rc.splash has no such entry, so after adding this entry and rebooting I can get a clean bootup and policy load without the need for init_upstart=1 cheers.. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-04-29 6:43 SELinux Policy in OpenSUSE 11.2 Justin P. Mattock @ 2010-04-29 7:01 ` Justin P. Mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. Mattock @ 2010-04-29 7:01 UTC (permalink / raw) To: selinux; +Cc: sds On 04/28/2010 11:43 PM, Justin P. Mattock wrote: > o.k. Stephen, > > bug entry: > https://bugzilla.novell.com/show_bug.cgi?id=582399 > > you were right with some init > file not having #! /bin/bash > on the top of the head. > after looking around and gutting > /etc/init.d I found > that the files: > /etc/rc.status and rc.splash > has no such entry, so after adding > this entry and rebooting > I can get a clean bootup and policy load > without the need for init_upstart=1 > > cheers.. > > > Justin P. Mattock my bad.. too tired over here the main culprit is /etc/initscript renaming to something else gets me a clean bootup. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2
@ 2010-02-17 14:04 Thomas
0 siblings, 0 replies; 113+ messages in thread
From: Thomas @ 2010-02-17 14:04 UTC (permalink / raw)
To: Justin P. mattock; +Cc: Alan Rouse, 'selinux@tycho.nsa.gov'
Hello,
I am happy to see someone is working on SELinux for openSUSE.
To make this changes permanent, file the bug and findings in
our bugzilla (https://bugzilla.novell.com) please and put my
address (thomas@novell.com) into the CC list.
If you like to get more control and be more active I encourage
you to join the openSUSE community
(http://en.opensuse.org/How_to_Participate).
We definitely lack skilled SELinux developers! :)
Thanks,
Thomas
Am Mittwoch 17 Februar 2010 08:16:36 schrieb Justin P. mattock:
> o.k. I think I thought too much on the subject
> (I need to stop building systems from scratch
> i.g. all I can think of is/are switches to enable).
>
> Anyways I figured out the problem seems easier
> than I had expected:
>
> with a fresh build of suse 11.2, then
> under yast adding the correct SELinux
> apps/libs, then adjusting grub(in the control
> center thing).
>
> reboot
>
> you hit a broken gdm dbus thing.
>
> under /var/log/gdm/:5-greeter.log
>
> there is an error message with dbus:
>
> Failed to start message bus: Failed to open
> "/etc/selinux/targeted/contexts/dbus_contexts": No such file or directory
> EOF in dbus-launch reading address from dbus daemon.
>
> so after reading that then looking at /etc/selinux/refpolicy-standard
> I decided to just cp -R refpolicy-standard targeted(reboot)
> and voila the system boots gdm starts, life is good with suse
> (I guess there not the darkside after all!!).
>
> as for the real problem I'm guessing whatever is telling
> dbus-launch to look for /etc/selinux/targeted
> is the problem.
>
> Alan does just a simple renaming of refpolicy to targeted
> at least get you up and running(if not use suses policy,
> and rename it to targeted, until I can find what dbus launch script is
> calling for that policy name).
>
> Justin P. Mattock
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with the words "unsubscribe selinux" without quotes as the message.
>
--
Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 113+ messages in thread* SELinux Policy in OpenSUSE 11.2
@ 2010-02-16 14:55 Alan Rouse
2010-02-16 15:22 ` Dominick Grift
2010-02-16 19:10 ` Stephen Smalley
0 siblings, 2 replies; 113+ messages in thread
From: Alan Rouse @ 2010-02-16 14:55 UTC (permalink / raw)
To: 'selinux@tycho.nsa.gov'
[-- Attachment #1: Type: text/plain, Size: 8491 bytes --]
I've been trying to get SELinux working in OpenSUSE 11.2. So far I can get to runlevel 3 with enforcing=0. Before I start tinkering with audit2allow, I thought I should get some advice.
The 11.2 repository gives me these policy rpms:
http://download.opensuse.org/repositories/openSUSE:/11.2/standard/noarch/selinux-policy-2.20081210-3.1.noarch.rpm
http://download.opensuse.org/repositories/openSUSE:/11.2/standard/src/selinux-policy-2.20081210-3.1.src.rpm
But that version of policy has some issues in OpenSUSE:
1) failure to allow the graphical desktop to load (even with enforcing=0) . The following message appears in the console during boot:
** (gdm:1073): WARNING **: Couldn't connect to system bus: A SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" erro name "(unset)" destination "org.freedesktop.DBus") startproc: exit status of parent of /usr/sbin/gdm: 1
Since enforcing is off, I'm surprised to see a message like that. SELinux shouldn't be preventing anything, so I don't see how modifying policy will solve that. Ideas?
2) Attempting to boot to runlevel 5 with kernel parms "security=selinux selinux=1 enforcing=0", I'm dropped off in runlevel 3 instead. I'm getting a couple of pages of AVC errors after boot (see below).
I've tried several other versions of the policy without luck:
- the version included in Fedora 12 (refpolicy-2.2009117
- the latest release from Tresys
- the latest from the repository at Tresys
They all give basically the same problems. Any advice would be appreciated.
Thanks,
Alan
Following are the AVC messages I've been getting:
type=DAEMON_START msg=audit(1265904613.457:3152): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2337 subj=system_u:system_r:sysadm_t res=success
type=AVC msg=audit(1265904613.473:202): avc: denied { write } for pid=2342 comm="auditctl" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904614.260:206): avc: denied { open } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904615.964:208): avc: denied { read } for pid=287 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/trace0" dev=debugfs ino=4136 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904615.964:209): avc: denied { read } for pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904616.052:210): avc: denied { read } for pid=2728 comm="modprobe" path="/dev/console" dev=tmpfs ino=3969 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:console_device_t tclass=chr_file
type=AVC msg=audit(1265904616.053:211): avc: denied { write } for pid=2728 comm="modprobe" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904616.063:212): avc: denied { read } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1265904616.063:213): avc: denied { write } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1265904616.069:214): avc: denied { write } for pid=2729 comm="mount" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904617.858:215): avc: denied { write } for pid=2779 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904617.859:216): avc: denied { write } for pid=2779 comm="ip6tables" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904617.889:217): avc: denied { write } for pid=2785 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:218): avc: denied { read } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:219): avc: denied { open } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:220): avc: denied { getattr } for pid=2831 comm="iptables-batch" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.473:221): avc: denied { setattr } for pid=2853 comm="mingetty" name="tty1" dev=tmpfs ino=3984 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
type=AVC msg=audit(1265904618.480:222): avc: denied { getattr } for pid=2853 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.738:223): avc: denied { write } for pid=286 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.783:224): avc: denied { search } for pid=2868 comm="staprun" name="/" dev=debugfs ino=1 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir
type=AVC msg=audit(1265904621.783:225): avc: denied { open } for pid=2868 comm="staprun" name=".cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.784:226): avc: denied { sys_module } for pid=2868 comm="staprun" capability=16 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
type=AVC msg=audit(1265904628.319:227): avc: denied { create } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.320:228): avc: denied { write } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.320:229): avc: denied { nlmsg_relay } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.321:230): avc: denied { audit_write } for pid=2853 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
type=AVC msg=audit(1265904628.370:231): avc: denied { audit_control } for pid=2853 comm="login" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
[-- Attachment #2: Type: text/html, Size: 11013 bytes --]
^ permalink raw reply [flat|nested] 113+ messages in thread* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 14:55 Alan Rouse @ 2010-02-16 15:22 ` Dominick Grift 2010-02-16 18:04 ` Alan Rouse 2010-02-16 19:10 ` Stephen Smalley 1 sibling, 1 reply; 113+ messages in thread From: Dominick Grift @ 2010-02-16 15:22 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 2285 bytes --] On 02/16/2010 03:55 PM, Alan Rouse wrote: le > type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process > type=AVC msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process > type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904614.260:206): avc: denied { open } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904615.964:209): avc: denied { read } for pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket > type=AVC msg=audit(1265904616.063:212): avc: denied { read } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket > type=AVC msg=audit(1265904616.063:213): avc: denied { write } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket With regard to the AVC denials above it seems that these services (cupsd, smartd, auditd and udevd) run in the wrong domain. When you restart services manually, you should use "run_init". run_init /etc/rc.d/init.d/cupsd start Besides that some if this might still not work. For example execstack and execmem permissions for cupsd, but start by executing these daemons in the proper domains first. As for dbus i have not noticed any dbus specific AVC denials. It may be the dbus denials are directed to /var/log/messages, /var/log/audit/audit.log or dmesg. > > > [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 15:22 ` Dominick Grift @ 2010-02-16 18:04 ` Alan Rouse 2010-02-16 18:35 ` Dominick Grift ` (2 more replies) 0 siblings, 3 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-16 18:04 UTC (permalink / raw) To: 'selinux@tycho.nsa.gov' Dominick, thanks for the reply. These AVC messages occur during normal bootup (not from a command line), so it is the boot process which is starting these in the wrong context. OpenSuSE 11.2 is still using System V init startup, but Fedora 12 is using upstart. Perhaps that explains why the recent refpolicy is not starting OpenSuse processes in the right context. Is the current refpolicy known to work in System V init -based systems? -----Original Message----- From: Dominick Grift [mailto:domg472@gmail.com] Sent: Tuesday, February 16, 2010 10:22 AM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: Re: SELinux Policy in OpenSUSE 11.2 On 02/16/2010 03:55 PM, Alan Rouse wrote: le > type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } > for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t > tcontext=system_u:system_r:sysadm_t tclass=process type=AVC > msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 > comm="cupsd" scontext=system_u:system_r:sysadm_t > tcontext=system_u:system_r:sysadm_t tclass=process type=AVC > msg=audit(1265904614.260:205): avc: denied { read write } for > pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 > scontext=system_u:system_r:sysadm_t > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904614.260:206): avc: denied { open } for > pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 > scontext=system_u:system_r:sysadm_t > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for > pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 > scontext=system_u:system_r:sysadm_t > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file > type=AVC msg=audit(1265904615.964:209): avc: denied { read } for > pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t > tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket > type=AVC msg=audit(1265904616.063:212): avc: denied { read } for > pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t > tcontext=system_u:system_r:sysadm_t > tclass=netlink_kobject_uevent_socket > type=AVC msg=audit(1265904616.063:213): avc: denied { write } for > pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t > tcontext=system_u:system_r:sysadm_t > tclass=netlink_kobject_uevent_socket With regard to the AVC denials above it seems that these services (cupsd, smartd, auditd and udevd) run in the wrong domain. When you restart services manually, you should use "run_init". run_init /etc/rc.d/init.d/cupsd start Besides that some if this might still not work. For example execstack and execmem permissions for cupsd, but start by executing these daemons in the proper domains first. As for dbus i have not noticed any dbus specific AVC denials. It may be the dbus denials are directed to /var/log/messages, /var/log/audit/audit.log or dmesg. > > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 18:04 ` Alan Rouse @ 2010-02-16 18:35 ` Dominick Grift 2010-02-16 18:52 ` Dominick Grift 2010-02-16 19:28 ` Stephen Smalley 2 siblings, 0 replies; 113+ messages in thread From: Dominick Grift @ 2010-02-16 18:35 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 3744 bytes --] On 02/16/2010 07:04 PM, Alan Rouse wrote: > Dominick, thanks for the reply. These AVC messages occur during normal bootup (not from a command line), so it is the boot process which is starting these in the wrong context. > > OpenSuSE 11.2 is still using System V init startup, but Fedora 12 is using upstart. Perhaps that explains why the recent refpolicy is not starting OpenSuse processes in the right context. Is the current refpolicy known to work in System V init -based systems? Oh right sorry, now i see it is system_r not sysadm_r. Looks like init is not in the right domain i guess. I am not sure what the reason for this is but my guess is that its (or some of its) executable(s) is mislabelled, although that still does not explain how it got to sysadm_t. I am interested to hear what others say about this issue. > > -----Original Message----- > From: Dominick Grift [mailto:domg472@gmail.com] > Sent: Tuesday, February 16, 2010 10:22 AM > To: Alan Rouse > Cc: 'selinux@tycho.nsa.gov' > Subject: Re: SELinux Policy in OpenSUSE 11.2 > > On 02/16/2010 03:55 PM, Alan Rouse wrote: > le >> type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } >> for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t >> tcontext=system_u:system_r:sysadm_t tclass=process type=AVC >> msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 >> comm="cupsd" scontext=system_u:system_r:sysadm_t >> tcontext=system_u:system_r:sysadm_t tclass=process type=AVC >> msg=audit(1265904614.260:205): avc: denied { read write } for >> pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 >> scontext=system_u:system_r:sysadm_t >> tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file >> type=AVC msg=audit(1265904614.260:206): avc: denied { open } for >> pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 >> scontext=system_u:system_r:sysadm_t >> tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file >> type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for >> pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 >> scontext=system_u:system_r:sysadm_t >> tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file >> type=AVC msg=audit(1265904615.964:209): avc: denied { read } for >> pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t >> tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket >> type=AVC msg=audit(1265904616.063:212): avc: denied { read } for >> pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t >> tcontext=system_u:system_r:sysadm_t >> tclass=netlink_kobject_uevent_socket >> type=AVC msg=audit(1265904616.063:213): avc: denied { write } for >> pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t >> tcontext=system_u:system_r:sysadm_t >> tclass=netlink_kobject_uevent_socket > > With regard to the AVC denials above it seems that these services (cupsd, smartd, auditd and udevd) run in the wrong domain. When you restart services manually, you should use "run_init". > > run_init /etc/rc.d/init.d/cupsd start > > Besides that some if this might still not work. For example execstack and execmem permissions for cupsd, but start by executing these daemons in the proper domains first. > > As for dbus i have not noticed any dbus specific AVC denials. It may be the dbus denials are directed to /var/log/messages, /var/log/audit/audit.log or dmesg. > >> >> >> > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 18:04 ` Alan Rouse 2010-02-16 18:35 ` Dominick Grift @ 2010-02-16 18:52 ` Dominick Grift 2010-02-16 19:28 ` Stephen Smalley 2 siblings, 0 replies; 113+ messages in thread From: Dominick Grift @ 2010-02-16 18:52 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 593 bytes --] On 02/16/2010 07:04 PM, Alan Rouse wrote: > Dominick, thanks for the reply. These AVC messages occur during normal bootup (not from a command line), so it is the boot process which is starting these in the wrong context. > > OpenSuSE 11.2 is still using System V init startup, but Fedora 12 is using upstart. Perhaps that explains why the recent refpolicy is not starting OpenSuse processes in the right context. Is the current refpolicy known to work in System V init -based systems? Maybe this is related: http://www.nsa.gov/research/selinux/list-archive/0807/26979.shtml [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 18:04 ` Alan Rouse 2010-02-16 18:35 ` Dominick Grift 2010-02-16 18:52 ` Dominick Grift @ 2010-02-16 19:28 ` Stephen Smalley 2010-02-16 20:06 ` Justin P. mattock 2 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-16 19:28 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Tue, 2010-02-16 at 13:04 -0500, Alan Rouse wrote: > Dominick, thanks for the reply. These AVC messages occur during > normal bootup (not from a command line), so it is the boot process > which is starting these in the wrong context. > > OpenSuSE 11.2 is still using System V init startup, but Fedora 12 is > using upstart. Perhaps that explains why the recent refpolicy is not > starting OpenSuse processes in the right context. Is the current > refpolicy known to work in System V init -based systems? Current refpolicy should still work fine for distributions using sysvinit. Distributions using upstart have to enable a policy tunable/boolean. What build.conf settings are you using? I expect that the distro_suse settings are obsolete, as no one has actively maintained support for SUSE in the upstream policy since Thomas Bleher gave up on maintaining SUSE SELinux packages. If you want SELinux to work with SUSE, then: a) you'll need to at least file bugs in their bugzilla so that they have some reason to believe anyone cares, and b) ideally you'll help track down and fix some of the problems and submit those fixes to them (if the fixes involve changes to system packages, not just policy changes) or to refpolicy as appropriate. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 19:28 ` Stephen Smalley @ 2010-02-16 20:06 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-16 20:06 UTC (permalink / raw) To: Stephen Smalley; +Cc: Alan Rouse, 'selinux@tycho.nsa.gov' On 02/16/2010 11:28 AM, Stephen Smalley wrote: > On Tue, 2010-02-16 at 13:04 -0500, Alan Rouse wrote: >> Dominick, thanks for the reply. These AVC messages occur during >> normal bootup (not from a command line), so it is the boot process >> which is starting these in the wrong context. >> >> OpenSuSE 11.2 is still using System V init startup, but Fedora 12 is >> using upstart. Perhaps that explains why the recent refpolicy is not >> starting OpenSuse processes in the right context. Is the current >> refpolicy known to work in System V init -based systems? > > Current refpolicy should still work fine for distributions using > sysvinit. Distributions using upstart have to enable a policy > tunable/boolean. > > What build.conf settings are you using? I expect that the distro_suse > settings are obsolete, as no one has actively maintained support for > SUSE in the upstream policy since Thomas Bleher gave up on maintaining > SUSE SELinux packages. > > If you want SELinux to work with SUSE, then: > a) you'll need to at least file bugs in their bugzilla so that they have > some reason to believe anyone cares, and > b) ideally you'll help track down and fix some of the problems and > submit those fixes to them (if the fixes involve changes to system > packages, not just policy changes) or to refpolicy as appropriate. > ahh.. I remember this: http://oss.tresys.com/pipermail/refpolicy/2009-September/001447.html from what I remember I think this had todo with some packages not having switches turned on with SELinux support (but if setsebool -P init_upstart=1 like you had posted works then this has nothing todo with the packages(gnome)). In general I came to the conclusion, well SELinux support is there(more of an mls environment(no xserver)) And figured if I'm going to get this I probably am going to have to re-build all of the gnome stuff(enabling the SELinux switches)which is a pretty big job(but could be wrong). I don't mind giving another go at this, (or if someone else wants to dive in(have at it)) firstly I need to get some bugs taken care of in the kernel. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 14:55 Alan Rouse 2010-02-16 15:22 ` Dominick Grift @ 2010-02-16 19:10 ` Stephen Smalley 2010-02-16 19:19 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-16 19:10 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Tue, 2010-02-16 at 09:55 -0500, Alan Rouse wrote: > I've been trying to get SELinux working in OpenSUSE 11.2. So far I > can get to runlevel 3 with enforcing=0. Before I start tinkering with > audit2allow, I thought I should get some advice. > > The 11.2 repository gives me these policy rpms: > > http://download.opensuse.org/repositories/openSUSE:/11.2/standard/noarch/selinux-policy-2.20081210-3.1.noarch.rpm > http://download.opensuse.org/repositories/openSUSE:/11.2/standard/src/selinux-policy-2.20081210-3.1.src.rpm > > But that version of policy has some issues in OpenSUSE: > > 1) failure to allow the graphical desktop to load (even with > enforcing=0) . The following message appears in the console during > boot: > > ** (gdm:1073): WARNING **: Couldn't connect to system bus: A SELinux > policy prevents this sender from sending this message to this > recipient (rejected message had sender "(unset)" interface > "org.freedesktop.DBus" member "Hello" erro name "(unset)" destination > "org.freedesktop.DBus") startproc: exit status of parent > of /usr/sbin/gdm: 1 > > Since enforcing is off, I'm surprised to see a message like that. > SELinux shouldn't be preventing anything, so I don't see how modifying > policy will solve that. Ideas? > > 2) Attempting to boot to runlevel 5 with kernel parms > "security=selinux selinux=1 enforcing=0", I'm dropped off in runlevel > 3 instead. I'm getting a couple of pages of AVC errors after boot (see > below). > > I've tried several other versions of the policy without luck: > - the version included in Fedora 12 (refpolicy-2.2009117 > - the latest release from Tresys > - the latest from the repository at Tresys > > They all give basically the same problems. Any advice would be > appreciated. What does sestatus -v report? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 19:10 ` Stephen Smalley @ 2010-02-16 19:19 ` Alan Rouse 2010-02-16 19:38 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-16 19:19 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' "sestatus -v" reports the following: SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: refpolicy Process contexts: Current context: system_u:system_r:sysadm_t Init context: system_u:system_r:init_t /sbin/mingetty system_u:system_r:sysadm_t File contexts: Controlling term: system_u:object_r:tty_device_t /etc/passwd system_u:object_r:etc_t /etc/shadow system_u:object_r:shadow_t /bin/bash system_u:object_r:shell_exec_t /bin/login system_u:object_r:login_exec_t /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t /sbin/agetty system_u:object_r:getty_exec_t /sbin/init system_u:object_r:init_exec_t /sbin/mingetty system_u:object_r:getty_exec_t /usr/sbin/sshd system_u:object_r:sshd_exec_t /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Tuesday, February 16, 2010 2:10 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: Re: SELinux Policy in OpenSUSE 11.2 On Tue, 2010-02-16 at 09:55 -0500, Alan Rouse wrote: > I've been trying to get SELinux working in OpenSUSE 11.2. So far I > can get to runlevel 3 with enforcing=0. Before I start tinkering with > audit2allow, I thought I should get some advice. > > The 11.2 repository gives me these policy rpms: > > http://download.opensuse.org/repositories/openSUSE:/11.2/standard/noar > ch/selinux-policy-2.20081210-3.1.noarch.rpm > http://download.opensuse.org/repositories/openSUSE:/11.2/standard/src/ > selinux-policy-2.20081210-3.1.src.rpm > > But that version of policy has some issues in OpenSUSE: > > 1) failure to allow the graphical desktop to load (even with > enforcing=0) . The following message appears in the console during > boot: > > ** (gdm:1073): WARNING **: Couldn't connect to system bus: A SELinux > policy prevents this sender from sending this message to this > recipient (rejected message had sender "(unset)" interface > "org.freedesktop.DBus" member "Hello" erro name "(unset)" destination > "org.freedesktop.DBus") startproc: exit status of parent of > /usr/sbin/gdm: 1 > > Since enforcing is off, I'm surprised to see a message like that. > SELinux shouldn't be preventing anything, so I don't see how modifying > policy will solve that. Ideas? > > 2) Attempting to boot to runlevel 5 with kernel parms > "security=selinux selinux=1 enforcing=0", I'm dropped off in runlevel > 3 instead. I'm getting a couple of pages of AVC errors after boot (see > below). > > I've tried several other versions of the policy without luck: > - the version included in Fedora 12 (refpolicy-2.2009117 > - the latest release from Tresys > - the latest from the repository at Tresys > > They all give basically the same problems. Any advice would be > appreciated. What does sestatus -v report? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 19:19 ` Alan Rouse @ 2010-02-16 19:38 ` Stephen Smalley 2010-02-16 21:30 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-16 19:38 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote: > "sestatus -v" reports the following: > > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy > > Process contexts: > Current context: system_u:system_r:sysadm_t > Init context: system_u:system_r:init_t > /sbin/mingetty system_u:system_r:sysadm_t Ok, so init is in the right security context, but getty is not. refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell. Try: setsebool -P init_upstart=1 reboot pstree -Z output might also be interesting. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 19:38 ` Stephen Smalley @ 2010-02-16 21:30 ` Alan Rouse 2010-02-16 22:52 ` Dominick Grift 2010-02-17 13:35 ` Stephen Smalley 0 siblings, 2 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-16 21:30 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 5434 bytes --] I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows: 1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su - 2. install packages: selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc findutils-locate git 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot. 4. git clone http://oss.tresys.com/git/refpolicy.git 5. change build.conf: "DIST = suse" and "MONOLITHIC = n" 6. make clean; make conf; make; make install-src; 7. change /etc/refpolicy to point to the just-built policy version, and reboot 8. restorecon -R /; reboot sestatus -v gives: SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: refpolicy Process contexts: Current context: system_u:system_r:sysadm_t Init context: system_u:system_r:init_t /sbin/mingetty system_u:system_r:sysadm_t File contexts: Controlling term: system_u:object_r:tty_device_t /etc/passwd system_u:object_r:etc_t /etc/shadow system_u:object_r:shadow_t /bin/bash system_u:object_r:shell_exec_t /bin/login system_u:object_r:login_exec_t /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t /sbin/agetty system_u:object_r:getty_exec_t /sbin/init system_u:object_r:init_exec_t /sbin/mingetty system_u:object_r:getty_exec_t /usr/sbin/sshd system_u:object_r:sshd_exec_t /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t pstree- Z gives: init(`system_u:system_r:init_t') |-acpid(`system_u:system_r:sysadm_t') |-auditd(`system_u:system_r:sysadm_t') | |-audispd(`system_u:system_r:sysadm_t') | | `-{audispd}(`system_u:system_r:sysadm_t') | `-{auditd}(`system_u:system_r:sysadm_t') |-cron(`system_u:system_r:sysadm_t') |-cupsd(`system_u:system_r:sysadm_t') |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t') | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t') |-dhcpcd(`system_u:system_r:dhcpc_t') |-login(`system_u:system_r:sysadm_t') | `-bash(`system_u:system_r:sysadm_t') | `-pstree(`system_u:system_r:sysadm_t') |-master(`system_u:system_r:sysadm_t') | |-pickup(`system_u:system_r:sysadm_t') | `-qmgr(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-nscd(`system_u:system_r:sysadm_t') |-rpcbind(`system_u:system_r:sysadm_t') |-rsyslogd(`system_u:system_r:sysadm_t') | |-{rsyslogd}(`system_u:system_r:sysadm_t') | |-{rsyslogd}(`system_u:system_r:sysadm_t') | |-{rsyslogd}(`system_u:system_r:sysadm_t') | `-{rsyslogd}(`system_u:system_r:sysadm_t') |-startpar(`system_u:system_r:sysadm_t') |-udevd(`system_u:system_r:sysadm_t') | |-udevd(`system_u:system_r:sysadm_t') | `-udevd(`system_u:system_r:sysadm_t') `-vmtoolsd(`system_u:system_r:sysadm_t') Now, I tried setsebool -P init_upstart=1. It gives an error message: ---------------- Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin. ---------------- So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool (no error message returned, and "getsebool init_upstart" reports that it was on. But after reboot it is off again... -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Tuesday, February 16, 2010 2:39 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote: > "sestatus -v" reports the following: > > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy > > Process contexts: > Current context: system_u:system_r:sysadm_t > Init context: system_u:system_r:init_t > /sbin/mingetty system_u:system_r:sysadm_t Ok, so init is in the right security context, but getty is not. refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell. Try: setsebool -P init_upstart=1 reboot pstree -Z output might also be interesting. -- Stephen Smalley National Security Agency [-- Attachment #2: opensuse-selinux-0.5.txt --] [-- Type: text/plain, Size: 728 bytes --] 1. Default install of OpenSuse 11.2 (used Gnome desktop) 2. Boot normally to desktop, open terminal, su - 3. Do this: zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc findutils-locate git vi /boot/grub/menu.lst -- and add to the Desktop kernel boot line: "3 security=selinux selinux=1 enforcing=0" 4. Reboot and log in as root 5. Do this: git clone http://oss.tresys.com/git/refpolicy.git cd refpolicy edit build.conf; set "DIST = suse" and "MONOLITHIC = n" make clean; make conf; make; make install-src vi /etc/selinux/conf -- set =refpolicy reboot 6. restorecon -R /; reboot 7. setsebool -P init_upstart=1; reboot ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 21:30 ` Alan Rouse @ 2010-02-16 22:52 ` Dominick Grift 2010-02-17 3:36 ` Justin P. mattock 2010-02-17 7:16 ` Justin P. mattock 2010-02-17 13:35 ` Stephen Smalley 1 sibling, 2 replies; 113+ messages in thread From: Dominick Grift @ 2010-02-16 22:52 UTC (permalink / raw) To: Alan Rouse; +Cc: Stephen Smalley, 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 5818 bytes --] On 02/16/2010 10:30 PM, Alan Rouse wrote: > I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows: > > 1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su - > 2. install packages: > > selinux-tools > selinux-policy > libselinux* > libsemanage* > policycoreutils > checkpolicy > make > m4 > gcc > findutils-locate > git > > 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot. > 4. git clone http://oss.tresys.com/git/refpolicy.git > 5. change build.conf: "DIST = suse" and "MONOLITHIC = n" > 6. make clean; make conf; make; make install-src; > 7. change /etc/refpolicy to point to the just-built policy version, and reboot > 8. restorecon -R /; reboot > > sestatus -v gives: > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy > > Process contexts: > Current context: system_u:system_r:sysadm_t > Init context: system_u:system_r:init_t > /sbin/mingetty system_u:system_r:sysadm_t > > File contexts: > Controlling term: system_u:object_r:tty_device_t > /etc/passwd system_u:object_r:etc_t > /etc/shadow system_u:object_r:shadow_t > /bin/bash system_u:object_r:shell_exec_t > /bin/login system_u:object_r:login_exec_t > /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t > /sbin/agetty system_u:object_r:getty_exec_t > /sbin/init system_u:object_r:init_exec_t > /sbin/mingetty system_u:object_r:getty_exec_t > /usr/sbin/sshd system_u:object_r:sshd_exec_t > /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t > /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t > > pstree- Z gives: > init(`system_u:system_r:init_t') > |-acpid(`system_u:system_r:sysadm_t') > |-auditd(`system_u:system_r:sysadm_t') > | |-audispd(`system_u:system_r:sysadm_t') > | | `-{audispd}(`system_u:system_r:sysadm_t') > | `-{auditd}(`system_u:system_r:sysadm_t') > |-cron(`system_u:system_r:sysadm_t') > |-cupsd(`system_u:system_r:sysadm_t') > |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t') > | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t') > |-dhcpcd(`system_u:system_r:dhcpc_t') > |-login(`system_u:system_r:sysadm_t') > | `-bash(`system_u:system_r:sysadm_t') > | `-pstree(`system_u:system_r:sysadm_t') > |-master(`system_u:system_r:sysadm_t') > | |-pickup(`system_u:system_r:sysadm_t') > | `-qmgr(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-nscd(`system_u:system_r:sysadm_t') > |-rpcbind(`system_u:system_r:sysadm_t') > |-rsyslogd(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | `-{rsyslogd}(`system_u:system_r:sysadm_t') > |-startpar(`system_u:system_r:sysadm_t') > |-udevd(`system_u:system_r:sysadm_t') > | |-udevd(`system_u:system_r:sysadm_t') > | `-udevd(`system_u:system_r:sysadm_t') > `-vmtoolsd(`system_u:system_r:sysadm_t') > > Now, I tried setsebool -P init_upstart=1. It gives an error message: > ---------------- > Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin. > ---------------- > > So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool (no error message returned, and "getsebool init_upstart" reports that it was on. But after reboot it is off again... If you used the -P option with setsebool than the settings should be persistent across reboots. > -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Tuesday, February 16, 2010 2:39 PM > To: Alan Rouse > Cc: 'selinux@tycho.nsa.gov' > Subject: RE: SELinux Policy in OpenSUSE 11.2 > > On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote: >> "sestatus -v" reports the following: >> >> SELinux status: enabled >> SELinuxfs mount: /selinux >> Current mode: permissive >> Mode from config file: permissive >> Policy version: 24 >> Policy from config file: refpolicy >> >> Process contexts: >> Current context: system_u:system_r:sysadm_t >> Init context: system_u:system_r:init_t >> /sbin/mingetty system_u:system_r:sysadm_t > > Ok, so init is in the right security context, but getty is not. > refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell. > > Try: > setsebool -P init_upstart=1 > reboot > > pstree -Z output might also be interesting. > > -- > Stephen Smalley > National Security Agency > [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 22:52 ` Dominick Grift @ 2010-02-17 3:36 ` Justin P. mattock 2010-02-17 7:16 ` Justin P. mattock 1 sibling, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 3:36 UTC (permalink / raw) To: Dominick Grift Cc: Alan Rouse, Stephen Smalley, 'selinux@tycho.nsa.gov' On 02/16/2010 02:52 PM, Dominick Grift wrote: > On 02/16/2010 10:30 PM, Alan Rouse wrote: >> I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows: >> >> 1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su - >> 2. install packages: >> >> selinux-tools >> selinux-policy >> libselinux* >> libsemanage* >> policycoreutils >> checkpolicy >> make >> m4 >> gcc >> findutils-locate >> git >> >> 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot. >> 4. git clone http://oss.tresys.com/git/refpolicy.git >> 5. change build.conf: "DIST = suse" and "MONOLITHIC = n" >> 6. make clean; make conf; make; make install-src; >> 7. change /etc/refpolicy to point to the just-built policy version, and reboot >> 8. restorecon -R /; reboot >> >> sestatus -v gives: >> SELinux status: enabled >> SELinuxfs mount: /selinux >> Current mode: permissive >> Mode from config file: permissive >> Policy version: 24 >> Policy from config file: refpolicy >> >> Process contexts: >> Current context: system_u:system_r:sysadm_t >> Init context: system_u:system_r:init_t >> /sbin/mingetty system_u:system_r:sysadm_t >> >> File contexts: >> Controlling term: system_u:object_r:tty_device_t >> /etc/passwd system_u:object_r:etc_t >> /etc/shadow system_u:object_r:shadow_t >> /bin/bash system_u:object_r:shell_exec_t >> /bin/login system_u:object_r:login_exec_t >> /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t >> /sbin/agetty system_u:object_r:getty_exec_t >> /sbin/init system_u:object_r:init_exec_t >> /sbin/mingetty system_u:object_r:getty_exec_t >> /usr/sbin/sshd system_u:object_r:sshd_exec_t >> /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t >> /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t >> >> pstree- Z gives: >> init(`system_u:system_r:init_t') >> |-acpid(`system_u:system_r:sysadm_t') >> |-auditd(`system_u:system_r:sysadm_t') >> | |-audispd(`system_u:system_r:sysadm_t') >> | | `-{audispd}(`system_u:system_r:sysadm_t') >> | `-{auditd}(`system_u:system_r:sysadm_t') >> |-cron(`system_u:system_r:sysadm_t') >> |-cupsd(`system_u:system_r:sysadm_t') >> |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t') >> | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t') >> |-dhcpcd(`system_u:system_r:dhcpc_t') >> |-login(`system_u:system_r:sysadm_t') >> | `-bash(`system_u:system_r:sysadm_t') >> | `-pstree(`system_u:system_r:sysadm_t') >> |-master(`system_u:system_r:sysadm_t') >> | |-pickup(`system_u:system_r:sysadm_t') >> | `-qmgr(`system_u:system_r:sysadm_t') >> |-mingetty(`system_u:system_r:sysadm_t') >> |-mingetty(`system_u:system_r:sysadm_t') >> |-mingetty(`system_u:system_r:sysadm_t') >> |-mingetty(`system_u:system_r:sysadm_t') >> |-mingetty(`system_u:system_r:sysadm_t') >> |-nscd(`system_u:system_r:sysadm_t') >> |-rpcbind(`system_u:system_r:sysadm_t') >> |-rsyslogd(`system_u:system_r:sysadm_t') >> | |-{rsyslogd}(`system_u:system_r:sysadm_t') >> | |-{rsyslogd}(`system_u:system_r:sysadm_t') >> | |-{rsyslogd}(`system_u:system_r:sysadm_t') >> | `-{rsyslogd}(`system_u:system_r:sysadm_t') >> |-startpar(`system_u:system_r:sysadm_t') >> |-udevd(`system_u:system_r:sysadm_t') >> | |-udevd(`system_u:system_r:sysadm_t') >> | `-udevd(`system_u:system_r:sysadm_t') >> `-vmtoolsd(`system_u:system_r:sysadm_t') >> >> Now, I tried setsebool -P init_upstart=1. It gives an error message: >> ---------------- >> Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin. >> ---------------- >> >> So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool (no error message returned, and "getsebool init_upstart" reports that it was on. But after reboot it is off again... > > If you used the -P option with setsebool than the settings should be > persistent across reboots. > >> -----Original Message----- >> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] >> Sent: Tuesday, February 16, 2010 2:39 PM >> To: Alan Rouse >> Cc: 'selinux@tycho.nsa.gov' >> Subject: RE: SELinux Policy in OpenSUSE 11.2 >> >> On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote: >>> "sestatus -v" reports the following: >>> >>> SELinux status: enabled >>> SELinuxfs mount: /selinux >>> Current mode: permissive >>> Mode from config file: permissive >>> Policy version: 24 >>> Policy from config file: refpolicy >>> >>> Process contexts: >>> Current context: system_u:system_r:sysadm_t >>> Init context: system_u:system_r:init_t >>> /sbin/mingetty system_u:system_r:sysadm_t >> >> Ok, so init is in the right security context, but getty is not. >> refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell. >> >> Try: >> setsebool -P init_upstart=1 >> reboot >> >> pstree -Z output might also be interesting. >> >> -- >> Stephen Smalley >> National Security Agency >> > > o.k. after thinking I decided to load up suse 11.2 to see if this was there policy, or if this was from git. (I couldn't remember). So after a simple install, and just using all the SELinux packages they supply(x86_64), I can confirm that this thing does crash and burn when going into the xserver, and gdm. (on my other system I've been able to change policies, without user logins, or names, and file labels completely wrong so I know file labels and such don't make a difference(unless setting in full enforcement)). but you never know. Now to see/find the area of this cause. my guess the last time I looked at this was some build switch for SELinux in either one of the main gnome libs or something else(dbus,hal etc(but could be wrong))... I'll look at this and see what I can find. (if building all of the gnome libs is what's going to get this working I can do(just backbreaking work)). Justin P. mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-16 22:52 ` Dominick Grift 2010-02-17 3:36 ` Justin P. mattock @ 2010-02-17 7:16 ` Justin P. mattock 2010-02-17 13:43 ` Stephen Smalley 2010-02-17 16:34 ` Alan Rouse 1 sibling, 2 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 7:16 UTC (permalink / raw) To: Dominick Grift Cc: Alan Rouse, Stephen Smalley, 'selinux@tycho.nsa.gov' o.k. I think I thought too much on the subject (I need to stop building systems from scratch i.g. all I can think of is/are switches to enable). Anyways I figured out the problem seems easier than I had expected: with a fresh build of suse 11.2, then under yast adding the correct SELinux apps/libs, then adjusting grub(in the control center thing). reboot you hit a broken gdm dbus thing. under /var/log/gdm/:5-greeter.log there is an error message with dbus: Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": No such file or directory EOF in dbus-launch reading address from dbus daemon. so after reading that then looking at /etc/selinux/refpolicy-standard I decided to just cp -R refpolicy-standard targeted(reboot) and voila the system boots gdm starts, life is good with suse (I guess there not the darkside after all!!). as for the real problem I'm guessing whatever is telling dbus-launch to look for /etc/selinux/targeted is the problem. Alan does just a simple renaming of refpolicy to targeted at least get you up and running(if not use suses policy, and rename it to targeted, until I can find what dbus launch script is calling for that policy name). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 7:16 ` Justin P. mattock @ 2010-02-17 13:43 ` Stephen Smalley 2010-02-17 15:35 ` Justin P. mattock 2010-02-17 16:34 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 13:43 UTC (permalink / raw) To: Justin P. mattock Cc: Dominick Grift, Alan Rouse, 'selinux@tycho.nsa.gov' On Tue, 2010-02-16 at 23:16 -0800, Justin P. mattock wrote: > o.k. I think I thought too much on the subject > (I need to stop building systems from scratch > i.g. all I can think of is/are switches to enable). > > Anyways I figured out the problem seems easier > than I had expected: > > with a fresh build of suse 11.2, then > under yast adding the correct SELinux > apps/libs, then adjusting grub(in the control > center thing). > > reboot > > you hit a broken gdm dbus thing. > > under /var/log/gdm/:5-greeter.log > > there is an error message with dbus: > > Failed to start message bus: Failed to open > "/etc/selinux/targeted/contexts/dbus_contexts": No such file or directory > EOF in dbus-launch reading address from dbus daemon. > > so after reading that then looking at /etc/selinux/refpolicy-standard > I decided to just cp -R refpolicy-standard targeted(reboot) > and voila the system boots gdm starts, life is good with suse > (I guess there not the darkside after all!!). > > as for the real problem I'm guessing whatever is telling > dbus-launch to look for /etc/selinux/targeted > is the problem. > > Alan does just a simple renaming of refpolicy to targeted > at least get you up and running(if not use suses policy, > and rename it to targeted, until I can find what dbus launch script is > calling for that policy name). Interesting. On Fedora, /etc/dbus-1/system.conf and session.conf contain this directive to include the selinux configuration for dbus: <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> This avoids any hardcoded dependency on the location of the configuration file. The dbus code uses the selinux_policy_root() function provided by libselinux to find the root of the policy directory. It should be using the SELINUXTYPE= definition in /etc/selinux/config to select the active policy root. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 13:43 ` Stephen Smalley @ 2010-02-17 15:35 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 15:35 UTC (permalink / raw) To: Stephen Smalley Cc: Dominick Grift, Alan Rouse, 'selinux@tycho.nsa.gov' On 02/17/2010 05:43 AM, Stephen Smalley wrote: > On Tue, 2010-02-16 at 23:16 -0800, Justin P. mattock wrote: >> o.k. I think I thought too much on the subject >> (I need to stop building systems from scratch >> i.g. all I can think of is/are switches to enable). >> >> Anyways I figured out the problem seems easier >> than I had expected: >> >> with a fresh build of suse 11.2, then >> under yast adding the correct SELinux >> apps/libs, then adjusting grub(in the control >> center thing). >> >> reboot >> >> you hit a broken gdm dbus thing. >> >> under /var/log/gdm/:5-greeter.log >> >> there is an error message with dbus: >> >> Failed to start message bus: Failed to open >> "/etc/selinux/targeted/contexts/dbus_contexts": No such file or directory >> EOF in dbus-launch reading address from dbus daemon. >> >> so after reading that then looking at /etc/selinux/refpolicy-standard >> I decided to just cp -R refpolicy-standard targeted(reboot) >> and voila the system boots gdm starts, life is good with suse >> (I guess there not the darkside after all!!). >> >> as for the real problem I'm guessing whatever is telling >> dbus-launch to look for /etc/selinux/targeted >> is the problem. >> >> Alan does just a simple renaming of refpolicy to targeted >> at least get you up and running(if not use suses policy, >> and rename it to targeted, until I can find what dbus launch script is >> calling for that policy name). > > Interesting. On Fedora, /etc/dbus-1/system.conf and session.conf > contain this directive to include the selinux configuration for dbus: > <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> > > This avoids any hardcoded dependency on the location of the configuration file. > The dbus code uses the selinux_policy_root() function provided by > libselinux to find the root of the policy directory. > > It should be using the SELINUXTYPE= definition in /etc/selinux/config to > select the active policy root. > I'll go through and look at those files to see what/where is giving the hardcoded call like that. main thing is suse doesn't crap out. I can login, connect function as if nothing was ever wrong. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 7:16 ` Justin P. mattock 2010-02-17 13:43 ` Stephen Smalley @ 2010-02-17 16:34 ` Alan Rouse 2010-02-17 16:58 ` Stephen Smalley 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-17 16:34 UTC (permalink / raw) To: Justin P. mattock, Dominick Grift Cc: Stephen Smalley, 'selinux@tycho.nsa.gov' Renaming didn't work for me in the image we've been discussing... However, after building another clean OpenSuse 11.2 image, installing the previously mentioned list of packages, and editing the grub menu.lst for selinux, I created a symlink named "targeted" to the refpolicy-standard directory, and it now boots into the desktop nicely (using the version of policy in the OpenSuse 11.2 repository.) Sestatus shows selinux active and in permissive mode. There are no AVC messages in /var/log/audit/audit.log. Audit2allow -al gives allow kernel_t file_t:file execmod; allow kernel_t self:process { execstack execmem }; I don't understand why those are suggested since there are no AVC messages... But this looks far better than before! Thanks Justin. Now we just need to find out where it's hard coded to "targeted" and get that fixed... -----Original Message----- From: Justin P. mattock [mailto:justinmattock@gmail.com] Sent: Wednesday, February 17, 2010 2:17 AM To: Dominick Grift Cc: Alan Rouse; Stephen Smalley; 'selinux@tycho.nsa.gov' Subject: Re: SELinux Policy in OpenSUSE 11.2 o.k. I think I thought too much on the subject (I need to stop building systems from scratch i.g. all I can think of is/are switches to enable). Anyways I figured out the problem seems easier than I had expected: with a fresh build of suse 11.2, then under yast adding the correct SELinux apps/libs, then adjusting grub(in the control center thing). reboot you hit a broken gdm dbus thing. under /var/log/gdm/:5-greeter.log there is an error message with dbus: Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": No such file or directory EOF in dbus-launch reading address from dbus daemon. so after reading that then looking at /etc/selinux/refpolicy-standard I decided to just cp -R refpolicy-standard targeted(reboot) and voila the system boots gdm starts, life is good with suse (I guess there not the darkside after all!!). as for the real problem I'm guessing whatever is telling dbus-launch to look for /etc/selinux/targeted is the problem. Alan does just a simple renaming of refpolicy to targeted at least get you up and running(if not use suses policy, and rename it to targeted, until I can find what dbus launch script is calling for that policy name). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 16:34 ` Alan Rouse @ 2010-02-17 16:58 ` Stephen Smalley 2010-02-17 18:34 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 16:58 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 11:34 -0500, Alan Rouse wrote: > Renaming didn't work for me in the image we've been discussing... However, after building another clean OpenSuse 11.2 image, installing the previously mentioned list of packages, and editing the grub menu.lst for selinux, I created a symlink named "targeted" to the refpolicy-standard directory, and it now boots into the desktop nicely (using the version of policy in the OpenSuse 11.2 repository.) Sestatus shows selinux active and in permissive mode. There are no AVC messages in /var/log/audit/audit.log. Audit2allow -al gives > > allow kernel_t file_t:file execmod; > allow kernel_t self:process { execstack execmem }; > > I don't understand why those are suggested since there are no AVC messages... But this looks far better than before! > > Thanks Justin. Now we just need to find out where it's hard coded to "targeted" and get that fixed... libselinux will default to "targeted" if there is no SELINUXTYPE= definition in /etc/selinux/config. Or your /etc/dbus-1/system.conf might have a hardcoded path to it rather than using selinux_root_relative="yes". Or the version of dbus shipped in OpenSUSE 11.2 might not support that (I don't know). Check /var/log/messages as well for avc messages; if you aren't running auditd or before auditd starts, the avc messages will go to /var/log/messages or wherever syslog is configured to report kern.warn. What does sestatus -v and pstree -Z show now? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 16:58 ` Stephen Smalley @ 2010-02-17 18:34 ` Alan Rouse 2010-02-17 18:50 ` Justin P. mattock 2010-02-17 18:58 ` Stephen Smalley 0 siblings, 2 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-17 18:34 UTC (permalink / raw) To: Stephen Smalley Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' Here's some info about the system now (booting successfully to desktop with selinux enabled) /etc/selinux/config: SELINUX=permissive SELINUXTYPE=refpolicy-standard /etc/dbus-1/system.conf contains: <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> var/log/messages does not have any AVC messages in it. sestatus -v: SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: refpolicy-standard Process contexts: Current context: system_u:system_r:kernel_t Init context: system_u:system_r:kernel_t /sbin/mingetty system_u:system_r:kernel_t File contexts: Controlling term: system_u:object_r:devpts_t /etc/passwd system_u:object_r:file_t /etc/shadow system_u:object_r:file_t /bin/bash system_u:object_r:file_t /bin/login system_u:object_r:file_t /bin/sh system_u:object_r:file_t -> system_u:object_r:file_t /sbin/agetty system_u:object_r:file_t /sbin/init system_u:object_r:file_t /sbin/mingetty system_u:object_r:file_t /usr/sbin/sshd system_u:object_r:file_t /lib/libc.so.6 system_u:object_r:file_t -> system_u:object_r:file_t /lib/ld-linux.so.2 system_u:object_r:file_t -> system_u:object_r:file_t pstree -Z: init(`system_u:system_r:kernel_t') |-acpid(`system_u:system_r:kernel_t') |-auditd(`system_u:system_r:kernel_t') | |-audispd(`system_u:system_r:kernel_t') | | `-{audispd}(`system_u:system_r:kernel_t') | `-{auditd}(`system_u:system_r:kernel_t') |-avahi-daemon(`system_u:system_r:kernel_t') |-bash(`system_u:system_r:kernel_t') | `-tomboy(`system_u:system_r:kernel_t') | |-{tomboy}(`system_u:system_r:kernel_t') | `-{tomboy}(`system_u:system_r:kernel_t') |-bonobo-activati(`system_u:system_r:kernel_t') | `-{bonobo-activati}(`system_u:system_r:kernel_t') |-console-kit-dae(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | |-{console-kit-dae}(`system_u:system_r:kernel_t') | `-{console-kit-dae}(`system_u:system_r:kernel_t') |-cron(`system_u:system_r:kernel_t') |-cupsd(`system_u:system_r:kernel_t') |-dbus-daemon(`system_u:system_r:kernel_t') | `-{dbus-daemon}(`system_u:system_r:kernel_t') |-dbus-daemon(`system_u:system_r:kernel_t') | `-{dbus-daemon}(`system_u:system_r:kernel_t') |-dbus-daemon(`system_u:system_r:kernel_t') | `-{dbus-daemon}(`system_u:system_r:kernel_t') |-dbus-launch(`system_u:system_r:kernel_t') |-dbus-launch(`system_u:system_r:kernel_t') |-dbus-launch(`system_u:system_r:kernel_t') |-devkit-disks-da(`system_u:system_r:kernel_t') | `-devkit-disks-da(`system_u:system_r:kernel_t') |-devkit-power-da(`system_u:system_r:kernel_t') |-dhcpcd(`system_u:system_r:kernel_t') |-gconfd-2(`system_u:system_r:kernel_t') |-gconfd-2(`system_u:system_r:kernel_t') |-gdm(`system_u:system_r:kernel_t') | `-gdm-simple-slav(`system_u:system_r:kernel_t') | |-Xorg(`system_u:system_r:kernel_t') | `-gdm-session-wor(`system_u:system_r:kernel_t') | `-gnome-session(`system_u:system_r:kernel_t') | |-bluetooth-apple(`system_u:system_r:kernel_t') | |-gnome-do(`system_u:system_r:kernel_t') | | `-gnome-do(`system_u:system_r:kernel_t') | | |-{gnome-do}(`system_u:system_r:kernel_t') | | |-{gnome-do}(`system_u:system_r:kernel_t') | | `-{gnome-do}(`system_u:system_r:kernel_t') | |-gnome-panel(`system_u:system_r:kernel_t') | |-gnome-power-man(`system_u:system_r:kernel_t') | |-gnome-volume-co(`system_u:system_r:kernel_t') | |-gpk-update-icon(`system_u:system_r:kernel_t') | |-metacity(`system_u:system_r:kernel_t') | |-nautilus(`system_u:system_r:kernel_t') | |-nm-applet(`system_u:system_r:kernel_t') | |-polkit-gnome-au(`system_u:system_r:kernel_t') | |-python(`system_u:system_r:kernel_t') | |-ssh-agent(`system_u:system_r:kernel_t') | `-{gnome-session}(`system_u:system_r:kernel_t') |-gnome-keyring-d(`system_u:system_r:kernel_t') | |-{gnome-keyring-d}(`system_u:system_r:kernel_t') | `-{gnome-keyring-d}(`system_u:system_r:kernel_t') |-gnome-screensav(`system_u:system_r:kernel_t') |-gnome-settings-(`system_u:system_r:kernel_t') | `-{gnome-settings-}(`system_u:system_r:kernel_t') |-gnome-terminal(`system_u:system_r:kernel_t') | |-bash(`system_u:system_r:kernel_t') | | `-su(`system_u:system_r:kernel_t') | | `-bash(`system_u:system_r:kernel_t') | | `-pstree(`system_u:system_r:kernel_t') | |-gnome-pty-helpe(`system_u:system_r:kernel_t') | `-{gnome-terminal}(`system_u:system_r:kernel_t') |-gvfs-fuse-daemo(`system_u:system_r:kernel_t') | |-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') | |-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') | `-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') |-gvfs-gdu-volume(`system_u:system_r:kernel_t') |-gvfs-gphoto2-vo(`system_u:system_r:kernel_t') |-gvfsd(`system_u:system_r:kernel_t') |-gvfsd-burn(`system_u:system_r:kernel_t') |-gvfsd-trash(`system_u:system_r:kernel_t') |-hald(`system_u:system_r:kernel_t') | `-hald-runner(`system_u:system_r:kernel_t') | |-hald-addon-acpi(`system_u:system_r:kernel_t') | |-hald-addon-inpu(`system_u:system_r:kernel_t') | |-hald-addon-stor(`system_u:system_r:kernel_t') | `-hald-addon-stor(`system_u:system_r:kernel_t') |-main-menu(`system_u:system_r:kernel_t') |-master(`system_u:system_r:kernel_t') | |-pickup(`system_u:system_r:kernel_t') | `-qmgr(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-mingetty(`system_u:system_r:kernel_t') |-nm-system-setti(`system_u:system_r:kernel_t') |-notification-da(`system_u:system_r:kernel_t') |-nscd(`system_u:system_r:kernel_t') |-polkitd(`system_u:system_r:kernel_t') |-pulseaudio(`system_u:system_r:kernel_t') | |-gconf-helper(`system_u:system_r:kernel_t') | `-{pulseaudio}(`system_u:system_r:kernel_t') |-pulseaudio(`system_u:system_r:kernel_t') | |-gconf-helper(`system_u:system_r:kernel_t') | `-{pulseaudio}(`system_u:system_r:kernel_t') |-rpcbind(`system_u:system_r:kernel_t') |-rsyslogd(`system_u:system_r:kernel_t') | |-{rsyslogd}(`system_u:system_r:kernel_t') | |-{rsyslogd}(`system_u:system_r:kernel_t') | |-{rsyslogd}(`system_u:system_r:kernel_t') | `-{rsyslogd}(`system_u:system_r:kernel_t') |-rtkit-daemon(`system_u:system_r:kernel_t') | |-{rtkit-daemon}(`system_u:system_r:kernel_t') | `-{rtkit-daemon}(`system_u:system_r:kernel_t') |-seahorse-agent(`system_u:system_r:kernel_t') |-seahorse-daemon(`system_u:system_r:kernel_t') |-startpar(`system_u:system_r:kernel_t') |-startpar(`system_u:system_r:kernel_t') |-udevd(`system_u:system_r:kernel_t') | |-udevd(`system_u:system_r:kernel_t') | `-udevd(`system_u:system_r:kernel_t') |-vmtoolsd(`system_u:system_r:kernel_t') `-vmware-user(`system_u:system_r:kernel_t') -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Wednesday, February 17, 2010 11:58 AM To: Alan Rouse Cc: Justin P. mattock; Dominick Grift; 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Wed, 2010-02-17 at 11:34 -0500, Alan Rouse wrote: > Renaming didn't work for me in the image we've been discussing... However, after building another clean OpenSuse 11.2 image, installing the previously mentioned list of packages, and editing the grub menu.lst for selinux, I created a symlink named "targeted" to the refpolicy-standard directory, and it now boots into the desktop nicely (using the version of policy in the OpenSuse 11.2 repository.) Sestatus shows selinux active and in permissive mode. There are no AVC messages in /var/log/audit/audit.log. Audit2allow -al gives > > allow kernel_t file_t:file execmod; > allow kernel_t self:process { execstack execmem }; > > I don't understand why those are suggested since there are no AVC messages... But this looks far better than before! > > Thanks Justin. Now we just need to find out where it's hard coded to "targeted" and get that fixed... libselinux will default to "targeted" if there is no SELINUXTYPE= definition in /etc/selinux/config. Or your /etc/dbus-1/system.conf might have a hardcoded path to it rather than using selinux_root_relative="yes". Or the version of dbus shipped in OpenSUSE 11.2 might not support that (I don't know). Check /var/log/messages as well for avc messages; if you aren't running auditd or before auditd starts, the avc messages will go to /var/log/messages or wherever syslog is configured to report kern.warn. What does sestatus -v and pstree -Z show now? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 18:34 ` Alan Rouse @ 2010-02-17 18:50 ` Justin P. mattock 2010-02-17 18:58 ` Stephen Smalley 1 sibling, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 18:50 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/17/2010 10:34 AM, Alan Rouse wrote: > Here's some info about the system now (booting successfully to desktop with selinux enabled) > > /etc/selinux/config: > SELINUX=permissive > SELINUXTYPE=refpolicy-standard > > /etc/dbus-1/system.conf contains: > <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> > > var/log/messages does not have any AVC messages in it. > > sestatus -v: > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy-standard > > Process contexts: > Current context: system_u:system_r:kernel_t > Init context: system_u:system_r:kernel_t > /sbin/mingetty system_u:system_r:kernel_t > > File contexts: > Controlling term: system_u:object_r:devpts_t > /etc/passwd system_u:object_r:file_t > /etc/shadow system_u:object_r:file_t > /bin/bash system_u:object_r:file_t > /bin/login system_u:object_r:file_t > /bin/sh system_u:object_r:file_t -> system_u:object_r:file_t > /sbin/agetty system_u:object_r:file_t > /sbin/init system_u:object_r:file_t > /sbin/mingetty system_u:object_r:file_t > /usr/sbin/sshd system_u:object_r:file_t > /lib/libc.so.6 system_u:object_r:file_t -> system_u:object_r:file_t > /lib/ld-linux.so.2 system_u:object_r:file_t -> system_u:object_r:file_t > > pstree -Z: > init(`system_u:system_r:kernel_t') > |-acpid(`system_u:system_r:kernel_t') > |-auditd(`system_u:system_r:kernel_t') > | |-audispd(`system_u:system_r:kernel_t') > | | `-{audispd}(`system_u:system_r:kernel_t') > | `-{auditd}(`system_u:system_r:kernel_t') > |-avahi-daemon(`system_u:system_r:kernel_t') > |-bash(`system_u:system_r:kernel_t') > | `-tomboy(`system_u:system_r:kernel_t') > | |-{tomboy}(`system_u:system_r:kernel_t') > | `-{tomboy}(`system_u:system_r:kernel_t') > |-bonobo-activati(`system_u:system_r:kernel_t') > | `-{bonobo-activati}(`system_u:system_r:kernel_t') > |-console-kit-dae(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | |-{console-kit-dae}(`system_u:system_r:kernel_t') > | `-{console-kit-dae}(`system_u:system_r:kernel_t') > |-cron(`system_u:system_r:kernel_t') > |-cupsd(`system_u:system_r:kernel_t') > |-dbus-daemon(`system_u:system_r:kernel_t') > | `-{dbus-daemon}(`system_u:system_r:kernel_t') > |-dbus-daemon(`system_u:system_r:kernel_t') > | `-{dbus-daemon}(`system_u:system_r:kernel_t') > |-dbus-daemon(`system_u:system_r:kernel_t') > | `-{dbus-daemon}(`system_u:system_r:kernel_t') > |-dbus-launch(`system_u:system_r:kernel_t') > |-dbus-launch(`system_u:system_r:kernel_t') > |-dbus-launch(`system_u:system_r:kernel_t') > |-devkit-disks-da(`system_u:system_r:kernel_t') > | `-devkit-disks-da(`system_u:system_r:kernel_t') > |-devkit-power-da(`system_u:system_r:kernel_t') > |-dhcpcd(`system_u:system_r:kernel_t') > |-gconfd-2(`system_u:system_r:kernel_t') > |-gconfd-2(`system_u:system_r:kernel_t') > |-gdm(`system_u:system_r:kernel_t') > | `-gdm-simple-slav(`system_u:system_r:kernel_t') > | |-Xorg(`system_u:system_r:kernel_t') > | `-gdm-session-wor(`system_u:system_r:kernel_t') > | `-gnome-session(`system_u:system_r:kernel_t') > | |-bluetooth-apple(`system_u:system_r:kernel_t') > | |-gnome-do(`system_u:system_r:kernel_t') > | | `-gnome-do(`system_u:system_r:kernel_t') > | | |-{gnome-do}(`system_u:system_r:kernel_t') > | | |-{gnome-do}(`system_u:system_r:kernel_t') > | | `-{gnome-do}(`system_u:system_r:kernel_t') > | |-gnome-panel(`system_u:system_r:kernel_t') > | |-gnome-power-man(`system_u:system_r:kernel_t') > | |-gnome-volume-co(`system_u:system_r:kernel_t') > | |-gpk-update-icon(`system_u:system_r:kernel_t') > | |-metacity(`system_u:system_r:kernel_t') > | |-nautilus(`system_u:system_r:kernel_t') > | |-nm-applet(`system_u:system_r:kernel_t') > | |-polkit-gnome-au(`system_u:system_r:kernel_t') > | |-python(`system_u:system_r:kernel_t') > | |-ssh-agent(`system_u:system_r:kernel_t') > | `-{gnome-session}(`system_u:system_r:kernel_t') > |-gnome-keyring-d(`system_u:system_r:kernel_t') > | |-{gnome-keyring-d}(`system_u:system_r:kernel_t') > | `-{gnome-keyring-d}(`system_u:system_r:kernel_t') > |-gnome-screensav(`system_u:system_r:kernel_t') > |-gnome-settings-(`system_u:system_r:kernel_t') > | `-{gnome-settings-}(`system_u:system_r:kernel_t') > |-gnome-terminal(`system_u:system_r:kernel_t') > | |-bash(`system_u:system_r:kernel_t') > | | `-su(`system_u:system_r:kernel_t') > | | `-bash(`system_u:system_r:kernel_t') > | | `-pstree(`system_u:system_r:kernel_t') > | |-gnome-pty-helpe(`system_u:system_r:kernel_t') > | `-{gnome-terminal}(`system_u:system_r:kernel_t') > |-gvfs-fuse-daemo(`system_u:system_r:kernel_t') > | |-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') > | |-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') > | `-{gvfs-fuse-daemo}(`system_u:system_r:kernel_t') > |-gvfs-gdu-volume(`system_u:system_r:kernel_t') > |-gvfs-gphoto2-vo(`system_u:system_r:kernel_t') > |-gvfsd(`system_u:system_r:kernel_t') > |-gvfsd-burn(`system_u:system_r:kernel_t') > |-gvfsd-trash(`system_u:system_r:kernel_t') > |-hald(`system_u:system_r:kernel_t') > | `-hald-runner(`system_u:system_r:kernel_t') > | |-hald-addon-acpi(`system_u:system_r:kernel_t') > | |-hald-addon-inpu(`system_u:system_r:kernel_t') > | |-hald-addon-stor(`system_u:system_r:kernel_t') > | `-hald-addon-stor(`system_u:system_r:kernel_t') > |-main-menu(`system_u:system_r:kernel_t') > |-master(`system_u:system_r:kernel_t') > | |-pickup(`system_u:system_r:kernel_t') > | `-qmgr(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-mingetty(`system_u:system_r:kernel_t') > |-nm-system-setti(`system_u:system_r:kernel_t') > |-notification-da(`system_u:system_r:kernel_t') > |-nscd(`system_u:system_r:kernel_t') > |-polkitd(`system_u:system_r:kernel_t') > |-pulseaudio(`system_u:system_r:kernel_t') > | |-gconf-helper(`system_u:system_r:kernel_t') > | `-{pulseaudio}(`system_u:system_r:kernel_t') > |-pulseaudio(`system_u:system_r:kernel_t') > | |-gconf-helper(`system_u:system_r:kernel_t') > | `-{pulseaudio}(`system_u:system_r:kernel_t') > |-rpcbind(`system_u:system_r:kernel_t') > |-rsyslogd(`system_u:system_r:kernel_t') > | |-{rsyslogd}(`system_u:system_r:kernel_t') > | |-{rsyslogd}(`system_u:system_r:kernel_t') > | |-{rsyslogd}(`system_u:system_r:kernel_t') > | `-{rsyslogd}(`system_u:system_r:kernel_t') > |-rtkit-daemon(`system_u:system_r:kernel_t') > | |-{rtkit-daemon}(`system_u:system_r:kernel_t') > | `-{rtkit-daemon}(`system_u:system_r:kernel_t') > |-seahorse-agent(`system_u:system_r:kernel_t') > |-seahorse-daemon(`system_u:system_r:kernel_t') > |-startpar(`system_u:system_r:kernel_t') > |-startpar(`system_u:system_r:kernel_t') > |-udevd(`system_u:system_r:kernel_t') > | |-udevd(`system_u:system_r:kernel_t') > | `-udevd(`system_u:system_r:kernel_t') > |-vmtoolsd(`system_u:system_r:kernel_t') > `-vmware-user(`system_u:system_r:kernel_t') > > -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Wednesday, February 17, 2010 11:58 AM > To: Alan Rouse > Cc: Justin P. mattock; Dominick Grift; 'selinux@tycho.nsa.gov' > Subject: RE: SELinux Policy in OpenSUSE 11.2 > > On Wed, 2010-02-17 at 11:34 -0500, Alan Rouse wrote: >> Renaming didn't work for me in the image we've been discussing... However, after building another clean OpenSuse 11.2 image, installing the previously mentioned list of packages, and editing the grub menu.lst for selinux, I created a symlink named "targeted" to the refpolicy-standard directory, and it now boots into the desktop nicely (using the version of policy in the OpenSuse 11.2 repository.) Sestatus shows selinux active and in permissive mode. There are no AVC messages in /var/log/audit/audit.log. Audit2allow -al gives >> >> allow kernel_t file_t:file execmod; >> allow kernel_t self:process { execstack execmem }; >> >> I don't understand why those are suggested since there are no AVC messages... But this looks far better than before! >> >> Thanks Justin. Now we just need to find out where it's hard coded to "targeted" and get that fixed... > > libselinux will default to "targeted" if there is no SELINUXTYPE= definition in /etc/selinux/config. > > Or your /etc/dbus-1/system.conf might have a hardcoded path to it rather than using selinux_root_relative="yes". Or the version of dbus shipped in OpenSUSE 11.2 might not support that (I don't know). > > Check /var/log/messages as well for avc messages; if you aren't running auditd or before auditd starts, the avc messages will go to /var/log/messages or wherever syslog is configured to report kern.warn. > > What does sestatus -v and pstree -Z show now? > > -- > Stephen Smalley > National Security Agency > > from what it looks like the policy will boot even if the config is set too refpolicy-standard and you have targeted in /etc/selinux once you remove targeted from there the system craps out. what comes to mind is what Stephen was saying "Or the version of dbus shipped in OpenSUSE 11.2 might not support that" which makes me ask the question "Is there something in dbus that was changed before compiling, that hard wires the binary(dbus-launch) to that location?". but then like Stephen had said: libselinux will default to "targeted" if there is no SELINUXTYPE= definition in /etc/selinux/config. (this might be what this is i.g. libselinux is getting confused with SELINUXTYPE and defaults to targeted question is why/what would cause this?). another issue that might be related is rebooting I get an error with dbus trying to unmount /selinux (even though /selinux is mounted with selinuxfs). error message rebooting could not find /selinux in mtab dbus error's out, then continues to reboot. (adding selinuxfs to fstab does not resolve this issue). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 18:34 ` Alan Rouse 2010-02-17 18:50 ` Justin P. mattock @ 2010-02-17 18:58 ` Stephen Smalley 2010-02-17 19:39 ` Alan Rouse ` (2 more replies) 1 sibling, 3 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 18:58 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 13:34 -0500, Alan Rouse wrote: > Here's some info about the system now (booting successfully to desktop with selinux enabled) > > /etc/selinux/config: > SELINUX=permissive > SELINUXTYPE=refpolicy-standard > > /etc/dbus-1/system.conf contains: > <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> > > var/log/messages does not have any AVC messages in it. > > sestatus -v: > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy-standard > > Process contexts: > Current context: system_u:system_r:kernel_t > Init context: system_u:system_r:kernel_t > /sbin/mingetty system_u:system_r:kernel_t > > File contexts: > Controlling term: system_u:object_r:devpts_t > /etc/passwd system_u:object_r:file_t > /etc/shadow system_u:object_r:file_t > /bin/bash system_u:object_r:file_t > /bin/login system_u:object_r:file_t > /bin/sh system_u:object_r:file_t -> system_u:object_r:file_t > /sbin/agetty system_u:object_r:file_t > /sbin/init system_u:object_r:file_t > /sbin/mingetty system_u:object_r:file_t > /usr/sbin/sshd system_u:object_r:file_t > /lib/libc.so.6 system_u:object_r:file_t -> system_u:object_r:file_t > /lib/ld-linux.so.2 system_u:object_r:file_t -> system_u:object_r:file_t Ok, so all of your processes are still running in kernel_t, and all of your files are labeled file_t. You need to label your filesystems and reboot. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 18:58 ` Stephen Smalley @ 2010-02-17 19:39 ` Alan Rouse 2010-02-17 19:47 ` Justin P. mattock [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780232@EUSAACMS0703.eamcs.ericsson.se> 2 siblings, 0 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-17 19:39 UTC (permalink / raw) To: 'selinux@tycho.nsa.gov' Oops. I'm a bit confused though. What are the scenarios that trigger an autorelabel? I've not had any luck with the -autorelabel kernel boot parameter, nor with the /.autorelabel flag file. OTOH sometimes when I reboot it (apparently) decides to autorelabel. > Ok, so all of your processes are still running in kernel_t, and all of your files are > labeled file_t. You need to label your filesystems and reboot. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 18:58 ` Stephen Smalley 2010-02-17 19:39 ` Alan Rouse @ 2010-02-17 19:47 ` Justin P. mattock 2010-02-17 20:00 ` Stephen Smalley [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780232@EUSAACMS0703.eamcs.ericsson.se> 2 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 19:47 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/17/2010 10:58 AM, Stephen Smalley wrote: > On Wed, 2010-02-17 at 13:34 -0500, Alan Rouse wrote: >> Here's some info about the system now (booting successfully to desktop with selinux enabled) >> >> /etc/selinux/config: >> SELINUX=permissive >> SELINUXTYPE=refpolicy-standard >> >> /etc/dbus-1/system.conf contains: >> <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> >> >> var/log/messages does not have any AVC messages in it. >> >> sestatus -v: >> SELinux status: enabled >> SELinuxfs mount: /selinux >> Current mode: permissive >> Mode from config file: permissive >> Policy version: 24 >> Policy from config file: refpolicy-standard >> >> Process contexts: >> Current context: system_u:system_r:kernel_t >> Init context: system_u:system_r:kernel_t >> /sbin/mingetty system_u:system_r:kernel_t >> >> File contexts: >> Controlling term: system_u:object_r:devpts_t >> /etc/passwd system_u:object_r:file_t >> /etc/shadow system_u:object_r:file_t >> /bin/bash system_u:object_r:file_t >> /bin/login system_u:object_r:file_t >> /bin/sh system_u:object_r:file_t -> system_u:object_r:file_t >> /sbin/agetty system_u:object_r:file_t >> /sbin/init system_u:object_r:file_t >> /sbin/mingetty system_u:object_r:file_t >> /usr/sbin/sshd system_u:object_r:file_t >> /lib/libc.so.6 system_u:object_r:file_t -> system_u:object_r:file_t >> /lib/ld-linux.so.2 system_u:object_r:file_t -> system_u:object_r:file_t > > Ok, so all of your processes are still running in kernel_t, and all of > your files are labeled file_t. You need to label your filesystems and > reboot. > o.k. doing a touch .autorelabel doesnt get the filesystem to automatically relabel, so I just did fixfiles relabel now rebooting causes gdm to really crashes and burns i.g. before gdm would try and giveup on the 5 attempt, now it just exits out without even trying like before (i.g. before screen login appears, then goes back to init3, now after relabel just shows an error exit message and thats it.) wow!! never experienced such a failure with wrong file labels on a system(even when running nubuntu).. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 19:47 ` Justin P. mattock @ 2010-02-17 20:00 ` Stephen Smalley 2010-02-17 20:03 ` Alan Rouse 2010-02-17 20:08 ` Alan Rouse 0 siblings, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 20:00 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 11:47 -0800, Justin P. mattock wrote: > On 02/17/2010 10:58 AM, Stephen Smalley wrote: > > On Wed, 2010-02-17 at 13:34 -0500, Alan Rouse wrote: > >> Here's some info about the system now (booting successfully to desktop with selinux enabled) > >> > >> /etc/selinux/config: > >> SELINUX=permissive > >> SELINUXTYPE=refpolicy-standard > >> > >> /etc/dbus-1/system.conf contains: > >> <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> > >> > >> var/log/messages does not have any AVC messages in it. > >> > >> sestatus -v: > >> SELinux status: enabled > >> SELinuxfs mount: /selinux > >> Current mode: permissive > >> Mode from config file: permissive > >> Policy version: 24 > >> Policy from config file: refpolicy-standard > >> > >> Process contexts: > >> Current context: system_u:system_r:kernel_t > >> Init context: system_u:system_r:kernel_t > >> /sbin/mingetty system_u:system_r:kernel_t > >> > >> File contexts: > >> Controlling term: system_u:object_r:devpts_t > >> /etc/passwd system_u:object_r:file_t > >> /etc/shadow system_u:object_r:file_t > >> /bin/bash system_u:object_r:file_t > >> /bin/login system_u:object_r:file_t > >> /bin/sh system_u:object_r:file_t -> system_u:object_r:file_t > >> /sbin/agetty system_u:object_r:file_t > >> /sbin/init system_u:object_r:file_t > >> /sbin/mingetty system_u:object_r:file_t > >> /usr/sbin/sshd system_u:object_r:file_t > >> /lib/libc.so.6 system_u:object_r:file_t -> system_u:object_r:file_t > >> /lib/ld-linux.so.2 system_u:object_r:file_t -> system_u:object_r:file_t > > > > Ok, so all of your processes are still running in kernel_t, and all of > > your files are labeled file_t. You need to label your filesystems and > > reboot. > > > > o.k. doing a touch .autorelabel doesnt get the > filesystem to automatically relabel, so I > just did fixfiles relabel > > now rebooting causes gdm to really crashes and burns > i.g. before gdm would try and giveup on the 5 attempt, > now it just exits out without even trying like before > (i.g. before screen login appears, then goes back to init3, now after > relabel just shows an error exit message and thats it.) > > > wow!! never experienced such a failure with wrong file labels > on a system(even when running nubuntu).. Boot with enforcing=0 and look at your avc messages. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:00 ` Stephen Smalley @ 2010-02-17 20:03 ` Alan Rouse 2010-02-17 20:12 ` Dominick Grift 2010-02-17 20:18 ` Stephen Smalley 2010-02-17 20:08 ` Alan Rouse 1 sibling, 2 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-17 20:03 UTC (permalink / raw) To: Stephen Smalley, Justin P. mattock Cc: Dominick Grift, 'selinux@tycho.nsa.gov' Here are the AVC messages from reboot after relabel: type=DAEMON_START msg=audit(1266436045.285:1584): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2191 subj=system_u:system_r:sysadm_t res=success type=AVC msg=audit(1266436045.288:170): avc: denied { nlmsg_read } for pid=2191 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436045.394:171): avc: denied { ioctl } for pid=2206 comm="rcsmbfs" path="/etc/samba/smbfstab" dev=sda2 ino=110898 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:samba_etc_t tclass=file type=AVC msg=audit(1266436045.400:172): avc: denied { write } for pid=2211 comm="touch" name="smbfs" dev=sda2 ino=129640 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436045.400:173): avc: denied { open } for pid=2211 comm="touch" name="smbfs" dev=sda2 ino=129640 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436045.438:174): avc: denied { getattr } for pid=2220 comm="SuSEfirewall2" path="/usr/sbin/iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.439:175): avc: denied { execute } for pid=2220 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.439:176): avc: denied { read } for pid=2220 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.441:177): avc: denied { open } for pid=2221 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.441:178): avc: denied { execute_no_trans } for pid=2221 comm="SuSEfirewall2" path="/usr/sbin/iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.444:179): avc: denied { create } for pid=2221 comm="iptables" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=rawip_socket type=AVC msg=audit(1266436045.444:180): avc: denied { getopt } for pid=2221 comm="iptables" lport=255 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=rawip_socket type=AVC msg=audit(1266436045.501:181): avc: denied { getattr } for pid=2222 comm="SuSEfirewall2" path="/var/lock/SuSEfirewall2.booting" dev=sda2 ino=129622 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436280.459:182): avc: denied { associate } for pid=2263 comm="kbd" name="vcs2" scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem type=AVC msg=audit(1266436280.725:183): avc: denied { read } for pid=2293 comm="hwinfo" name="mem" dev=tmpfs ino=1053 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file type=AVC msg=audit(1266436280.725:184): avc: denied { open } for pid=2293 comm="hwinfo" name="mem" dev=tmpfs ino=1053 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file type=AVC msg=audit(1266436281.245:185): avc: denied { execstack } for pid=2372 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process type=AVC msg=audit(1266436281.255:186): avc: denied { execmem } for pid=2372 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process type=AVC msg=audit(1266436281.423:187): avc: denied { node_bind } for pid=2380 comm="cupsd" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=631 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:compat_ipv4_node_t tclass=tcp_socket type=AVC msg=audit(1266436281.423:188): avc: denied { node_bind } for pid=2380 comm="cupsd" saddr=127.0.0.1 src=631 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:lo_node_t tclass=tcp_socket type=AVC msg=audit(1266436281.688:189): avc: denied { read write } for pid=2439 comm="smartd" name="sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436281.688:190): avc: denied { open } for pid=2439 comm="smartd" name="sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436281.689:191): avc: denied { ioctl } for pid=2439 comm="smartd" path="/dev/sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436282.004:192): avc: denied { read } for pid=2101 comm="rsyslogd" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266436317.516:193): avc: denied { node_bind } for pid=2700 comm="master" src=25 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket type=AVC msg=audit(1266436317.522:194): avc: denied { node_bind } for pid=2700 comm="master" src=25 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:unspec_node_t tclass=tcp_socket type=AVC msg=audit(1266436317.812:195): avc: denied { write } for pid=2761 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436317.813:196): avc: denied { read } for pid=2191 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436317.840:197): avc: denied { write } for pid=2767 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.030:198): avc: denied { read } for pid=2806 comm="iptables-batch" name="SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.030:199): avc: denied { open } for pid=2806 comm="iptables-batch" name="SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.031:200): avc: denied { getattr } for pid=2806 comm="iptables-batch" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.066:201): avc: denied { read } for pid=286 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266436318.067:202): avc: denied { write } for pid=286 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266436318.335:203): avc: denied { setattr } for pid=2841 comm="mingetty" name="tty1" dev=tmpfs ino=3835 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file type=AVC msg=audit(1266436744.301:204): avc: denied { setattr } for pid=2841 comm="login" name="tty1" dev=tmpfs ino=3835 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file type=AVC msg=audit(1266436745.371:205): avc: denied { create } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:206): avc: denied { write } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:207): avc: denied { nlmsg_relay } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:208): avc: denied { audit_write } for pid=2841 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:03 ` Alan Rouse @ 2010-02-17 20:12 ` Dominick Grift 2010-02-17 20:18 ` Stephen Smalley 1 sibling, 0 replies; 113+ messages in thread From: Dominick Grift @ 2010-02-17 20:12 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Justin P. mattock, 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 155 bytes --] On 02/17/2010 09:03 PM, Alan Rouse wrote: > Here are the AVC messages from reboot after relabel: Can you provide a pstree -Z and sestatus -v again? [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:03 ` Alan Rouse 2010-02-17 20:12 ` Dominick Grift @ 2010-02-17 20:18 ` Stephen Smalley 2010-02-17 20:17 ` Alan Rouse 2010-02-17 20:25 ` Stephen Smalley 1 sibling, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 20:18 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 15:03 -0500, Alan Rouse wrote: > Here are the AVC messages from reboot after relabel: Ok. And sestatus -v and pstree -Z output? Looks like you still have processes running in the wrong context. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:18 ` Stephen Smalley @ 2010-02-17 20:17 ` Alan Rouse 2010-02-17 20:25 ` Stephen Smalley 1 sibling, 0 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-17 20:17 UTC (permalink / raw) To: Stephen Smalley Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' > Ok. And sestatus -v and pstree -Z output? Looks like you still have processes > running in the wrong context.\ sestatus -v: SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: refpolicy-standard Process contexts: Current context: system_u:system_r:sysadm_t Init context: system_u:system_r:init_t /sbin/mingetty system_u:system_r:sysadm_t File contexts: Controlling term: system_u:object_r:tty_device_t /etc/passwd system_u:object_r:etc_t /etc/shadow system_u:object_r:shadow_t /bin/bash system_u:object_r:shell_exec_t /bin/login system_u:object_r:login_exec_t /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t /sbin/agetty system_u:object_r:getty_exec_t /sbin/init system_u:object_r:init_exec_t /sbin/mingetty system_u:object_r:getty_exec_t /usr/sbin/sshd system_u:object_r:sshd_exec_t /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t pstree -Z: init(`system_u:system_r:init_t') |-acpid(`system_u:system_r:sysadm_t') |-auditd(`system_u:system_r:sysadm_t') | |-audispd(`system_u:system_r:sysadm_t') | | `-{audispd}(`system_u:system_r:sysadm_t') | `-{auditd}(`system_u:system_r:sysadm_t') |-cron(`system_u:system_r:sysadm_t') |-cupsd(`system_u:system_r:sysadm_t') |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t') | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t') |-dhcpcd(`system_u:system_r:dhcpc_t') |-login(`system_u:system_r:sysadm_t') | `-bash(`system_u:system_r:sysadm_t') | `-pstree(`system_u:system_r:sysadm_t') |-master(`system_u:system_r:sysadm_t') | |-pickup(`system_u:system_r:sysadm_t') | `-qmgr(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-mingetty(`system_u:system_r:sysadm_t') |-nscd(`system_u:system_r:sysadm_t') |-rpcbind(`system_u:system_r:sysadm_t') |-rsyslogd(`system_u:system_r:sysadm_t') | |-{rsyslogd}(`system_u:system_r:sysadm_t') | |-{rsyslogd}(`system_u:system_r:sysadm_t') | `-{rsyslogd}(`system_u:system_r:sysadm_t') |-startpar(`system_u:system_r:sysadm_t') |-udevd(`system_u:system_r:sysadm_t') | |-udevd(`system_u:system_r:sysadm_t') | `-udevd(`system_u:system_r:sysadm_t') `-vmtoolsd(`system_u:system_r:sysadm_t') -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:18 ` Stephen Smalley 2010-02-17 20:17 ` Alan Rouse @ 2010-02-17 20:25 ` Stephen Smalley [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A7802A0@EUSAACMS0703.eamcs.ericsson.se> 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 20:25 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 15:18 -0500, Stephen Smalley wrote: > On Wed, 2010-02-17 at 15:03 -0500, Alan Rouse wrote: > > Here are the AVC messages from reboot after relabel: > > Ok. And sestatus -v and pstree -Z output? Looks like you still have > processes running in the wrong context. Also, remember to setsebool -P init_upstart=1 and reboot afterward. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
[parent not found: <5A5E55DF96F73844AF7DFB0F48721F0F529A7802A0@EUSAACMS0703.eamcs.ericsson.se>]
[parent not found: <1266438910.4945.137.camel@moss-pluto.epoch.ncsc.mil>]
* RE: SELinux Policy in OpenSUSE 11.2 [not found] ` <1266438910.4945.137.camel@moss-pluto.epoch.ncsc.mil> @ 2010-02-17 20:49 ` Alan Rouse 2010-02-17 21:09 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-17 20:49 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' Today, up until now, I've been working with the binary policy package in the native OpenSuse 11.2 repository (without installing source). But I've just now installed the corresponding source package and built it as monolithic=n. As before, "setsebool -P init_upstart=1" gives an error message: ---------------- Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin. ---------------- So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool. No error message returned, and "getsebool init_upstart" reports that it was on. But after reboot it is off again... And, yes, I did issue "setsebool -P init_upstart=1" before reboot, and confirmed with "getsebool init_upstart" that it worked. It is still giving the gdm /selinux error that I quoted in my first email on this thread (despite the fact that selinux is in permissive mode, confirmed by sestatus). The following services in runlevel 5 fail: earlyxdm, xdm, avahi-daemon. So boot drops me into runlevel 3. The sestatus -v and pstree -Z are unchanged from what I sent most recently (since the setsebool -P isn't persistent across a boot.) -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Wednesday, February 17, 2010 3:35 PM To: Alan Rouse Subject: RE: SELinux Policy in OpenSUSE 11.2 On Wed, 2010-02-17 at 15:18 -0500, Alan Rouse wrote: > Ok, for that I'll have to get the source and build it as a non-monolithic policy, right? Oh, I thought you were already building it with MONOLITHIC=n. If it is monolithic, then just change the init_upstart = false line in policy/booleans.conf to init_upstart = true and do a make load. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:49 ` Alan Rouse @ 2010-02-17 21:09 ` Stephen Smalley 2010-02-17 21:11 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 21:09 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 15:49 -0500, Alan Rouse wrote: > Today, up until now, I've been working with the binary policy package > in the native OpenSuse 11.2 repository (without installing source). > But I've just now installed the corresponding source package and built > it as monolithic=n. As before, "setsebool -P init_upstart=1" gives an > error message: > ---------------- > Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its > parent directory conflicts with a file context already specified in > the policy. This usually indicates an incorrectly defined system > account. If it is a system account please make sure its uid is less > than 1000 or its log in shell is /sbin/nologin. > ---------------- > > So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool. > No error message returned, and "getsebool init_upstart" reports that > it was on. But after reboot it is off again... And, yes, I did issue > "setsebool -P init_upstart=1" before reboot, and confirmed with > "getsebool init_upstart" that it worked. The fact that the setsebool -P isn't persisting across reboot suggests that you are not in fact loading the policy that you think you are. ls -l /etc/selinux/$SELINUXTYPE/policy cat /selinux/policyvers checkpolicy -V -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:09 ` Stephen Smalley @ 2010-02-17 21:11 ` Alan Rouse 2010-02-17 21:29 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-17 21:11 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' 1. Is there supposed to be an environment variable $SELINUXTYPE? I don't have one... 2. When I do "make load", the policy file in /etc/selinux/refpolicy-standard/policy/policy.24 is replaced (at least, it gets a new timestamp). /etc/selinux/config contains: SELINUX=permissive SELINUXTYPE=refpolicy-standard 3. ls -l /etc/selinux/refpolicy-standard/policy -rw-r--r--. 1 root root 3686162 Feb 17 16:05 policy.24 4. cat /selinux/policyvers <nothing>... File is empty 5. checkpolicy -V 24 (compatibility range 24-15) -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Wednesday, February 17, 2010 4:10 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 The fact that the setsebool -P isn't persisting across reboot suggests that you are not in fact loading the policy that you think you are. ls -l /etc/selinux/$SELINUXTYPE/policy cat /selinux/policyvers checkpolicy -V -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:11 ` Alan Rouse @ 2010-02-17 21:29 ` Stephen Smalley 2010-02-17 21:37 ` Stephen Smalley [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780365@EUSAACMS0703.eamcs.ericsson.se> 0 siblings, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 21:29 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 16:11 -0500, Alan Rouse wrote: > 1. Is there supposed to be an environment variable $SELINUXTYPE? I don't have one... Defined by /etc/selinux/config . /etc/selinux/config > 2. When I do "make load", the policy file in > > /etc/selinux/refpolicy-standard/policy/policy.24 > > is replaced (at least, it gets a new timestamp). Ok, and what happens when you run setsebool -P init_upstart=1? That file should also get regenerated. > /etc/selinux/config contains: > > SELINUX=permissive > SELINUXTYPE=refpolicy-standard > > 3. ls -l /etc/selinux/refpolicy-standard/policy > > -rw-r--r--. 1 root root 3686162 Feb 17 16:05 policy.24 > > 4. cat /selinux/policyvers > > <nothing>... File is empty What? grep selinuxfs /proc/mounts ls /selinux > 5. checkpolicy -V > > 24 (compatibility range 24-15) -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:29 ` Stephen Smalley @ 2010-02-17 21:37 ` Stephen Smalley 2010-02-17 21:48 ` Alan Rouse [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780365@EUSAACMS0703.eamcs.ericsson.se> 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 21:37 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 16:29 -0500, Stephen Smalley wrote: > On Wed, 2010-02-17 at 16:11 -0500, Alan Rouse wrote: > > 1. Is there supposed to be an environment variable $SELINUXTYPE? I don't have one... > > Defined by /etc/selinux/config > . /etc/selinux/config > > > 2. When I do "make load", the policy file in > > > > /etc/selinux/refpolicy-standard/policy/policy.24 > > > > is replaced (at least, it gets a new timestamp). > > Ok, and what happens when you run setsebool -P init_upstart=1? > That file should also get regenerated. > > > /etc/selinux/config contains: > > > > SELINUX=permissive > > SELINUXTYPE=refpolicy-standard > > > > 3. ls -l /etc/selinux/refpolicy-standard/policy > > > > -rw-r--r--. 1 root root 3686162 Feb 17 16:05 policy.24 > > > > 4. cat /selinux/policyvers > > > > <nothing>... File is empty > > What? grep selinuxfs /proc/mounts > ls /selinux > > > 5. checkpolicy -V > > > > 24 (compatibility range 24-15) BTW, it would be useful to know the versions of the selinux userland (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy) that are in OpenSUSE 11.2. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:37 ` Stephen Smalley @ 2010-02-17 21:48 ` Alan Rouse 2010-02-18 14:16 ` Stephen Smalley 2010-02-18 16:03 ` Stephen Smalley 0 siblings, 2 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-17 21:48 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' libselinux-2.0.80-5.2.i586 libsepol1-2.0.36-2.2.i586 libsemanage1-2.0.31-4.1.i586 policycoreutils-2.0.62-3.1.i586 checkpolicy-2.0.19-2.2.i586 -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Wednesday, February 17, 2010 4:37 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Wed, 2010-02-17 at 16:29 -0500, Stephen Smalley wrote: > On Wed, 2010-02-17 at 16:11 -0500, Alan Rouse wrote: > > 1. Is there supposed to be an environment variable $SELINUXTYPE? I don't have one... > > Defined by /etc/selinux/config > . /etc/selinux/config > > > 2. When I do "make load", the policy file in > > > > /etc/selinux/refpolicy-standard/policy/policy.24 > > > > is replaced (at least, it gets a new timestamp). > > Ok, and what happens when you run setsebool -P init_upstart=1? > That file should also get regenerated. > > > /etc/selinux/config contains: > > > > SELINUX=permissive > > SELINUXTYPE=refpolicy-standard > > > > 3. ls -l /etc/selinux/refpolicy-standard/policy > > > > -rw-r--r--. 1 root root 3686162 Feb 17 16:05 policy.24 > > > > 4. cat /selinux/policyvers > > > > <nothing>... File is empty > > What? grep selinuxfs /proc/mounts > ls /selinux > > > 5. checkpolicy -V > > > > 24 (compatibility range 24-15) BTW, it would be useful to know the versions of the selinux userland (libsepol, libselinux, libsemanage, policycoreutils, checkpolicy) that are in OpenSUSE 11.2. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:48 ` Alan Rouse @ 2010-02-18 14:16 ` Stephen Smalley 2010-02-18 21:28 ` Stephen Smalley 2010-02-18 16:03 ` Stephen Smalley 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-18 14:16 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > libselinux-2.0.80-5.2.i586 > libsepol1-2.0.36-2.2.i586 > libsemanage1-2.0.31-4.1.i586 > policycoreutils-2.0.62-3.1.i586 > checkpolicy-2.0.19-2.2.i586 Could you update to newer versions from: http://userspace.selinuxproject.org You can either use a released set from: http://userspace.selinuxproject.org/trac/wiki/Releases or you can just clone the git repo and build the latest via: git clone http://oss.tresys.com/git/selinux.git -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 14:16 ` Stephen Smalley @ 2010-02-18 21:28 ` Stephen Smalley 0 siblings, 0 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-18 21:28 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Thu, 2010-02-18 at 09:16 -0500, Stephen Smalley wrote: > On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > > libselinux-2.0.80-5.2.i586 > > libsepol1-2.0.36-2.2.i586 > > libsemanage1-2.0.31-4.1.i586 > > policycoreutils-2.0.62-3.1.i586 > > checkpolicy-2.0.19-2.2.i586 > > Could you update to newer versions from: > http://userspace.selinuxproject.org > > You can either use a released set from: > http://userspace.selinuxproject.org/trac/wiki/Releases > > or you can just clone the git repo and build the latest via: > git clone http://oss.tresys.com/git/selinux.git BTW, you should likely file a bugzilla against those packages asking that they be updated to the latest upstream ones if they haven't already done so for the next OpenSUSE release. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 21:48 ` Alan Rouse 2010-02-18 14:16 ` Stephen Smalley @ 2010-02-18 16:03 ` Stephen Smalley 2010-02-18 17:36 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-18 16:03 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > libselinux-2.0.80-5.2.i586 > libsepol1-2.0.36-2.2.i586 > libsemanage1-2.0.31-4.1.i586 > policycoreutils-2.0.62-3.1.i586 > checkpolicy-2.0.19-2.2.i586 Do you also have a setools package? If so, run: sesearch -C --type -s init_t -t shell_exec_t -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 16:03 ` Stephen Smalley @ 2010-02-18 17:36 ` Alan Rouse 2010-02-18 17:53 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-18 17:36 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' sesearch -C --type -s init_t -t shell_exec_t Found 2 semantic te rules: DF type_transition init_t shell_exec_t : process sysadm_t; [ init_upstart ] ET type_transition init_t shell_exec_t : process initrc_t; [ init_upstart ] -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Thursday, February 18, 2010 11:03 AM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > libselinux-2.0.80-5.2.i586 > libsepol1-2.0.36-2.2.i586 > libsemanage1-2.0.31-4.1.i586 > policycoreutils-2.0.62-3.1.i586 > checkpolicy-2.0.19-2.2.i586 Do you also have a setools package? If so, run: sesearch -C --type -s init_t -t shell_exec_t -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 17:36 ` Alan Rouse @ 2010-02-18 17:53 ` Stephen Smalley 2010-02-18 18:21 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-18 17:53 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Thu, 2010-02-18 at 12:36 -0500, Alan Rouse wrote: > sesearch -C --type -s init_t -t shell_exec_t > > Found 2 semantic te rules: > DF type_transition init_t shell_exec_t : process sysadm_t; [ init_upstart ] > ET type_transition init_t shell_exec_t : process initrc_t; [ init_upstart ] That looks correct. getsebool init_upstart says what? > -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Thursday, February 18, 2010 11:03 AM > To: Alan Rouse > Cc: 'selinux@tycho.nsa.gov' > Subject: RE: SELinux Policy in OpenSUSE 11.2 > > On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > > libselinux-2.0.80-5.2.i586 > > libsepol1-2.0.36-2.2.i586 > > libsemanage1-2.0.31-4.1.i586 > > policycoreutils-2.0.62-3.1.i586 > > checkpolicy-2.0.19-2.2.i586 > > Do you also have a setools package? > > If so, run: > sesearch -C --type -s init_t -t shell_exec_t > > -- > Stephen Smalley > National Security Agency > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 17:53 ` Stephen Smalley @ 2010-02-18 18:21 ` Alan Rouse 2010-02-19 14:49 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-18 18:21 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' Stephen wrote: > That looks correct. getsebool init_upstart says what? Off. So, I did "setsebool -P init_upstart=1" Then "getsebool init_upstart" returns "on". So I reboot. Now "getsebool init_upstart" returns "off" again. -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Thursday, February 18, 2010 12:54 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Thu, 2010-02-18 at 12:36 -0500, Alan Rouse wrote: > sesearch -C --type -s init_t -t shell_exec_t > > Found 2 semantic te rules: > DF type_transition init_t shell_exec_t : process sysadm_t; [ > init_upstart ] ET type_transition init_t shell_exec_t : process > initrc_t; [ init_upstart ] That looks correct. getsebool init_upstart says what? > -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Thursday, February 18, 2010 11:03 AM > To: Alan Rouse > Cc: 'selinux@tycho.nsa.gov' > Subject: RE: SELinux Policy in OpenSUSE 11.2 > > On Wed, 2010-02-17 at 16:48 -0500, Alan Rouse wrote: > > libselinux-2.0.80-5.2.i586 > > libsepol1-2.0.36-2.2.i586 > > libsemanage1-2.0.31-4.1.i586 > > policycoreutils-2.0.62-3.1.i586 > > checkpolicy-2.0.19-2.2.i586 > > Do you also have a setools package? > > If so, run: > sesearch -C --type -s init_t -t shell_exec_t > > -- > Stephen Smalley > National Security Agency > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 18:21 ` Alan Rouse @ 2010-02-19 14:49 ` Stephen Smalley 2010-02-19 15:29 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 14:49 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Thu, 2010-02-18 at 13:21 -0500, Alan Rouse wrote: > Stephen wrote: > > That looks correct. getsebool init_upstart says what? > > Off. > > So, I did "setsebool -P init_upstart=1" > Then "getsebool init_upstart" returns "on". > > So I reboot. > > Now "getsebool init_upstart" returns "off" again. We need to figure out why that is happening. Can you do this? . /etc/selinux/config ls -lR /etc/selinux/$SELINUXTYPE strace load_policy -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 14:49 ` Stephen Smalley @ 2010-02-19 15:29 ` Alan Rouse 2010-02-19 17:46 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-19 15:29 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' I wrote: >> Now "getsebool init_upstart" returns "off" again. And Stephen replied: > We need to figure out why that is happening. > Can you do this? > > . /etc/selinux/config > ls -lR /etc/selinux/$SELINUXTYPE > strace load_policy ======================================================================= . /etc/selinux/config ls -lR /etc/selinux/$SELINUXTYPE ======================================================================= /etc/selinux/refpolicy-standard: total 28 -rw-r--r--. 1 root root 2029 Oct 19 17:09 booleans drwxr-xr-x. 4 root root 4096 Feb 18 16:36 contexts drwx------. 3 root root 4096 Feb 18 16:36 modules drwxr-xr-x. 2 root root 4096 Feb 18 16:48 policy -rw-r--r--. 1 root root 47 Feb 18 16:36 seusers drwxr-xr-x. 3 root root 4096 Feb 18 15:07 src drwxr-xr-x. 2 root root 4096 Feb 18 14:46 users /etc/selinux/refpolicy-standard/contexts: total 48 -rw-r--r--. 1 root root 0 Feb 18 16:25 customizable_types -rw-r--r--. 1 root root 195 Feb 18 16:18 dbus_contexts -rw-r--r--. 1 root root 875 Feb 18 16:18 default_contexts -rw-r--r--. 1 root root 114 Feb 18 16:18 default_type -rw-r--r--. 1 root root 18 Feb 18 16:18 failsafe_context drwxr-xr-x. 2 root root 4096 Feb 18 16:36 files -rw-r--r--. 1 root root 27 Feb 18 16:18 initrc_context -rw-r--r--. 1 root root 0 Feb 18 16:36 netfilter_contexts -rw-r--r--. 1 root root 30 Feb 18 16:18 removable_context -rw-r--r--. 1 root root 123 Feb 18 16:18 securetty_types -rw-r--r--. 1 root root 27 Feb 18 16:18 userhelper_context drwxr-xr-x. 2 root root 4096 Feb 18 16:18 users -rw-r--r--. 1 root root 7051 Feb 18 16:18 x_contexts /etc/selinux/refpolicy-standard/contexts/files: total 152 -rw-r--r--. 1 root root 139886 Feb 18 16:36 file_contexts -rw-r--r--. 1 root root 2663 Feb 18 16:36 file_contexts.homedirs -rw-r--r--. 1 root root 2527 Oct 19 17:09 homedir_template -rw-r--r--. 1 root root 130 Feb 18 16:18 media /etc/selinux/refpolicy-standard/contexts/users: total 16 -rw-r--r--. 1 root root 630 Feb 18 16:18 root -rw-r--r--. 1 root root 378 Feb 18 16:18 staff_u -rw-r--r--. 1 root root 452 Feb 18 16:18 unconfined_u -rw-r--r--. 1 root root 242 Feb 18 16:18 user_u /etc/selinux/refpolicy-standard/modules: total 4 drwx------. 3 root root 4096 Feb 18 16:36 active -rw-------. 1 root root 0 Feb 18 15:07 semanage.read.LOCK -rw-------. 1 root root 0 Feb 18 15:07 semanage.trans.LOCK /etc/selinux/refpolicy-standard/modules/active: total 3936 -rw-r--r--. 1 root root 20377 Feb 18 16:36 base.pp -rw-------. 1 root root 32 Feb 18 16:36 commit_num -rw-------. 1 root root 139886 Feb 18 16:36 file_contexts -rw-r--r--. 1 root root 2663 Feb 18 16:36 file_contexts.homedirs -rw-------. 1 root root 142369 Feb 18 16:36 file_contexts.template -rw-------. 1 root root 2483 Feb 18 16:36 homedir_template drwx------. 2 root root 12288 Feb 18 16:36 modules -rw-------. 1 root root 0 Feb 18 16:36 netfilter_contexts -rw-r--r--. 1 root root 3687284 Feb 18 16:36 policy.kern -rw-------. 1 root root 47 Feb 18 16:36 seusers.final -rw-------. 1 root root 143 Feb 18 16:36 users_extra /etc/selinux/refpolicy-standard/modules/active/modules: total 2380 -rw-r--r--. 1 root root 6057 Feb 18 16:36 acct.pp -rw-r--r--. 1 root root 5951 Feb 18 16:36 ada.pp -rw-r--r--. 1 root root 7520 Feb 18 16:36 afs.pp -rw-r--r--. 1 root root 5283 Feb 18 16:36 aide.pp -rw-r--r--. 1 root root 6562 Feb 18 16:36 alsa.pp -rw-r--r--. 1 root root 8311 Feb 18 16:36 amanda.pp -rw-r--r--. 1 root root 7308 Feb 18 16:36 amavis.pp -rw-r--r--. 1 root root 5114 Feb 18 16:36 amtu.pp -rw-r--r--. 1 root root 6670 Feb 18 16:36 anaconda.pp -rw-r--r--. 1 root root 14679 Feb 18 16:36 apache.pp -rw-r--r--. 1 root root 8846 Feb 18 16:36 apcupsd.pp -rw-r--r--. 1 root root 8482 Feb 18 16:36 apm.pp -rw-r--r--. 1 root root 4571 Feb 18 16:36 application.pp -rw-r--r--. 1 root root 7799 Feb 18 16:36 apt.pp -rw-r--r--. 1 root root 6964 Feb 18 16:36 arpwatch.pp -rw-r--r--. 1 root root 6877 Feb 18 16:36 asterisk.pp -rw-r--r--. 1 root root 5778 Feb 18 16:36 audioentropy.pp -rw-r--r--. 1 root root 25101 Feb 18 16:36 auditadm.pp -rw-r--r--. 1 root root 5088 Feb 18 16:36 authbind.pp -rw-r--r--. 1 root root 10256 Feb 18 16:36 authlogin.pp -rw-r--r--. 1 root root 7767 Feb 18 16:36 automount.pp -rw-r--r--. 1 root root 7134 Feb 18 16:36 avahi.pp -rw-r--r--. 1 root root 7942 Feb 18 16:36 awstats.pp -rw-r--r--. 1 root root 6199 Feb 18 16:36 backup.pp -rw-r--r--. 1 root root 8655 Feb 18 16:36 bind.pp -rw-r--r--. 1 root root 6265 Feb 18 16:36 bitlbee.pp -rw-r--r--. 1 root root 9473 Feb 18 16:36 bluetooth.pp -rw-r--r--. 1 root root 6881 Feb 18 16:36 bootloader.pp -rw-r--r--. 1 root root 5358 Feb 18 16:36 brctl.pp -rw-r--r--. 1 root root 6323 Feb 18 16:36 calamaris.pp -rw-r--r--. 1 root root 6694 Feb 18 16:36 canna.pp -rw-r--r--. 1 root root 6336 Feb 18 16:36 ccs.pp -rw-r--r--. 1 root root 5812 Feb 18 16:36 cdrecord.pp -rw-r--r--. 1 root root 5466 Feb 18 16:36 certwatch.pp -rw-r--r--. 1 root root 6241 Feb 18 16:36 cipe.pp -rw-r--r--. 1 root root 7380 Feb 18 16:36 clamav.pp -rw-r--r--. 1 root root 5864 Feb 18 16:36 clock.pp -rw-r--r--. 1 root root 6074 Feb 18 16:36 clockspeed.pp -rw-r--r--. 1 root root 6851 Feb 18 16:36 comsat.pp -rw-r--r--. 1 root root 6772 Feb 18 16:36 consolekit.pp -rw-r--r--. 1 root root 6377 Feb 18 16:36 consoletype.pp -rw-r--r--. 1 root root 9222 Feb 18 16:36 courier.pp -rw-r--r--. 1 root root 6124 Feb 18 16:36 cpucontrol.pp -rw-r--r--. 1 root root 12970 Feb 18 16:36 cron.pp -rw-r--r--. 1 root root 12252 Feb 18 16:36 cups.pp -rw-r--r--. 1 root root 9506 Feb 18 16:36 cvs.pp -rw-r--r--. 1 root root 6666 Feb 18 16:36 cyphesis.pp -rw-r--r--. 1 root root 7921 Feb 18 16:36 cyrus.pp -rw-r--r--. 1 root root 5941 Feb 18 16:36 daemontools.pp -rw-r--r--. 1 root root 5993 Feb 18 16:36 dante.pp -rw-r--r--. 1 root root 6821 Feb 18 16:36 dbskk.pp -rw-r--r--. 1 root root 7235 Feb 18 16:36 dbus.pp -rw-r--r--. 1 root root 9925 Feb 18 16:36 dcc.pp -rw-r--r--. 1 root root 6579 Feb 18 16:36 ddclient.pp -rw-r--r--. 1 root root 5374 Feb 18 16:36 ddcprobe.pp -rw-r--r--. 1 root root 7327 Feb 18 16:36 dhcp.pp -rw-r--r--. 1 root root 6505 Feb 18 16:36 dictd.pp -rw-r--r--. 1 root root 6484 Feb 18 16:36 distcc.pp -rw-r--r--. 1 root root 5851 Feb 18 16:36 djbdns.pp -rw-r--r--. 1 root root 5476 Feb 18 16:36 dmesg.pp -rw-r--r--. 1 root root 5079 Feb 18 16:36 dmidecode.pp -rw-r--r--. 1 root root 6626 Feb 18 16:36 dnsmasq.pp -rw-r--r--. 1 root root 8646 Feb 18 16:36 dovecot.pp -rw-r--r--. 1 root root 9839 Feb 18 16:36 dpkg.pp -rw-r--r--. 1 root root 7720 Feb 18 16:36 ethereal.pp -rw-r--r--. 1 root root 11778 Feb 18 16:36 evolution.pp -rw-r--r--. 1 root root 6993 Feb 18 16:36 exim.pp -rw-r--r--. 1 root root 7013 Feb 18 16:36 fail2ban.pp -rw-r--r--. 1 root root 6416 Feb 18 16:36 fetchmail.pp -rw-r--r--. 1 root root 7011 Feb 18 16:36 finger.pp -rw-r--r--. 1 root root 7751 Feb 18 16:36 firstboot.pp -rw-r--r--. 1 root root 7353 Feb 18 16:36 fstools.pp -rw-r--r--. 1 root root 9265 Feb 18 16:36 ftp.pp -rw-r--r--. 1 root root 8329 Feb 18 16:36 games.pp -rw-r--r--. 1 root root 6543 Feb 18 16:36 gatekeeper.pp -rw-r--r--. 1 root root 6463 Feb 18 16:36 getty.pp -rw-r--r--. 1 root root 7463 Feb 18 16:36 gift.pp -rw-r--r--. 1 root root 5758 Feb 18 16:36 gnome.pp -rw-r--r--. 1 root root 7317 Feb 18 16:36 gpg.pp -rw-r--r--. 1 root root 5960 Feb 18 16:36 gpm.pp -rw-r--r--. 1 root root 11220 Feb 18 16:36 hal.pp -rw-r--r--. 1 root root 5716 Feb 18 16:36 hostname.pp -rw-r--r--. 1 root root 7918 Feb 18 16:36 hotplug.pp -rw-r--r--. 1 root root 6354 Feb 18 16:36 howl.pp -rw-r--r--. 1 root root 6657 Feb 18 16:36 i18n_input.pp -rw-r--r--. 1 root root 6483 Feb 18 16:36 imaze.pp -rw-r--r--. 1 root root 9313 Feb 18 16:36 inetd.pp -rw-r--r--. 1 root root 13836 Feb 18 16:36 init.pp -rw-r--r--. 1 root root 7409 Feb 18 16:36 inn.pp -rw-r--r--. 1 root root 8415 Feb 18 16:36 ipsec.pp -rw-r--r--. 1 root root 7206 Feb 18 16:36 iptables.pp -rw-r--r--. 1 root root 6286 Feb 18 16:36 irc.pp -rw-r--r--. 1 root root 6489 Feb 18 16:36 ircd.pp -rw-r--r--. 1 root root 5773 Feb 18 16:36 irqbalance.pp -rw-r--r--. 1 root root 6134 Feb 18 16:36 iscsi.pp -rw-r--r--. 1 root root 6632 Feb 18 16:36 jabber.pp -rw-r--r--. 1 root root 8906 Feb 18 16:36 java.pp -rw-r--r--. 1 root root 8537 Feb 18 16:36 kerberos.pp -rw-r--r--. 1 root root 5968 Feb 18 16:36 kerneloops.pp -rw-r--r--. 1 root root 6355 Feb 18 16:36 kismet.pp -rw-r--r--. 1 root root 6904 Feb 18 16:36 ktalk.pp -rw-r--r--. 1 root root 7695 Feb 18 16:36 kudzu.pp -rw-r--r--. 1 root root 7455 Feb 18 16:36 ldap.pp -rw-r--r--. 1 root root 6633 Feb 18 16:36 libraries.pp -rw-r--r--. 1 root root 5283 Feb 18 16:36 loadkeys.pp -rw-r--r--. 1 root root 10343 Feb 18 16:36 locallogin.pp -rw-r--r--. 1 root root 5271 Feb 18 16:36 lockdev.pp -rw-r--r--. 1 root root 10172 Feb 18 16:36 logging.pp -rw-r--r--. 1 root root 7922 Feb 18 16:36 logrotate.pp -rw-r--r--. 1 root root 7392 Feb 18 16:36 logwatch.pp -rw-r--r--. 1 root root 9024 Feb 18 16:36 lpd.pp -rw-r--r--. 1 root root 8679 Feb 18 16:36 lvm.pp -rw-r--r--. 1 root root 9142 Feb 18 16:36 mailman.pp -rw-r--r--. 1 root root 5834 Feb 18 16:36 memcached.pp -rw-r--r--. 1 root root 6904 Feb 18 16:36 milter.pp -rw-r--r--. 1 root root 5008 Feb 18 16:36 miscfiles.pp -rw-r--r--. 1 root root 7806 Feb 18 16:36 modutils.pp -rw-r--r--. 1 root root 6118 Feb 18 16:36 mono.pp -rw-r--r--. 1 root root 6323 Feb 18 16:36 monop.pp -rw-r--r--. 1 root root 8396 Feb 18 16:36 mount.pp -rw-r--r--. 1 root root 8756 Feb 18 16:36 mozilla.pp -rw-r--r--. 1 root root 7751 Feb 18 16:36 mplayer.pp -rw-r--r--. 1 root root 7328 Feb 18 16:36 mrtg.pp -rw-r--r--. 1 root root 9064 Feb 18 16:36 mta.pp -rw-r--r--. 1 root root 6848 Feb 18 16:36 munin.pp -rw-r--r--. 1 root root 7318 Feb 18 16:36 mysql.pp -rw-r--r--. 1 root root 8125 Feb 18 16:36 nagios.pp -rw-r--r--. 1 root root 6627 Feb 18 16:36 nessus.pp -rw-r--r--. 1 root root 5037 Feb 18 16:36 netlabel.pp -rw-r--r--. 1 root root 8167 Feb 18 16:36 netutils.pp -rw-r--r--. 1 root root 8264 Feb 18 16:36 networkmanager.pp -rw-r--r--. 1 root root 7820 Feb 18 16:36 nis.pp -rw-r--r--. 1 root root 6995 Feb 18 16:36 nscd.pp -rw-r--r--. 1 root root 7138 Feb 18 16:36 nsd.pp -rw-r--r--. 1 root root 6284 Feb 18 16:36 ntop.pp -rw-r--r--. 1 root root 7638 Feb 18 16:36 ntp.pp -rw-r--r--. 1 root root 7453 Feb 18 16:36 nx.pp -rw-r--r--. 1 root root 6739 Feb 18 16:36 oav.pp -rw-r--r--. 1 root root 6281 Feb 18 16:36 oddjob.pp -rw-r--r--. 1 root root 6422 Feb 18 16:36 oident.pp -rw-r--r--. 1 root root 5311 Feb 18 16:36 openca.pp -rw-r--r--. 1 root root 5806 Feb 18 16:36 openct.pp -rw-r--r--. 1 root root 6880 Feb 18 16:36 openvpn.pp -rw-r--r--. 1 root root 6796 Feb 18 16:36 pcmcia.pp -rw-r--r--. 1 root root 6032 Feb 18 16:36 pcscd.pp -rw-r--r--. 1 root root 7912 Feb 18 16:36 pegasus.pp -rw-r--r--. 1 root root 5971 Feb 18 16:36 perdition.pp -rw-r--r--. 1 root root 5244 Feb 18 16:36 podsleuth.pp -rw-r--r--. 1 root root 8851 Feb 18 16:36 portage.pp -rw-r--r--. 1 root root 6945 Feb 18 16:36 portmap.pp -rw-r--r--. 1 root root 7678 Feb 18 16:36 portslave.pp -rw-r--r--. 1 root root 17478 Feb 18 16:36 postfix.pp -rw-r--r--. 1 root root 5921 Feb 18 16:36 postfixpolicyd.pp -rw-r--r--. 1 root root 9350 Feb 18 16:36 postgresql.pp -rw-r--r--. 1 root root 6716 Feb 18 16:36 postgrey.pp -rw-r--r--. 1 root root 8809 Feb 18 16:36 ppp.pp -rw-r--r--. 1 root root 5887 Feb 18 16:36 prelink.pp -rw-r--r--. 1 root root 9230 Feb 18 16:36 prelude.pp -rw-r--r--. 1 root root 6800 Feb 18 16:36 privoxy.pp -rw-r--r--. 1 root root 7482 Feb 18 16:36 procmail.pp -rw-r--r--. 1 root root 5542 Feb 18 16:36 publicfile.pp -rw-r--r--. 1 root root 5841 Feb 18 16:36 pxe.pp -rw-r--r--. 1 root root 7829 Feb 18 16:36 pyzor.pp -rw-r--r--. 1 root root 7154 Feb 18 16:36 qemu.pp -rw-r--r--. 1 root root 10224 Feb 18 16:36 qmail.pp -rw-r--r--. 1 root root 5886 Feb 18 16:36 quota.pp -rw-r--r--. 1 root root 8162 Feb 18 16:36 radius.pp -rw-r--r--. 1 root root 6440 Feb 18 16:36 radvd.pp -rw-r--r--. 1 root root 7113 Feb 18 16:36 raid.pp -rw-r--r--. 1 root root 7515 Feb 18 16:36 razor.pp -rw-r--r--. 1 root root 5753 Feb 18 16:36 rdisc.pp -rw-r--r--. 1 root root 6201 Feb 18 16:36 readahead.pp -rw-r--r--. 1 root root 9167 Feb 18 16:36 remotelogin.pp -rw-r--r--. 1 root root 5842 Feb 18 16:36 resmgr.pp -rw-r--r--. 1 root root 6961 Feb 18 16:36 rhgb.pp -rw-r--r--. 1 root root 11578 Feb 18 16:36 ricci.pp -rw-r--r--. 1 root root 7638 Feb 18 16:36 rlogin.pp -rw-r--r--. 1 root root 6363 Feb 18 16:36 roundup.pp -rw-r--r--. 1 root root 9554 Feb 18 16:36 rpc.pp -rw-r--r--. 1 root root 6127 Feb 18 16:36 rpcbind.pp -rw-r--r--. 1 root root 10826 Feb 18 16:36 rpm.pp -rw-r--r--. 1 root root 8149 Feb 18 16:36 rshd.pp -rw-r--r--. 1 root root 6196 Feb 18 16:36 rssh.pp -rw-r--r--. 1 root root 7535 Feb 18 16:36 rsync.pp -rw-r--r--. 1 root root 5943 Feb 18 16:36 rwho.pp -rw-r--r--. 1 root root 15271 Feb 18 16:36 samba.pp -rw-r--r--. 1 root root 7763 Feb 18 16:36 sasl.pp -rw-r--r--. 1 root root 4973 Feb 18 16:36 screen.pp -rw-r--r--. 1 root root 25271 Feb 18 16:36 secadm.pp -rw-r--r--. 1 root root 12046 Feb 18 16:36 selinuxutil.pp -rw-r--r--. 1 root root 7537 Feb 18 16:36 sendmail.pp -rw-r--r--. 1 root root 5902 Feb 18 16:36 setrans.pp -rw-r--r--. 1 root root 7274 Feb 18 16:36 setroubleshoot.pp -rw-r--r--. 1 root root 6467 Feb 18 16:36 slocate.pp -rw-r--r--. 1 root root 5977 Feb 18 16:36 slrnpull.pp -rw-r--r--. 1 root root 6628 Feb 18 16:36 smartmon.pp -rw-r--r--. 1 root root 7907 Feb 18 16:36 snmp.pp -rw-r--r--. 1 root root 6384 Feb 18 16:36 snort.pp -rw-r--r--. 1 root root 6545 Feb 18 16:36 soundserver.pp -rw-r--r--. 1 root root 9528 Feb 18 16:36 spamassassin.pp -rw-r--r--. 1 root root 5823 Feb 18 16:36 speedtouch.pp -rw-r--r--. 1 root root 10291 Feb 18 16:36 squid.pp -rw-r--r--. 1 root root 12933 Feb 18 16:36 ssh.pp -rw-r--r--. 1 root root 24422 Feb 18 16:36 staff.pp -rw-r--r--. 1 root root 5223 Feb 18 16:36 storage.pp -rw-r--r--. 1 root root 6924 Feb 18 16:36 stunnel.pp -rw-r--r--. 1 root root 4567 Feb 18 16:36 su.pp -rw-r--r--. 1 root root 4533 Feb 18 16:36 sudo.pp -rw-r--r--. 1 root root 6136 Feb 18 16:36 sxid.pp -rw-r--r--. 1 root root 29684 Feb 18 16:36 sysadm.pp -rw-r--r--. 1 root root 8864 Feb 18 16:36 sysnetwork.pp -rw-r--r--. 1 root root 5811 Feb 18 16:36 sysstat.pp -rw-r--r--. 1 root root 5767 Feb 18 16:36 tcpd.pp -rw-r--r--. 1 root root 7262 Feb 18 16:36 telnet.pp -rw-r--r--. 1 root root 7066 Feb 18 16:36 tftp.pp -rw-r--r--. 1 root root 8786 Feb 18 16:36 thunderbird.pp -rw-r--r--. 1 root root 6073 Feb 18 16:36 timidity.pp -rw-r--r--. 1 root root 5415 Feb 18 16:36 tmpreaper.pp -rw-r--r--. 1 root root 6829 Feb 18 16:36 tor.pp -rw-r--r--. 1 root root 5911 Feb 18 16:36 transproxy.pp -rw-r--r--. 1 root root 6439 Feb 18 16:36 tripwire.pp -rw-r--r--. 1 root root 6827 Feb 18 16:36 tvtime.pp -rw-r--r--. 1 root root 5559 Feb 18 16:36 tzdata.pp -rw-r--r--. 1 root root 5839 Feb 18 16:36 ucspitcp.pp -rw-r--r--. 1 root root 8928 Feb 18 16:36 udev.pp -rw-r--r--. 1 root root 7407 Feb 18 16:36 uml.pp -rw-r--r--. 1 root root 11422 Feb 18 16:36 unconfined.pp -rw-r--r--. 1 root root 24283 Feb 18 16:36 unprivuser.pp -rw-r--r--. 1 root root 6482 Feb 18 16:36 updfstab.pp -rw-r--r--. 1 root root 5994 Feb 18 16:36 uptime.pp -rw-r--r--. 1 root root 5324 Feb 18 16:36 usbmodules.pp -rw-r--r--. 1 root root 5326 Feb 18 16:36 userdomain.pp -rw-r--r--. 1 root root 4631 Feb 18 16:36 userhelper.pp -rw-r--r--. 1 root root 11006 Feb 18 16:36 usermanage.pp -rw-r--r--. 1 root root 6500 Feb 18 16:36 usernetctl.pp -rw-r--r--. 1 root root 7482 Feb 18 16:36 uucp.pp -rw-r--r--. 1 root root 7399 Feb 18 16:36 uwimap.pp -rw-r--r--. 1 root root 5276 Feb 18 16:36 vbetool.pp -rw-r--r--. 1 root root 8917 Feb 18 16:36 virt.pp -rw-r--r--. 1 root root 8875 Feb 18 16:36 vmware.pp -rw-r--r--. 1 root root 7120 Feb 18 16:36 vpn.pp -rw-r--r--. 1 root root 7574 Feb 18 16:36 w3c.pp -rw-r--r--. 1 root root 6699 Feb 18 16:36 watchdog.pp -rw-r--r--. 1 root root 6560 Feb 18 16:36 webalizer.pp -rw-r--r--. 1 root root 5970 Feb 18 16:36 wine.pp -rw-r--r--. 1 root root 6498 Feb 18 16:36 wireshark.pp -rw-r--r--. 1 root root 8691 Feb 18 16:36 xen.pp -rw-r--r--. 1 root root 6905 Feb 18 16:36 xfs.pp -rw-r--r--. 1 root root 6412 Feb 18 16:36 xprint.pp -rw-r--r--. 1 root root 16921 Feb 18 16:36 xserver.pp -rw-r--r--. 1 root root 6743 Feb 18 16:36 yam.pp -rw-r--r--. 1 root root 5762 Feb 18 16:36 zabbix.pp -rw-r--r--. 1 root root 6993 Feb 18 16:36 zebra.pp /etc/selinux/refpolicy-standard/policy: total 3604 -rw-r--r--. 1 root root 3687284 Feb 18 16:36 policy.24 /etc/selinux/refpolicy-standard/src: total 12 drwxr-xr-x. 8 root root 12288 Feb 18 16:24 policy /etc/selinux/refpolicy-standard/src/policy: total 29996 -rw-r--r--. 1 root root 18009 Feb 18 15:07 COPYING -rw-r--r--. 1 root root 24498 Feb 18 15:07 Changelog -rw-r--r--. 1 root root 1170 Feb 18 15:07 INSTALL -rw-r--r--. 1 root root 21735 Feb 18 15:07 Makefile -rw-r--r--. 1 root root 10206 Feb 18 15:07 README -rw-r--r--. 1 root root 8093 Feb 18 15:07 Rules.modular -rw-r--r--. 1 root root 8559 Feb 18 15:07 Rules.monolithic -rw-r--r--. 1 root root 11 Feb 18 15:07 VERSION -rw-r--r--. 1 root root 60867 Feb 18 16:22 acct.pp -rw-r--r--. 1 root root 59016 Feb 18 16:22 ada.pp -rw-r--r--. 1 root root 116935 Feb 18 16:22 afs.pp -rw-r--r--. 1 root root 42452 Feb 18 16:22 aide.pp -rw-r--r--. 1 root root 70472 Feb 18 16:22 alsa.pp -rw-r--r--. 1 root root 127092 Feb 18 16:22 amanda.pp -rw-r--r--. 1 root root 88814 Feb 18 16:22 amavis.pp -rw-r--r--. 1 root root 43550 Feb 18 16:22 amtu.pp -rw-r--r--. 1 root root 77830 Feb 18 16:22 anaconda.pp -rw-r--r--. 1 root root 354987 Feb 18 16:22 apache.pp -rw-r--r--. 1 root root 125824 Feb 18 16:22 apcupsd.pp -rw-r--r--. 1 root root 125726 Feb 18 16:22 apm.pp -rw-r--r--. 1 root root 31212 Feb 18 16:22 application.pp -rw-r--r--. 1 root root 94086 Feb 18 16:22 apt.pp -rw-r--r--. 1 root root 81567 Feb 18 16:22 arpwatch.pp -rw-r--r--. 1 root root 73292 Feb 18 16:22 asterisk.pp -rw-r--r--. 1 root root 53740 Feb 18 16:22 audioentropy.pp -rw-r--r--. 1 root root 753878 Feb 18 16:22 auditadm.pp -rw-r--r--. 1 root root 40076 Feb 18 16:22 authbind.pp -rw-r--r--. 1 root root 221019 Feb 18 16:22 authlogin.pp -rw-r--r--. 1 root root 102626 Feb 18 16:23 automount.pp -rw-r--r--. 1 root root 85569 Feb 18 16:23 avahi.pp -rw-r--r--. 1 root root 107027 Feb 18 16:23 awstats.pp -rw-r--r--. 1 root root 62329 Feb 18 16:23 backup.pp -rw-r--r--. 1 root root 399695 Feb 18 16:22 base.conf -rw-r--r--. 1 root root 18796 Feb 18 16:22 base.fc -rw-r--r--. 1 root root 216829 Feb 18 16:22 base.pp -rw-r--r--. 1 root root 140207 Feb 18 16:23 bind.pp -rw-r--r--. 1 root root 66225 Feb 18 16:23 bitlbee.pp -rw-r--r--. 1 root root 139368 Feb 18 16:23 bluetooth.pp -rw-r--r--. 1 root root 80937 Feb 18 16:23 bootloader.pp -rw-r--r--. 1 root root 52367 Feb 18 16:23 brctl.pp -rw-r--r--. 1 root root 1876 Feb 18 15:07 build.conf -rw-r--r--. 1 root root 65172 Feb 18 16:23 calamaris.pp -rw-r--r--. 1 root root 67655 Feb 18 16:23 canna.pp -rw-r--r--. 1 root root 61204 Feb 18 16:23 ccs.pp -rw-r--r--. 1 root root 55858 Feb 18 16:23 cdrecord.pp -rw-r--r--. 1 root root 50845 Feb 18 16:23 certwatch.pp -rw-r--r--. 1 root root 64046 Feb 18 16:23 cipe.pp -rw-r--r--. 1 root root 103605 Feb 18 16:23 clamav.pp -rw-r--r--. 1 root root 59601 Feb 18 16:23 clock.pp -rw-r--r--. 1 root root 63339 Feb 18 16:23 clockspeed.pp -rw-r--r--. 1 root root 78906 Feb 18 16:23 comsat.pp drwxr-xr-x. 5 root root 4096 Feb 18 15:07 config -rw-r--r--. 1 root root 78754 Feb 18 16:23 consolekit.pp -rw-r--r--. 1 root root 79723 Feb 18 16:23 consoletype.pp -rw-r--r--. 1 root root 195175 Feb 18 16:23 courier.pp -rw-r--r--. 1 root root 74398 Feb 18 16:23 cpucontrol.pp -rw-r--r--. 1 root root 322765 Feb 18 16:23 cron.pp -rw-r--r--. 1 root root 329577 Feb 18 16:23 cups.pp -rw-r--r--. 1 root root 163792 Feb 18 16:23 cvs.pp -rw-r--r--. 1 root root 69304 Feb 18 16:23 cyphesis.pp -rw-r--r--. 1 root root 106686 Feb 18 16:23 cyrus.pp -rw-r--r--. 1 root root 74198 Feb 18 16:23 daemontools.pp -rw-r--r--. 1 root root 56714 Feb 18 16:23 dante.pp -rw-r--r--. 1 root root 79827 Feb 18 16:23 dbskk.pp -rw-r--r--. 1 root root 85897 Feb 18 16:23 dbus.pp -rw-r--r--. 1 root root 272791 Feb 18 16:23 dcc.pp -rw-r--r--. 1 root root 65441 Feb 18 16:23 ddclient.pp -rw-r--r--. 1 root root 47878 Feb 18 16:23 ddcprobe.pp -rw-r--r--. 1 root root 90148 Feb 18 16:23 dhcp.pp -rw-r--r--. 1 root root 69008 Feb 18 16:23 dictd.pp -rw-r--r--. 1 root root 66681 Feb 18 16:23 distcc.pp -rw-r--r--. 1 root root 71355 Feb 18 16:23 djbdns.pp -rw-r--r--. 1 root root 50208 Feb 18 16:23 dmesg.pp -rw-r--r--. 1 root root 40065 Feb 18 16:23 dmidecode.pp -rw-r--r--. 1 root root 68387 Feb 18 16:23 dnsmasq.pp drwxr-xr-x. 3 root root 4096 Feb 18 15:07 doc -rw-r--r--. 1 root root 162926 Feb 18 16:23 dovecot.pp -rw-r--r--. 1 root root 182116 Feb 18 16:23 dpkg.pp -rw-r--r--. 1 root root 88687 Feb 18 16:23 ethereal.pp -rw-r--r--. 1 root root 224088 Feb 18 16:23 evolution.pp -rw-r--r--. 1 root root 80311 Feb 18 16:23 exim.pp -rw-r--r--. 1 root root 83356 Feb 18 16:23 fail2ban.pp -rw-r--r--. 1 root root 64211 Feb 18 16:23 fetchmail.pp -rw-r--r--. 1 root root 86742 Feb 18 16:23 finger.pp -rw-r--r--. 1 root root 99547 Feb 18 16:23 firstboot.pp -rw-r--r--. 1 root root 81899 Feb 18 16:23 fstools.pp -rw-r--r--. 1 root root 158768 Feb 18 16:23 ftp.pp -rw-r--r--. 1 root root 93012 Feb 18 16:23 games.pp -rw-r--r--. 1 root root 66196 Feb 18 16:23 gatekeeper.pp -rw-r--r--. 1 root root 74271 Feb 18 16:23 getty.pp -rw-r--r--. 1 root root 78777 Feb 18 16:23 gift.pp -rw-r--r--. 1 root root 50256 Feb 18 16:23 gnome.pp -rw-r--r--. 1 root root 100423 Feb 18 16:23 gpg.pp -rw-r--r--. 1 root root 55431 Feb 18 16:23 gpm.pp -rw-r--r--. 1 root root 251392 Feb 18 16:23 hal.pp -rw-r--r--. 1 root root 55456 Feb 18 16:23 hostname.pp -rw-r--r--. 1 root root 120056 Feb 18 16:23 hotplug.pp -rw-r--r--. 1 root root 64416 Feb 18 16:23 howl.pp -rw-r--r--. 1 root root 70466 Feb 18 16:23 i18n_input.pp -rw-r--r--. 1 root root 65292 Feb 18 16:23 imaze.pp -rw-r--r--. 1 root root 143501 Feb 18 16:23 inetd.pp -rw-r--r--. 1 root root 350464 Feb 18 16:23 init.pp -rw-r--r--. 1 root root 80386 Feb 18 16:23 inn.pp -rw-r--r--. 1 root root 136329 Feb 18 16:23 ipsec.pp -rw-r--r--. 1 root root 95237 Feb 18 16:23 iptables.pp -rw-r--r--. 1 root root 59437 Feb 18 16:23 irc.pp -rw-r--r--. 1 root root 66059 Feb 18 16:23 ircd.pp -rw-r--r--. 1 root root 54736 Feb 18 16:23 irqbalance.pp -rw-r--r--. 1 root root 62424 Feb 18 16:23 iscsi.pp -rw-r--r--. 1 root root 67208 Feb 18 16:23 jabber.pp -rw-r--r--. 1 root root 112129 Feb 18 16:23 java.pp -rw-r--r--. 1 root root 137581 Feb 18 16:23 kerberos.pp -rw-r--r--. 1 root root 55757 Feb 18 16:23 kerneloops.pp -rw-r--r--. 1 root root 65653 Feb 18 16:23 kismet.pp -rw-r--r--. 1 root root 79367 Feb 18 16:23 ktalk.pp -rw-r--r--. 1 root root 98201 Feb 18 16:23 kudzu.pp -rw-r--r--. 1 root root 92449 Feb 18 16:23 ldap.pp -rw-r--r--. 1 root root 60657 Feb 18 16:23 libraries.pp -rw-r--r--. 1 root root 46017 Feb 18 16:23 loadkeys.pp -rw-r--r--. 1 root root 196440 Feb 18 16:23 locallogin.pp -rw-r--r--. 1 root root 42047 Feb 18 16:23 lockdev.pp -rw-r--r--. 1 root root 199269 Feb 18 16:23 logging.pp -rw-r--r--. 1 root root 108028 Feb 18 16:23 logrotate.pp -rw-r--r--. 1 root root 98264 Feb 18 16:23 logwatch.pp -rw-r--r--. 1 root root 149090 Feb 18 16:23 lpd.pp -rw-r--r--. 1 root root 129311 Feb 18 16:23 lvm.pp -rw-r--r--. 1 root root 198209 Feb 18 16:23 mailman.pp drwxr-xr-x. 4 root root 4096 Feb 18 15:07 man -rw-r--r--. 1 root root 51908 Feb 18 16:23 memcached.pp -rw-r--r--. 1 root root 86439 Feb 18 16:23 milter.pp -rw-r--r--. 1 root root 31851 Feb 18 16:23 miscfiles.pp -rw-r--r--. 1 root root 115111 Feb 18 16:23 modutils.pp -rw-r--r--. 1 root root 68509 Feb 18 16:23 mono.pp -rw-r--r--. 1 root root 63488 Feb 18 16:23 monop.pp -rw-r--r--. 1 root root 120983 Feb 18 16:23 mount.pp -rw-r--r--. 1 root root 108633 Feb 18 16:23 mozilla.pp -rw-r--r--. 1 root root 96700 Feb 18 16:23 mplayer.pp -rw-r--r--. 1 root root 93972 Feb 18 16:23 mrtg.pp -rw-r--r--. 1 root root 168313 Feb 18 16:23 mta.pp -rw-r--r--. 1 root root 73212 Feb 18 16:23 munin.pp -rw-r--r--. 1 root root 87041 Feb 18 16:23 mysql.pp -rw-r--r--. 1 root root 137366 Feb 18 16:23 nagios.pp -rw-r--r--. 1 root root 67814 Feb 18 16:23 nessus.pp -rw-r--r--. 1 root root 39973 Feb 18 16:23 netlabel.pp -rw-r--r--. 1 root root 157555 Feb 18 16:23 netutils.pp -rw-r--r--. 1 root root 115159 Feb 18 16:23 networkmanager.pp -rw-r--r--. 1 root root 134665 Feb 18 16:23 nis.pp -rw-r--r--. 1 root root 84959 Feb 18 16:23 nscd.pp -rw-r--r--. 1 root root 95238 Feb 18 16:23 nsd.pp -rw-r--r--. 1 root root 66496 Feb 18 16:23 ntop.pp -rw-r--r--. 1 root root 102060 Feb 18 16:23 ntp.pp -rw-r--r--. 1 root root 92837 Feb 18 16:23 nx.pp -rw-r--r--. 1 root root 77674 Feb 18 16:23 oav.pp -rw-r--r--. 1 root root 82852 Feb 18 16:23 oddjob.pp -rw-r--r--. 1 root root 61117 Feb 18 16:23 oident.pp -rw-r--r--. 1 root root 42834 Feb 18 16:23 openca.pp -rw-r--r--. 1 root root 54539 Feb 18 16:23 openct.pp -rw-r--r--. 1 root root 70448 Feb 18 16:23 openvpn.pp -rw-r--r--. 1 root root 78864 Feb 18 16:23 pcmcia.pp -rw-r--r--. 1 root root 65014 Feb 18 16:23 pcscd.pp -rw-r--r--. 1 root root 116613 Feb 18 16:24 pegasus.pp -rw-r--r--. 1 root root 56203 Feb 18 16:24 perdition.pp -rw-r--r--. 1 root root 43502 Feb 18 16:24 podsleuth.pp drwxr-xr-x. 5 root root 4096 Feb 18 16:36 policy -rw-r--r--. 1 root root 148288 Feb 18 16:24 portage.pp -rw-r--r--. 1 root root 90102 Feb 18 16:24 portmap.pp -rw-r--r--. 1 root root 115728 Feb 18 16:24 portslave.pp -rw-r--r--. 1 root root 714170 Feb 18 16:24 postfix.pp -rw-r--r--. 1 root root 53386 Feb 18 16:24 postfixpolicyd.pp -rw-r--r--. 1 root root 130088 Feb 18 16:24 postgresql.pp -rw-r--r--. 1 root root 70444 Feb 18 16:24 postgrey.pp -rw-r--r--. 1 root root 139258 Feb 18 16:24 ppp.pp -rw-r--r--. 1 root root 55264 Feb 18 16:24 prelink.pp -rw-r--r--. 1 root root 155082 Feb 18 16:24 prelude.pp -rw-r--r--. 1 root root 72238 Feb 18 16:24 privoxy.pp -rw-r--r--. 1 root root 95161 Feb 18 16:24 procmail.pp -rw-r--r--. 1 root root 54352 Feb 18 16:24 publicfile.pp -rw-r--r--. 1 root root 53870 Feb 18 16:24 pxe.pp -rw-r--r--. 1 root root 116164 Feb 18 16:24 pyzor.pp -rw-r--r--. 1 root root 93642 Feb 18 16:24 qemu.pp -rw-r--r--. 1 root root 264774 Feb 18 16:24 qmail.pp -rw-r--r--. 1 root root 55902 Feb 18 16:24 quota.pp -rw-r--r--. 1 root root 122131 Feb 18 16:24 radius.pp -rw-r--r--. 1 root root 65765 Feb 18 16:24 radvd.pp -rw-r--r--. 1 root root 82274 Feb 18 16:24 raid.pp -rw-r--r--. 1 root root 108144 Feb 18 16:24 razor.pp -rw-r--r--. 1 root root 54359 Feb 18 16:24 rdisc.pp -rw-r--r--. 1 root root 66150 Feb 18 16:24 readahead.pp -rw-r--r--. 1 root root 151191 Feb 18 16:24 remotelogin.pp -rw-r--r--. 1 root root 55738 Feb 18 16:24 resmgr.pp -rw-r--r--. 1 root root 80366 Feb 18 16:24 rhgb.pp -rw-r--r--. 1 root root 278922 Feb 18 16:24 ricci.pp -rw-r--r--. 1 root root 113168 Feb 18 16:24 rlogin.pp -rw-r--r--. 1 root root 62661 Feb 18 16:24 roundup.pp -rw-r--r--. 1 root root 222357 Feb 18 16:24 rpc.pp -rw-r--r--. 1 root root 57311 Feb 18 16:24 rpcbind.pp -rw-r--r--. 1 root root 208833 Feb 18 16:24 rpm.pp -rw-r--r--. 1 root root 132869 Feb 18 16:24 rshd.pp -rw-r--r--. 1 root root 56752 Feb 18 16:24 rssh.pp -rw-r--r--. 1 root root 100247 Feb 18 16:24 rsync.pp -rw-r--r--. 1 root root 53794 Feb 18 16:24 rwho.pp -rw-r--r--. 1 root root 501041 Feb 18 16:24 samba.pp -rw-r--r--. 1 root root 116865 Feb 18 16:24 sasl.pp -rw-r--r--. 1 root root 32153 Feb 18 16:24 screen.pp -rw-r--r--. 1 root root 758738 Feb 18 16:24 secadm.pp -rw-r--r--. 1 root root 316588 Feb 18 16:24 selinuxutil.pp -rw-r--r--. 1 root root 96940 Feb 18 16:24 sendmail.pp -rw-r--r--. 1 root root 54132 Feb 18 16:24 setrans.pp -rw-r--r--. 1 root root 94235 Feb 18 16:24 setroubleshoot.pp -rw-r--r--. 1 root root 69886 Feb 18 16:24 slocate.pp -rw-r--r--. 1 root root 57287 Feb 18 16:24 slrnpull.pp -rw-r--r--. 1 root root 68831 Feb 18 16:24 smartmon.pp -rw-r--r--. 1 root root 108741 Feb 18 16:24 snmp.pp -rw-r--r--. 1 root root 60989 Feb 18 16:24 snort.pp -rw-r--r--. 1 root root 64634 Feb 18 16:24 soundserver.pp -rw-r--r--. 1 root root 171492 Feb 18 16:24 spamassassin.pp -rw-r--r--. 1 root root 54698 Feb 18 16:24 speedtouch.pp -rw-r--r--. 1 root root 180578 Feb 18 16:24 squid.pp -rw-r--r--. 1 root root 279950 Feb 18 16:24 ssh.pp -rw-r--r--. 1 root root 720590 Feb 18 16:24 staff.pp -rw-r--r--. 1 root root 34192 Feb 18 16:24 storage.pp -rw-r--r--. 1 root root 85508 Feb 18 16:24 stunnel.pp -rw-r--r--. 1 root root 29824 Feb 18 16:24 su.pp -rw-r--r--. 1 root root 29768 Feb 18 16:24 sudo.pp drwxr-xr-x. 2 root root 4096 Feb 18 16:15 support -rw-r--r--. 1 root root 59783 Feb 18 16:24 sxid.pp -rw-r--r--. 1 root root 957005 Feb 18 16:24 sysadm.pp -rw-r--r--. 1 root root 144933 Feb 18 16:24 sysnetwork.pp -rw-r--r--. 1 root root 54729 Feb 18 16:24 sysstat.pp -rw-r--r--. 1 root root 52775 Feb 18 16:24 tcpd.pp -rw-r--r--. 1 root root 86646 Feb 18 16:24 telnet.pp -rw-r--r--. 1 root root 90348 Feb 18 16:24 tftp.pp -rw-r--r--. 1 root root 113471 Feb 18 16:24 thunderbird.pp -rw-r--r--. 1 root root 63905 Feb 18 16:24 timidity.pp drwxr-xr-x. 2 root root 36864 Feb 18 16:25 tmp -rw-r--r--. 1 root root 47763 Feb 18 16:24 tmpreaper.pp -rw-r--r--. 1 root root 77128 Feb 18 16:24 tor.pp -rw-r--r--. 1 root root 55189 Feb 18 16:24 transproxy.pp -rw-r--r--. 1 root root 89792 Feb 18 16:24 tripwire.pp -rw-r--r--. 1 root root 62480 Feb 18 16:24 tvtime.pp -rw-r--r--. 1 root root 55602 Feb 18 16:24 tzdata.pp -rw-r--r--. 1 root root 68207 Feb 18 16:24 ucspitcp.pp -rw-r--r--. 1 root root 132495 Feb 18 16:24 udev.pp -rw-r--r--. 1 root root 84610 Feb 18 16:24 uml.pp -rw-r--r--. 1 root root 242448 Feb 18 16:24 unconfined.pp -rw-r--r--. 1 root root 715268 Feb 18 16:24 unprivuser.pp -rw-r--r--. 1 root root 74784 Feb 18 16:24 updfstab.pp -rw-r--r--. 1 root root 57820 Feb 18 16:24 uptime.pp -rw-r--r--. 1 root root 48374 Feb 18 16:24 usbmodules.pp -rw-r--r--. 1 root root 35738 Feb 18 16:24 userdomain.pp -rw-r--r--. 1 root root 30046 Feb 18 16:24 userhelper.pp -rw-r--r--. 1 root root 295491 Feb 18 16:24 usermanage.pp -rw-r--r--. 1 root root 78414 Feb 18 16:24 usernetctl.pp -rw-r--r--. 1 root root 100071 Feb 18 16:24 uucp.pp -rw-r--r--. 1 root root 97364 Feb 18 16:24 uwimap.pp -rw-r--r--. 1 root root 45186 Feb 18 16:24 vbetool.pp -rw-r--r--. 1 root root 130978 Feb 18 16:24 virt.pp -rw-r--r--. 1 root root 108071 Feb 18 16:24 vmware.pp -rw-r--r--. 1 root root 83858 Feb 18 16:24 vpn.pp -rw-r--r--. 1 root root 89388 Feb 18 16:24 w3c.pp -rw-r--r--. 1 root root 69752 Feb 18 16:24 watchdog.pp -rw-r--r--. 1 root root 67982 Feb 18 16:24 webalizer.pp -rw-r--r--. 1 root root 60854 Feb 18 16:24 wine.pp -rw-r--r--. 1 root root 65013 Feb 18 16:24 wireshark.pp -rw-r--r--. 1 root root 151169 Feb 18 16:24 xen.pp -rw-r--r--. 1 root root 79747 Feb 18 16:24 xfs.pp -rw-r--r--. 1 root root 68048 Feb 18 16:24 xprint.pp -rw-r--r--. 1 root root 404586 Feb 18 16:24 xserver.pp -rw-r--r--. 1 root root 72176 Feb 18 16:24 yam.pp -rw-r--r--. 1 root root 52302 Feb 18 16:24 zabbix.pp -rw-r--r--. 1 root root 76147 Feb 18 16:24 zebra.pp /etc/selinux/refpolicy-standard/src/policy/config: total 16 drwxr-xr-x. 2 root root 4096 Feb 18 15:07 appconfig-mcs drwxr-xr-x. 2 root root 4096 Feb 18 15:07 appconfig-mls drwxr-xr-x. 2 root root 4096 Feb 18 16:11 appconfig-standard -rw-r--r--. 1 root root 722 Feb 18 15:07 local.users /etc/selinux/refpolicy-standard/src/policy/config/appconfig-mcs: total 64 -rw-r--r--. 1 root root 195 Feb 18 15:07 dbus_contexts -rw-r--r--. 1 root root 1018 Feb 18 15:07 default_contexts -rw-r--r--. 1 root root 114 Feb 18 15:07 default_type -rw-r--r--. 1 root root 21 Feb 18 15:07 failsafe_context -rw-r--r--. 1 root root 30 Feb 18 15:07 initrc_context -rw-r--r--. 1 root root 139 Feb 18 15:07 media -rw-r--r--. 1 root root 33 Feb 18 15:07 removable_context -rw-r--r--. 1 root root 724 Feb 18 15:07 root_default_contexts -rw-r--r--. 1 root root 123 Feb 18 15:07 securetty_types -rw-r--r--. 1 root root 86 Feb 18 15:07 seusers -rw-r--r--. 1 root root 433 Feb 18 15:07 staff_u_default_contexts -rw-r--r--. 1 root root 503 Feb 18 15:07 unconfined_u_default_contexts -rw-r--r--. 1 root root 280 Feb 18 15:07 user_u_default_contexts -rw-r--r--. 1 root root 30 Feb 18 15:07 userhelper_context -rw-r--r--. 1 root root 7327 Feb 18 15:07 x_contexts /etc/selinux/refpolicy-standard/src/policy/config/appconfig-mls: total 64 -rw-r--r--. 1 root root 195 Feb 18 15:07 dbus_contexts -rw-r--r--. 1 root root 1018 Feb 18 15:07 default_contexts -rw-r--r--. 1 root root 114 Feb 18 15:07 default_type -rw-r--r--. 1 root root 21 Feb 18 15:07 failsafe_context -rw-r--r--. 1 root root 45 Feb 18 15:07 initrc_context -rw-r--r--. 1 root root 139 Feb 18 15:07 media -rw-r--r--. 1 root root 33 Feb 18 15:07 removable_context -rw-r--r--. 1 root root 724 Feb 18 15:07 root_default_contexts -rw-r--r--. 1 root root 123 Feb 18 15:07 securetty_types -rw-r--r--. 1 root root 86 Feb 18 15:07 seusers -rw-r--r--. 1 root root 433 Feb 18 15:07 staff_u_default_contexts -rw-r--r--. 1 root root 503 Feb 18 15:07 unconfined_u_default_contexts -rw-r--r--. 1 root root 280 Feb 18 15:07 user_u_default_contexts -rw-r--r--. 1 root root 30 Feb 18 15:07 userhelper_context -rw-r--r--. 1 root root 7327 Feb 18 15:07 x_contexts /etc/selinux/refpolicy-standard/src/policy/config/appconfig-standard: total 64 -rw-r--r--. 1 root root 195 Feb 18 15:07 dbus_contexts -rw-r--r--. 1 root root 875 Feb 18 15:07 default_contexts -rw-r--r--. 1 root root 114 Feb 18 15:07 default_type -rw-r--r--. 1 root root 18 Feb 18 15:07 failsafe_context -rw-r--r--. 1 root root 27 Feb 18 15:07 initrc_context -rw-r--r--. 1 root root 130 Feb 18 15:07 media -rw-r--r--. 1 root root 30 Feb 18 15:07 removable_context -rw-r--r--. 1 root root 630 Feb 18 15:07 root_default_contexts -rw-r--r--. 1 root root 123 Feb 18 15:07 securetty_types -rw-r--r--. 1 root root 47 Feb 18 15:07 seusers -rw-r--r--. 1 root root 378 Feb 18 15:07 staff_u_default_contexts -rw-r--r--. 1 root root 452 Feb 18 15:07 unconfined_u_default_contexts -rw-r--r--. 1 root root 242 Feb 18 15:07 user_u_default_contexts -rw-r--r--. 1 root root 27 Feb 18 15:07 userhelper_context -rw-r--r--. 1 root root 7051 Feb 18 15:07 x_contexts /etc/selinux/refpolicy-standard/src/policy/doc: total 1436 -rw-r--r--. 1 root root 195 Feb 18 15:07 Makefile.example -rw-r--r--. 1 root root 185 Feb 18 15:07 example.fc -rw-r--r--. 1 root root 1033 Feb 18 15:07 example.if -rw-r--r--. 1 root root 516 Feb 18 15:07 example.te -rw-r--r--. 1 root root 550 Feb 18 15:07 global_booleans.xml -rw-r--r--. 1 root root 2654 Feb 18 15:07 global_tunables.xml -rw-r--r--. 1 root root 1393 Feb 18 15:07 policy.dtd -rw-r--r--. 1 root root 1435250 Feb 18 16:22 policy.xml drwxr-xr-x. 2 root root 4096 Feb 18 15:07 templates /etc/selinux/refpolicy-standard/src/policy/doc/templates: total 64 -rw-r--r--. 1 root root 531 Feb 18 15:07 bool_list.html -rw-r--r--. 1 root root 296 Feb 18 15:07 boolean.html -rw-r--r--. 1 root root 281 Feb 18 15:07 global_bool_list.html -rw-r--r--. 1 root root 275 Feb 18 15:07 global_tun_list.html -rw-r--r--. 1 root root 280 Feb 18 15:07 header.html -rw-r--r--. 1 root root 705 Feb 18 15:07 int_list.html -rw-r--r--. 1 root root 997 Feb 18 15:07 interface.html -rw-r--r--. 1 root root 806 Feb 18 15:07 menu.html -rw-r--r--. 1 root root 1062 Feb 18 15:07 module.html -rw-r--r--. 1 root root 492 Feb 18 15:07 module_list.html -rw-r--r--. 1 root root 4282 Feb 18 15:07 style.css -rw-r--r--. 1 root root 708 Feb 18 15:07 temp_list.html -rw-r--r--. 1 root root 998 Feb 18 15:07 template.html -rw-r--r--. 1 root root 517 Feb 18 15:07 tun_list.html -rw-r--r--. 1 root root 288 Feb 18 15:07 tunable.html /etc/selinux/refpolicy-standard/src/policy/man: total 8 drwxr-xr-x. 2 root root 4096 Feb 18 15:07 man8 drwxr-xr-x. 3 root root 4096 Feb 18 15:07 ru /etc/selinux/refpolicy-standard/src/policy/man/man8: total 40 -rw-r--r--. 1 root root 2022 Feb 18 15:07 ftpd_selinux.8 -rw-r--r--. 1 root root 5100 Feb 18 15:07 httpd_selinux.8 -rw-r--r--. 1 root root 870 Feb 18 15:07 kerberos_selinux.8 -rw-r--r--. 1 root root 891 Feb 18 15:07 named_selinux.8 -rw-r--r--. 1 root root 1075 Feb 18 15:07 nfs_selinux.8 -rw-r--r--. 1 root root 26 Feb 18 15:07 nis_selinux.8 -rw-r--r--. 1 root root 1676 Feb 18 15:07 rsync_selinux.8 -rw-r--r--. 1 root root 2178 Feb 18 15:07 samba_selinux.8 -rw-r--r--. 1 root root 746 Feb 18 15:07 ypbind_selinux.8 /etc/selinux/refpolicy-standard/src/policy/man/ru: total 4 drwxr-xr-x. 2 root root 4096 Feb 18 15:07 man8 /etc/selinux/refpolicy-standard/src/policy/man/ru/man8: total 44 -rw-r--r--. 1 root root 4020 Feb 18 15:07 ftpd_selinux.8 -rw-r--r--. 1 root root 9266 Feb 18 15:07 httpd_selinux.8 -rw-r--r--. 1 root root 1513 Feb 18 15:07 kerberos_selinux.8 -rw-r--r--. 1 root root 1562 Feb 18 15:07 named_selinux.8 -rw-r--r--. 1 root root 1936 Feb 18 15:07 nfs_selinux.8 -rw-r--r--. 1 root root 3122 Feb 18 15:07 rsync_selinux.8 -rw-r--r--. 1 root root 4181 Feb 18 15:07 samba_selinux.8 -rw-r--r--. 1 root root 1300 Feb 18 15:07 ypbind_selinux.8 /etc/selinux/refpolicy-standard/src/policy/policy: total 108 -rw-r--r--. 1 root root 9044 Feb 18 16:22 booleans.conf -rw-r--r--. 1 root root 6072 Feb 18 15:07 constraints drwxr-xr-x. 2 root root 4096 Feb 18 15:07 flask -rw-r--r--. 1 root root 692 Feb 18 15:07 global_booleans -rw-r--r--. 1 root root 2717 Feb 18 15:07 global_tunables -rw-r--r--. 1 root root 3789 Feb 18 15:07 mcs -rw-r--r--. 1 root root 22208 Feb 18 15:07 mls drwxr-xr-x. 8 root root 4096 Feb 18 15:07 modules -rw-r--r--. 1 root root 26074 Feb 18 16:22 modules.conf -rw-r--r--. 1 root root 661 Feb 18 15:07 policy_capabilities -rw-r--r--. 1 root root 331 Feb 18 15:07 rolemap drwxr-xr-x. 2 root root 4096 Feb 18 15:07 support -rw-r--r--. 1 root root 1809 Feb 18 15:07 users /etc/selinux/refpolicy-standard/src/policy/policy/flask: total 40 -rw-r--r--. 1 root root 1615 Feb 18 15:07 Makefile -rw-r--r--. 1 root root 8270 Feb 18 15:07 access_vectors -rw-r--r--. 1 root root 14532 Feb 18 15:07 flask.py -rw-r--r--. 1 root root 417 Feb 18 15:07 initial_sids -rw-r--r--. 1 root root 2136 Feb 18 15:07 security_classes /etc/selinux/refpolicy-standard/src/policy/policy/modules: total 40 drwxr-xr-x. 2 root root 4096 Feb 18 15:07 admin drwxr-xr-x. 2 root root 4096 Feb 18 15:07 apps drwxr-xr-x. 2 root root 4096 Feb 18 15:07 kernel drwxr-xr-x. 2 root root 4096 Feb 18 15:07 roles drwxr-xr-x. 2 root root 20480 Feb 18 15:07 services drwxr-xr-x. 2 root root 4096 Feb 18 15:07 system /etc/selinux/refpolicy-standard/src/policy/policy/modules/admin: total 536 -rw-r--r--. 1 root root 280 Feb 18 15:07 acct.fc -rw-r--r--. 1 root root 1659 Feb 18 15:07 acct.if -rw-r--r--. 1 root root 1799 Feb 18 15:07 acct.te -rw-r--r--. 1 root root 615 Feb 18 15:07 alsa.fc -rw-r--r--. 1 root root 1812 Feb 18 15:07 alsa.if -rw-r--r--. 1 root root 1543 Feb 18 15:07 alsa.te -rw-r--r--. 1 root root 1687 Feb 18 15:07 amanda.fc -rw-r--r--. 1 root root 3190 Feb 18 15:07 amanda.if -rw-r--r--. 1 root root 7567 Feb 18 15:07 amanda.te -rw-r--r--. 1 root root 63 Feb 18 15:07 amtu.fc -rw-r--r--. 1 root root 849 Feb 18 15:07 amtu.if -rw-r--r--. 1 root root 558 Feb 18 15:07 amtu.te -rw-r--r--. 1 root root 164 Feb 18 15:07 anaconda.fc -rw-r--r--. 1 root root 57 Feb 18 15:07 anaconda.if -rw-r--r--. 1 root root 1076 Feb 18 15:07 anaconda.te -rw-r--r--. 1 root root 685 Feb 18 15:07 apt.fc -rw-r--r--. 1 root root 3843 Feb 18 15:07 apt.if -rw-r--r--. 1 root root 3645 Feb 18 15:07 apt.te -rw-r--r--. 1 root root 535 Feb 18 15:07 backup.fc -rw-r--r--. 1 root root 886 Feb 18 15:07 backup.if -rw-r--r--. 1 root root 2056 Feb 18 15:07 backup.te -rw-r--r--. 1 root root 353 Feb 18 15:07 bootloader.fc -rw-r--r--. 1 root root 2680 Feb 18 15:07 bootloader.if -rw-r--r--. 1 root root 6026 Feb 18 15:07 bootloader.te -rw-r--r--. 1 root root 67 Feb 18 15:07 brctl.fc -rw-r--r--. 1 root root 414 Feb 18 15:07 brctl.if -rw-r--r--. 1 root root 919 Feb 18 15:07 brctl.te -rw-r--r--. 1 root root 73 Feb 18 15:07 certwatch.fc -rw-r--r--. 1 root root 1787 Feb 18 15:07 certwatch.if -rw-r--r--. 1 root root 946 Feb 18 15:07 certwatch.te -rw-r--r--. 1 root root 75 Feb 18 15:07 consoletype.fc -rw-r--r--. 1 root root 1430 Feb 18 15:07 consoletype.if -rw-r--r--. 1 root root 2882 Feb 18 15:07 consoletype.te -rw-r--r--. 1 root root 83 Feb 18 15:07 ddcprobe.fc -rw-r--r--. 1 root root 978 Feb 18 15:07 ddcprobe.if -rw-r--r--. 1 root root 1156 Feb 18 15:07 ddcprobe.te -rw-r--r--. 1 root root 64 Feb 18 15:07 dmesg.fc -rw-r--r--. 1 root root 775 Feb 18 15:07 dmesg.if -rw-r--r--. 1 root root 1152 Feb 18 15:07 dmesg.te -rw-r--r--. 1 root root 223 Feb 18 15:07 dmidecode.fc -rw-r--r--. 1 root root 1094 Feb 18 15:07 dmidecode.if -rw-r--r--. 1 root root 565 Feb 18 15:07 dmidecode.te -rw-r--r--. 1 root root 629 Feb 18 15:07 dpkg.fc -rw-r--r--. 1 root root 4772 Feb 18 15:07 dpkg.if -rw-r--r--. 1 root root 10091 Feb 18 15:07 dpkg.te -rw-r--r--. 1 root root 165 Feb 18 15:07 firstboot.fc -rw-r--r--. 1 root root 3196 Feb 18 15:07 firstboot.if -rw-r--r--. 1 root root 3192 Feb 18 15:07 firstboot.te -rw-r--r--. 1 root root 296 Feb 18 15:07 kismet.fc -rw-r--r--. 1 root root 4932 Feb 18 15:07 kismet.if -rw-r--r--. 1 root root 1435 Feb 18 15:07 kismet.te -rw-r--r--. 1 root root 194 Feb 18 15:07 kudzu.fc -rw-r--r--. 1 root root 1288 Feb 18 15:07 kudzu.if -rw-r--r--. 1 root root 3913 Feb 18 15:07 kudzu.te -rw-r--r--. 1 root root 361 Feb 18 15:07 logrotate.fc -rw-r--r--. 1 root root 2344 Feb 18 15:07 logrotate.if -rw-r--r--. 1 root root 4992 Feb 18 15:07 logrotate.te -rw-r--r--. 1 root root 397 Feb 18 15:07 logwatch.fc -rw-r--r--. 1 root root 737 Feb 18 15:07 logwatch.if -rw-r--r--. 1 root root 2949 Feb 18 15:07 logwatch.te -rw-r--r--. 1 root root 95 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 499 Feb 18 15:07 mrtg.fc -rw-r--r--. 1 root root 420 Feb 18 15:07 mrtg.if -rw-r--r--. 1 root root 3589 Feb 18 15:07 mrtg.te -rw-r--r--. 1 root root 712 Feb 18 15:07 netutils.fc -rw-r--r--. 1 root root 5644 Feb 18 15:07 netutils.if -rw-r--r--. 1 root root 5671 Feb 18 15:07 netutils.te -rw-r--r--. 1 root root 1544 Feb 18 15:07 portage.fc -rw-r--r--. 1 root root 6484 Feb 18 15:07 portage.if -rw-r--r--. 1 root root 7444 Feb 18 15:07 portage.te -rw-r--r--. 1 root root 302 Feb 18 15:07 prelink.fc -rw-r--r--. 1 root root 2317 Feb 18 15:07 prelink.if -rw-r--r--. 1 root root 2446 Feb 18 15:07 prelink.te -rw-r--r--. 1 root root 782 Feb 18 15:07 quota.fc -rw-r--r--. 1 root root 1672 Feb 18 15:07 quota.if -rw-r--r--. 1 root root 1943 Feb 18 15:07 quota.te -rw-r--r--. 1 root root 152 Feb 18 15:07 readahead.fc -rw-r--r--. 1 root root 85 Feb 18 15:07 readahead.if -rw-r--r--. 1 root root 2390 Feb 18 15:07 readahead.te -rw-r--r--. 1 root root 1816 Feb 18 15:07 rpm.fc -rw-r--r--. 1 root root 5768 Feb 18 15:07 rpm.if -rw-r--r--. 1 root root 10101 Feb 18 15:07 rpm.te -rw-r--r--. 1 root root 191 Feb 18 15:07 su.fc -rw-r--r--. 1 root root 7482 Feb 18 15:07 su.if -rw-r--r--. 1 root root 166 Feb 18 15:07 su.te -rw-r--r--. 1 root root 71 Feb 18 15:07 sudo.fc -rw-r--r--. 1 root root 3386 Feb 18 15:07 sudo.if -rw-r--r--. 1 root root 147 Feb 18 15:07 sudo.te -rw-r--r--. 1 root root 350 Feb 18 15:07 sxid.fc -rw-r--r--. 1 root root 421 Feb 18 15:07 sxid.if -rw-r--r--. 1 root root 2191 Feb 18 15:07 sxid.te -rw-r--r--. 1 root root 149 Feb 18 15:07 tmpreaper.fc -rw-r--r--. 1 root root 453 Feb 18 15:07 tmpreaper.if -rw-r--r--. 1 root root 939 Feb 18 15:07 tmpreaper.te -rw-r--r--. 1 root root 521 Feb 18 15:07 tripwire.fc -rw-r--r--. 1 root root 3991 Feb 18 15:07 tripwire.if -rw-r--r--. 1 root root 3991 Feb 18 15:07 tripwire.te -rw-r--r--. 1 root root 75 Feb 18 15:07 tzdata.fc -rw-r--r--. 1 root root 826 Feb 18 15:07 tzdata.if -rw-r--r--. 1 root root 691 Feb 18 15:07 tzdata.te -rw-r--r--. 1 root root 147 Feb 18 15:07 updfstab.fc -rw-r--r--. 1 root root 478 Feb 18 15:07 updfstab.if -rw-r--r--. 1 root root 2725 Feb 18 15:07 updfstab.te -rw-r--r--. 1 root root 173 Feb 18 15:07 usbmodules.fc -rw-r--r--. 1 root root 993 Feb 18 15:07 usbmodules.if -rw-r--r--. 1 root root 918 Feb 18 15:07 usbmodules.te -rw-r--r--. 1 root root 1887 Feb 18 15:07 usermanage.fc -rw-r--r--. 1 root root 5722 Feb 18 15:07 usermanage.if -rw-r--r--. 1 root root 15057 Feb 18 15:07 usermanage.te -rw-r--r--. 1 root root 70 Feb 18 15:07 vbetool.fc -rw-r--r--. 1 root root 452 Feb 18 15:07 vbetool.if -rw-r--r--. 1 root root 647 Feb 18 15:07 vbetool.te -rw-r--r--. 1 root root 291 Feb 18 15:07 vpn.fc -rw-r--r--. 1 root root 1552 Feb 18 15:07 vpn.if -rw-r--r--. 1 root root 3099 Feb 18 15:07 vpn.te /etc/selinux/refpolicy-standard/src/policy/policy/modules/apps: total 484 -rw-r--r--. 1 root root 285 Feb 18 15:07 ada.fc -rw-r--r--. 1 root root 836 Feb 18 15:07 ada.if -rw-r--r--. 1 root root 384 Feb 18 15:07 ada.te -rw-r--r--. 1 root root 155 Feb 18 15:07 authbind.fc -rw-r--r--. 1 root root 487 Feb 18 15:07 authbind.if -rw-r--r--. 1 root root 660 Feb 18 15:07 authbind.te -rw-r--r--. 1 root root 359 Feb 18 15:07 awstats.fc -rw-r--r--. 1 root root 976 Feb 18 15:07 awstats.if -rw-r--r--. 1 root root 1659 Feb 18 15:07 awstats.te -rw-r--r--. 1 root root 254 Feb 18 15:07 calamaris.fc -rw-r--r--. 1 root root 498 Feb 18 15:07 calamaris.if -rw-r--r--. 1 root root 2149 Feb 18 15:07 calamaris.te -rw-r--r--. 1 root root 83 Feb 18 15:07 cdrecord.fc -rw-r--r--. 1 root root 747 Feb 18 15:07 cdrecord.if -rw-r--r--. 1 root root 3562 Feb 18 15:07 cdrecord.te -rw-r--r--. 1 root root 231 Feb 18 15:07 ethereal.fc -rw-r--r--. 1 root root 2159 Feb 18 15:07 ethereal.if -rw-r--r--. 1 root root 5349 Feb 18 15:07 ethereal.te -rw-r--r--. 1 root root 800 Feb 18 15:07 evolution.fc -rw-r--r--. 1 root root 3939 Feb 18 15:07 evolution.if -rw-r--r--. 1 root root 23678 Feb 18 15:07 evolution.te -rw-r--r--. 1 root root 3886 Feb 18 15:07 games.fc -rw-r--r--. 1 root root 678 Feb 18 15:07 games.if -rw-r--r--. 1 root root 5282 Feb 18 15:07 games.te -rw-r--r--. 1 root root 373 Feb 18 15:07 gift.fc -rw-r--r--. 1 root root 1111 Feb 18 15:07 gift.if -rw-r--r--. 1 root root 4356 Feb 18 15:07 gift.te -rw-r--r--. 1 root root 356 Feb 18 15:07 gnome.fc -rw-r--r--. 1 root root 1972 Feb 18 15:07 gnome.if -rw-r--r--. 1 root root 2101 Feb 18 15:07 gnome.te -rw-r--r--. 1 root root 493 Feb 18 15:07 gpg.fc -rw-r--r--. 1 root root 2051 Feb 18 15:07 gpg.if -rw-r--r--. 1 root root 7621 Feb 18 15:07 gpg.te -rw-r--r--. 1 root root 285 Feb 18 15:07 irc.fc -rw-r--r--. 1 root root 593 Feb 18 15:07 irc.if -rw-r--r--. 1 root root 2882 Feb 18 15:07 irc.te -rw-r--r--. 1 root root 1280 Feb 18 15:07 java.fc -rw-r--r--. 1 root root 1457 Feb 18 15:07 java.if -rw-r--r--. 1 root root 4293 Feb 18 15:07 java.te -rw-r--r--. 1 root root 136 Feb 18 15:07 loadkeys.fc -rw-r--r--. 1 root root 1279 Feb 18 15:07 loadkeys.if -rw-r--r--. 1 root root 983 Feb 18 15:07 loadkeys.te -rw-r--r--. 1 root root 71 Feb 18 15:07 lockdev.fc -rw-r--r--. 1 root root 709 Feb 18 15:07 lockdev.if -rw-r--r--. 1 root root 991 Feb 18 15:07 lockdev.te -rw-r--r--. 1 root root 51 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 63 Feb 18 15:07 mono.fc -rw-r--r--. 1 root root 764 Feb 18 15:07 mono.if -rw-r--r--. 1 root root 762 Feb 18 15:07 mono.te -rw-r--r--. 1 root root 1583 Feb 18 15:07 mozilla.fc -rw-r--r--. 1 root root 3298 Feb 18 15:07 mozilla.if -rw-r--r--. 1 root root 7917 Feb 18 15:07 mozilla.te -rw-r--r--. 1 root root 380 Feb 18 15:07 mplayer.fc -rw-r--r--. 1 root root 1973 Feb 18 15:07 mplayer.if -rw-r--r--. 1 root root 8807 Feb 18 15:07 mplayer.te -rw-r--r--. 1 root root 74 Feb 18 15:07 podsleuth.fc -rw-r--r--. 1 root root 455 Feb 18 15:07 podsleuth.if -rw-r--r--. 1 root root 712 Feb 18 15:07 podsleuth.te -rw-r--r--. 1 root root 130 Feb 18 15:07 qemu.fc -rw-r--r--. 1 root root 4108 Feb 18 15:07 qemu.if -rw-r--r--. 1 root root 1011 Feb 18 15:07 qemu.te -rw-r--r--. 1 root root 63 Feb 18 15:07 rssh.fc -rw-r--r--. 1 root root 1250 Feb 18 15:07 rssh.if -rw-r--r--. 1 root root 2399 Feb 18 15:07 rssh.te -rw-r--r--. 1 root root 292 Feb 18 15:07 screen.fc -rw-r--r--. 1 root root 4912 Feb 18 15:07 screen.if -rw-r--r--. 1 root root 974 Feb 18 15:07 screen.te -rw-r--r--. 1 root root 149 Feb 18 15:07 slocate.fc -rw-r--r--. 1 root root 873 Feb 18 15:07 slocate.if -rw-r--r--. 1 root root 1495 Feb 18 15:07 slocate.te -rw-r--r--. 1 root root 177 Feb 18 15:07 thunderbird.fc -rw-r--r--. 1 root root 1766 Feb 18 15:07 thunderbird.if -rw-r--r--. 1 root root 7475 Feb 18 15:07 thunderbird.te -rw-r--r--. 1 root root 80 Feb 18 15:07 tvtime.fc -rw-r--r--. 1 root root 1041 Feb 18 15:07 tvtime.if -rw-r--r--. 1 root root 3087 Feb 18 15:07 tvtime.te -rw-r--r--. 1 root root 264 Feb 18 15:07 uml.fc -rw-r--r--. 1 root root 3010 Feb 18 15:07 uml.if -rw-r--r--. 1 root root 5533 Feb 18 15:07 uml.te -rw-r--r--. 1 root root 187 Feb 18 15:07 userhelper.fc -rw-r--r--. 1 root root 7020 Feb 18 15:07 userhelper.if -rw-r--r--. 1 root root 250 Feb 18 15:07 userhelper.te -rw-r--r--. 1 root root 77 Feb 18 15:07 usernetctl.fc -rw-r--r--. 1 root root 1252 Feb 18 15:07 usernetctl.if -rw-r--r--. 1 root root 1833 Feb 18 15:07 usernetctl.te -rw-r--r--. 1 root root 4074 Feb 18 15:07 vmware.fc -rw-r--r--. 1 root root 1704 Feb 18 15:07 vmware.if -rw-r--r--. 1 root root 8466 Feb 18 15:07 vmware.te -rw-r--r--. 1 root root 176 Feb 18 15:07 webalizer.fc -rw-r--r--. 1 root root 958 Feb 18 15:07 webalizer.if -rw-r--r--. 1 root root 2939 Feb 18 15:07 webalizer.te -rw-r--r--. 1 root root 214 Feb 18 15:07 wine.fc -rw-r--r--. 1 root root 913 Feb 18 15:07 wine.if -rw-r--r--. 1 root root 458 Feb 18 15:07 wine.te -rw-r--r--. 1 root root 155 Feb 18 15:07 wireshark.fc -rw-r--r--. 1 root root 1388 Feb 18 15:07 wireshark.if -rw-r--r--. 1 root root 4147 Feb 18 15:07 wireshark.te -rw-r--r--. 1 root root 260 Feb 18 15:07 yam.fc -rw-r--r--. 1 root root 1250 Feb 18 15:07 yam.if -rw-r--r--. 1 root root 3289 Feb 18 15:07 yam.te /etc/selinux/refpolicy-standard/src/policy/policy/modules/kernel: total 1864 -rw-r--r--. 1 root root 15457 Feb 18 15:07 corecommands.fc -rw-r--r--. 1 root root 22048 Feb 18 15:07 corecommands.if -rw-r--r--. 1 root root 506 Feb 18 15:07 corecommands.te -rw-r--r--. 1 root root 317 Feb 18 15:07 corenetwork.fc -rw-r--r--. 1 root root 1171858 Feb 18 16:14 corenetwork.if -rw-r--r--. 1 root root 57247 Feb 18 15:07 corenetwork.if.in -rw-r--r--. 1 root root 14791 Feb 18 15:07 corenetwork.if.m4 -rw-r--r--. 1 root root 56418 Feb 18 16:14 corenetwork.te -rw-r--r--. 1 root root 10665 Feb 18 15:07 corenetwork.te.in -rw-r--r--. 1 root root 2065 Feb 18 15:07 corenetwork.te.m4 -rw-r--r--. 1 root root 7599 Feb 18 15:07 devices.fc -rw-r--r--. 1 root root 66332 Feb 18 15:07 devices.if -rw-r--r--. 1 root root 4025 Feb 18 15:07 devices.te -rw-r--r--. 1 root root 57 Feb 18 15:07 domain.fc -rw-r--r--. 1 root root 26494 Feb 18 15:07 domain.if -rw-r--r--. 1 root root 4527 Feb 18 15:07 domain.te -rw-r--r--. 1 root root 7708 Feb 18 15:07 files.fc -rw-r--r--. 1 root root 96187 Feb 18 15:07 files.if -rw-r--r--. 1 root root 4792 Feb 18 15:07 files.te -rw-r--r--. 1 root root 57 Feb 18 15:07 filesystem.fc -rw-r--r--. 1 root root 67951 Feb 18 15:07 filesystem.if -rw-r--r--. 1 root root 8219 Feb 18 15:07 filesystem.te -rw-r--r--. 1 root root 57 Feb 18 15:07 kernel.fc -rw-r--r--. 1 root root 52521 Feb 18 15:07 kernel.if -rw-r--r--. 1 root root 11359 Feb 18 15:07 kernel.te -rw-r--r--. 1 root root 23 Feb 18 15:07 mcs.fc -rw-r--r--. 1 root root 1294 Feb 18 15:07 mcs.if -rw-r--r--. 1 root root 157 Feb 18 15:07 mcs.te -rw-r--r--. 1 root root 56 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 24 Feb 18 15:07 mls.fc -rw-r--r--. 1 root root 18660 Feb 18 15:07 mls.if -rw-r--r--. 1 root root 1349 Feb 18 15:07 mls.te -rw-r--r--. 1 root root 57 Feb 18 15:07 selinux.fc -rw-r--r--. 1 root root 11263 Feb 18 15:07 selinux.if -rw-r--r--. 1 root root 1503 Feb 18 15:07 selinux.te -rw-r--r--. 1 root root 4783 Feb 18 15:07 storage.fc -rw-r--r--. 1 root root 17186 Feb 18 15:07 storage.if -rw-r--r--. 1 root root 1552 Feb 18 15:07 storage.te -rw-r--r--. 1 root root 1935 Feb 18 15:07 terminal.fc -rw-r--r--. 1 root root 22106 Feb 18 15:07 terminal.if -rw-r--r--. 1 root root 1092 Feb 18 15:07 terminal.te -rw-r--r--. 1 root root 24 Feb 18 15:07 ubac.fc -rw-r--r--. 1 root root 3305 Feb 18 15:07 ubac.if -rw-r--r--. 1 root root 299 Feb 18 15:07 ubac.te /etc/selinux/refpolicy-standard/src/policy/policy/modules/roles: total 68 -rw-r--r--. 1 root root 56 Feb 18 15:07 auditadm.fc -rw-r--r--. 1 root root 917 Feb 18 15:07 auditadm.if -rw-r--r--. 1 root root 3089 Feb 18 15:07 auditadm.te -rw-r--r--. 1 root root 50 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 56 Feb 18 15:07 secadm.fc -rw-r--r--. 1 root root 927 Feb 18 15:07 secadm.if -rw-r--r--. 1 root root 3099 Feb 18 15:07 secadm.te -rw-r--r--. 1 root root 56 Feb 18 15:07 staff.fc -rw-r--r--. 1 root root 871 Feb 18 15:07 staff.if -rw-r--r--. 1 root root 2392 Feb 18 15:07 staff.te -rw-r--r--. 1 root root 56 Feb 18 15:07 sysadm.fc -rw-r--r--. 1 root root 4033 Feb 18 15:07 sysadm.if -rw-r--r--. 1 root root 7365 Feb 18 15:07 sysadm.te -rw-r--r--. 1 root root 56 Feb 18 15:07 unprivuser.fc -rw-r--r--. 1 root root 890 Feb 18 15:07 unprivuser.if -rw-r--r--. 1 root root 2148 Feb 18 15:07 unprivuser.te /etc/selinux/refpolicy-standard/src/policy/policy/modules/services: total 2284 -rw-r--r--. 1 root root 1199 Feb 18 15:07 afs.fc -rw-r--r--. 1 root root 47 Feb 18 15:07 afs.if -rw-r--r--. 1 root root 9986 Feb 18 15:07 afs.te -rw-r--r--. 1 root root 312 Feb 18 15:07 aide.fc -rw-r--r--. 1 root root 1325 Feb 18 15:07 aide.if -rw-r--r--. 1 root root 707 Feb 18 15:07 aide.te -rw-r--r--. 1 root root 940 Feb 18 15:07 amavis.fc -rw-r--r--. 1 root root 4874 Feb 18 15:07 amavis.if -rw-r--r--. 1 root root 5080 Feb 18 15:07 amavis.te -rw-r--r--. 1 root root 4453 Feb 18 15:07 apache.fc -rw-r--r--. 1 root root 27358 Feb 18 15:07 apache.if -rw-r--r--. 1 root root 22330 Feb 18 15:07 apache.te -rw-r--r--. 1 root root 892 Feb 18 15:07 apcupsd.fc -rw-r--r--. 1 root root 3066 Feb 18 15:07 apcupsd.if -rw-r--r--. 1 root root 3441 Feb 18 15:07 apcupsd.te -rw-r--r--. 1 root root 754 Feb 18 15:07 apm.fc -rw-r--r--. 1 root root 2091 Feb 18 15:07 apm.if -rw-r--r--. 1 root root 5226 Feb 18 15:07 apm.te -rw-r--r--. 1 root root 330 Feb 18 15:07 arpwatch.fc -rw-r--r--. 1 root root 2743 Feb 18 15:07 arpwatch.if -rw-r--r--. 1 root root 2638 Feb 18 15:07 arpwatch.te -rw-r--r--. 1 root root 539 Feb 18 15:07 asterisk.fc -rw-r--r--. 1 root root 1262 Feb 18 15:07 asterisk.if -rw-r--r--. 1 root root 4554 Feb 18 15:07 asterisk.te -rw-r--r--. 1 root root 175 Feb 18 15:07 audioentropy.fc -rw-r--r--. 1 root root 56 Feb 18 15:07 audioentropy.if -rw-r--r--. 1 root root 1393 Feb 18 15:07 audioentropy.te -rw-r--r--. 1 root root 349 Feb 18 15:07 automount.fc -rw-r--r--. 1 root root 3189 Feb 18 15:07 automount.if -rw-r--r--. 1 root root 5384 Feb 18 15:07 automount.te -rw-r--r--. 1 root root 471 Feb 18 15:07 avahi.fc -rw-r--r--. 1 root root 2972 Feb 18 15:07 avahi.if -rw-r--r--. 1 root root 2790 Feb 18 15:07 avahi.te -rw-r--r--. 1 root root 3194 Feb 18 15:07 bind.fc -rw-r--r--. 1 root root 6021 Feb 18 15:07 bind.if -rw-r--r--. 1 root root 6680 Feb 18 15:07 bind.te -rw-r--r--. 1 root root 299 Feb 18 15:07 bitlbee.fc -rw-r--r--. 1 root root 1291 Feb 18 15:07 bitlbee.if -rw-r--r--. 1 root root 2570 Feb 18 15:07 bitlbee.te -rw-r--r--. 1 root root 1256 Feb 18 15:07 bluetooth.fc -rw-r--r--. 1 root root 4875 Feb 18 15:07 bluetooth.if -rw-r--r--. 1 root root 7812 Feb 18 15:07 bluetooth.te -rw-r--r--. 1 root root 895 Feb 18 15:07 canna.fc -rw-r--r--. 1 root root 1381 Feb 18 15:07 canna.if -rw-r--r--. 1 root root 2402 Feb 18 15:07 canna.te -rw-r--r--. 1 root root 412 Feb 18 15:07 ccs.fc -rw-r--r--. 1 root root 1482 Feb 18 15:07 ccs.if -rw-r--r--. 1 root root 3075 Feb 18 15:07 ccs.te -rw-r--r--. 1 root root 79 Feb 18 15:07 cipe.fc -rw-r--r--. 1 root root 46 Feb 18 15:07 cipe.if -rw-r--r--. 1 root root 1653 Feb 18 15:07 cipe.te -rw-r--r--. 1 root root 1052 Feb 18 15:07 clamav.fc -rw-r--r--. 1 root root 1788 Feb 18 15:07 clamav.if -rw-r--r--. 1 root root 6529 Feb 18 15:07 clamav.te -rw-r--r--. 1 root root 494 Feb 18 15:07 clockspeed.fc -rw-r--r--. 1 root root 952 Feb 18 15:07 clockspeed.if -rw-r--r--. 1 root root 2238 Feb 18 15:07 clockspeed.te -rw-r--r--. 1 root root 73 Feb 18 15:07 comsat.fc -rw-r--r--. 1 root root 45 Feb 18 15:07 comsat.if -rw-r--r--. 1 root root 1844 Feb 18 15:07 comsat.te -rw-r--r--. 1 root root 168 Feb 18 15:07 consolekit.fc -rw-r--r--. 1 root root 853 Feb 18 15:07 consolekit.if -rw-r--r--. 1 root root 1579 Feb 18 15:07 consolekit.te -rw-r--r--. 1 root root 1537 Feb 18 15:07 courier.fc -rw-r--r--. 1 root root 4525 Feb 18 15:07 courier.if -rw-r--r--. 1 root root 3883 Feb 18 15:07 courier.te -rw-r--r--. 1 root root 447 Feb 18 15:07 cpucontrol.fc -rw-r--r--. 1 root root 382 Feb 18 15:07 cpucontrol.if -rw-r--r--. 1 root root 2692 Feb 18 15:07 cpucontrol.te -rw-r--r--. 1 root root 2292 Feb 18 15:07 cron.fc -rw-r--r--. 1 root root 10623 Feb 18 15:07 cron.if -rw-r--r--. 1 root root 17145 Feb 18 15:07 cron.te -rw-r--r--. 1 root root 2950 Feb 18 15:07 cups.fc -rw-r--r--. 1 root root 4812 Feb 18 15:07 cups.if -rw-r--r--. 1 root root 17536 Feb 18 15:07 cups.te -rw-r--r--. 1 root root 389 Feb 18 15:07 cvs.fc -rw-r--r--. 1 root root 1592 Feb 18 15:07 cvs.if -rw-r--r--. 1 root root 2798 Feb 18 15:07 cvs.te -rw-r--r--. 1 root root 71 Feb 18 15:07 cyphesis.fc -rw-r--r--. 1 root root 412 Feb 18 15:07 cyphesis.if -rw-r--r--. 1 root root 2270 Feb 18 15:07 cyphesis.te -rw-r--r--. 1 root root 247 Feb 18 15:07 cyrus.fc -rw-r--r--. 1 root root 1805 Feb 18 15:07 cyrus.if -rw-r--r--. 1 root root 3911 Feb 18 15:07 cyrus.te -rw-r--r--. 1 root root 208 Feb 18 15:07 dante.fc -rw-r--r--. 1 root root 62 Feb 18 15:07 dante.if -rw-r--r--. 1 root root 1898 Feb 18 15:07 dante.te -rw-r--r--. 1 root root 73 Feb 18 15:07 dbskk.fc -rw-r--r--. 1 root root 82 Feb 18 15:07 dbskk.if -rw-r--r--. 1 root root 1772 Feb 18 15:07 dbskk.te -rw-r--r--. 1 root root 558 Feb 18 15:07 dbus.fc -rw-r--r--. 1 root root 7636 Feb 18 15:07 dbus.if -rw-r--r--. 1 root root 4122 Feb 18 15:07 dbus.te -rw-r--r--. 1 root root 993 Feb 18 15:07 dcc.fc -rw-r--r--. 1 root root 3430 Feb 18 15:07 dcc.if -rw-r--r--. 1 root root 10908 Feb 18 15:07 dcc.te -rw-r--r--. 1 root root 756 Feb 18 15:07 ddclient.fc -rw-r--r--. 1 root root 1550 Feb 18 15:07 ddclient.if -rw-r--r--. 1 root root 3063 Feb 18 15:07 ddclient.te -rw-r--r--. 1 root root 384 Feb 18 15:07 dhcp.fc -rw-r--r--. 1 root root 1342 Feb 18 15:07 dhcp.if -rw-r--r--. 1 root root 3248 Feb 18 15:07 dhcp.te -rw-r--r--. 1 root root 364 Feb 18 15:07 dictd.fc -rw-r--r--. 1 root root 1269 Feb 18 15:07 dictd.if -rw-r--r--. 1 root root 2335 Feb 18 15:07 dictd.te -rw-r--r--. 1 root root 70 Feb 18 15:07 distcc.fc -rw-r--r--. 1 root root 50 Feb 18 15:07 distcc.if -rw-r--r--. 1 root root 2410 Feb 18 15:07 distcc.te -rw-r--r--. 1 root root 480 Feb 18 15:07 djbdns.fc -rw-r--r--. 1 root root 1714 Feb 18 15:07 djbdns.if -rw-r--r--. 1 root root 1197 Feb 18 15:07 djbdns.te -rw-r--r--. 1 root root 395 Feb 18 15:07 dnsmasq.fc -rw-r--r--. 1 root root 1951 Feb 18 15:07 dnsmasq.if -rw-r--r--. 1 root root 2651 Feb 18 15:07 dnsmasq.te -rw-r--r--. 1 root root 1136 Feb 18 15:07 dovecot.fc -rw-r--r--. 1 root root 838 Feb 18 15:07 dovecot.if -rw-r--r--. 1 root root 5287 Feb 18 15:07 dovecot.te -rw-r--r--. 1 root root 400 Feb 18 15:07 exim.fc -rw-r--r--. 1 root root 2907 Feb 18 15:07 exim.if -rw-r--r--. 1 root root 2874 Feb 18 15:07 exim.te -rw-r--r--. 1 root root 387 Feb 18 15:07 fail2ban.fc -rw-r--r--. 1 root root 2554 Feb 18 15:07 fail2ban.if -rw-r--r--. 1 root root 2178 Feb 18 15:07 fail2ban.te -rw-r--r--. 1 root root 357 Feb 18 15:07 fetchmail.fc -rw-r--r--. 1 root root 658 Feb 18 15:07 fetchmail.if -rw-r--r--. 1 root root 2693 Feb 18 15:07 fetchmail.te -rw-r--r--. 1 root root 423 Feb 18 15:07 finger.fc -rw-r--r--. 1 root root 747 Feb 18 15:07 finger.if -rw-r--r--. 1 root root 3021 Feb 18 15:07 finger.te -rw-r--r--. 1 root root 1241 Feb 18 15:07 ftp.fc -rw-r--r--. 1 root root 3311 Feb 18 15:07 ftp.if -rw-r--r--. 1 root root 7544 Feb 18 15:07 ftp.te -rw-r--r--. 1 root root 443 Feb 18 15:07 gatekeeper.fc -rw-r--r--. 1 root root 57 Feb 18 15:07 gatekeeper.if -rw-r--r--. 1 root root 2760 Feb 18 15:07 gatekeeper.te -rw-r--r--. 1 root root 247 Feb 18 15:07 gpm.fc -rw-r--r--. 1 root root 1554 Feb 18 15:07 gpm.if -rw-r--r--. 1 root root 1661 Feb 18 15:07 gpm.te -rw-r--r--. 1 root root 1607 Feb 18 15:07 hal.fc -rw-r--r--. 1 root root 6059 Feb 18 15:07 hal.if -rw-r--r--. 1 root root 10330 Feb 18 15:07 hal.te -rw-r--r--. 1 root root 209 Feb 18 15:07 howl.fc -rw-r--r--. 1 root root 352 Feb 18 15:07 howl.if -rw-r--r--. 1 root root 1839 Feb 18 15:07 howl.te -rw-r--r--. 1 root root 623 Feb 18 15:07 i18n_input.fc -rw-r--r--. 1 root root 327 Feb 18 15:07 i18n_input.if -rw-r--r--. 1 root root 2877 Feb 18 15:07 i18n_input.te -rw-r--r--. 1 root root 230 Feb 18 15:07 imaze.fc -rw-r--r--. 1 root root 40 Feb 18 15:07 imaze.if -rw-r--r--. 1 root root 2845 Feb 18 15:07 imaze.te -rw-r--r--. 1 root root 594 Feb 18 15:07 inetd.fc -rw-r--r--. 1 root root 4360 Feb 18 15:07 inetd.if -rw-r--r--. 1 root root 6658 Feb 18 15:07 inetd.te -rw-r--r--. 1 root root 3958 Feb 18 15:07 inn.fc -rw-r--r--. 1 root root 4430 Feb 18 15:07 inn.if -rw-r--r--. 1 root root 3328 Feb 18 15:07 inn.te -rw-r--r--. 1 root root 374 Feb 18 15:07 ircd.fc -rw-r--r--. 1 root root 33 Feb 18 15:07 ircd.if -rw-r--r--. 1 root root 2138 Feb 18 15:07 ircd.te -rw-r--r--. 1 root root 77 Feb 18 15:07 irqbalance.fc -rw-r--r--. 1 root root 43 Feb 18 15:07 irqbalance.if -rw-r--r--. 1 root root 1345 Feb 18 15:07 irqbalance.te -rw-r--r--. 1 root root 303 Feb 18 15:07 jabber.fc -rw-r--r--. 1 root root 1299 Feb 18 15:07 jabber.if -rw-r--r--. 1 root root 2464 Feb 18 15:07 jabber.te -rw-r--r--. 1 root root 1710 Feb 18 15:07 kerberos.fc -rw-r--r--. 1 root root 7605 Feb 18 15:07 kerberos.if -rw-r--r--. 1 root root 8340 Feb 18 15:07 kerberos.te -rw-r--r--. 1 root root 169 Feb 18 15:07 kerneloops.fc -rw-r--r--. 1 root root 2027 Feb 18 15:07 kerneloops.if -rw-r--r--. 1 root root 1271 Feb 18 15:07 kerneloops.te -rw-r--r--. 1 root root 281 Feb 18 15:07 ktalk.fc -rw-r--r--. 1 root root 38 Feb 18 15:07 ktalk.if -rw-r--r--. 1 root root 1985 Feb 18 15:07 ktalk.te -rw-r--r--. 1 root root 750 Feb 18 15:07 ldap.fc -rw-r--r--. 1 root root 2442 Feb 18 15:07 ldap.if -rw-r--r--. 1 root root 3479 Feb 18 15:07 ldap.te -rw-r--r--. 1 root root 1595 Feb 18 15:07 lpd.fc -rw-r--r--. 1 root root 4043 Feb 18 15:07 lpd.if -rw-r--r--. 1 root root 9186 Feb 18 15:07 lpd.te -rw-r--r--. 1 root root 1488 Feb 18 15:07 mailman.fc -rw-r--r--. 1 root root 7505 Feb 18 15:07 mailman.if -rw-r--r--. 1 root root 2782 Feb 18 15:07 mailman.te -rw-r--r--. 1 root root 246 Feb 18 15:07 memcached.fc -rw-r--r--. 1 root root 1569 Feb 18 15:07 memcached.if -rw-r--r--. 1 root root 1433 Feb 18 15:07 memcached.te -rw-r--r--. 1 root root 103 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 436 Feb 18 15:07 milter.fc -rw-r--r--. 1 root root 2103 Feb 18 15:07 milter.if -rw-r--r--. 1 root root 1512 Feb 18 15:07 milter.te -rw-r--r--. 1 root root 216 Feb 18 15:07 monop.fc -rw-r--r--. 1 root root 38 Feb 18 15:07 monop.if -rw-r--r--. 1 root root 2042 Feb 18 15:07 monop.te -rw-r--r--. 1 root root 1289 Feb 18 15:07 mta.fc -rw-r--r--. 1 root root 17792 Feb 18 15:07 mta.if -rw-r--r--. 1 root root 5853 Feb 18 15:07 mta.te -rw-r--r--. 1 root root 646 Feb 18 15:07 munin.fc -rw-r--r--. 1 root root 1661 Feb 18 15:07 munin.if -rw-r--r--. 1 root root 3101 Feb 18 15:07 munin.te -rw-r--r--. 1 root root 712 Feb 18 15:07 mysql.fc -rw-r--r--. 1 root root 4627 Feb 18 15:07 mysql.if -rw-r--r--. 1 root root 3496 Feb 18 15:07 mysql.te -rw-r--r--. 1 root root 770 Feb 18 15:07 nagios.fc -rw-r--r--. 1 root root 1587 Feb 18 15:07 nagios.if -rw-r--r--. 1 root root 5101 Feb 18 15:07 nagios.te -rw-r--r--. 1 root root 377 Feb 18 15:07 nessus.fc -rw-r--r--. 1 root root 349 Feb 18 15:07 nessus.if -rw-r--r--. 1 root root 2825 Feb 18 15:07 nessus.te -rw-r--r--. 1 root root 770 Feb 18 15:07 networkmanager.fc -rw-r--r--. 1 root root 2777 Feb 18 15:07 networkmanager.if -rw-r--r--. 1 root root 6435 Feb 18 15:07 networkmanager.te -rw-r--r--. 1 root root 485 Feb 18 15:07 nis.fc -rw-r--r--. 1 root root 5330 Feb 18 15:07 nis.if -rw-r--r--. 1 root root 9272 Feb 18 15:07 nis.te -rw-r--r--. 1 root root 424 Feb 18 15:07 nscd.fc -rw-r--r--. 1 root root 4218 Feb 18 15:07 nscd.if -rw-r--r--. 1 root root 3203 Feb 18 15:07 nscd.te -rw-r--r--. 1 root root 740 Feb 18 15:07 nsd.fc -rw-r--r--. 1 root root 634 Feb 18 15:07 nsd.if -rw-r--r--. 1 root root 4450 Feb 18 15:07 nsd.te -rw-r--r--. 1 root root 351 Feb 18 15:07 ntop.fc -rw-r--r--. 1 root root 34 Feb 18 15:07 ntop.if -rw-r--r--. 1 root root 2577 Feb 18 15:07 ntop.te -rw-r--r--. 1 root root 1080 Feb 18 15:07 ntp.fc -rw-r--r--. 1 root root 2040 Feb 18 15:07 ntp.if -rw-r--r--. 1 root root 3478 Feb 18 15:07 ntp.te -rw-r--r--. 1 root root 316 Feb 18 15:07 nx.fc -rw-r--r--. 1 root root 386 Feb 18 15:07 nx.if -rw-r--r--. 1 root root 2683 Feb 18 15:07 nx.te -rw-r--r--. 1 root root 588 Feb 18 15:07 oav.fc -rw-r--r--. 1 root root 973 Feb 18 15:07 oav.if -rw-r--r--. 1 root root 4172 Feb 18 15:07 oav.te -rw-r--r--. 1 root root 234 Feb 18 15:07 oddjob.fc -rw-r--r--. 1 root root 1796 Feb 18 15:07 oddjob.if -rw-r--r--. 1 root root 2090 Feb 18 15:07 oddjob.te -rw-r--r--. 1 root root 393 Feb 18 15:07 oident.fc -rw-r--r--. 1 root root 1501 Feb 18 15:07 oident.if -rw-r--r--. 1 root root 2029 Feb 18 15:07 oident.te -rw-r--r--. 1 root root 557 Feb 18 15:07 openca.fc -rw-r--r--. 1 root root 1401 Feb 18 15:07 openca.if -rw-r--r--. 1 root root 2281 Feb 18 15:07 openca.te -rw-r--r--. 1 root root 246 Feb 18 15:07 openct.fc -rw-r--r--. 1 root root 1819 Feb 18 15:07 openct.if -rw-r--r--. 1 root root 1281 Feb 18 15:07 openct.te -rw-r--r--. 1 root root 407 Feb 18 15:07 openvpn.fc -rw-r--r--. 1 root root 2662 Feb 18 15:07 openvpn.if -rw-r--r--. 1 root root 3300 Feb 18 15:07 openvpn.te -rw-r--r--. 1 root root 288 Feb 18 15:07 pcscd.fc -rw-r--r--. 1 root root 1139 Feb 18 15:07 pcscd.if -rw-r--r--. 1 root root 1612 Feb 18 15:07 pcscd.te -rw-r--r--. 1 root root 579 Feb 18 15:07 pegasus.fc -rw-r--r--. 1 root root 62 Feb 18 15:07 pegasus.if -rw-r--r--. 1 root root 4006 Feb 18 15:07 pegasus.te -rw-r--r--. 1 root root 147 Feb 18 15:07 perdition.fc -rw-r--r--. 1 root root 378 Feb 18 15:07 perdition.if -rw-r--r--. 1 root root 1957 Feb 18 15:07 perdition.te -rw-r--r--. 1 root root 497 Feb 18 15:07 portmap.fc -rw-r--r--. 1 root root 1970 Feb 18 15:07 portmap.if -rw-r--r--. 1 root root 4526 Feb 18 15:07 portmap.te -rw-r--r--. 1 root root 224 Feb 18 15:07 portslave.fc -rw-r--r--. 1 root root 419 Feb 18 15:07 portslave.if -rw-r--r--. 1 root root 3582 Feb 18 15:07 portslave.te -rw-r--r--. 1 root root 4041 Feb 18 15:07 postfix.fc -rw-r--r--. 1 root root 11275 Feb 18 15:07 postfix.if -rw-r--r--. 1 root root 17838 Feb 18 15:07 postfix.te -rw-r--r--. 1 root root 350 Feb 18 15:07 postfixpolicyd.fc -rw-r--r--. 1 root root 1022 Feb 18 15:07 postfixpolicyd.if -rw-r--r--. 1 root root 1728 Feb 18 15:07 postfixpolicyd.te -rw-r--r--. 1 root root 1676 Feb 18 15:07 postgresql.fc -rw-r--r--. 1 root root 8742 Feb 18 15:07 postgresql.if -rw-r--r--. 1 root root 13146 Feb 18 15:07 postgresql.te -rw-r--r--. 1 root root 555 Feb 18 15:07 postgrey.fc -rw-r--r--. 1 root root 1842 Feb 18 15:07 postgrey.if -rw-r--r--. 1 root root 2898 Feb 18 15:07 postgrey.te -rw-r--r--. 1 root root 1347 Feb 18 15:07 ppp.fc -rw-r--r--. 1 root root 6490 Feb 18 15:07 ppp.if -rw-r--r--. 1 root root 7513 Feb 18 15:07 ppp.te -rw-r--r--. 1 root root 582 Feb 18 15:07 prelude.fc -rw-r--r--. 1 root root 2026 Feb 18 15:07 prelude.if -rw-r--r--. 1 root root 3788 Feb 18 15:07 prelude.te -rw-r--r--. 1 root root 394 Feb 18 15:07 privoxy.fc -rw-r--r--. 1 root root 980 Feb 18 15:07 privoxy.if -rw-r--r--. 1 root root 2474 Feb 18 15:07 privoxy.te -rw-r--r--. 1 root root 225 Feb 18 15:07 procmail.fc -rw-r--r--. 1 root root 1496 Feb 18 15:07 procmail.if -rw-r--r--. 1 root root 4276 Feb 18 15:07 procmail.te -rw-r--r--. 1 root root 295 Feb 18 15:07 publicfile.fc -rw-r--r--. 1 root root 83 Feb 18 15:07 publicfile.if -rw-r--r--. 1 root root 743 Feb 18 15:07 publicfile.te -rw-r--r--. 1 root root 200 Feb 18 15:07 pxe.fc -rw-r--r--. 1 root root 63 Feb 18 15:07 pxe.if -rw-r--r--. 1 root root 1216 Feb 18 15:07 pxe.te -rw-r--r--. 1 root root 417 Feb 18 15:07 pyzor.fc -rw-r--r--. 1 root root 1767 Feb 18 15:07 pyzor.if -rw-r--r--. 1 root root 4099 Feb 18 15:07 pyzor.te -rw-r--r--. 1 root root 2733 Feb 18 15:07 qmail.fc -rw-r--r--. 1 root root 3041 Feb 18 15:07 qmail.if -rw-r--r--. 1 root root 8454 Feb 18 15:07 qmail.te -rw-r--r--. 1 root root 1315 Feb 18 15:07 radius.fc -rw-r--r--. 1 root root 1412 Feb 18 15:07 radius.if -rw-r--r--. 1 root root 4098 Feb 18 15:07 radius.te -rw-r--r--. 1 root root 362 Feb 18 15:07 radvd.fc -rw-r--r--. 1 root root 866 Feb 18 15:07 radvd.if -rw-r--r--. 1 root root 2088 Feb 18 15:07 radvd.te -rw-r--r--. 1 root root 352 Feb 18 15:07 razor.fc -rw-r--r--. 1 root root 4416 Feb 18 15:07 razor.if -rw-r--r--. 1 root root 3533 Feb 18 15:07 razor.te -rw-r--r--. 1 root root 63 Feb 18 15:07 rdisc.fc -rw-r--r--. 1 root root 54 Feb 18 15:07 rdisc.if -rw-r--r--. 1 root root 1287 Feb 18 15:07 rdisc.te -rw-r--r--. 1 root root 48 Feb 18 15:07 remotelogin.fc -rw-r--r--. 1 root root 779 Feb 18 15:07 remotelogin.if -rw-r--r--. 1 root root 4054 Feb 18 15:07 remotelogin.te -rw-r--r--. 1 root root 295 Feb 18 15:07 resmgr.fc -rw-r--r--. 1 root root 495 Feb 18 15:07 resmgr.if -rw-r--r--. 1 root root 1585 Feb 18 15:07 resmgr.te -rw-r--r--. 1 root root 75 Feb 18 15:07 rhgb.fc -rw-r--r--. 1 root root 3656 Feb 18 15:07 rhgb.if -rw-r--r--. 1 root root 3603 Feb 18 15:07 rhgb.te -rw-r--r--. 1 root root 1005 Feb 18 15:07 ricci.fc -rw-r--r--. 1 root root 3646 Feb 18 15:07 ricci.if -rw-r--r--. 1 root root 12684 Feb 18 15:07 ricci.te -rw-r--r--. 1 root root 235 Feb 18 15:07 rlogin.fc -rw-r--r--. 1 root root 429 Feb 18 15:07 rlogin.if -rw-r--r--. 1 root root 2638 Feb 18 15:07 rlogin.te -rw-r--r--. 1 root root 265 Feb 18 15:07 roundup.fc -rw-r--r--. 1 root root 938 Feb 18 15:07 roundup.if -rw-r--r--. 1 root root 2501 Feb 18 15:07 roundup.te -rw-r--r--. 1 root root 812 Feb 18 15:07 rpc.fc -rw-r--r--. 1 root root 7420 Feb 18 15:07 rpc.if -rw-r--r--. 1 root root 4316 Feb 18 15:07 rpc.te -rw-r--r--. 1 root root 467 Feb 18 15:07 rpcbind.fc -rw-r--r--. 1 root root 2638 Feb 18 15:07 rpcbind.if -rw-r--r--. 1 root root 2218 Feb 18 15:07 rpcbind.te -rw-r--r--. 1 root root 213 Feb 18 15:07 rshd.fc -rw-r--r--. 1 root root 428 Feb 18 15:07 rshd.if -rw-r--r--. 1 root root 2273 Feb 18 15:07 rshd.te -rw-r--r--. 1 root root 223 Feb 18 15:07 rsync.fc -rw-r--r--. 1 root root 2153 Feb 18 15:07 rsync.if -rw-r--r--. 1 root root 3087 Feb 18 15:07 rsync.te -rw-r--r--. 1 root root 287 Feb 18 15:07 rwho.fc -rw-r--r--. 1 root root 2956 Feb 18 15:07 rwho.if -rw-r--r--. 1 root root 1463 Feb 18 15:07 rwho.te -rw-r--r--. 1 root root 2413 Feb 18 15:07 samba.fc -rw-r--r--. 1 root root 9072 Feb 18 15:07 samba.if -rw-r--r--. 1 root root 22421 Feb 18 15:07 samba.te -rw-r--r--. 1 root root 262 Feb 18 15:07 sasl.fc -rw-r--r--. 1 root root 1284 Feb 18 15:07 sasl.if -rw-r--r--. 1 root root 3001 Feb 18 15:07 sasl.te -rw-r--r--. 1 root root 309 Feb 18 15:07 sendmail.fc -rw-r--r--. 1 root root 2856 Feb 18 15:07 sendmail.if -rw-r--r--. 1 root root 4173 Feb 18 15:07 sendmail.te -rw-r--r--. 1 root root 359 Feb 18 15:07 setroubleshoot.fc -rw-r--r--. 1 root root 1016 Feb 18 15:07 setroubleshoot.if -rw-r--r--. 1 root root 3838 Feb 18 15:07 setroubleshoot.te -rw-r--r--. 1 root root 172 Feb 18 15:07 slrnpull.fc -rw-r--r--. 1 root root 978 Feb 18 15:07 slrnpull.if -rw-r--r--. 1 root root 1632 Feb 18 15:07 slrnpull.te -rw-r--r--. 1 root root 258 Feb 18 15:07 smartmon.fc -rw-r--r--. 1 root root 1277 Feb 18 15:07 smartmon.if -rw-r--r--. 1 root root 2522 Feb 18 15:07 smartmon.te -rw-r--r--. 1 root root 848 Feb 18 15:07 snmp.fc -rw-r--r--. 1 root root 2820 Feb 18 15:07 snmp.if -rw-r--r--. 1 root root 4169 Feb 18 15:07 snmp.te -rw-r--r--. 1 root root 427 Feb 18 15:07 snort.fc -rw-r--r--. 1 root root 1306 Feb 18 15:07 snort.if -rw-r--r--. 1 root root 2736 Feb 18 15:07 snort.te -rw-r--r--. 1 root root 648 Feb 18 15:07 soundserver.fc -rw-r--r--. 1 root root 1331 Feb 18 15:07 soundserver.if -rw-r--r--. 1 root root 3256 Feb 18 15:07 soundserver.te -rw-r--r--. 1 root root 741 Feb 18 15:07 spamassassin.fc -rw-r--r--. 1 root root 4817 Feb 18 15:07 spamassassin.if -rw-r--r--. 1 root root 13863 Feb 18 15:07 spamassassin.te -rw-r--r--. 1 root root 75 Feb 18 15:07 speedtouch.fc -rw-r--r--. 1 root root 56 Feb 18 15:07 speedtouch.if -rw-r--r--. 1 root root 1465 Feb 18 15:07 speedtouch.te -rw-r--r--. 1 root root 758 Feb 18 15:07 squid.fc -rw-r--r--. 1 root root 4144 Feb 18 15:07 squid.if -rw-r--r--. 1 root root 5537 Feb 18 15:07 squid.te -rw-r--r--. 1 root root 804 Feb 18 15:07 ssh.fc -rw-r--r--. 1 root root 14735 Feb 18 15:07 ssh.if -rw-r--r--. 1 root root 11055 Feb 18 15:07 ssh.te -rw-r--r--. 1 root root 226 Feb 18 15:07 stunnel.fc -rw-r--r--. 1 root root 577 Feb 18 15:07 stunnel.if -rw-r--r--. 1 root root 2938 Feb 18 15:07 stunnel.te -rw-r--r--. 1 root root 447 Feb 18 15:07 sysstat.fc -rw-r--r--. 1 root root 440 Feb 18 15:07 sysstat.if -rw-r--r--. 1 root root 1428 Feb 18 15:07 sysstat.te -rw-r--r--. 1 root root 66 Feb 18 15:07 tcpd.fc -rw-r--r--. 1 root root 903 Feb 18 15:07 tcpd.if -rw-r--r--. 1 root root 1115 Feb 18 15:07 tcpd.te -rw-r--r--. 1 root root 157 Feb 18 15:07 telnet.fc -rw-r--r--. 1 root root 36 Feb 18 15:07 telnet.if -rw-r--r--. 1 root root 2619 Feb 18 15:07 telnet.te -rw-r--r--. 1 root root 326 Feb 18 15:07 tftp.fc -rw-r--r--. 1 root root 625 Feb 18 15:07 tftp.if -rw-r--r--. 1 root root 2683 Feb 18 15:07 tftp.te -rw-r--r--. 1 root root 72 Feb 18 15:07 timidity.fc -rw-r--r--. 1 root root 79 Feb 18 15:07 timidity.if -rw-r--r--. 1 root root 2568 Feb 18 15:07 timidity.te -rw-r--r--. 1 root root 470 Feb 18 15:07 tor.fc -rw-r--r--. 1 root root 1349 Feb 18 15:07 tor.if -rw-r--r--. 1 root root 2672 Feb 18 15:07 tor.te -rw-r--r--. 1 root root 152 Feb 18 15:07 transproxy.fc -rw-r--r--. 1 root root 45 Feb 18 15:07 transproxy.if -rw-r--r--. 1 root root 1677 Feb 18 15:07 transproxy.te -rw-r--r--. 1 root root 144 Feb 18 15:07 ucspitcp.fc -rw-r--r--. 1 root root 766 Feb 18 15:07 ucspitcp.if -rw-r--r--. 1 root root 2561 Feb 18 15:07 ucspitcp.te -rw-r--r--. 1 root root 225 Feb 18 15:07 uptime.fc -rw-r--r--. 1 root root 36 Feb 18 15:07 uptime.if -rw-r--r--. 1 root root 1636 Feb 18 15:07 uptime.te -rw-r--r--. 1 root root 348 Feb 18 15:07 uucp.fc -rw-r--r--. 1 root root 2066 Feb 18 15:07 uucp.if -rw-r--r--. 1 root root 2953 Feb 18 15:07 uucp.te -rw-r--r--. 1 root root 69 Feb 18 15:07 uwimap.fc -rw-r--r--. 1 root root 461 Feb 18 15:07 uwimap.if -rw-r--r--. 1 root root 2503 Feb 18 15:07 uwimap.te -rw-r--r--. 1 root root 716 Feb 18 15:07 virt.fc -rw-r--r--. 1 root root 6481 Feb 18 15:07 virt.if -rw-r--r--. 1 root root 4548 Feb 18 15:07 virt.te -rw-r--r--. 1 root root 312 Feb 18 15:07 w3c.fc -rw-r--r--. 1 root root 43 Feb 18 15:07 w3c.if -rw-r--r--. 1 root root 670 Feb 18 15:07 w3c.te -rw-r--r--. 1 root root 227 Feb 18 15:07 watchdog.fc -rw-r--r--. 1 root root 40 Feb 18 15:07 watchdog.if -rw-r--r--. 1 root root 2891 Feb 18 15:07 watchdog.te -rw-r--r--. 1 root root 335 Feb 18 15:07 xfs.fc -rw-r--r--. 1 root root 1099 Feb 18 15:07 xfs.if -rw-r--r--. 1 root root 2005 Feb 18 15:07 xfs.te -rw-r--r--. 1 root root 65 Feb 18 15:07 xprint.fc -rw-r--r--. 1 root root 37 Feb 18 15:07 xprint.if -rw-r--r--. 1 root root 1870 Feb 18 15:07 xprint.te -rw-r--r--. 1 root root 4238 Feb 18 15:07 xserver.fc -rw-r--r--. 1 root root 26924 Feb 18 15:07 xserver.if -rw-r--r--. 1 root root 30899 Feb 18 15:07 xserver.te -rw-r--r--. 1 root root 305 Feb 18 15:07 zabbix.fc -rw-r--r--. 1 root root 2369 Feb 18 15:07 zabbix.if -rw-r--r--. 1 root root 1083 Feb 18 15:07 zabbix.te -rw-r--r--. 1 root root 1247 Feb 18 15:07 zebra.fc -rw-r--r--. 1 root root 1528 Feb 18 15:07 zebra.if -rw-r--r--. 1 root root 3687 Feb 18 15:07 zebra.te /etc/selinux/refpolicy-standard/src/policy/policy/modules/system: total 664 -rw-r--r--. 1 root root 32 Feb 18 15:07 application.fc -rw-r--r--. 1 root root 2139 Feb 18 15:07 application.if -rw-r--r--. 1 root root 278 Feb 18 15:07 application.te -rw-r--r--. 1 root root 2139 Feb 18 15:07 authlogin.fc -rw-r--r--. 1 root root 26493 Feb 18 15:07 authlogin.if -rw-r--r--. 1 root root 9195 Feb 18 15:07 authlogin.te -rw-r--r--. 1 root root 131 Feb 18 15:07 clock.fc -rw-r--r--. 1 root root 1945 Feb 18 15:07 clock.if -rw-r--r--. 1 root root 1793 Feb 18 15:07 clock.te -rw-r--r--. 1 root root 2502 Feb 18 15:07 daemontools.fc -rw-r--r--. 1 root root 3094 Feb 18 15:07 daemontools.if -rw-r--r--. 1 root root 2544 Feb 18 15:07 daemontools.te -rw-r--r--. 1 root root 2708 Feb 18 15:07 fstools.fc -rw-r--r--. 1 root root 3017 Feb 18 15:07 fstools.if -rw-r--r--. 1 root root 4779 Feb 18 15:07 fstools.te -rw-r--r--. 1 root root 503 Feb 18 15:07 getty.fc -rw-r--r--. 1 root root 1759 Feb 18 15:07 getty.if -rw-r--r--. 1 root root 3035 Feb 18 15:07 getty.te -rw-r--r--. 1 root root 69 Feb 18 15:07 hostname.fc -rw-r--r--. 1 root root 1266 Feb 18 15:07 hostname.if -rw-r--r--. 1 root root 1494 Feb 18 15:07 hostname.te -rw-r--r--. 1 root root 507 Feb 18 15:07 hotplug.fc -rw-r--r--. 1 root root 3353 Feb 18 15:07 hotplug.if -rw-r--r--. 1 root root 4769 Feb 18 15:07 hotplug.te -rw-r--r--. 1 root root 2402 Feb 18 15:07 init.fc -rw-r--r--. 1 root root 29476 Feb 18 15:07 init.if -rw-r--r--. 1 root root 18996 Feb 18 15:07 init.te -rw-r--r--. 1 root root 1995 Feb 18 15:07 ipsec.fc -rw-r--r--. 1 root root 4560 Feb 18 15:07 ipsec.if -rw-r--r--. 1 root root 10637 Feb 18 15:07 ipsec.te -rw-r--r--. 1 root root 438 Feb 18 15:07 iptables.fc -rw-r--r--. 1 root root 1344 Feb 18 15:07 iptables.if -rw-r--r--. 1 root root 2437 Feb 18 15:07 iptables.te -rw-r--r--. 1 root root 282 Feb 18 15:07 iscsi.fc -rw-r--r--. 1 root root 405 Feb 18 15:07 iscsi.if -rw-r--r--. 1 root root 2206 Feb 18 15:07 iscsi.te -rw-r--r--. 1 root root 19549 Feb 18 15:07 libraries.fc -rw-r--r--. 1 root root 10003 Feb 18 15:07 libraries.if -rw-r--r--. 1 root root 2686 Feb 18 15:07 libraries.te -rw-r--r--. 1 root root 68 Feb 18 15:07 locallogin.fc -rw-r--r--. 1 root root 2519 Feb 18 15:07 locallogin.if -rw-r--r--. 1 root root 8030 Feb 18 15:07 locallogin.te -rw-r--r--. 1 root root 3640 Feb 18 15:07 logging.fc -rw-r--r--. 1 root root 19448 Feb 18 15:07 logging.if -rw-r--r--. 1 root root 12767 Feb 18 15:07 logging.te -rw-r--r--. 1 root root 4705 Feb 18 15:07 lvm.fc -rw-r--r--. 1 root root 1686 Feb 18 15:07 lvm.if -rw-r--r--. 1 root root 8090 Feb 18 15:07 lvm.te -rw-r--r--. 1 root root 89 Feb 18 15:07 metadata.xml -rw-r--r--. 1 root root 2678 Feb 18 15:07 miscfiles.fc -rw-r--r--. 1 root root 9928 Feb 18 15:07 miscfiles.if -rw-r--r--. 1 root root 895 Feb 18 15:07 miscfiles.te -rw-r--r--. 1 root root 1166 Feb 18 15:07 modutils.fc -rw-r--r--. 1 root root 5895 Feb 18 15:07 modutils.if -rw-r--r--. 1 root root 6713 Feb 18 15:07 modutils.te -rw-r--r--. 1 root root 203 Feb 18 15:07 mount.fc -rw-r--r--. 1 root root 3303 Feb 18 15:07 mount.if -rw-r--r--. 1 root root 4894 Feb 18 15:07 mount.te -rw-r--r--. 1 root root 76 Feb 18 15:07 netlabel.fc -rw-r--r--. 1 root root 1011 Feb 18 15:07 netlabel.if -rw-r--r--. 1 root root 651 Feb 18 15:07 netlabel.te -rw-r--r--. 1 root root 437 Feb 18 15:07 pcmcia.fc -rw-r--r--. 1 root root 3075 Feb 18 15:07 pcmcia.if -rw-r--r--. 1 root root 4035 Feb 18 15:07 pcmcia.te -rw-r--r--. 1 root root 200 Feb 18 15:07 raid.fc -rw-r--r--. 1 root root 1076 Feb 18 15:07 raid.if -rw-r--r--. 1 root root 2028 Feb 18 15:07 raid.te -rw-r--r--. 1 root root 2207 Feb 18 15:07 selinuxutil.fc -rw-r--r--. 1 root root 24478 Feb 18 15:07 selinuxutil.if -rw-r--r--. 1 root root 16009 Feb 18 15:07 selinuxutil.te -rw-r--r--. 1 root root 246 Feb 18 15:07 setrans.fc -rw-r--r--. 1 root root 589 Feb 18 15:07 setrans.if -rw-r--r--. 1 root root 2150 Feb 18 15:07 setrans.te -rw-r--r--. 1 root root 2278 Feb 18 15:07 sysnetwork.fc -rw-r--r--. 1 root root 12182 Feb 18 15:07 sysnetwork.if -rw-r--r--. 1 root root 8431 Feb 18 15:07 sysnetwork.te -rw-r--r--. 1 root root 947 Feb 18 15:07 udev.fc -rw-r--r--. 1 root root 2576 Feb 18 15:07 udev.if -rw-r--r--. 1 root root 6168 Feb 18 15:07 udev.te -rw-r--r--. 1 root root 921 Feb 18 15:07 unconfined.fc -rw-r--r--. 1 root root 11905 Feb 18 15:07 unconfined.if -rw-r--r--. 1 root root 4518 Feb 18 15:07 unconfined.te -rw-r--r--. 1 root root 202 Feb 18 15:07 userdomain.fc -rw-r--r--. 1 root root 65478 Feb 18 15:07 userdomain.if -rw-r--r--. 1 root root 2855 Feb 18 15:07 userdomain.te -rw-r--r--. 1 root root 1800 Feb 18 15:07 xen.fc -rw-r--r--. 1 root root 3777 Feb 18 15:07 xen.if -rw-r--r--. 1 root root 9866 Feb 18 15:07 xen.te /etc/selinux/refpolicy-standard/src/policy/policy/support: total 52 -rw-r--r--. 1 root root 12662 Feb 18 15:07 file_patterns.spt -rw-r--r--. 1 root root 341 Feb 18 15:07 ipc_patterns.spt -rw-r--r--. 1 root root 3335 Feb 18 15:07 loadable_module.spt -rw-r--r--. 1 root root 1723 Feb 18 15:07 misc_macros.spt -rw-r--r--. 1 root root 1370 Feb 18 15:07 misc_patterns.spt -rw-r--r--. 1 root root 1385 Feb 18 15:07 mls_mcs_macros.spt -rw-r--r--. 1 root root 12395 Feb 18 15:07 obj_perm_sets.spt /etc/selinux/refpolicy-standard/src/policy/support: total 168 -rw-r--r--. 1 root root 7236 Feb 18 15:07 Makefile.devel -rw-r--r--. 1 root root 672 Feb 18 15:07 comment_move_decl.sed -rw-r--r--. 1 root root 13623 Feb 18 15:07 fc_sort.c -rw-r--r--. 1 root root 9504 Feb 18 15:07 genclassperms.py -rw-r--r--. 1 root root 17017 Feb 18 15:07 genhomedircon -rw-r--r--. 1 root root 4374 Feb 18 15:07 gennetfilter.py -rw-r--r--. 1 root root 266 Feb 18 15:07 get_type_attr_decl.sed -rw-r--r--. 1 root root 32 Feb 18 15:07 iferror.m4 -rw-r--r--. 1 root root 10492 Feb 18 15:07 pyplate.py -rw-r--r--. 1 root root 16303 Feb 18 16:15 pyplate.pyc -rw-r--r--. 1 root root 25444 Feb 18 15:07 sedoctool.py -rw-r--r--. 1 root root 10766 Feb 18 15:07 segenxml.py -rw-r--r--. 1 root root 14846 Feb 18 15:07 selinux-policy-refpolicy.spec -rw-r--r--. 1 root root 1177 Feb 18 15:07 selinux-refpolicy-sources.spec.skel -rw-r--r--. 1 root root 209 Feb 18 15:07 set_bools_tuns.awk /etc/selinux/refpolicy-standard/src/policy/tmp: total 80000 -rw-r--r--. 1 root root 48063 Feb 18 16:22 acct.mod -rw-r--r--. 1 root root 12780 Feb 18 16:22 acct.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:22 acct.mod.role -rw-r--r--. 1 root root 50977 Feb 18 16:22 acct.tmp -rw-r--r--. 1 root root 46207 Feb 18 16:22 ada.mod -rw-r--r--. 1 root root 12785 Feb 18 16:22 ada.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:22 ada.mod.role -rw-r--r--. 1 root root 38395 Feb 18 16:22 ada.tmp -rw-r--r--. 1 root root 49151 Feb 18 16:22 admin.xml -rw-r--r--. 1 root root 103420 Feb 18 16:22 afs.mod -rw-r--r--. 1 root root 13491 Feb 18 16:22 afs.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:22 afs.mod.role -rw-r--r--. 1 root root 162583 Feb 18 16:22 afs.tmp -rw-r--r--. 1 root root 29664 Feb 18 16:22 aide.mod -rw-r--r--. 1 root root 12764 Feb 18 16:22 aide.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:22 aide.mod.role -rw-r--r--. 1 root root 31550 Feb 18 16:22 aide.tmp -rw-r--r--. 1 root root 24675 Feb 18 16:22 all_attrs_types.conf -rw-r--r--. 1 root root 3874465 Feb 18 16:22 all_interfaces.conf -rw-r--r--. 1 root root 3974239 Feb 18 16:22 all_interfaces.conf.tmp -rw-r--r--. 1 root root 49969 Feb 18 16:22 all_post.conf -rw-r--r--. 1 root root 251506 Feb 18 16:22 all_te_files.conf -rw-r--r--. 1 root root 57413 Feb 18 16:22 alsa.mod -rw-r--r--. 1 root root 13035 Feb 18 16:22 alsa.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:22 alsa.mod.role -rw-r--r--. 1 root root 84230 Feb 18 16:22 alsa.tmp -rw-r--r--. 1 root root 113141 Feb 18 16:22 amanda.mod -rw-r--r--. 1 root root 13927 Feb 18 16:22 amanda.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:22 amanda.mod.role -rw-r--r--. 1 root root 206411 Feb 18 16:22 amanda.tmp -rw-r--r--. 1 root root 75569 Feb 18 16:22 amavis.mod -rw-r--r--. 1 root root 13221 Feb 18 16:22 amavis.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:22 amavis.mod.role -rw-r--r--. 1 root root 100760 Feb 18 16:22 amavis.tmp -rw-r--r--. 1 root root 30915 Feb 18 16:22 amtu.mod -rw-r--r--. 1 root root 12611 Feb 18 16:22 amtu.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:22 amtu.mod.role -rw-r--r--. 1 root root 27375 Feb 18 16:22 amtu.tmp -rw-r--r--. 1 root root 65078 Feb 18 16:22 anaconda.mod -rw-r--r--. 1 root root 12728 Feb 18 16:22 anaconda.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:22 anaconda.mod.role -rw-r--r--. 1 root root 54456 Feb 18 16:22 anaconda.tmp -rw-r--r--. 1 root root 338963 Feb 18 16:22 apache.mod -rw-r--r--. 1 root root 16000 Feb 18 16:22 apache.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:22 apache.mod.role -rw-r--r--. 1 root root 585639 Feb 18 16:22 apache.tmp -rw-r--r--. 1 root root 112582 Feb 18 16:22 apcupsd.mod -rw-r--r--. 1 root root 13218 Feb 18 16:22 apcupsd.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:22 apcupsd.mod.role -rw-r--r--. 1 root root 202793 Feb 18 16:22 apcupsd.tmp -rw-r--r--. 1 root root 112567 Feb 18 16:22 apm.mod -rw-r--r--. 1 root root 13135 Feb 18 16:22 apm.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:22 apm.mod.role -rw-r--r--. 1 root root 115097 Feb 18 16:22 apm.tmp -rw-r--r--. 1 root root 18592 Feb 18 16:22 application.mod -rw-r--r--. 1 root root 12596 Feb 18 16:22 application.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:22 application.mod.role -rw-r--r--. 1 root root 17398 Feb 18 16:22 application.tmp -rw-r--r--. 1 root root 24976 Feb 18 16:22 apps.xml -rw-r--r--. 1 root root 80941 Feb 18 16:22 apt.mod -rw-r--r--. 1 root root 13121 Feb 18 16:22 apt.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:22 apt.mod.role -rw-r--r--. 1 root root 106491 Feb 18 16:22 apt.tmp -rw-r--r--. 1 root root 68713 Feb 18 16:22 arpwatch.mod -rw-r--r--. 1 root root 12830 Feb 18 16:22 arpwatch.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:22 arpwatch.mod.role -rw-r--r--. 1 root root 105721 Feb 18 16:22 arpwatch.tmp -rw-r--r--. 1 root root 60277 Feb 18 16:22 asterisk.mod -rw-r--r--. 1 root root 12991 Feb 18 16:22 asterisk.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:22 asterisk.mod.role -rw-r--r--. 1 root root 94419 Feb 18 16:22 asterisk.tmp -rw-r--r--. 1 root root 41009 Feb 18 16:22 audioentropy.mod -rw-r--r--. 1 root root 12707 Feb 18 16:22 audioentropy.mod.fc -rw-r--r--. 1 root root 230 Feb 18 16:22 audioentropy.mod.role -rw-r--r--. 1 root root 43609 Feb 18 16:22 audioentropy.tmp -rw-r--r--. 1 root root 741234 Feb 18 16:22 auditadm.mod -rw-r--r--. 1 root root 12620 Feb 18 16:22 auditadm.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:22 auditadm.mod.role -rw-r--r--. 1 root root 1182985 Feb 18 16:22 auditadm.tmp -rw-r--r--. 1 root root 27365 Feb 18 16:22 authbind.mod -rw-r--r--. 1 root root 12687 Feb 18 16:22 authbind.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:22 authbind.mod.role -rw-r--r--. 1 root root 28603 Feb 18 16:22 authbind.tmp -rw-r--r--. 1 root root 206880 Feb 18 16:22 authlogin.mod -rw-r--r--. 1 root root 14115 Feb 18 16:22 authlogin.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:22 authlogin.mod.role -rw-r--r--. 1 root root 364620 Feb 18 16:22 authlogin.tmp -rw-r--r--. 1 root root 89753 Feb 18 16:23 automount.mod -rw-r--r--. 1 root root 12849 Feb 18 16:23 automount.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:22 automount.mod.role -rw-r--r--. 1 root root 140505 Feb 18 16:22 automount.tmp -rw-r--r--. 1 root root 72606 Feb 18 16:23 avahi.mod -rw-r--r--. 1 root root 12939 Feb 18 16:23 avahi.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 avahi.mod.role -rw-r--r--. 1 root root 107690 Feb 18 16:23 avahi.tmp -rw-r--r--. 1 root root 94144 Feb 18 16:23 awstats.mod -rw-r--r--. 1 root root 12859 Feb 18 16:23 awstats.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 awstats.mod.role -rw-r--r--. 1 root root 149814 Feb 18 16:23 awstats.tmp -rw-r--r--. 1 root root 49400 Feb 18 16:23 backup.mod -rw-r--r--. 1 root root 12905 Feb 18 16:23 backup.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 backup.mod.role -rw-r--r--. 1 root root 70340 Feb 18 16:23 backup.tmp -rw-r--r--. 1 root root 26248 Feb 18 16:22 base.fc.tmp -rw-r--r--. 1 root root 197803 Feb 18 16:22 base.mod -rw-r--r--. 1 root root 127016 Feb 18 16:23 bind.mod -rw-r--r--. 1 root root 13167 Feb 18 16:23 bind.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 bind.mod.role -rw-r--r--. 1 root root 211284 Feb 18 16:23 bind.tmp -rw-r--r--. 1 root root 53402 Feb 18 16:23 bitlbee.mod -rw-r--r--. 1 root root 12799 Feb 18 16:23 bitlbee.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 bitlbee.mod.role -rw-r--r--. 1 root root 73042 Feb 18 16:23 bitlbee.tmp -rw-r--r--. 1 root root 125780 Feb 18 16:23 bluetooth.mod -rw-r--r--. 1 root root 13564 Feb 18 16:23 bluetooth.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 bluetooth.mod.role -rw-r--r--. 1 root root 203157 Feb 18 16:23 bluetooth.tmp -rw-r--r--. 1 root root 68076 Feb 18 16:23 bootloader.mod -rw-r--r--. 1 root root 12837 Feb 18 16:23 bootloader.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 bootloader.mod.role -rw-r--r--. 1 root root 90960 Feb 18 16:23 bootloader.tmp -rw-r--r--. 1 root root 39728 Feb 18 16:23 brctl.mod -rw-r--r--. 1 root root 12615 Feb 18 16:23 brctl.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 brctl.mod.role -rw-r--r--. 1 root root 38832 Feb 18 16:23 brctl.tmp -rw-r--r--. 1 root root 52378 Feb 18 16:23 calamaris.mod -rw-r--r--. 1 root root 12770 Feb 18 16:23 calamaris.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 calamaris.mod.role -rw-r--r--. 1 root root 73991 Feb 18 16:23 calamaris.tmp -rw-r--r--. 1 root root 54364 Feb 18 16:23 canna.mod -rw-r--r--. 1 root root 13267 Feb 18 16:23 canna.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 canna.mod.role -rw-r--r--. 1 root root 75543 Feb 18 16:23 canna.tmp -rw-r--r--. 1 root root 48300 Feb 18 16:23 ccs.mod -rw-r--r--. 1 root root 12880 Feb 18 16:23 ccs.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 ccs.mod.role -rw-r--r--. 1 root root 70096 Feb 18 16:23 ccs.tmp -rw-r--r--. 1 root root 43203 Feb 18 16:23 cdrecord.mod -rw-r--r--. 1 root root 12631 Feb 18 16:23 cdrecord.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 cdrecord.mod.role -rw-r--r--. 1 root root 63130 Feb 18 16:23 cdrecord.tmp -rw-r--r--. 1 root root 38200 Feb 18 16:23 certwatch.mod -rw-r--r--. 1 root root 12621 Feb 18 16:23 certwatch.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 certwatch.mod.role -rw-r--r--. 1 root root 38666 Feb 18 16:23 certwatch.tmp -rw-r--r--. 1 root root 51395 Feb 18 16:23 cipe.mod -rw-r--r--. 1 root root 12627 Feb 18 16:23 cipe.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 cipe.mod.role -rw-r--r--. 1 root root 69016 Feb 18 16:23 cipe.tmp -rw-r--r--. 1 root root 90189 Feb 18 16:23 clamav.mod -rw-r--r--. 1 root root 13392 Feb 18 16:23 clamav.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 clamav.mod.role -rw-r--r--. 1 root root 136716 Feb 18 16:23 clamav.tmp -rw-r--r--. 1 root root 46914 Feb 18 16:23 clock.mod -rw-r--r--. 1 root root 12663 Feb 18 16:23 clock.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 clock.mod.role -rw-r--r--. 1 root root 49601 Feb 18 16:23 clock.tmp -rw-r--r--. 1 root root 50353 Feb 18 16:23 clockspeed.mod -rw-r--r--. 1 root root 12962 Feb 18 16:23 clockspeed.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 clockspeed.mod.role -rw-r--r--. 1 root root 65706 Feb 18 16:23 clockspeed.tmp -rw-r--r--. 1 root root 66261 Feb 18 16:23 comsat.mod -rw-r--r--. 1 root root 12621 Feb 18 16:23 comsat.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 comsat.mod.role -rw-r--r--. 1 root root 107851 Feb 18 16:23 comsat.tmp -rw-r--r--. 1 root root 66030 Feb 18 16:23 consolekit.mod -rw-r--r--. 1 root root 12700 Feb 18 16:23 consolekit.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 consolekit.mod.role -rw-r--r--. 1 root root 92134 Feb 18 16:23 consolekit.tmp -rw-r--r--. 1 root root 67076 Feb 18 16:23 consoletype.mod -rw-r--r--. 1 root root 12623 Feb 18 16:23 consoletype.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:23 consoletype.mod.role -rw-r--r--. 1 root root 76604 Feb 18 16:23 consoletype.tmp -rw-r--r--. 1 root root 181338 Feb 18 16:23 courier.mod -rw-r--r--. 1 root root 13813 Feb 18 16:23 courier.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 courier.mod.role -rw-r--r--. 1 root root 284314 Feb 18 16:23 courier.tmp -rw-r--r--. 1 root root 61459 Feb 18 16:23 cpucontrol.mod -rw-r--r--. 1 root root 12915 Feb 18 16:23 cpucontrol.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 cpucontrol.mod.role -rw-r--r--. 1 root root 67873 Feb 18 16:23 cpucontrol.tmp -rw-r--r--. 1 root root 308435 Feb 18 16:23 cron.mod -rw-r--r--. 1 root root 14306 Feb 18 16:23 cron.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 cron.mod.role -rw-r--r--. 1 root root 486093 Feb 18 16:23 cron.tmp -rw-r--r--. 1 root root 314675 Feb 18 16:23 cups.mod -rw-r--r--. 1 root root 14878 Feb 18 16:23 cups.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 cups.mod.role -rw-r--r--. 1 root root 510533 Feb 18 16:23 cups.tmp -rw-r--r--. 1 root root 0 Feb 18 16:25 customizable_types -rw-r--r--. 1 root root 150895 Feb 18 16:23 cvs.mod -rw-r--r--. 1 root root 12873 Feb 18 16:23 cvs.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 cvs.mod.role -rw-r--r--. 1 root root 275289 Feb 18 16:23 cvs.tmp -rw-r--r--. 1 root root 56661 Feb 18 16:23 cyphesis.mod -rw-r--r--. 1 root root 12619 Feb 18 16:23 cyphesis.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 cyphesis.mod.role -rw-r--r--. 1 root root 81410 Feb 18 16:23 cyphesis.tmp -rw-r--r--. 1 root root 93899 Feb 18 16:23 cyrus.mod -rw-r--r--. 1 root root 12763 Feb 18 16:23 cyrus.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 cyrus.mod.role -rw-r--r--. 1 root root 141448 Feb 18 16:23 cyrus.tmp -rw-r--r--. 1 root root 59668 Feb 18 16:23 daemontools.mod -rw-r--r--. 1 root root 14506 Feb 18 16:23 daemontools.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:23 daemontools.mod.role -rw-r--r--. 1 root root 65675 Feb 18 16:23 daemontools.tmp -rw-r--r--. 1 root root 43966 Feb 18 16:23 dante.mod -rw-r--r--. 1 root root 12724 Feb 18 16:23 dante.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 dante.mod.role -rw-r--r--. 1 root root 51616 Feb 18 16:23 dante.tmp -rw-r--r--. 1 root root 67182 Feb 18 16:23 dbskk.mod -rw-r--r--. 1 root root 12621 Feb 18 16:23 dbskk.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 dbskk.mod.role -rw-r--r--. 1 root root 106133 Feb 18 16:23 dbskk.tmp -rw-r--r--. 1 root root 72951 Feb 18 16:23 dbus.mod -rw-r--r--. 1 root root 12922 Feb 18 16:23 dbus.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 dbus.mod.role -rw-r--r--. 1 root root 115099 Feb 18 16:23 dbus.tmp -rw-r--r--. 1 root root 259434 Feb 18 16:23 dcc.mod -rw-r--r--. 1 root root 13333 Feb 18 16:23 dcc.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 dcc.mod.role -rw-r--r--. 1 root root 485842 Feb 18 16:23 dcc.tmp -rw-r--r--. 1 root root 52257 Feb 18 16:23 ddclient.mod -rw-r--r--. 1 root root 13160 Feb 18 16:23 ddclient.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 ddclient.mod.role -rw-r--r--. 1 root root 68036 Feb 18 16:23 ddclient.tmp -rw-r--r--. 1 root root 35223 Feb 18 16:23 ddcprobe.mod -rw-r--r--. 1 root root 12631 Feb 18 16:23 ddcprobe.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 ddcprobe.mod.role -rw-r--r--. 1 root root 41460 Feb 18 16:23 ddcprobe.tmp -rw-r--r--. 1 root root 77256 Feb 18 16:23 dhcp.mod -rw-r--r--. 1 root root 12868 Feb 18 16:23 dhcp.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 dhcp.mod.role -rw-r--r--. 1 root root 116386 Feb 18 16:23 dhcp.tmp -rw-r--r--. 1 root root 56136 Feb 18 16:23 dictd.mod -rw-r--r--. 1 root root 12848 Feb 18 16:23 dictd.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 dictd.mod.role -rw-r--r--. 1 root root 78940 Feb 18 16:23 dictd.tmp -rw-r--r--. 1 root root 54039 Feb 18 16:23 distcc.mod -rw-r--r--. 1 root root 12618 Feb 18 16:23 distcc.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 distcc.mod.role -rw-r--r--. 1 root root 78550 Feb 18 16:23 distcc.tmp -rw-r--r--. 1 root root 58383 Feb 18 16:23 djbdns.mod -rw-r--r--. 1 root root 12948 Feb 18 16:23 djbdns.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 djbdns.mod.role -rw-r--r--. 1 root root 77837 Feb 18 16:23 djbdns.tmp -rw-r--r--. 1 root root 37572 Feb 18 16:23 dmesg.mod -rw-r--r--. 1 root root 12612 Feb 18 16:23 dmesg.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 dmesg.mod.role -rw-r--r--. 1 root root 41683 Feb 18 16:23 dmesg.tmp -rw-r--r--. 1 root root 27302 Feb 18 16:23 dmidecode.mod -rw-r--r--. 1 root root 12739 Feb 18 16:23 dmidecode.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 dmidecode.mod.role -rw-r--r--. 1 root root 28334 Feb 18 16:23 dmidecode.tmp -rw-r--r--. 1 root root 55484 Feb 18 16:23 dnsmasq.mod -rw-r--r--. 1 root root 12879 Feb 18 16:23 dnsmasq.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 dnsmasq.mod.role -rw-r--r--. 1 root root 80300 Feb 18 16:23 dnsmasq.tmp -rw-r--r--. 1 root root 149595 Feb 18 16:23 dovecot.mod -rw-r--r--. 1 root root 13307 Feb 18 16:23 dovecot.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 dovecot.mod.role -rw-r--r--. 1 root root 280063 Feb 18 16:23 dovecot.tmp -rw-r--r--. 1 root root 169011 Feb 18 16:23 dpkg.mod -rw-r--r--. 1 root root 13081 Feb 18 16:23 dpkg.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 dpkg.mod.role -rw-r--r--. 1 root root 250104 Feb 18 16:23 dpkg.tmp -rw-r--r--. 1 root root 75916 Feb 18 16:23 ethereal.mod -rw-r--r--. 1 root root 12747 Feb 18 16:23 ethereal.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 ethereal.mod.role -rw-r--r--. 1 root root 109543 Feb 18 16:23 ethereal.tmp -rw-r--r--. 1 root root 210828 Feb 18 16:23 evolution.mod -rw-r--r--. 1 root root 13236 Feb 18 16:23 evolution.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 evolution.mod.role -rw-r--r--. 1 root root 388488 Feb 18 16:23 evolution.tmp -rw-r--r--. 1 root root 67489 Feb 18 16:23 exim.mod -rw-r--r--. 1 root root 12798 Feb 18 16:23 exim.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 exim.mod.role -rw-r--r--. 1 root root 113458 Feb 18 16:23 exim.tmp -rw-r--r--. 1 root root 70461 Feb 18 16:23 fail2ban.mod -rw-r--r--. 1 root root 12871 Feb 18 16:23 fail2ban.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 fail2ban.mod.role -rw-r--r--. 1 root root 102770 Feb 18 16:23 fail2ban.tmp -rwxr-xr-x. 1 root root 14750 Feb 18 16:22 fc_sort -rw-r--r--. 1 root root 51330 Feb 18 16:23 fetchmail.mod -rw-r--r--. 1 root root 12857 Feb 18 16:23 fetchmail.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 fetchmail.mod.role -rw-r--r--. 1 root root 62258 Feb 18 16:23 fetchmail.tmp -rw-r--r--. 1 root root 73811 Feb 18 16:23 finger.mod -rw-r--r--. 1 root root 12907 Feb 18 16:23 finger.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 finger.mod.role -rw-r--r--. 1 root root 94430 Feb 18 16:23 finger.tmp -rw-r--r--. 1 root root 86826 Feb 18 16:23 firstboot.mod -rw-r--r--. 1 root root 12697 Feb 18 16:23 firstboot.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 firstboot.mod.role -rw-r--r--. 1 root root 113494 Feb 18 16:23 firstboot.tmp -rw-r--r--. 1 root root 67259 Feb 18 16:23 fstools.mod -rw-r--r--. 1 root root 14616 Feb 18 16:23 fstools.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 fstools.mod.role -rw-r--r--. 1 root root 103148 Feb 18 16:23 fstools.tmp -rw-r--r--. 1 root root 145211 Feb 18 16:23 ftp.mod -rw-r--r--. 1 root root 13533 Feb 18 16:23 ftp.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 ftp.mod.role -rw-r--r--. 1 root root 239237 Feb 18 16:23 ftp.tmp -rw-r--r--. 1 root root 77487 Feb 18 16:23 games.mod -rw-r--r--. 1 root root 15501 Feb 18 16:23 games.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 games.mod.role -rw-r--r--. 1 root root 109589 Feb 18 16:23 games.tmp -rw-r--r--. 1 root root 53261 Feb 18 16:23 gatekeeper.mod -rw-r--r--. 1 root root 12911 Feb 18 16:23 gatekeeper.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 gatekeeper.mod.role -rw-r--r--. 1 root root 80045 Feb 18 16:23 gatekeeper.tmp -rw-r--r--. 1 root root 20572 Feb 18 16:22 generated_definitions.conf -rw-r--r--. 1 root root 61292 Feb 18 16:23 getty.mod -rw-r--r--. 1 root root 12955 Feb 18 16:23 getty.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 getty.mod.role -rw-r--r--. 1 root root 71209 Feb 18 16:23 getty.tmp -rw-r--r--. 1 root root 65896 Feb 18 16:23 gift.mod -rw-r--r--. 1 root root 12857 Feb 18 16:23 gift.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 gift.mod.role -rw-r--r--. 1 root root 95105 Feb 18 16:23 gift.tmp -rw-r--r--. 1 root root 9797 Feb 18 16:22 global_bools.conf -rw-r--r--. 1 root root 37392 Feb 18 16:23 gnome.mod -rw-r--r--. 1 root root 12840 Feb 18 16:23 gnome.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 gnome.mod.role -rw-r--r--. 1 root root 43363 Feb 18 16:23 gnome.tmp -rw-r--r--. 1 root root 87454 Feb 18 16:23 gpg.mod -rw-r--r--. 1 root root 12945 Feb 18 16:23 gpg.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 gpg.mod.role -rw-r--r--. 1 root root 139359 Feb 18 16:23 gpg.tmp -rw-r--r--. 1 root root 42660 Feb 18 16:23 gpm.mod -rw-r--r--. 1 root root 12747 Feb 18 16:23 gpm.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 gpm.mod.role -rw-r--r--. 1 root root 46798 Feb 18 16:23 gpm.tmp -rw-r--r--. 1 root root 237602 Feb 18 16:23 hal.mod -rw-r--r--. 1 root root 13766 Feb 18 16:23 hal.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 hal.mod.role -rw-r--r--. 1 root root 342571 Feb 18 16:23 hal.tmp -rw-r--r--. 1 root root 42815 Feb 18 16:23 hostname.mod -rw-r--r--. 1 root root 12617 Feb 18 16:23 hostname.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 hostname.mod.role -rw-r--r--. 1 root root 54984 Feb 18 16:23 hostname.tmp -rw-r--r--. 1 root root 107073 Feb 18 16:23 hotplug.mod -rw-r--r--. 1 root root 12959 Feb 18 16:23 hotplug.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 hotplug.mod.role -rw-r--r--. 1 root root 127600 Feb 18 16:23 hotplug.tmp -rw-r--r--. 1 root root 51667 Feb 18 16:23 howl.mod -rw-r--r--. 1 root root 12725 Feb 18 16:23 howl.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 howl.mod.role -rw-r--r--. 1 root root 72249 Feb 18 16:23 howl.tmp -rw-r--r--. 1 root root 57383 Feb 18 16:23 i18n_input.mod -rw-r--r--. 1 root root 13059 Feb 18 16:23 i18n_input.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 i18n_input.mod.role -rw-r--r--. 1 root root 81420 Feb 18 16:23 i18n_input.tmp -rw-r--r--. 1 root root 52522 Feb 18 16:23 imaze.mod -rw-r--r--. 1 root root 12746 Feb 18 16:23 imaze.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 imaze.mod.role -rw-r--r--. 1 root root 76090 Feb 18 16:23 imaze.tmp -rw-r--r--. 1 root root 130447 Feb 18 16:23 inetd.mod -rw-r--r--. 1 root root 13030 Feb 18 16:23 inetd.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 inetd.mod.role -rw-r--r--. 1 root root 204091 Feb 18 16:23 inetd.tmp -rw-r--r--. 1 root root 336568 Feb 18 16:23 init.mod -rw-r--r--. 1 root root 13872 Feb 18 16:23 init.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 init.mod.role -rw-r--r--. 1 root root 478075 Feb 18 16:23 init.tmp -rw-r--r--. 1 root root 64640 Feb 18 16:23 inn.mod -rw-r--r--. 1 root root 15722 Feb 18 16:23 inn.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 inn.mod.role -rw-r--r--. 1 root root 89515 Feb 18 16:23 inn.tmp -rw-r--r--. 1 root root 122162 Feb 18 16:23 ipsec.mod -rw-r--r--. 1 root root 14143 Feb 18 16:23 ipsec.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 ipsec.mod.role -rw-r--r--. 1 root root 178659 Feb 18 16:23 ipsec.tmp -rw-r--r--. 1 root root 82307 Feb 18 16:23 iptables.mod -rw-r--r--. 1 root root 12906 Feb 18 16:23 iptables.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 iptables.mod.role -rw-r--r--. 1 root root 130237 Feb 18 16:23 iptables.tmp -rw-r--r--. 1 root root 46628 Feb 18 16:23 irc.mod -rw-r--r--. 1 root root 12785 Feb 18 16:23 irc.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 irc.mod.role -rw-r--r--. 1 root root 75408 Feb 18 16:23 irc.tmp -rw-r--r--. 1 root root 53177 Feb 18 16:23 ircd.mod -rw-r--r--. 1 root root 12858 Feb 18 16:23 ircd.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 ircd.mod.role -rw-r--r--. 1 root root 74961 Feb 18 16:23 ircd.tmp -rw-r--r--. 1 root root 42087 Feb 18 16:23 irqbalance.mod -rw-r--r--. 1 root root 12625 Feb 18 16:23 irqbalance.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 irqbalance.mod.role -rw-r--r--. 1 root root 43881 Feb 18 16:23 irqbalance.tmp -rw-r--r--. 1 root root 49618 Feb 18 16:23 iscsi.mod -rw-r--r--. 1 root root 12782 Feb 18 16:23 iscsi.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 iscsi.mod.role -rw-r--r--. 1 root root 62551 Feb 18 16:23 iscsi.tmp -rw-r--r--. 1 root root 54381 Feb 18 16:23 jabber.mod -rw-r--r--. 1 root root 12803 Feb 18 16:23 jabber.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 jabber.mod.role -rw-r--r--. 1 root root 80007 Feb 18 16:23 jabber.tmp -rw-r--r--. 1 root root 98533 Feb 18 16:23 java.mod -rw-r--r--. 1 root root 13572 Feb 18 16:23 java.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 java.mod.role -rw-r--r--. 1 root root 135211 Feb 18 16:23 java.tmp -rw-r--r--. 1 root root 123619 Feb 18 16:23 kerberos.mod -rw-r--r--. 1 root root 13938 Feb 18 16:23 kerberos.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 kerberos.mod.role -rw-r--r--. 1 root root 228555 Feb 18 16:23 kerberos.tmp -rw-r--r--. 1 root root 1010513 Feb 18 16:22 kernel.xml -rw-r--r--. 1 root root 43032 Feb 18 16:23 kerneloops.mod -rw-r--r--. 1 root root 12701 Feb 18 16:23 kerneloops.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 kerneloops.mod.role -rw-r--r--. 1 root root 57034 Feb 18 16:23 kerneloops.tmp -rw-r--r--. 1 root root 52833 Feb 18 16:23 kismet.mod -rw-r--r--. 1 root root 12796 Feb 18 16:23 kismet.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 kismet.mod.role -rw-r--r--. 1 root root 80489 Feb 18 16:23 kismet.tmp -rw-r--r--. 1 root root 66562 Feb 18 16:23 ktalk.mod -rw-r--r--. 1 root root 12781 Feb 18 16:23 ktalk.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 ktalk.mod.role -rw-r--r--. 1 root root 109336 Feb 18 16:23 ktalk.tmp -rw-r--r--. 1 root root 85467 Feb 18 16:23 kudzu.mod -rw-r--r--. 1 root root 12710 Feb 18 16:23 kudzu.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 kudzu.mod.role -rw-r--r--. 1 root root 102827 Feb 18 16:23 kudzu.tmp -rw-r--r--. 1 root root 79347 Feb 18 16:23 ldap.mod -rw-r--r--. 1 root root 13078 Feb 18 16:23 ldap.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 ldap.mod.role -rw-r--r--. 1 root root 127924 Feb 18 16:23 ldap.tmp -rw-r--r--. 1 root root 43449 Feb 18 16:23 libraries.mod -rw-r--r--. 1 root root 17184 Feb 18 16:23 libraries.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 libraries.mod.role -rw-r--r--. 1 root root 49119 Feb 18 16:23 libraries.tmp -rw-r--r--. 1 root root 33325 Feb 18 16:23 loadkeys.mod -rw-r--r--. 1 root root 12668 Feb 18 16:23 loadkeys.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 loadkeys.mod.role -rw-r--r--. 1 root root 35471 Feb 18 16:23 loadkeys.tmp -rw-r--r--. 1 root root 183800 Feb 18 16:23 locallogin.mod -rw-r--r--. 1 root root 12616 Feb 18 16:23 locallogin.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:23 locallogin.mod.role -rw-r--r--. 1 root root 313846 Feb 18 16:23 locallogin.tmp -rw-r--r--. 1 root root 29404 Feb 18 16:23 lockdev.mod -rw-r--r--. 1 root root 12619 Feb 18 16:23 lockdev.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 lockdev.mod.role -rw-r--r--. 1 root root 31473 Feb 18 16:23 lockdev.tmp -rw-r--r--. 1 root root 184069 Feb 18 16:23 logging.mod -rw-r--r--. 1 root root 15176 Feb 18 16:23 logging.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 logging.mod.role -rw-r--r--. 1 root root 301791 Feb 18 16:23 logging.tmp -rw-r--r--. 1 root root 95237 Feb 18 16:23 logrotate.mod -rw-r--r--. 1 root root 12767 Feb 18 16:23 logrotate.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 logrotate.mod.role -rw-r--r--. 1 root root 129325 Feb 18 16:23 logrotate.tmp -rw-r--r--. 1 root root 85361 Feb 18 16:23 logwatch.mod -rw-r--r--. 1 root root 12879 Feb 18 16:23 logwatch.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 logwatch.mod.role -rw-r--r--. 1 root root 119336 Feb 18 16:23 logwatch.tmp -rw-r--r--. 1 root root 135283 Feb 18 16:23 lpd.mod -rw-r--r--. 1 root root 13783 Feb 18 16:23 lpd.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 lpd.mod.role -rw-r--r--. 1 root root 234488 Feb 18 16:23 lpd.tmp -rw-r--r--. 1 root root 113181 Feb 18 16:23 lvm.mod -rw-r--r--. 1 root root 16106 Feb 18 16:23 lvm.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 lvm.mod.role -rw-r--r--. 1 root root 175115 Feb 18 16:23 lvm.tmp -rw-r--r--. 1 root root 185194 Feb 18 16:23 mailman.mod -rw-r--r--. 1 root root 12991 Feb 18 16:23 mailman.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 mailman.mod.role -rw-r--r--. 1 root root 355663 Feb 18 16:23 mailman.tmp -rw-r--r--. 1 root root 39122 Feb 18 16:23 memcached.mod -rw-r--r--. 1 root root 12762 Feb 18 16:23 memcached.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 memcached.mod.role -rw-r--r--. 1 root root 55332 Feb 18 16:23 memcached.tmp -rw-r--r--. 1 root root 73495 Feb 18 16:23 milter.mod -rw-r--r--. 1 root root 12920 Feb 18 16:23 milter.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 milter.mod.role -rw-r--r--. 1 root root 107094 Feb 18 16:23 milter.tmp -rw-r--r--. 1 root root 17772 Feb 18 16:23 miscfiles.mod -rw-r--r--. 1 root root 14055 Feb 18 16:23 miscfiles.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:23 miscfiles.mod.role -rw-r--r--. 1 root root 21748 Feb 18 16:23 miscfiles.tmp -rw-r--r--. 1 root root 101733 Feb 18 16:23 modutils.mod -rw-r--r--. 1 root root 13354 Feb 18 16:23 modutils.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 modutils.mod.role -rw-r--r--. 1 root root 141989 Feb 18 16:23 modutils.tmp -rw-r--r--. 1 root root 55874 Feb 18 16:23 mono.mod -rw-r--r--. 1 root root 12611 Feb 18 16:23 mono.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 mono.mod.role -rw-r--r--. 1 root root 43292 Feb 18 16:23 mono.tmp -rw-r--r--. 1 root root 50732 Feb 18 16:23 monop.mod -rw-r--r--. 1 root root 12732 Feb 18 16:23 monop.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 monop.mod.role -rw-r--r--. 1 root root 71416 Feb 18 16:23 monop.tmp -rw-r--r--. 1 root root 108240 Feb 18 16:23 mount.mod -rw-r--r--. 1 root root 12719 Feb 18 16:23 mount.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 mount.mod.role -rw-r--r--. 1 root root 162223 Feb 18 16:23 mount.tmp -rw-r--r--. 1 root root 94766 Feb 18 16:23 mozilla.mod -rw-r--r--. 1 root root 13843 Feb 18 16:23 mozilla.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 mozilla.mod.role -rw-r--r--. 1 root root 146417 Feb 18 16:23 mozilla.tmp -rw-r--r--. 1 root root 83812 Feb 18 16:23 mplayer.mod -rw-r--r--. 1 root root 12864 Feb 18 16:23 mplayer.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 mplayer.mod.role -rw-r--r--. 1 root root 139622 Feb 18 16:23 mplayer.tmp -rw-r--r--. 1 root root 80997 Feb 18 16:23 mrtg.mod -rw-r--r--. 1 root root 12951 Feb 18 16:23 mrtg.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 mrtg.mod.role -rw-r--r--. 1 root root 117701 Feb 18 16:23 mrtg.tmp -rw-r--r--. 1 root root 154774 Feb 18 16:23 mta.mod -rw-r--r--. 1 root root 13515 Feb 18 16:23 mta.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 mta.mod.role -rw-r--r--. 1 root root 235058 Feb 18 16:23 mta.tmp -rw-r--r--. 1 root root 60122 Feb 18 16:23 munin.mod -rw-r--r--. 1 root root 13066 Feb 18 16:23 munin.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 munin.mod.role -rw-r--r--. 1 root root 81590 Feb 18 16:23 munin.tmp -rw-r--r--. 1 root root 73885 Feb 18 16:23 mysql.mod -rw-r--r--. 1 root root 13132 Feb 18 16:23 mysql.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 mysql.mod.role -rw-r--r--. 1 root root 113056 Feb 18 16:23 mysql.tmp -rw-r--r--. 1 root root 124313 Feb 18 16:23 nagios.mod -rw-r--r--. 1 root root 13029 Feb 18 16:23 nagios.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 nagios.mod.role -rw-r--r--. 1 root root 163797 Feb 18 16:23 nagios.tmp -rw-r--r--. 1 root root 54929 Feb 18 16:23 nessus.mod -rw-r--r--. 1 root root 12861 Feb 18 16:23 nessus.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 nessus.mod.role -rw-r--r--. 1 root root 81389 Feb 18 16:23 nessus.tmp -rw-r--r--. 1 root root 27325 Feb 18 16:23 netlabel.mod -rw-r--r--. 1 root root 12624 Feb 18 16:23 netlabel.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 netlabel.mod.role -rw-r--r--. 1 root root 28187 Feb 18 16:23 netlabel.tmp -rw-r--r--. 1 root root 144415 Feb 18 16:23 netutils.mod -rw-r--r--. 1 root root 13116 Feb 18 16:23 netutils.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:23 netutils.mod.role -rw-r--r--. 1 root root 278916 Feb 18 16:23 netutils.tmp -rw-r--r--. 1 root root 101945 Feb 18 16:23 networkmanager.mod -rw-r--r--. 1 root root 13190 Feb 18 16:23 networkmanager.mod.fc -rw-r--r--. 1 root root 236 Feb 18 16:23 networkmanager.mod.role -rw-r--r--. 1 root root 144201 Feb 18 16:23 networkmanager.tmp -rw-r--r--. 1 root root 121704 Feb 18 16:23 nis.mod -rw-r--r--. 1 root root 12937 Feb 18 16:23 nis.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 nis.mod.role -rw-r--r--. 1 root root 185190 Feb 18 16:23 nis.tmp -rw-r--r--. 1 root root 72043 Feb 18 16:23 nscd.mod -rw-r--r--. 1 root root 12892 Feb 18 16:23 nscd.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 nscd.mod.role -rw-r--r--. 1 root root 110418 Feb 18 16:23 nscd.tmp -rw-r--r--. 1 root root 82086 Feb 18 16:23 nsd.mod -rw-r--r--. 1 root root 13128 Feb 18 16:23 nsd.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 nsd.mod.role -rw-r--r--. 1 root root 124682 Feb 18 16:23 nsd.tmp -rw-r--r--. 1 root root 53637 Feb 18 16:23 ntop.mod -rw-r--r--. 1 root root 12835 Feb 18 16:23 ntop.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:23 ntop.mod.role -rw-r--r--. 1 root root 64795 Feb 18 16:23 ntop.tmp -rw-r--r--. 1 root root 88632 Feb 18 16:23 ntp.mod -rw-r--r--. 1 root root 13404 Feb 18 16:23 ntp.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 ntp.mod.role -rw-r--r--. 1 root root 124955 Feb 18 16:23 ntp.tmp -rw-r--r--. 1 root root 79997 Feb 18 16:23 nx.mod -rw-r--r--. 1 root root 12816 Feb 18 16:23 nx.mod.fc -rw-r--r--. 1 root root 200 Feb 18 16:23 nx.mod.role -rw-r--r--. 1 root root 136934 Feb 18 16:23 nx.tmp -rw-r--r--. 1 root root 64610 Feb 18 16:23 oav.mod -rw-r--r--. 1 root root 13040 Feb 18 16:23 oav.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:23 oav.mod.role -rw-r--r--. 1 root root 87969 Feb 18 16:23 oav.tmp -rw-r--r--. 1 root root 70078 Feb 18 16:23 oddjob.mod -rw-r--r--. 1 root root 12750 Feb 18 16:23 oddjob.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 oddjob.mod.role -rw-r--r--. 1 root root 71445 Feb 18 16:23 oddjob.tmp -rw-r--r--. 1 root root 48221 Feb 18 16:23 oident.mod -rw-r--r--. 1 root root 12872 Feb 18 16:23 oident.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 oident.mod.role -rw-r--r--. 1 root root 70050 Feb 18 16:23 oident.tmp -rw-r--r--. 1 root root 297486 Feb 18 16:22 only_te_rules.conf -rw-r--r--. 1 root root 29801 Feb 18 16:23 openca.mod -rw-r--r--. 1 root root 13009 Feb 18 16:23 openca.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 openca.mod.role -rw-r--r--. 1 root root 33051 Feb 18 16:23 openca.tmp -rw-r--r--. 1 root root 41753 Feb 18 16:23 openct.mod -rw-r--r--. 1 root root 12762 Feb 18 16:23 openct.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 openct.mod.role -rw-r--r--. 1 root root 43694 Feb 18 16:23 openct.tmp -rw-r--r--. 1 root root 57533 Feb 18 16:23 openvpn.mod -rw-r--r--. 1 root root 12891 Feb 18 16:23 openvpn.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:23 openvpn.mod.role -rw-r--r--. 1 root root 83631 Feb 18 16:23 openvpn.tmp -rw-r--r--. 1 root root 65935 Feb 18 16:23 pcmcia.mod -rw-r--r--. 1 root root 12905 Feb 18 16:23 pcmcia.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:23 pcmcia.mod.role -rw-r--r--. 1 root root 82957 Feb 18 16:23 pcmcia.tmp -rw-r--r--. 1 root root 52202 Feb 18 16:23 pcscd.mod -rw-r--r--. 1 root root 12788 Feb 18 16:23 pcscd.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:23 pcscd.mod.role -rw-r--r--. 1 root root 61132 Feb 18 16:23 pcscd.tmp -rw-r--r--. 1 root root 103558 Feb 18 16:24 pegasus.mod -rw-r--r--. 1 root root 13031 Feb 18 16:24 pegasus.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 pegasus.mod.role -rw-r--r--. 1 root root 178033 Feb 18 16:24 pegasus.tmp -rw-r--r--. 1 root root 43500 Feb 18 16:24 perdition.mod -rw-r--r--. 1 root root 12679 Feb 18 16:24 perdition.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 perdition.mod.role -rw-r--r--. 1 root root 53045 Feb 18 16:24 perdition.tmp -rw-r--r--. 1 root root 30856 Feb 18 16:24 podsleuth.mod -rw-r--r--. 1 root root 12622 Feb 18 16:24 podsleuth.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 podsleuth.mod.role -rw-r--r--. 1 root root 33002 Feb 18 16:24 podsleuth.tmp -rw-r--r--. 1 root root 134476 Feb 18 16:24 portage.mod -rw-r--r--. 1 root root 13788 Feb 18 16:24 portage.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 portage.mod.role -rw-r--r--. 1 root root 228729 Feb 18 16:24 portage.tmp -rw-r--r--. 1 root root 77262 Feb 18 16:24 portmap.mod -rw-r--r--. 1 root root 12816 Feb 18 16:24 portmap.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 portmap.mod.role -rw-r--r--. 1 root root 132971 Feb 18 16:24 portmap.tmp -rw-r--r--. 1 root root 102964 Feb 18 16:24 portslave.mod -rw-r--r--. 1 root root 12740 Feb 18 16:24 portslave.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 portslave.mod.role -rw-r--r--. 1 root root 161989 Feb 18 16:24 portslave.tmp -rw-r--r--. 1 root root 28769 Feb 18 16:22 post_te_files.conf -rw-r--r--. 1 root root 699323 Feb 18 16:24 postfix.mod -rw-r--r--. 1 root root 14823 Feb 18 16:24 postfix.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 postfix.mod.role -rw-r--r--. 1 root root 1298407 Feb 18 16:24 postfix.tmp -rw-r--r--. 1 root root 40515 Feb 18 16:24 postfixpolicyd.mod -rw-r--r--. 1 root root 12847 Feb 18 16:24 postfixpolicyd.mod.fc -rw-r--r--. 1 root root 236 Feb 18 16:24 postfixpolicyd.mod.role -rw-r--r--. 1 root root 56950 Feb 18 16:24 postfixpolicyd.tmp -rw-r--r--. 1 root root 116403 Feb 18 16:24 postgresql.mod -rw-r--r--. 1 root root 13661 Feb 18 16:24 postgresql.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 postgresql.mod.role -rw-r--r--. 1 root root 174621 Feb 18 16:24 postgresql.tmp -rw-r--r--. 1 root root 57413 Feb 18 16:24 postgrey.mod -rw-r--r--. 1 root root 13007 Feb 18 16:24 postgrey.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 postgrey.mod.role -rw-r--r--. 1 root root 79135 Feb 18 16:24 postgrey.tmp -rw-r--r--. 1 root root 125595 Feb 18 16:24 ppp.mod -rw-r--r--. 1 root root 13639 Feb 18 16:24 ppp.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 ppp.mod.role -rw-r--r--. 1 root root 179605 Feb 18 16:24 ppp.tmp -rw-r--r--. 1 root root 17768 Feb 18 16:22 pre_te_files.conf -rw-r--r--. 1 root root 42438 Feb 18 16:24 prelink.mod -rw-r--r--. 1 root root 12802 Feb 18 16:24 prelink.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 prelink.mod.role -rw-r--r--. 1 root root 52339 Feb 18 16:24 prelink.tmp -rw-r--r--. 1 root root 142024 Feb 18 16:24 prelude.mod -rw-r--r--. 1 root root 13034 Feb 18 16:24 prelude.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 prelude.mod.role -rw-r--r--. 1 root root 230508 Feb 18 16:24 prelude.tmp -rw-r--r--. 1 root root 59336 Feb 18 16:24 privoxy.mod -rw-r--r--. 1 root root 12878 Feb 18 16:24 privoxy.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 privoxy.mod.role -rw-r--r--. 1 root root 91898 Feb 18 16:24 privoxy.tmp -rw-r--r--. 1 root root 82396 Feb 18 16:24 procmail.mod -rw-r--r--. 1 root root 12741 Feb 18 16:24 procmail.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 procmail.mod.role -rw-r--r--. 1 root root 128453 Feb 18 16:24 procmail.tmp -rw-r--r--. 1 root root 41501 Feb 18 16:24 publicfile.mod -rw-r--r--. 1 root root 12827 Feb 18 16:24 publicfile.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 publicfile.mod.role -rw-r--r--. 1 root root 36291 Feb 18 16:24 publicfile.tmp -rw-r--r--. 1 root root 41130 Feb 18 16:24 pxe.mod -rw-r--r--. 1 root root 12716 Feb 18 16:24 pxe.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 pxe.mod.role -rw-r--r--. 1 root root 43098 Feb 18 16:24 pxe.tmp -rw-r--r--. 1 root root 103256 Feb 18 16:24 pyzor.mod -rw-r--r--. 1 root root 12884 Feb 18 16:24 pyzor.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 pyzor.mod.role -rw-r--r--. 1 root root 172176 Feb 18 16:24 pyzor.tmp -rw-r--r--. 1 root root 80956 Feb 18 16:24 qemu.mod -rw-r--r--. 1 root root 12662 Feb 18 16:24 qemu.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 qemu.mod.role -rw-r--r--. 1 root root 87312 Feb 18 16:24 qemu.tmp -rw-r--r--. 1 root root 251075 Feb 18 16:24 qmail.mod -rw-r--r--. 1 root root 13675 Feb 18 16:24 qmail.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 qmail.mod.role -rw-r--r--. 1 root root 311441 Feb 18 16:24 qmail.tmp -rw-r--r--. 1 root root 42779 Feb 18 16:24 quota.mod -rw-r--r--. 1 root root 13099 Feb 18 16:24 quota.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 quota.mod.role -rw-r--r--. 1 root root 50753 Feb 18 16:24 quota.tmp -rw-r--r--. 1 root root 108500 Feb 18 16:24 radius.mod -rw-r--r--. 1 root root 13607 Feb 18 16:24 radius.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 radius.mod.role -rw-r--r--. 1 root root 186479 Feb 18 16:24 radius.tmp -rw-r--r--. 1 root root 52895 Feb 18 16:24 radvd.mod -rw-r--r--. 1 root root 12846 Feb 18 16:24 radvd.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 radvd.mod.role -rw-r--r--. 1 root root 74920 Feb 18 16:24 radvd.tmp -rw-r--r--. 1 root root 69534 Feb 18 16:24 raid.mod -rw-r--r--. 1 root root 12716 Feb 18 16:24 raid.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 raid.mod.role -rw-r--r--. 1 root root 67391 Feb 18 16:24 raid.tmp -rw-r--r--. 1 root root 95284 Feb 18 16:24 razor.mod -rw-r--r--. 1 root root 12836 Feb 18 16:24 razor.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 razor.mod.role -rw-r--r--. 1 root root 174533 Feb 18 16:24 razor.tmp -rw-r--r--. 1 root root 41724 Feb 18 16:24 rdisc.mod -rw-r--r--. 1 root root 12611 Feb 18 16:24 rdisc.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 rdisc.mod.role -rw-r--r--. 1 root root 47274 Feb 18 16:24 rdisc.tmp -rw-r--r--. 1 root root 53442 Feb 18 16:24 readahead.mod -rw-r--r--. 1 root root 12684 Feb 18 16:24 readahead.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 readahead.mod.role -rw-r--r--. 1 root root 63235 Feb 18 16:24 readahead.tmp -rw-r--r--. 1 root root 138555 Feb 18 16:24 remotelogin.mod -rw-r--r--. 1 root root 12612 Feb 18 16:24 remotelogin.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:24 remotelogin.mod.role -rw-r--r--. 1 root root 247044 Feb 18 16:24 remotelogin.tmp -rw-r--r--. 1 root root 42919 Feb 18 16:24 resmgr.mod -rw-r--r--. 1 root root 12795 Feb 18 16:24 resmgr.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 resmgr.mod.role -rw-r--r--. 1 root root 46890 Feb 18 16:24 resmgr.tmp -rw-r--r--. 1 root root 67719 Feb 18 16:24 rhgb.mod -rw-r--r--. 1 root root 12623 Feb 18 16:24 rhgb.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 rhgb.mod.role -rw-r--r--. 1 root root 99132 Feb 18 16:24 rhgb.tmp -rw-r--r--. 1 root root 265521 Feb 18 16:24 ricci.mod -rw-r--r--. 1 root root 13377 Feb 18 16:24 ricci.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 ricci.mod.role -rw-r--r--. 1 root root 339210 Feb 18 16:24 ricci.tmp -rw-r--r--. 1 root root 100393 Feb 18 16:24 rlogin.mod -rw-r--r--. 1 root root 12751 Feb 18 16:24 rlogin.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 rlogin.mod.role -rw-r--r--. 1 root root 179486 Feb 18 16:24 rlogin.tmp -rw-r--r--. 1 root root 1 Feb 18 16:22 rolemap.conf -rw-r--r--. 1 root root 5720 Feb 18 16:22 roles.xml -rw-r--r--. 1 root root 49856 Feb 18 16:24 roundup.mod -rw-r--r--. 1 root root 12781 Feb 18 16:24 roundup.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 roundup.mod.role -rw-r--r--. 1 root root 62968 Feb 18 16:24 roundup.tmp -rw-r--r--. 1 root root 209133 Feb 18 16:24 rpc.mod -rw-r--r--. 1 root root 13200 Feb 18 16:24 rpc.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 rpc.mod.role -rw-r--r--. 1 root root 375496 Feb 18 16:24 rpc.tmp -rw-r--r--. 1 root root 44352 Feb 18 16:24 rpcbind.mod -rw-r--r--. 1 root root 12935 Feb 18 16:24 rpcbind.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 rpcbind.mod.role -rw-r--r--. 1 root root 62923 Feb 18 16:24 rpcbind.tmp -rw-r--r--. 1 root root 195270 Feb 18 16:24 rpm.mod -rw-r--r--. 1 root root 13539 Feb 18 16:24 rpm.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 rpm.mod.role -rw-r--r--. 1 root root 295553 Feb 18 16:24 rpm.tmp -rw-r--r--. 1 root root 120116 Feb 18 16:24 rshd.mod -rw-r--r--. 1 root root 12729 Feb 18 16:24 rshd.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 rshd.mod.role -rw-r--r--. 1 root root 212054 Feb 18 16:24 rshd.tmp -rw-r--r--. 1 root root 44117 Feb 18 16:24 rssh.mod -rw-r--r--. 1 root root 12611 Feb 18 16:24 rssh.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 rssh.mod.role -rw-r--r--. 1 root root 61210 Feb 18 16:24 rssh.tmp -rw-r--r--. 1 root root 87484 Feb 18 16:24 rsync.mod -rw-r--r--. 1 root root 12739 Feb 18 16:24 rsync.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 rsync.mod.role -rw-r--r--. 1 root root 130269 Feb 18 16:24 rsync.tmp -rw-r--r--. 1 root root 40983 Feb 18 16:24 rwho.mod -rw-r--r--. 1 root root 12787 Feb 18 16:24 rwho.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 rwho.mod.role -rw-r--r--. 1 root root 56698 Feb 18 16:24 rwho.tmp -rw-r--r--. 1 root root 486536 Feb 18 16:24 samba.mod -rw-r--r--. 1 root root 14481 Feb 18 16:24 samba.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 samba.mod.role -rw-r--r--. 1 root root 939626 Feb 18 16:24 samba.tmp -rw-r--r--. 1 root root 104063 Feb 18 16:24 sasl.mod -rw-r--r--. 1 root root 12778 Feb 18 16:24 sasl.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 sasl.mod.role -rw-r--r--. 1 root root 185710 Feb 18 16:24 sasl.tmp -rw-r--r--. 1 root root 19321 Feb 18 16:24 screen.mod -rw-r--r--. 1 root root 12808 Feb 18 16:24 screen.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 screen.mod.role -rw-r--r--. 1 root root 23483 Feb 18 16:24 screen.tmp -rw-r--r--. 1 root root 746094 Feb 18 16:24 secadm.mod -rw-r--r--. 1 root root 12620 Feb 18 16:24 secadm.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 secadm.mod.role -rw-r--r--. 1 root root 1147777 Feb 18 16:24 secadm.tmp -rw-r--r--. 1 root root 302241 Feb 18 16:24 selinuxutil.mod -rw-r--r--. 1 root root 14323 Feb 18 16:24 selinuxutil.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:24 selinuxutil.mod.role -rw-r--r--. 1 root root 581292 Feb 18 16:24 selinuxutil.tmp -rw-r--r--. 1 root root 84107 Feb 18 16:24 sendmail.mod -rw-r--r--. 1 root root 12809 Feb 18 16:24 sendmail.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 sendmail.mod.role -rw-r--r--. 1 root root 122738 Feb 18 16:24 sendmail.tmp -rw-r--r--. 1 root root 200407 Feb 18 16:22 services.xml -rw-r--r--. 1 root root 41358 Feb 18 16:24 setrans.mod -rw-r--r--. 1 root root 12750 Feb 18 16:24 setrans.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 setrans.mod.role -rw-r--r--. 1 root root 49506 Feb 18 16:24 setrans.tmp -rw-r--r--. 1 root root 81352 Feb 18 16:24 setroubleshoot.mod -rw-r--r--. 1 root root 12859 Feb 18 16:24 setroubleshoot.mod.fc -rw-r--r--. 1 root root 236 Feb 18 16:24 setroubleshoot.mod.role -rw-r--r--. 1 root root 123527 Feb 18 16:24 setroubleshoot.tmp -rw-r--r--. 1 root root 47 Feb 18 16:22 seusers -rw-r--r--. 1 root root 57182 Feb 18 16:24 slocate.mod -rw-r--r--. 1 root root 12680 Feb 18 16:24 slocate.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 slocate.mod.role -rw-r--r--. 1 root root 84013 Feb 18 16:24 slocate.tmp -rw-r--r--. 1 root root 44559 Feb 18 16:24 slrnpull.mod -rw-r--r--. 1 root root 12704 Feb 18 16:24 slrnpull.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 slrnpull.mod.role -rw-r--r--. 1 root root 46927 Feb 18 16:24 slrnpull.tmp -rw-r--r--. 1 root root 56033 Feb 18 16:24 smartmon.mod -rw-r--r--. 1 root root 12774 Feb 18 16:24 smartmon.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 smartmon.mod.role -rw-r--r--. 1 root root 75073 Feb 18 16:24 smartmon.tmp -rw-r--r--. 1 root root 95481 Feb 18 16:24 snmp.mod -rw-r--r--. 1 root root 13236 Feb 18 16:24 snmp.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 snmp.mod.role -rw-r--r--. 1 root root 132139 Feb 18 16:24 snmp.tmp -rw-r--r--. 1 root root 48070 Feb 18 16:24 snort.mod -rw-r--r--. 1 root root 12895 Feb 18 16:24 snort.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 snort.mod.role -rw-r--r--. 1 root root 63149 Feb 18 16:24 snort.tmp -rw-r--r--. 1 root root 51542 Feb 18 16:24 soundserver.mod -rw-r--r--. 1 root root 13068 Feb 18 16:24 soundserver.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:24 soundserver.mod.role -rw-r--r--. 1 root root 64664 Feb 18 16:24 soundserver.tmp -rw-r--r--. 1 root root 158323 Feb 18 16:24 spamassassin.mod -rw-r--r--. 1 root root 13145 Feb 18 16:24 spamassassin.mod.fc -rw-r--r--. 1 root root 230 Feb 18 16:24 spamassassin.mod.role -rw-r--r--. 1 root root 273810 Feb 18 16:24 spamassassin.tmp -rw-r--r--. 1 root root 42051 Feb 18 16:24 speedtouch.mod -rw-r--r--. 1 root root 12623 Feb 18 16:24 speedtouch.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 speedtouch.mod.role -rw-r--r--. 1 root root 45639 Feb 18 16:24 speedtouch.tmp -rw-r--r--. 1 root root 167392 Feb 18 16:24 squid.mod -rw-r--r--. 1 root root 13162 Feb 18 16:24 squid.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 squid.mod.role -rw-r--r--. 1 root root 313205 Feb 18 16:24 squid.tmp -rw-r--r--. 1 root root 266734 Feb 18 16:24 ssh.mod -rw-r--r--. 1 root root 13192 Feb 18 16:24 ssh.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 ssh.mod.role -rw-r--r--. 1 root root 418451 Feb 18 16:24 ssh.tmp -rw-r--r--. 1 root root 707946 Feb 18 16:24 staff.mod -rw-r--r--. 1 root root 12620 Feb 18 16:24 staff.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 staff.mod.role -rw-r--r--. 1 root root 1085118 Feb 18 16:24 staff.tmp -rw-r--r--. 1 root root 18252 Feb 18 16:24 storage.mod -rw-r--r--. 1 root root 15916 Feb 18 16:24 storage.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 storage.mod.role -rw-r--r--. 1 root root 19487 Feb 18 16:24 storage.tmp -rw-r--r--. 1 root root 72742 Feb 18 16:24 stunnel.mod -rw-r--r--. 1 root root 12742 Feb 18 16:24 stunnel.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 stunnel.mod.role -rw-r--r--. 1 root root 113812 Feb 18 16:24 stunnel.tmp -rw-r--r--. 1 root root 17093 Feb 18 16:24 su.mod -rw-r--r--. 1 root root 12707 Feb 18 16:24 su.mod.fc -rw-r--r--. 1 root root 200 Feb 18 16:24 su.mod.role -rw-r--r--. 1 root root 17103 Feb 18 16:24 su.tmp -rw-r--r--. 1 root root 17125 Feb 18 16:24 sudo.mod -rw-r--r--. 1 root root 12619 Feb 18 16:24 sudo.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 sudo.mod.role -rw-r--r--. 1 root root 17479 Feb 18 16:24 sudo.tmp -rw-r--r--. 1 root root 46925 Feb 18 16:24 sxid.mod -rw-r--r--. 1 root root 12834 Feb 18 16:24 sxid.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 sxid.mod.role -rw-r--r--. 1 root root 59002 Feb 18 16:24 sxid.tmp -rw-r--r--. 1 root root 944361 Feb 18 16:24 sysadm.mod -rw-r--r--. 1 root root 12620 Feb 18 16:24 sysadm.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 sysadm.mod.role -rw-r--r--. 1 root root 1381603 Feb 18 16:24 sysadm.tmp -rw-r--r--. 1 root root 130830 Feb 18 16:24 sysnetwork.mod -rw-r--r--. 1 root root 14079 Feb 18 16:24 sysnetwork.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 sysnetwork.mod.role -rw-r--r--. 1 root root 176323 Feb 18 16:24 sysnetwork.tmp -rw-r--r--. 1 root root 41790 Feb 18 16:24 sysstat.mod -rw-r--r--. 1 root root 12915 Feb 18 16:24 sysstat.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 sysstat.mod.role -rw-r--r--. 1 root root 46358 Feb 18 16:24 sysstat.tmp -rw-r--r--. 1 root root 140978 Feb 18 16:22 system.xml -rw-r--r--. 1 root root 40137 Feb 18 16:24 tcpd.mod -rw-r--r--. 1 root root 12614 Feb 18 16:24 tcpd.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 tcpd.mod.role -rw-r--r--. 1 root root 57481 Feb 18 16:24 tcpd.tmp -rw-r--r--. 1 root root 73933 Feb 18 16:24 telnet.mod -rw-r--r--. 1 root root 12689 Feb 18 16:24 telnet.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 telnet.mod.role -rw-r--r--. 1 root root 119868 Feb 18 16:24 telnet.tmp -rw-r--r--. 1 root root 77514 Feb 18 16:24 tftp.mod -rw-r--r--. 1 root root 12810 Feb 18 16:24 tftp.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 tftp.mod.role -rw-r--r--. 1 root root 108226 Feb 18 16:24 tftp.tmp -rw-r--r--. 1 root root 100738 Feb 18 16:24 thunderbird.mod -rw-r--r--. 1 root root 12709 Feb 18 16:24 thunderbird.mod.fc -rw-r--r--. 1 root root 227 Feb 18 16:24 thunderbird.mod.role -rw-r--r--. 1 root root 174027 Feb 18 16:24 thunderbird.tmp -rw-r--r--. 1 root root 51261 Feb 18 16:24 timidity.mod -rw-r--r--. 1 root root 12620 Feb 18 16:24 timidity.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 timidity.mod.role -rw-r--r--. 1 root root 59342 Feb 18 16:24 timidity.tmp -rw-r--r--. 1 root root 35058 Feb 18 16:24 tmpreaper.mod -rw-r--r--. 1 root root 12681 Feb 18 16:24 tmpreaper.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 tmpreaper.mod.role -rw-r--r--. 1 root root 37993 Feb 18 16:24 tmpreaper.tmp -rw-r--r--. 1 root root 64182 Feb 18 16:24 tor.mod -rw-r--r--. 1 root root 12922 Feb 18 16:24 tor.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 tor.mod.role -rw-r--r--. 1 root root 96881 Feb 18 16:24 tor.tmp -rw-r--r--. 1 root root 42481 Feb 18 16:24 transproxy.mod -rw-r--r--. 1 root root 12684 Feb 18 16:24 transproxy.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 transproxy.mod.role -rw-r--r--. 1 root root 49026 Feb 18 16:24 transproxy.tmp -rw-r--r--. 1 root root 76795 Feb 18 16:24 tripwire.mod -rw-r--r--. 1 root root 12973 Feb 18 16:24 tripwire.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 tripwire.mod.role -rw-r--r--. 1 root root 95150 Feb 18 16:24 tripwire.tmp -rw-r--r--. 1 root root 49828 Feb 18 16:24 tvtime.mod -rw-r--r--. 1 root root 12628 Feb 18 16:24 tvtime.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 tvtime.mod.role -rw-r--r--. 1 root root 67326 Feb 18 16:24 tvtime.tmp -rw-r--r--. 1 root root 42955 Feb 18 16:24 tzdata.mod -rw-r--r--. 1 root root 12623 Feb 18 16:24 tzdata.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 tzdata.mod.role -rw-r--r--. 1 root root 43969 Feb 18 16:24 tzdata.tmp -rw-r--r--. 1 root root 55507 Feb 18 16:24 ucspitcp.mod -rw-r--r--. 1 root root 12676 Feb 18 16:24 ucspitcp.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 ucspitcp.mod.role -rw-r--r--. 1 root root 72964 Feb 18 16:24 ucspitcp.tmp -rw-r--r--. 1 root root 119184 Feb 18 16:24 udev.mod -rw-r--r--. 1 root root 13287 Feb 18 16:24 udev.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 udev.mod.role -rw-r--r--. 1 root root 161990 Feb 18 16:24 udev.tmp -rw-r--r--. 1 root root 71806 Feb 18 16:24 uml.mod -rw-r--r--. 1 root root 12780 Feb 18 16:24 uml.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 uml.mod.role -rw-r--r--. 1 root root 105266 Feb 18 16:24 uml.tmp -rw-r--r--. 1 root root 229165 Feb 18 16:24 unconfined.mod -rw-r--r--. 1 root root 13259 Feb 18 16:24 unconfined.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 unconfined.mod.role -rw-r--r--. 1 root root 225803 Feb 18 16:24 unconfined.tmp -rw-r--r--. 1 root root 702624 Feb 18 16:24 unprivuser.mod -rw-r--r--. 1 root root 12620 Feb 18 16:24 unprivuser.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 unprivuser.mod.role -rw-r--r--. 1 root root 1075113 Feb 18 16:24 unprivuser.tmp -rw-r--r--. 1 root root 62081 Feb 18 16:24 updfstab.mod -rw-r--r--. 1 root root 12679 Feb 18 16:24 updfstab.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 updfstab.mod.role -rw-r--r--. 1 root root 71657 Feb 18 16:24 updfstab.tmp -rw-r--r--. 1 root root 45055 Feb 18 16:24 uptime.mod -rw-r--r--. 1 root root 12741 Feb 18 16:24 uptime.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 uptime.mod.role -rw-r--r--. 1 root root 45765 Feb 18 16:24 uptime.tmp -rw-r--r--. 1 root root 35645 Feb 18 16:24 usbmodules.mod -rw-r--r--. 1 root root 12705 Feb 18 16:24 usbmodules.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 usbmodules.mod.role -rw-r--r--. 1 root root 38208 Feb 18 16:24 usbmodules.tmp -rw-r--r--. 1 root root 23011 Feb 18 16:24 userdomain.mod -rw-r--r--. 1 root root 12703 Feb 18 16:24 userdomain.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 userdomain.mod.role -rw-r--r--. 1 root root 34868 Feb 18 16:24 userdomain.tmp -rw-r--r--. 1 root root 17303 Feb 18 16:24 userhelper.mod -rw-r--r--. 1 root root 12719 Feb 18 16:24 userhelper.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 userhelper.mod.role -rw-r--r--. 1 root root 18094 Feb 18 16:24 userhelper.tmp -rw-r--r--. 1 root root 281506 Feb 18 16:24 usermanage.mod -rw-r--r--. 1 root root 13961 Feb 18 16:24 usermanage.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 usermanage.mod.role -rw-r--r--. 1 root root 523890 Feb 18 16:24 usermanage.tmp -rw-r--r--. 1 root root 65765 Feb 18 16:24 usernetctl.mod -rw-r--r--. 1 root root 12625 Feb 18 16:24 usernetctl.mod.fc -rw-r--r--. 1 root root 224 Feb 18 16:24 usernetctl.mod.role -rw-r--r--. 1 root root 108071 Feb 18 16:24 usernetctl.tmp -rw-r--r--. 1 root root 143 Feb 18 16:22 users_extra -rw-r--r--. 1 root root 87215 Feb 18 16:24 uucp.mod -rw-r--r--. 1 root root 12832 Feb 18 16:24 uucp.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 uucp.mod.role -rw-r--r--. 1 root root 133077 Feb 18 16:24 uucp.tmp -rw-r--r--. 1 root root 84723 Feb 18 16:24 uwimap.mod -rw-r--r--. 1 root root 12617 Feb 18 16:24 uwimap.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 uwimap.mod.role -rw-r--r--. 1 root root 126789 Feb 18 16:24 uwimap.tmp -rw-r--r--. 1 root root 32544 Feb 18 16:24 vbetool.mod -rw-r--r--. 1 root root 12618 Feb 18 16:24 vbetool.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 vbetool.mod.role -rw-r--r--. 1 root root 34957 Feb 18 16:24 vbetool.tmp -rw-r--r--. 1 root root 117834 Feb 18 16:24 virt.mod -rw-r--r--. 1 root root 13120 Feb 18 16:24 virt.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 virt.mod.role -rw-r--r--. 1 root root 149003 Feb 18 16:24 virt.tmp -rw-r--r--. 1 root root 93427 Feb 18 16:24 vmware.mod -rw-r--r--. 1 root root 14620 Feb 18 16:24 vmware.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 vmware.mod.role -rw-r--r--. 1 root root 151182 Feb 18 16:24 vmware.tmp -rw-r--r--. 1 root root 71043 Feb 18 16:24 vpn.mod -rw-r--r--. 1 root root 12791 Feb 18 16:24 vpn.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 vpn.mod.role -rw-r--r--. 1 root root 113282 Feb 18 16:24 vpn.tmp -rw-r--r--. 1 root root 76536 Feb 18 16:24 w3c.mod -rw-r--r--. 1 root root 12828 Feb 18 16:24 w3c.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 w3c.mod.role -rw-r--r--. 1 root root 132969 Feb 18 16:24 w3c.tmp -rw-r--r--. 1 root root 56985 Feb 18 16:24 watchdog.mod -rw-r--r--. 1 root root 12743 Feb 18 16:24 watchdog.mod.fc -rw-r--r--. 1 root root 218 Feb 18 16:24 watchdog.mod.role -rw-r--r--. 1 root root 82062 Feb 18 16:24 watchdog.tmp -rw-r--r--. 1 root root 55250 Feb 18 16:24 webalizer.mod -rw-r--r--. 1 root root 12708 Feb 18 16:24 webalizer.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 webalizer.mod.role -rw-r--r--. 1 root root 85220 Feb 18 16:24 webalizer.tmp -rw-r--r--. 1 root root 48100 Feb 18 16:24 wine.mod -rw-r--r--. 1 root root 12730 Feb 18 16:24 wine.mod.fc -rw-r--r--. 1 root root 206 Feb 18 16:24 wine.mod.role -rw-r--r--. 1 root root 39493 Feb 18 16:24 wine.tmp -rw-r--r--. 1 root root 52302 Feb 18 16:24 wireshark.mod -rw-r--r--. 1 root root 12687 Feb 18 16:24 wireshark.mod.fc -rw-r--r--. 1 root root 221 Feb 18 16:24 wireshark.mod.role -rw-r--r--. 1 root root 68804 Feb 18 16:24 wireshark.tmp -rw-r--r--. 1 root root 137458 Feb 18 16:24 xen.mod -rw-r--r--. 1 root root 13687 Feb 18 16:24 xen.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 xen.mod.role -rw-r--r--. 1 root root 198872 Feb 18 16:24 xen.tmp -rw-r--r--. 1 root root 66904 Feb 18 16:24 xfs.mod -rw-r--r--. 1 root root 12819 Feb 18 16:24 xfs.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 xfs.mod.role -rw-r--r--. 1 root root 96769 Feb 18 16:24 xfs.tmp -rw-r--r--. 1 root root 55411 Feb 18 16:24 xprint.mod -rw-r--r--. 1 root root 12613 Feb 18 16:24 xprint.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 xprint.mod.role -rw-r--r--. 1 root root 74382 Feb 18 16:24 xprint.tmp -rw-r--r--. 1 root root 388884 Feb 18 16:24 xserver.mod -rw-r--r--. 1 root root 15678 Feb 18 16:24 xserver.mod.fc -rw-r--r--. 1 root root 215 Feb 18 16:24 xserver.mod.role -rw-r--r--. 1 root root 558332 Feb 18 16:24 xserver.tmp -rw-r--r--. 1 root root 59392 Feb 18 16:24 yam.mod -rw-r--r--. 1 root root 12760 Feb 18 16:24 yam.mod.fc -rw-r--r--. 1 root root 203 Feb 18 16:24 yam.mod.role -rw-r--r--. 1 root root 87605 Feb 18 16:24 yam.tmp -rw-r--r--. 1 root root 39473 Feb 18 16:24 zabbix.mod -rw-r--r--. 1 root root 12805 Feb 18 16:24 zabbix.mod.fc -rw-r--r--. 1 root root 212 Feb 18 16:24 zabbix.mod.role -rw-r--r--. 1 root root 40385 Feb 18 16:24 zabbix.tmp -rw-r--r--. 1 root root 62584 Feb 18 16:24 zebra.mod -rw-r--r--. 1 root root 13539 Feb 18 16:24 zebra.mod.fc -rw-r--r--. 1 root root 209 Feb 18 16:24 zebra.mod.role -rw-r--r--. 1 root root 91783 Feb 18 16:24 zebra.tmp /etc/selinux/refpolicy-standard/users: total 8 -rw-r--r--. 1 root root 722 Oct 19 17:09 local.users -rw-r--r--. 1 root root 355 Oct 19 17:09 system.users ======================================================================= strace load_policy: ======================================================================= execve("/usr/sbin/load_policy", ["load_policy"], [/* 53 vars */]) = 0 brk(0) = 0xb77bc000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7797000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=75566, ...}) = 0 mmap2(NULL, 75566, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7784000 close(3) = 0 open("/lib/libsepol.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P6\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=239596, ...}) = 0 mmap2(NULL, 243712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7748000 fadvise64(3, 0, 243712, POSIX_FADV_WILLNEED) = 0 mmap2(0xb7782000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x39) = 0xb7782000 close(3) = 0 open("/lib/libselinux.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000J\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=116764, ...}) = 0 mmap2(NULL, 121836, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb772a000 fadvise64(3, 0, 121836, POSIX_FADV_WILLNEED) = 0 mmap2(0xb7746000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b) = 0xb7746000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 l\1\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1430104, ...}) = 0 mmap2(NULL, 1440072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb75ca000 fadvise64(3, 0, 1440072, POSIX_FADV_WILLNEED) = 0 mprotect(0xb7723000, 4096, PROT_NONE) = 0 mmap2(0xb7724000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x159) = 0xb7724000 mmap2(0xb7727000, 10568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7727000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\n\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=14016, ...}) = 0 mmap2(NULL, 16504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb75c5000 fadvise64(3, 0, 16504, POSIX_FADV_WILLNEED) = 0 mmap2(0xb75c8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb75c8000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75c4000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75c3000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb75c3720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xb75c8000, 4096, PROT_READ) = 0 mprotect(0xb7724000, 8192, PROT_READ) = 0 mprotect(0xb7746000, 4096, PROT_READ) = 0 mprotect(0xb7782000, 4096, PROT_READ) = 0 mprotect(0xb77ba000, 4096, PROT_READ) = 0 mprotect(0xb77b6000, 4096, PROT_READ) = 0 munmap(0xb7784000, 75566) = 0 brk(0) = 0xb77bc000 brk(0xb77dd000) = 0xb77dd000 open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0600, st_size=50, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7796000 read(3, "SELINUX=permissive\nSELINUXTYPE=r"..., 4096) = 50 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7796000, 4096) = 0 statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "0", 19) = 1 close(3) = 0 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) open("/usr/share/locale/locale.alias", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7796000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2512 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7796000, 4096) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=256316, ...}) = 0 mmap2(NULL, 256316, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7584000 close(3) = 0 open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=26048, ...}) = 0 mmap2(NULL, 26048, PROT_READ, MAP_SHARED, 3, 0) = 0xb7790000 close(3) = 0 open("/selinux/policyvers", O_RDONLY|O_LARGEFILE) = 3 read(3, "24", 19) = 2 close(3) = 0 access("/etc/selinux/refpolicy-standard/booleans", F_OK) = 0 uname({sys="Linux", node="linux-f8dr", ...}) = 0 open("/etc/selinux/refpolicy-standard/policy/policy.24", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=3687284, ...}) = 0 mmap2(NULL, 3687284, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0xb71ff000 brk(0xb77fe000) = 0xb77fe000 brk(0xb781f000) = 0xb781f000 brk(0xb7840000) = 0xb7840000 brk(0xb7861000) = 0xb7861000 brk(0xb7882000) = 0xb7882000 brk(0xb78a3000) = 0xb78a3000 brk(0xb78c4000) = 0xb78c4000 brk(0xb78e5000) = 0xb78e5000 brk(0xb7906000) = 0xb7906000 brk(0xb7927000) = 0xb7927000 brk(0xb7948000) = 0xb7948000 brk(0xb7969000) = 0xb7969000 brk(0xb798a000) = 0xb798a000 brk(0xb79ab000) = 0xb79ab000 brk(0xb79cc000) = 0xb79cc000 brk(0xb79ed000) = 0xb79ed000 brk(0xb7a0e000) = 0xb7a0e000 brk(0xb7a2f000) = 0xb7a2f000 brk(0xb7a50000) = 0xb7a50000 brk(0xb7a71000) = 0xb7a71000 brk(0xb7a92000) = 0xb7a92000 brk(0xb7ab3000) = 0xb7ab3000 brk(0xb7ad4000) = 0xb7ad4000 brk(0xb7af5000) = 0xb7af5000 brk(0xb7b16000) = 0xb7b16000 brk(0xb7b37000) = 0xb7b37000 brk(0xb7b58000) = 0xb7b58000 brk(0xb7b79000) = 0xb7b79000 brk(0xb7b9a000) = 0xb7b9a000 brk(0xb7bbb000) = 0xb7bbb000 brk(0xb7bdc000) = 0xb7bdc000 brk(0xb7bfd000) = 0xb7bfd000 brk(0xb7c1e000) = 0xb7c1e000 brk(0xb7c3f000) = 0xb7c3f000 brk(0xb7c60000) = 0xb7c60000 brk(0xb7c81000) = 0xb7c81000 brk(0xb7ca2000) = 0xb7ca2000 brk(0xb7cc3000) = 0xb7cc3000 brk(0xb7ce4000) = 0xb7ce4000 brk(0xb7d05000) = 0xb7d05000 brk(0xb7d26000) = 0xb7d26000 brk(0xb7d47000) = 0xb7d47000 brk(0xb7d68000) = 0xb7d68000 brk(0xb7d89000) = 0xb7d89000 brk(0xb7daa000) = 0xb7daa000 brk(0xb7dcb000) = 0xb7dcb000 brk(0xb7dec000) = 0xb7dec000 brk(0xb7e0d000) = 0xb7e0d000 brk(0xb7e2e000) = 0xb7e2e000 brk(0xb7e4f000) = 0xb7e4f000 brk(0xb7e70000) = 0xb7e70000 brk(0xb7e91000) = 0xb7e91000 brk(0xb7eb2000) = 0xb7eb2000 brk(0xb7ed3000) = 0xb7ed3000 brk(0xb7ef4000) = 0xb7ef4000 brk(0xb7f15000) = 0xb7f15000 brk(0xb7f36000) = 0xb7f36000 brk(0xb7f57000) = 0xb7f57000 brk(0xb7f78000) = 0xb7f78000 brk(0xb7f99000) = 0xb7f99000 brk(0xb7fba000) = 0xb7fba000 brk(0xb7fdb000) = 0xb7fdb000 brk(0xb7ffc000) = 0xb7ffc000 brk(0xb801d000) = 0xb801d000 brk(0xb803e000) = 0xb803e000 brk(0xb805f000) = 0xb805f000 brk(0xb8080000) = 0xb8080000 brk(0xb80a1000) = 0xb80a1000 brk(0xb80c2000) = 0xb80c2000 brk(0xb80e3000) = 0xb80e3000 brk(0xb8104000) = 0xb8104000 brk(0xb8125000) = 0xb8125000 brk(0xb8146000) = 0xb8146000 brk(0xb8167000) = 0xb8167000 brk(0xb8188000) = 0xb8188000 brk(0xb81a9000) = 0xb81a9000 brk(0xb81ca000) = 0xb81ca000 brk(0xb81eb000) = 0xb81eb000 brk(0xb820c000) = 0xb820c000 brk(0xb822d000) = 0xb822d000 brk(0xb824e000) = 0xb824e000 brk(0xb826f000) = 0xb826f000 brk(0xb8290000) = 0xb8290000 brk(0xb82b1000) = 0xb82b1000 brk(0xb82d2000) = 0xb82d2000 brk(0xb82f3000) = 0xb82f3000 brk(0xb8314000) = 0xb8314000 open("/etc/selinux/refpolicy-standard/users//local.users", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=722, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb778f000 read(4, "################################"..., 4096) = 722 read(4, "", 4096) = 0 close(4) = 0 munmap(0xb778f000, 4096) = 0 mmap2(NULL, 3690496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6e7a000 brk(0xb8335000) = 0xb8335000 brk(0xb8356000) = 0xb8356000 brk(0xb8377000) = 0xb8377000 brk(0xb8398000) = 0xb8398000 brk(0xb83b9000) = 0xb83b9000 brk(0xb83da000) = 0xb83da000 brk(0xb83fb000) = 0xb83fb000 brk(0xb841c000) = 0xb841c000 brk(0xb843d000) = 0xb843d000 brk(0xb845e000) = 0xb845e000 brk(0xb847f000) = 0xb847f000 brk(0xb84a0000) = 0xb84a0000 brk(0xb84c1000) = 0xb84c1000 brk(0xb84e2000) = 0xb84e2000 brk(0xb8503000) = 0xb8503000 brk(0xb8524000) = 0xb8524000 brk(0xb8545000) = 0xb8545000 brk(0xb8566000) = 0xb8566000 brk(0xb8587000) = 0xb8587000 brk(0xb85a8000) = 0xb85a8000 brk(0xb85c9000) = 0xb85c9000 brk(0xb85ea000) = 0xb85ea000 brk(0xb860b000) = 0xb860b000 brk(0xb862c000) = 0xb862c000 brk(0xb864d000) = 0xb864d000 brk(0xb866e000) = 0xb866e000 brk(0xb868f000) = 0xb868f000 brk(0xb86b0000) = 0xb86b0000 brk(0xb86d1000) = 0xb86d1000 brk(0xb86f2000) = 0xb86f2000 brk(0xb8713000) = 0xb8713000 brk(0xb8734000) = 0xb8734000 brk(0xb8755000) = 0xb8755000 brk(0xb8776000) = 0xb8776000 brk(0xb8797000) = 0xb8797000 brk(0xb87b8000) = 0xb87b8000 brk(0xb87d9000) = 0xb87d9000 brk(0xb87fa000) = 0xb87fa000 brk(0xb881b000) = 0xb881b000 brk(0xb883c000) = 0xb883c000 brk(0xb885d000) = 0xb885d000 brk(0xb887e000) = 0xb887e000 brk(0xb889f000) = 0xb889f000 brk(0xb88c0000) = 0xb88c0000 brk(0xb88e1000) = 0xb88e1000 brk(0xb8902000) = 0xb8902000 brk(0xb8923000) = 0xb8923000 brk(0xb8944000) = 0xb8944000 brk(0xb8965000) = 0xb8965000 brk(0xb8986000) = 0xb8986000 brk(0xb89a7000) = 0xb89a7000 brk(0xb89c8000) = 0xb89c8000 brk(0xb89e9000) = 0xb89e9000 brk(0xb8a0a000) = 0xb8a0a000 brk(0xb8a2b000) = 0xb8a2b000 brk(0xb8a4c000) = 0xb8a4c000 brk(0xb8a6d000) = 0xb8a6d000 brk(0xb8a8e000) = 0xb8a8e000 brk(0xb8aaf000) = 0xb8aaf000 brk(0xb8ad0000) = 0xb8ad0000 brk(0xb8af1000) = 0xb8af1000 brk(0xb8b12000) = 0xb8b12000 brk(0xb8b33000) = 0xb8b33000 brk(0xb8b54000) = 0xb8b54000 brk(0xb8b75000) = 0xb8b75000 brk(0xb8b96000) = 0xb8b96000 brk(0xb8bb7000) = 0xb8bb7000 brk(0xb8bd8000) = 0xb8bd8000 brk(0xb8bf9000) = 0xb8bf9000 brk(0xb8c1a000) = 0xb8c1a000 brk(0xb8c3b000) = 0xb8c3b000 brk(0xb8c5c000) = 0xb8c5c000 brk(0xb8c7d000) = 0xb8c7d000 brk(0xb8c9e000) = 0xb8c9e000 brk(0xb8cbf000) = 0xb8cbf000 brk(0xb8ce0000) = 0xb8ce0000 brk(0xb8d01000) = 0xb8d01000 brk(0xb8d22000) = 0xb8d22000 brk(0xb8d43000) = 0xb8d43000 brk(0xb8d64000) = 0xb8d64000 brk(0xb8d85000) = 0xb8d85000 brk(0xb8da6000) = 0xb8da6000 brk(0xb8dc7000) = 0xb8dc7000 brk(0xb8de8000) = 0xb8de8000 brk(0xb8e09000) = 0xb8e09000 brk(0xb8e2a000) = 0xb8e2a000 brk(0xb8e4b000) = 0xb8e4b000 brk(0xb8e6c000) = 0xb8e6c000 open("/etc/selinux/refpolicy-standard/booleans", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2029, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6e79000 read(4, "allow_cvs_read_shadow = 0\nallow_"..., 4096) = 2029 read(4, "", 4096) = 0 close(4) = 0 munmap(0xb6e79000, 4096) = 0 open("/etc/selinux/refpolicy-standard/booleans.local", O_RDONLY) = -1 ENOENT (No such file or directory) brk(0xb832b000) = 0xb832b000 open("/selinux/load", O_RDWR|O_LARGEFILE) = 4 write(4, "\214\377|\371\10\0\0\0SE Linux\30\0\0\0\0\0\0\0\10\0\0\0\7\0\0\0"..., 3687284) = 3687284 close(4) = 0 munmap(0xb6e7a000, 3690496) = 0 munmap(0xb71ff000, 3687284) = 0 close(3) = 0 exit_group(0) = ? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 15:29 ` Alan Rouse @ 2010-02-19 17:46 ` Stephen Smalley 2010-02-19 20:23 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 17:46 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Fri, 2010-02-19 at 10:29 -0500, Alan Rouse wrote: > > ls -lR /etc/selinux/$SELINUXTYPE > > strace load_policy > > ======================================================================= > . /etc/selinux/config > ls -lR /etc/selinux/$SELINUXTYPE > ======================================================================= > /etc/selinux/refpolicy-standard: > total 28 > -rw-r--r--. 1 root root 2029 Oct 19 17:09 booleans What does this file contain? It shouldn't exist at all with modular/managed policy; it was the legacy way of providing distribution-shipped custom boolean definitions with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it. > /etc/selinux/refpolicy-standard/modules/active: > total 3936 > -rw-r--r--. 1 root root 20377 Feb 18 16:36 base.pp > -rw-------. 1 root root 32 Feb 18 16:36 commit_num > -rw-------. 1 root root 139886 Feb 18 16:36 file_contexts > -rw-r--r--. 1 root root 2663 Feb 18 16:36 file_contexts.homedirs > -rw-------. 1 root root 142369 Feb 18 16:36 file_contexts.template > -rw-------. 1 root root 2483 Feb 18 16:36 homedir_template > drwx------. 2 root root 12288 Feb 18 16:36 modules > -rw-------. 1 root root 0 Feb 18 16:36 netfilter_contexts > -rw-r--r--. 1 root root 3687284 Feb 18 16:36 policy.kern > -rw-------. 1 root root 47 Feb 18 16:36 seusers.final > -rw-------. 1 root root 143 Feb 18 16:36 users_extra Instead you should have a booleans.local file in this subdirectory if you have run setsebool -P on any boolean. Try running setsebool -P init_upstart=1 again for me and check whether a booleans.local file was created under modules/active, please? If not, strace the setsebool command for me. That might be large, so make it an attachment. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 17:46 ` Stephen Smalley @ 2010-02-19 20:23 ` Alan Rouse 2010-02-19 21:06 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-19 20:23 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' Stephen wrote: > What does this file contain? It shouldn't exist at all with modular/managed policy; > it was the legacy way of providing distribution-shipped custom boolean definitions > with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it. Excellent!!! I put SETLOCALDEFS=0 in /etc/selinux/config and now I'm able to boot into the desktop with selinux enabled, in permissive mode. (BTW, setsebool does create / update the /etc/selinux/refpolicy-standard/modules/active/booleans.local file.) Outstanding issues: 1) Several pages of AVC messages: getty_t, sysadm_dbsud_t, system_dbusd_t, various others. 2) Error messages during the "fixfiles relabel" (running as root, in permissive mode): linux-f8dr:/etc/selinux # fixfiles relabel Files in the /tmp directory may be labeled incorrectly, this command can remove all files in /tmp. If you choose to remove files from /tmp, a reboot will be required after completion. Do you wish to clean out the /tmp directory [N]? n /sbin/setfiles: unable to stat file /home/alan/.gvfs: Permission denied /sbin/setfiles: error while labeling /home: Permission denied find: unknown predicate `-context' find: unknown predicate `-context' -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Friday, February 19, 2010 12:46 PM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Fri, 2010-02-19 at 10:29 -0500, Alan Rouse wrote: > > ls -lR /etc/selinux/$SELINUXTYPE > > strace load_policy > > ====================================================================== > = > . /etc/selinux/config > ls -lR /etc/selinux/$SELINUXTYPE > ====================================================================== > = > /etc/selinux/refpolicy-standard: > total 28 > -rw-r--r--. 1 root root 2029 Oct 19 17:09 booleans What does this file contain? It shouldn't exist at all with modular/managed policy; it was the legacy way of providing distribution-shipped custom boolean definitions with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it. > /etc/selinux/refpolicy-standard/modules/active: > total 3936 > -rw-r--r--. 1 root root 20377 Feb 18 16:36 base.pp > -rw-------. 1 root root 32 Feb 18 16:36 commit_num > -rw-------. 1 root root 139886 Feb 18 16:36 file_contexts > -rw-r--r--. 1 root root 2663 Feb 18 16:36 file_contexts.homedirs > -rw-------. 1 root root 142369 Feb 18 16:36 file_contexts.template > -rw-------. 1 root root 2483 Feb 18 16:36 homedir_template > drwx------. 2 root root 12288 Feb 18 16:36 modules > -rw-------. 1 root root 0 Feb 18 16:36 netfilter_contexts > -rw-r--r--. 1 root root 3687284 Feb 18 16:36 policy.kern > -rw-------. 1 root root 47 Feb 18 16:36 seusers.final > -rw-------. 1 root root 143 Feb 18 16:36 users_extra Instead you should have a booleans.local file in this subdirectory if you have run setsebool -P on any boolean. Try running setsebool -P init_upstart=1 again for me and check whether a booleans.local file was created under modules/active, please? If not, strace the setsebool command for me. That might be large, so make it an attachment. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 20:23 ` Alan Rouse @ 2010-02-19 21:06 ` Stephen Smalley 2010-02-19 21:10 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 21:06 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Fri, 2010-02-19 at 15:23 -0500, Alan Rouse wrote: > Stephen wrote: > > What does this file contain? It shouldn't exist at all with modular/managed policy; > > it was the legacy way of providing distribution-shipped custom boolean definitions > > with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it. > > Excellent!!! I put SETLOCALDEFS=0 in /etc/selinux/config and now I'm able to boot into the desktop with selinux enabled, in permissive mode. (BTW, setsebool does create / update the /etc/selinux/refpolicy-standard/modules/active/booleans.local file.) > > Outstanding issues: > 1) Several pages of AVC messages: getty_t, sysadm_dbsud_t, system_dbusd_t, various others. > > 2) Error messages during the "fixfiles relabel" (running as root, in permissive mode): > > linux-f8dr:/etc/selinux # fixfiles relabel > > Files in the /tmp directory may be labeled incorrectly, this command > can remove all files in /tmp. If you choose to remove files from /tmp, > a reboot will be required after completion. > > Do you wish to clean out the /tmp directory [N]? n > /sbin/setfiles: unable to stat file /home/alan/.gvfs: Permission denied > /sbin/setfiles: error while labeling /home: Permission denied > find: unknown predicate `-context' > find: unknown predicate `-context' I'd run fixfiles from single-user mode and then reboot. You should file bugs against policycoreutils (to update to the latest) and against findutils (to include the selinux patch). The first problem (inability for even root to traverse a FUSE mount that is owned by another user) was worked around by a change to setfiles in policycoreutils 2.0.71 to skip inaccessible mounts. The second problem (lack of support for the -context predicate in find) indicates that your findutils package was not built with SELinux support. It appears that this support is still a separate patch in the Fedora package rather than being part of upstream findutils, so they would need to grab it from the Fedora .src.rpm or source repository. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:06 ` Stephen Smalley @ 2010-02-19 21:10 ` Alan Rouse 0 siblings, 0 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-19 21:10 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' Stephen wrote: > I'd run fixfiles from single-user mode and then reboot. > > You should file bugs against policycoreutils (to update to the latest) > and against findutils (to include the selinux patch). The first problem > (inability for even root to traverse a FUSE mount that is owned by another > user) was worked around by a change to setfiles in policycoreutils 2.0.71 > to skip inaccessible mounts. The second problem (lack of support for the > -context predicate in find) indicates that your findutils package was not > built with SELinux support. It appears that this support is still a separate > patch in the Fedora package rather than being part of upstream findutils, > so they would need to grab it from the Fedora .src.rpm or source repository. Will do. Thanks so much for your assistance!!! -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
[parent not found: <5A5E55DF96F73844AF7DFB0F48721F0F529A780365@EUSAACMS0703.eamcs.ericsson.se>]
* RE: SELinux Policy in OpenSUSE 11.2 [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780365@EUSAACMS0703.eamcs.ericsson.se> @ 2010-02-18 14:12 ` Stephen Smalley 2010-02-18 14:45 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-18 14:12 UTC (permalink / raw) To: Alan Rouse; +Cc: selinux On Wed, 2010-02-17 at 16:44 -0500, Alan Rouse wrote: > root> Ok, and what happens when you run setsebool -P init_upstart=1? > > The timestamp is also updated in that case. > > > What? grep selinuxfs /proc/mounts > > none /selinux selinuxfs rw,realtime 0 0 > > > ls /selinux > > access > avc > booleans > checkreqprot > class > commit_pending_bools > context > create > deny_unknown > disable > enforce > initial_contexts > load > member > mls > null > policy_capabilities > policyvers > reject_unknown > relabel > user Ok, that looks fine. Again, I'll ask that you do this: cat /selinux/policyvers It is a kernel pseudo filesystem, so don't worry about ls -l showing a zero size - the file contents are generated on demand. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 14:12 ` Stephen Smalley @ 2010-02-18 14:45 ` Alan Rouse 0 siblings, 0 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-18 14:45 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov cat /selinux/policyvers returns "24" -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Thursday, February 18, 2010 9:12 AM To: Alan Rouse Cc: selinux@tycho.nsa.gov Subject: RE: SELinux Policy in OpenSUSE 11.2 On Wed, 2010-02-17 at 16:44 -0500, Alan Rouse wrote: > root> Ok, and what happens when you run setsebool -P init_upstart=1? > > The timestamp is also updated in that case. > > > What? grep selinuxfs /proc/mounts > > none /selinux selinuxfs rw,realtime 0 0 > > > ls /selinux > > access > avc > booleans > checkreqprot > class > commit_pending_bools > context > create > deny_unknown > disable > enforce > initial_contexts > load > member > mls > null > policy_capabilities > policyvers > reject_unknown > relabel > user Ok, that looks fine. Again, I'll ask that you do this: cat /selinux/policyvers It is a kernel pseudo filesystem, so don't worry about ls -l showing a zero size - the file contents are generated on demand. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:00 ` Stephen Smalley 2010-02-17 20:03 ` Alan Rouse @ 2010-02-17 20:08 ` Alan Rouse 2010-02-18 21:40 ` Justin P. mattock 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-17 20:08 UTC (permalink / raw) To: Alan Rouse, Stephen Smalley, Justin P. mattock Cc: Dominick Grift, 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 337 bytes --] Maybe that will come across better as an attachment. -----Original Message----- From: Alan Rouse Sent: Wednesday, February 17, 2010 3:03 PM To: 'Stephen Smalley'; Justin P. mattock Cc: Dominick Grift; 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 Here are the AVC messages from reboot after relabel: [-- Attachment #2: audit.log --] [-- Type: application/octet-stream, Size: 8590 bytes --] type=DAEMON_START msg=audit(1266436045.285:1584): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2191 subj=system_u:system_r:sysadm_t res=success type=AVC msg=audit(1266436045.288:170): avc: denied { nlmsg_read } for pid=2191 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436045.394:171): avc: denied { ioctl } for pid=2206 comm="rcsmbfs" path="/etc/samba/smbfstab" dev=sda2 ino=110898 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:samba_etc_t tclass=file type=AVC msg=audit(1266436045.400:172): avc: denied { write } for pid=2211 comm="touch" name="smbfs" dev=sda2 ino=129640 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436045.400:173): avc: denied { open } for pid=2211 comm="touch" name="smbfs" dev=sda2 ino=129640 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436045.438:174): avc: denied { getattr } for pid=2220 comm="SuSEfirewall2" path="/usr/sbin/iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.439:175): avc: denied { execute } for pid=2220 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.439:176): avc: denied { read } for pid=2220 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.441:177): avc: denied { open } for pid=2221 comm="SuSEfirewall2" name="iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.441:178): avc: denied { execute_no_trans } for pid=2221 comm="SuSEfirewall2" path="/usr/sbin/iptables" dev=sda2 ino=10435 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file type=AVC msg=audit(1266436045.444:179): avc: denied { create } for pid=2221 comm="iptables" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=rawip_socket type=AVC msg=audit(1266436045.444:180): avc: denied { getopt } for pid=2221 comm="iptables" lport=255 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=rawip_socket type=AVC msg=audit(1266436045.501:181): avc: denied { getattr } for pid=2222 comm="SuSEfirewall2" path="/var/lock/SuSEfirewall2.booting" dev=sda2 ino=129622 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file type=AVC msg=audit(1266436280.459:182): avc: denied { associate } for pid=2263 comm="kbd" name="vcs2" scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem type=AVC msg=audit(1266436280.725:183): avc: denied { read } for pid=2293 comm="hwinfo" name="mem" dev=tmpfs ino=1053 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file type=AVC msg=audit(1266436280.725:184): avc: denied { open } for pid=2293 comm="hwinfo" name="mem" dev=tmpfs ino=1053 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file type=AVC msg=audit(1266436281.245:185): avc: denied { execstack } for pid=2372 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process type=AVC msg=audit(1266436281.255:186): avc: denied { execmem } for pid=2372 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process type=AVC msg=audit(1266436281.423:187): avc: denied { node_bind } for pid=2380 comm="cupsd" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=631 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:compat_ipv4_node_t tclass=tcp_socket type=AVC msg=audit(1266436281.423:188): avc: denied { node_bind } for pid=2380 comm="cupsd" saddr=127.0.0.1 src=631 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:lo_node_t tclass=tcp_socket type=AVC msg=audit(1266436281.688:189): avc: denied { read write } for pid=2439 comm="smartd" name="sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436281.688:190): avc: denied { open } for pid=2439 comm="smartd" name="sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436281.689:191): avc: denied { ioctl } for pid=2439 comm="smartd" path="/dev/sda" dev=tmpfs ino=1743 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266436282.004:192): avc: denied { read } for pid=2101 comm="rsyslogd" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266436317.516:193): avc: denied { node_bind } for pid=2700 comm="master" src=25 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket type=AVC msg=audit(1266436317.522:194): avc: denied { node_bind } for pid=2700 comm="master" src=25 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:unspec_node_t tclass=tcp_socket type=AVC msg=audit(1266436317.812:195): avc: denied { write } for pid=2761 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436317.813:196): avc: denied { read } for pid=2191 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436317.840:197): avc: denied { write } for pid=2767 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.030:198): avc: denied { read } for pid=2806 comm="iptables-batch" name="SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.030:199): avc: denied { open } for pid=2806 comm="iptables-batch" name="SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.031:200): avc: denied { getattr } for pid=2806 comm="iptables-batch" path="/tmp/SuSEfirewall2_iptables.ME3rv0dJ" dev=sda2 ino=129882 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file type=AVC msg=audit(1266436318.066:201): avc: denied { read } for pid=286 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266436318.067:202): avc: denied { write } for pid=286 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266436318.335:203): avc: denied { setattr } for pid=2841 comm="mingetty" name="tty1" dev=tmpfs ino=3835 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file type=AVC msg=audit(1266436744.301:204): avc: denied { setattr } for pid=2841 comm="login" name="tty1" dev=tmpfs ino=3835 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file type=AVC msg=audit(1266436745.371:205): avc: denied { create } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:206): avc: denied { write } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:207): avc: denied { nlmsg_relay } for pid=2841 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket type=AVC msg=audit(1266436745.371:208): avc: denied { audit_write } for pid=2841 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:08 ` Alan Rouse @ 2010-02-18 21:40 ` Justin P. mattock 2010-02-18 21:53 ` Alan Rouse 2010-02-19 14:28 ` Stephen Smalley 0 siblings, 2 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-18 21:40 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' alright... policy is up and running in full enforcement mode: SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: error (Permission denied) Policy version: 24 Policy from config file: targeted Process contexts: Current context: name:user_r:user_t Init context: unknown (Permission denied) File contexts: Controlling term: name:object_r:user_devpts_t /etc/passwd system_u:object_r:etc_t /bin/bash system_u:object_r:shell_exec_t /bin/login system_u:object_r:login_exec_t /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t /sbin/agetty system_u:object_r:getty_exec_t /sbin/mingetty system_u:object_r:getty_exec_t /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t I tried to enable poly-instantiation support(pam_namespace), but need to look more into that because I never really set it up with gdm. Anyways I'm able to boot up, able to use firefox and evolution. as for anything else I'm sure just need to define the allow rules. Now the only real area of interest is the dbus message pointing to targeted. I'm guessing dbus was built with a hard wire, if so this would require rebuilding dbus, or using anther rpm package built correctly. (if possible without breaking the system dependencies). but then again it could be just a boolean. In any case main thing is full enforcement works gdm works, nice system I'd have to say. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 21:40 ` Justin P. mattock @ 2010-02-18 21:53 ` Alan Rouse 2010-02-18 23:17 ` Justin P. mattock 2010-02-19 14:28 ` Stephen Smalley 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-18 21:53 UTC (permalink / raw) To: Justin P. mattock Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' Justin, could you share what you did to reach that state? Your last email yesterday left me with the impression that you were rebuilding some tools from source... What tools, what versions? What booleans did you disable? -----Original Message----- From: Justin P. mattock [mailto:justinmattock@gmail.com] Sent: Thursday, February 18, 2010 4:40 PM To: Alan Rouse Cc: Stephen Smalley; Dominick Grift; 'selinux@tycho.nsa.gov' Subject: Re: SELinux Policy in OpenSUSE 11.2 alright... policy is up and running in full enforcement mode: SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: error (Permission denied) Policy version: 24 Policy from config file: targeted Process contexts: Current context: name:user_r:user_t Init context: unknown (Permission denied) File contexts: Controlling term: name:object_r:user_devpts_t /etc/passwd system_u:object_r:etc_t /bin/bash system_u:object_r:shell_exec_t /bin/login system_u:object_r:login_exec_t /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t /sbin/agetty system_u:object_r:getty_exec_t /sbin/mingetty system_u:object_r:getty_exec_t /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t I tried to enable poly-instantiation support(pam_namespace), but need to look more into that because I never really set it up with gdm. Anyways I'm able to boot up, able to use firefox and evolution. as for anything else I'm sure just need to define the allow rules. Now the only real area of interest is the dbus message pointing to targeted. I'm guessing dbus was built with a hard wire, if so this would require rebuilding dbus, or using anther rpm package built correctly. (if possible without breaking the system dependencies). but then again it could be just a boolean. In any case main thing is full enforcement works gdm works, nice system I'd have to say. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-18 21:53 ` Alan Rouse @ 2010-02-18 23:17 ` Justin P. mattock 2010-02-19 14:35 ` Stephen Smalley 2010-02-19 15:58 ` Alan Rouse 0 siblings, 2 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-18 23:17 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/18/2010 01:53 PM, Alan Rouse wrote: > Justin, could you share what you did to reach that state? Your last email yesterday left me with the impression that you were rebuilding some tools from source... What tools, what versions? What booleans did you disable? > sure.. (hopefully I don't get you confused) from looking at the policy suse gives, a monolithic policy. While running the one that they provide I noticed the system is running as system_u:system_r:system_t (or whatever it is) I'm sure you can use this, but for me I like to either run in staff_r, sysadm_r or user_r(roles). (if under a corporate environment user_r would be the safest). If wanting to run under these roles you would need to define these roles, and users under policy/users, or if using a binary policy you would use /usr/sbin/semanage user * and so forth. I couldn't find the source from suse(although I'm sure its there), so I just grabbed a copy from tresys.(if the source is available then you just need to add the user and the roles in policy/users or if using a binary policy use semanage(in this case I wanted the system to run as name:user_r:user_t.) while building the source from tresys I sometimes will hit a syntex error(this time I did) with checkpolicy and/or checkmodule(something with flex-2.35*) so downgrading flex to 2.5.4a and building checkpolicy with this version for some reason or another fixes the syntax error(keep in mind I only used that flex version for checkpolicy/checkmodule, then removed that version and put back the original, after checkpolicy was built). keep in mind this error seems to be random so if you don't hit this then you don't need to rebuild chekpolicy/checkmodule. then after being able to build and install the policy then I focused in on the booleans, I set(although am not sure if they fixed the errors with avahi)where these: allow_polyinstantiation=on init_upstart=on(although I think they use sysvinit(notsure)) xdm_sysadm_login=on(this is for sysadm_r role(if I wanted the main context as name:sysadm_r:sysadm_t)) xserver_object_manager=on (although I dont see the SELinux extension in Xorg.0.log) keep in mind I don't think these booleans fixed the errors I think after I had relabeled then the errors were fixed(but could be wrong). (NOTE: relabeling with older versions of refpolicy will break, because there is no ext4 support so just use fixfiles) then once I was able to get a clean boot(even with the "targeted" dbus issue) I focused in on the login context: name:user_r:user_t this can be done in: /etc/pam.d/{login,gdm,xdm} adding: session required pam_selinux.so close session required pam_selinux.so open (suse has nothing of this in there files, or atleast I didn't see them) gets me to login as: name:user_r:user_t (with monolithic you can change your login/user context by adjust default_contexts to what context you want, binary policy you would have to use semanage) now after being able to have a clean boot, and login context I then started to define the allow rules (with binary policy you use audit2allow -dM modulename then semodule -i modulename to install) with monolithic because I'm lazy I just stick all allow rules in xserver.te in a real production environment you would have to individually place each allow rule in it's appropriate *.te file i.g. all hal allow rules goe into hal.te etc... (with selinux_policy_default you have a file called local.te where all of these go into). so after adding all allow rules from dmesg/messages(audit2allow) I then added all allow rules from /var/log/audit/audit.log (there probably is a tool, but haven't figured what it is yet) then after no more denials(with booting, and the apps I wanted to use) I was able to boot in full enforcement. (keep in mind you might need to do a make enableaudit to grab some noaudit rules that are preventing the system from running). hope this helps, and hope I didn't get you confused if you need any info let me know either me, or somebody else will help you out. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-18 23:17 ` Justin P. mattock @ 2010-02-19 14:35 ` Stephen Smalley 2010-02-19 15:43 ` Justin P. mattock 2010-02-19 15:58 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 14:35 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On Thu, 2010-02-18 at 15:17 -0800, Justin P. mattock wrote: > then after being able to build and install the policy then I focused in > on the booleans, I set(although am not sure if they fixed the errors > with avahi)where these: > > allow_polyinstantiation=on > init_upstart=on(although I think they use sysvinit(notsure)) I was suggesting trying to set the init_upstart boolean because it disables the transition from init_t to sysadm_t on executing a shell and it appeared that for some reason that was causing system services to be left in sysadm_t. Question: Are your boolean settings persisting across reboot? > then once I was able to get a clean boot(even with the "targeted" dbus > issue) > I focused in on the login context: > name:user_r:user_t > > this can be done in: > /etc/pam.d/{login,gdm,xdm} > > adding: > session required pam_selinux.so close > session required pam_selinux.so open > (suse has nothing of this in there files, > or atleast I didn't see them) So someone needs to file bugs against those packages asking to have the pam_selinux.so entries added. Should be harmless if SELinux is disabled; they will just exit with success. > so after adding all allow rules from dmesg/messages(audit2allow) > I then added all allow rules from /var/log/audit/audit.log > (there probably is a tool, but haven't figured what it is yet) Well, we ought to look at the actual denials to see if they truly should be allowed or if they instead indicate problems with your processes running in the wrong context or your files being mislabeled. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 14:35 ` Stephen Smalley @ 2010-02-19 15:43 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 15:43 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/19/2010 06:35 AM, Stephen Smalley wrote: > On Thu, 2010-02-18 at 15:17 -0800, Justin P. mattock wrote: >> then after being able to build and install the policy then I focused in >> on the booleans, I set(although am not sure if they fixed the errors >> with avahi)where these: >> >> allow_polyinstantiation=on >> init_upstart=on(although I think they use sysvinit(notsure)) > > I was suggesting trying to set the init_upstart boolean because it > disables the transition from init_t to sysadm_t on executing a shell and > it appeared that for some reason that was causing system services to be > left in sysadm_t. > > Question: Are your boolean settings persisting across reboot? > yep.. i.g. vim policy/booleans.conf(make chnges), then make policy with the binary policy on my other machine I used setsebool -P >> then once I was able to get a clean boot(even with the "targeted" dbus >> issue) >> I focused in on the login context: >> name:user_r:user_t >> >> this can be done in: >> /etc/pam.d/{login,gdm,xdm} >> >> adding: >> session required pam_selinux.so close >> session required pam_selinux.so open >> (suse has nothing of this in there files, >> or atleast I didn't see them) > > So someone needs to file bugs against those packages asking to have the > pam_selinux.so entries added. Should be harmless if SELinux is > disabled; they will just exit with success. > yeah I was surprised to not see them there. >> so after adding all allow rules from dmesg/messages(audit2allow) >> I then added all allow rules from /var/log/audit/audit.log >> (there probably is a tool, but haven't figured what it is yet) > > Well, we ought to look at the actual denials to see if they truly should > be allowed or if they instead indicate problems with your processes > running in the wrong context or your files being mislabeled. > seemed like it was o.k., to me(but could be wrong). there was I think three avc's that where defined as neverallow in the policy. an avc from hal which executed execmem to lower the gpu power level. mount mounting the hard drive(if remember correctly). and then a capability avc's in the past running ubuntu I remember those three,if I can remember the next policy update had fixed those or later down the line. BTW: just to let you know I took that image and reformatted it and put on my system so I can start looking into a kernel bug if you need me to reinstall let me know(should only take a few mins to get back where I was(now that I have a handle on whats happening)). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 23:17 ` Justin P. mattock 2010-02-19 14:35 ` Stephen Smalley @ 2010-02-19 15:58 ` Alan Rouse 2010-02-19 16:26 ` Justin P. mattock 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-19 15:58 UTC (permalink / raw) To: Justin P. mattock; +Cc: 'selinux@tycho.nsa.gov' First let me say that I appreciate all the help on this list very much!!!!! Justin wrote: > While running the one that they provide I noticed the system is running as > system_u:system_r:system_t (or whatever it is) I'm sure you can use this, but for me I > like to either run in staff_r, sysadm_r or user_r(roles). Makes sense... I think you're saying this is not the underlying problem for the gdm / desktop / boot issues, right? If so I'd like to get to a clean selinux boot before addressing this type of thing. > I couldn't find the source from suse(although I'm sure its there), so I just grabbed a > copy from tresys...while building the source from tresys I sometimes will hit a syntex > error(this time I did) with checkpolicy and/or checkmodule I'm now able to build policy from the source obtained from the OpenSuse 11.2 repository. Do I need a different version of checkpolicy or checkmodule? Or can I skip this? > then after being able to build and install the policy then I focused in on the > booleans, I set(although am not sure if they fixed the errors with avahi)where these: > > allow_polyinstantiation=on I don't need polyinstantiation right now so I'll skip that unless you think it's pertinent to my main problem. > init_upstart=on(although I think they use sysvinit(notsure)) Yes, OpenSuse 11.2 seems to be using sysvinit > xdm_sysadm_login=on(this is for sysadm_r role(if I wanted the main context as name:sysadm_r:sysadm_t)) > xserver_object_manager=on (although I dont see the SELinux extension in Xorg.0.log) I've been unable to make persistent changes to policy, booleans etc. Hopefully Stephen will spot the problem causing that, based on the info I sent out a few minutes ago. > keep in mind I don't think these booleans fixed the errors I think after I had > relabeled then the errors were fixed(but could be wrong). I could boot cleanly to a desktop before relabeling (with everything as file_t). Once I relabeled with fixfiles, runlevel 5 would fail and I'd be dropped back to a console at runlevel 3. > then once I was able to get a clean boot(even with the "targeted" dbus > issue) If I can get to that point I think I'll be in business. Thanks Alan -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 15:58 ` Alan Rouse @ 2010-02-19 16:26 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 16:26 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On 02/19/2010 07:58 AM, Alan Rouse wrote: > First let me say that I appreciate all the help on this list very much!!!!! > > Justin wrote: > >> While running the one that they provide I noticed the system is running as >> system_u:system_r:system_t (or whatever it is) I'm sure you can use this, but for me I >> like to either run in staff_r, sysadm_r or user_r(roles). > > Makes sense... I think you're saying this is not the underlying problem for the gdm / desktop / boot issues, right? If so I'd like to get to a clean selinux boot before addressing this type of thing. > >> I couldn't find the source from suse(although I'm sure its there), so I just grabbed a >> copy from tresys...while building the source from tresys I sometimes will hit a syntex >> error(this time I did) with checkpolicy and/or checkmodule > with checkpolicy/checkmodule this syntex error is random i.g. I hit this sometimes, and then sometimes never appears(building those with an older version of flex seems to fix this, finding the issue is possible with probably doing a bisect, if the git repository goes back that far). > I'm now able to build policy from the source obtained from the OpenSuse 11.2 repository. Do I need a different version of checkpolicy or checkmodule? Or can I skip this? > >> then after being able to build and install the policy then I focused in on the >> booleans, I set(although am not sure if they fixed the errors with avahi)where these: >> >> allow_polyinstantiation=on > > I don't need polyinstantiation right now so I'll skip that unless you think it's pertinent to my main problem. > no pam_namespace is always something I like to turn on, but as stephen pointed out if you have multiple people using the system. >> init_upstart=on(although I think they use sysvinit(notsure)) > > Yes, OpenSuse 11.2 seems to be using sysvinit so the upstart boolean probably does nothing. > >> xdm_sysadm_login=on(this is for sysadm_r role(if I wanted the main context as name:sysadm_r:sysadm_t)) >> xserver_object_manager=on (although I dont see the SELinux extension in Xorg.0.log) > > I've been unable to make persistent changes to policy, booleans etc. Hopefully Stephen will spot the problem causing that, based on the info I sent out a few minutes ago. > >> keep in mind I don't think these booleans fixed the errors I think after I had >> relabeled then the errors were fixed(but could be wrong). > > I could boot cleanly to a desktop before relabeling (with everything as file_t). Once I relabeled with fixfiles, runlevel 5 would fail and I'd be dropped back to a console at runlevel 3. > yeah I noticed this as well i.g. after doing fixfiles relabel the system really crashed and burned. >> then once I was able to get a clean boot(even with the "targeted" dbus >> issue) > > If I can get to that point I think I'll be in business. > > Thanks > Alan > o.k. suse just finished installing, I'll go and re-du what I did to get things more cleaner. (changing out systems is easy). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-18 21:40 ` Justin P. mattock 2010-02-18 21:53 ` Alan Rouse @ 2010-02-19 14:28 ` Stephen Smalley 2010-02-19 15:48 ` Justin P. mattock 2010-02-19 18:46 ` Justin P. mattock 1 sibling, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 14:28 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On Thu, 2010-02-18 at 13:40 -0800, Justin P. mattock wrote: > alright... policy is up and running > in full enforcement mode: > > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: error (Permission denied) > Policy version: 24 > Policy from config file: targeted > > Process contexts: > Current context: name:user_r:user_t > Init context: unknown (Permission denied) Since you ran it from user_t, you weren't allowed to see the context of init. Can you run pstree -Z as sysadm_t and confirm that processes are running in the correct context (i.e. that they are not left in sysadm_t as they were for Alan)? > I tried to enable poly-instantiation support(pam_namespace), but > need to look more into that because I never really set it up > with gdm. You don't really need that unless you want multi-level directories. > Anyways I'm able to boot up, able to > use firefox and evolution. as for anything > else I'm sure just need to define the allow rules. > > > Now the only real area of interest is > the dbus message pointing to targeted. > > I'm guessing dbus was built with a hard wire, > if so this would require rebuilding dbus, > or using anther rpm package built correctly. > (if possible without breaking the system dependencies). > > but then again it could be just a boolean. > In any case main thing is full enforcement works > gdm works, nice system I'd have to say. dbus should just be including whatever path your /etc/dbus-1/system.conf says to include, and it should be relative to /etc/selinux/$SELINUXTYPE from /etc/selinux/config if it has selinux_root_relative="yes" there. On Fedora, /etc/dbus-1/system.conf says: <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 14:28 ` Stephen Smalley @ 2010-02-19 15:48 ` Justin P. mattock 2010-02-19 18:46 ` Justin P. mattock 1 sibling, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 15:48 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/19/2010 06:28 AM, Stephen Smalley wrote: > On Thu, 2010-02-18 at 13:40 -0800, Justin P. mattock wrote: >> alright... policy is up and running >> in full enforcement mode: >> >> SELinux status: enabled >> SELinuxfs mount: /selinux >> Current mode: enforcing >> Mode from config file: error (Permission denied) >> Policy version: 24 >> Policy from config file: targeted >> >> Process contexts: >> Current context: name:user_r:user_t >> Init context: unknown (Permission denied) > > Since you ran it from user_t, you weren't allowed to see the context of > init. Can you run pstree -Z as sysadm_t and confirm that processes are > running in the correct context (i.e. that they are not left in sysadm_t > as they were for Alan)? > man I knew to leave the system alone.(let me reinstall). but yeah I was not able to do a lot of things because I just had not defined them in the policy. >> I tried to enable poly-instantiation support(pam_namespace), but >> need to look more into that because I never really set it up >> with gdm. > > You don't really need that unless you want multi-level directories. > so one person on one machine is pointless >> Anyways I'm able to boot up, able to >> use firefox and evolution. as for anything >> else I'm sure just need to define the allow rules. >> >> >> Now the only real area of interest is >> the dbus message pointing to targeted. >> >> I'm guessing dbus was built with a hard wire, >> if so this would require rebuilding dbus, >> or using anther rpm package built correctly. >> (if possible without breaking the system dependencies). >> >> but then again it could be just a boolean. >> In any case main thing is full enforcement works >> gdm works, nice system I'd have to say. > > dbus should just be including whatever path your /etc/dbus-1/system.conf > says to include, and it should be relative to /etc/selinux/$SELINUXTYPE > from /etc/selinux/config if it has selinux_root_relative="yes" there. > > On Fedora, /etc/dbus-1/system.conf says: > <include if_selinux_enabled="yes" > selinux_root_relative="yes">contexts/dbus_contexts</include> > yeah its the same,which get 's me to beleive it's something that might be changed in the code of dbus(but could be wrong). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 14:28 ` Stephen Smalley 2010-02-19 15:48 ` Justin P. mattock @ 2010-02-19 18:46 ` Justin P. mattock 2010-02-19 21:08 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 18:46 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' alright re-install, rebuilt refpolicy back up and running to where I was. (minus adding the allow rules) here's some info(only thing missing are the allow avc's which I can gather later on). with the custom refpolicy only boolean enabled is upstart. seems with this off I hit the dbus error, after enableing gdm starts up. orig suse policy: > > SELinux status: enabled > > SELinuxfs mount: /selinux > > Current mode: permissive > > Mode from config file: permissive > > Policy version: 24 > > Policy from config file: refpolicy-standard > > > > Process contexts: > > Current context: system_u:system_r:kernel_t > > Init context: system_u:system_r:kernel_t > > /sbin/mingetty system_u:system_r:kernel_t > > /usr/sbin/sshd system_u:system_r:kernel_t > > > > File contexts: > > Controlling term: system_u:object_r:tty_device_t > > /etc/passwd system_u:object_r:file_t > > /etc/shadow system_u:object_r:file_t > > /bin/bash system_u:object_r:file_t > > /bin/login system_u:object_r:file_t > > /bin/sh system_u:object_r:file_t -> > > system_u:object_r:file_t > > /sbin/agetty system_u:object_r:file_t > > /sbin/init system_u:object_r:file_t > > /sbin/mingetty system_u:object_r:file_t > > /usr/sbin/sshd system_u:object_r:file_t > > /lib/libc.so.6 system_u:object_r:file_t -> > > system_u:object_r:file_t > > /lib/ld-linux.so.2 system_u:object_r:file_t -> > > system_u:object_r:file_t > > > > (id -Z after relabel) > > system_u:system_r:sysadm_t > > (before relabel) > > id -Z > > system_u:system_r:kernel_t > > > > custom: > > > > SELinux status: enabled > > SELinuxfs mount: /selinux > > Current mode: permissive > > Mode from config file: error (Permission denied) > > Policy version: 24 > > Policy from config file: targeted > > > > Process contexts: > > Current context: name:user_r:user_t > > Init context: system_u:system_r:init_t > > > > File contexts: > > Controlling term: justin:object_r:user_devpts_t > > /etc/passwd system_u:object_r:etc_t > > /etc/shadow system_u:object_r:shadow_t > > /bin/bash system_u:object_r:shell_exec_t > > /bin/login system_u:object_r:login_exec_t > > /bin/sh system_u:object_r:bin_t -> > > system_u:object_r:shell_exec_t > > /sbin/agetty system_u:object_r:getty_exec_t > > /sbin/init system_u:object_r:init_exec_t > > /sbin/mingetty system_u:object_r:getty_exec_t > > /usr/sbin/sshd system_u:object_r:sshd_exec_t > > /lib/libc.so.6 system_u:object_r:lib_t -> > > system_u:object_r:lib_t > > /lib/ld-linux.so.2 system_u:object_r:lib_t -> > > system_u:object_r:ld_so_t > > > > > > > > id -Z > > (after relabel) > > name:user_r:user_t > > > > /etc/pam.d/* > > cat login > > #%PAM-1.0 > > auth requisite pam_nologin.so > > auth [user_unknown=ignore success=ok ignore=ignore auth_err=die > > default=bad] pam_securetty.so > > auth include common-auth > > account include common-account > > password include common-password > > session required pam_selinux.so close > > session required pam_loginuid.so > > session include common-session > > session required pam_selinux.so open > > session required pam_lastlog.so nowtmp > > session optional pam_mail.so standard > > session optional pam_ck_connector.so > > > > > > > > cat gdm > > #%PAM-1.0 > > auth include common-auth > > account include common-account > > password include common-password > > session required pam_selinux.so close > > session required pam_loginuid.so > > session include common-session > > session required pam_selinux.so open > > > > > > cat xdm > > #%PAM-1.0 > > auth include common-auth > > account include common-account > > password include common-password > > session required pam_selinux.so close > > session required pam_loginuid.so > > session include common-session > > session required pam_selinux.so open > > > > (these might be mixed up, but they work id -Z shows what I want) and the strace: brk(0) = 0x7febe998d000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe9787000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe9786000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=89126, ...}) = 0 mmap(NULL, 89126, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9770000 close(3) = 0 open("/lib64/libsepol.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`D\0\0\0\0\0 \0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=240528, ...}) = 0 mmap(NULL, 2337280, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7febe9330000 fadvise64(3, 0, 2337280, POSIX_FADV_WILLNEED) = 0 mprotect(0x7febe936a000, 2093056, PROT_NONE) = 0 mmap(0x7febe9569000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x39000) = 0x7febe9569000 close(3) = 0 open("/lib64/libselinux.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340]\0\0\0\0\0 \0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=118048, ...}) = 0 mmap(NULL, 2217720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7febe9112000 fadvise64(3, 0, 2217720, POSIX_FADV_WILLNEED) = 0 mprotect(0x7febe912e000, 2093056, PROT_NONE) = 0 mmap(0x7febe932d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x1b000) = 0x7febe932d000 mmap(0x7febe932f000, 1784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x7febe932f000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\353\1\0\0\0 \0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1408560, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe976f000 mmap(NULL, 3516488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7febe8db7000 fadvise64(3, 0, 3516488, POSIX_FADV_WILLNEED) = 0 mprotect(0x7febe8f08000, 2097152, PROT_NONE) = 0 mmap(0x7febe9108000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x151000) = 0x7febe9108000 mmap(0x7febe910d000, 18504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x7febe910d000 close(3) = 0 open("/lib64/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\r\0\0\0\0\0 \0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=14872, ...}) = 0 mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7febe8bb3000 fadvise64(3, 0, 2109696, POSIX_FADV_WILLNEED) = 0 mprotect(0x7febe8bb5000, 2097152, PROT_NONE) = 0 mmap(0x7febe8db5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x2000) = 0x7febe8db5000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe976e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe976d000 arch_prctl(ARCH_SET_FS, 0x7febe976d790) = 0 mprotect(0x7febe8db5000, 4096, PROT_READ) = 0 mprotect(0x7febe9108000, 16384, PROT_READ) = 0 mprotect(0x7febe932d000, 4096, PROT_READ) = 0 mprotect(0x7febe9569000, 4096, PROT_READ) = 0 mprotect(0x7febe998b000, 4096, PROT_READ) = 0 mprotect(0x7febe9788000, 4096, PROT_READ) = 0 munmap(0x7febe9770000, 89126) = 0 brk(0) = 0x7febe998d000 brk(0x7febe99ae000) = 0x7febe99ae000 open("/etc/selinux/config", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0600, st_size=72, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe9785000 read(3, "SELINUX=permissive\n#SELINUXTYPE="..., 4096) = 72 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7febe9785000, 4096) = 0 statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 stat("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 open("/selinux/mls", O_RDONLY) = 3 read(3, "0", 19) = 1 close(3) = 0 open("/usr/lib/locale/locale-archive", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/locale.alias", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe9785000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2512 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7febe9785000, 4096) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=373, ...}) = 0 mmap(NULL, 373, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9785000 close(3) = 0 open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=26050, ...}) = 0 mmap(NULL, 26050, PROT_READ, MAP_SHARED, 3, 0) = 0x7febe977e000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0 mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe977d000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0 mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe977c000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=155, ...}) = 0 mmap(NULL, 155, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe977b000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0 mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe977a000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0 mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9779000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY) = 3 fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 close(3) = 0 open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0 mmap(NULL, 52, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9778000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY) = 3 >> > > brk(0x7f75c7616000) = 0x7f75c7616000 >> > > brk(0x7f75c7637000) = 0x7f75c7637000 >> > >fstat(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0 mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9777000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=966938, ...}) = 0 mmap(NULL, 966938, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9680000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0 mmap(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9776000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0 mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9775000 close(3) = 0 open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=256316, ...}) = 0 mmap(NULL, 256316, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7febe9641000 close(3) = 0 open("/selinux/policyvers", O_RDONLY) = 3 read(3, "24", 19) = 2 close(3) = 0 access("/etc/selinux/targeted/booleans", F_OK) = 0 uname({sys="Linux", node="linux-dbym", ...}) = 0 open("/etc/selinux/targeted/policy/policy.24", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=4188441, ...}) = 0 mmap(NULL, 4188441, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x7febe87b4000 brk(0x7febe99cf000) = 0x7febe99cf000 brk(0x7febe99f0000) = 0x7febe99f0000 brk(0x7febe9a11000) = 0x7febe9a11000 brk(0x7febe9a32000) = 0x7febe9a32000 brk(0x7febe9a53000) = 0x7febe9a53000 <~~~~~~~~~~~~~~~~~~~~~~clip~~~~~~~~~~~~~~~~~~~~~~~~> brk(0x7febead25000) = 0x7febead25000 brk(0x7febead46000) = 0x7febead46000 brk(0x7febead67000) = 0x7febead67000 brk(0x7febead8c000) = 0x7febead8c000 brk(0x7febeadb7000) = 0x7febeadb7000 brk(0x7febeadd8000) = 0x7febeadd8000 brk(0x7febeadf9000) = 0x7febeadf9000 brk(0x7febeae1a000) = 0x7febeae1a000 open("/etc/selinux/targeted/users//local.users", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=722, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe9774000 read(4, "################################"..., 4096) = 722 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7febe9774000, 4096) = 0 mmap(NULL, 4190208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febe83b5000 brk(0x7febeae3b000) = 0x7febeae3b000 brk(0x7febeae5c000) = 0x7febeae5c000 brk(0x7febeae7d000) = 0x7febeae7d000 brk(0x7febeae9e000) = 0x7febeae9e000 brk(0x7febeaec2000) = 0x7febeaec2000 brk(0x7febeaee3000) = 0x7febeaee3000 brk(0x7febeaf04000) = 0x7febeaf04000 brk(0x7febeaf25000) = 0x7febeaf25000 brk(0x7febeaf46000) = 0x7febeaf46000 brk(0x7febeaf67000) = 0x7febeaf67000 <~~~~~~~~~~~~~~~~~~~~~~~~~~clip~~~~~~~~~~~~~~~~~~~~~~~~> > > brk(0x7f75c7658000) = 0x7f75c7658000 >> > > brk(0x7f75c7681000) = 0x7f75c7681000 >> > > brk(0x7f75c76a2000) = 0x7f75c76a2000 >> > > brk(0x7f75c76c3000) = 0x7f75c76c3000 >> > > brk(0x7f75c76e4000) = 0x7f75c76e4000 >> > > open("/etc/selinux/targeted/booleans", O_RDONLY) = 4 >> > > fstat(4, {st_mode=S_IFREG|0644, st_size=2084, ...}) = 0 >> > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >> > > = 0x7f75c6031000 >> > > read(4, "allow_cvs_read_shadow = 0\nallow_"..., 4096) = 2084 >> > > read(4, "", 4096) = 0 >> > > close(4) = 0 >> > > munmap(0x7f75c6031000, 4096) = 0 >> > > open("/etc/selinux/targeted/booleans.local", O_RDONLY) = -1 ENOENT (No >> > > such file or directory) >> > > brk(0x7f75c6270000) = 0x7f75c6270000 >> > > open("/selinux/load", O_RDWR) = 4 >> > > write(4, "\214\377|\371\10\0\0\0SE Linux\30\0\0\0\0\0\0\0\10\0\0\0\7\0\0 >> > > \0"..., 4188441) = 4188441 >> > > close(4) = 0 >> > > munmap(0x7f75c4c72000, 4190208) = 0 >> > > munmap(0x7f75c5071000, 4188441) = 0 >> > > close(3) = 0 >> > > exit_group(0) = ? >> > > >> > > >> > > > > > > (NOTE:the arrows are because I sent this to my other machine via e-mail). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 18:46 ` Justin P. mattock @ 2010-02-19 21:08 ` Alan Rouse 2010-02-19 21:19 ` Dominick Grift ` (2 more replies) 0 siblings, 3 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-19 21:08 UTC (permalink / raw) To: Justin P. mattock, Stephen Smalley Cc: Dominick Grift, 'selinux@tycho.nsa.gov' Ok, in case this might be useful to someone else, here's my recipe for an OpenSuse 11.2 system booting to the desktop using SELinux in permissive mode. (Next step for me is to fix a few pages of AVC denied messages...) 1. Default install of OpenSuse 11.2 (used Gnome desktop) 2. Boot normally to desktop, open terminal, su - 3. Do this: zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git vi /boot/grub/menu.lst -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0" cd /etc/selinux cp -R refpolicy-standard targeted usermod -s /sbin/nologin nobody reboot <should boot to desktop> =============== Get policy src: =============== -- launch firefox, go to http://software.opensuse.org/search/ -- search for selinux-policy, download src -- install src rpm cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp cd /tmp bunzip2 refpolicy-2.20081210.tar.bz2 tar xvf refpolicy-2.20081210.tar cd refpolicy vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n) make clean; make conf; make; make install; make load; make install-src cd /etc/selinux/refpolicy-standard/src/policy make clean; make conf; make; make install; make load cd /etc/selinux rsync -avz refpolicy-standard/ targeted reboot ============================= End of getting policy source: ============================= setsebool -P init_upstart=on setsebool -P xdm_sysadm_login=on setsebool -P xserver_object_manager=on fixfiles relabel -- put SETLOCALDEFS=0 in /etc/selinux/config reboot And we're now in the desktop with a relabeled system and selinux in permissive mode. ================================================================================ Here's what "audit2allow -al" shows now... #============= avahi_t ============== allow avahi_t tmpfs_t:dir search; allow avahi_t tmpfs_t:sock_file write; allow avahi_t xdm_t:dbus send_msg; #============= crond_t ============== allow crond_t tmpfs_t:dir search; allow crond_t tmpfs_t:sock_file write; #============= cupsd_t ============== allow cupsd_t self:process { execstack execmem }; allow cupsd_t tmpfs_t:dir search; #============= dhcpc_t ============== allow dhcpc_t nmbd_exec_t:file { read getattr execute }; allow dhcpc_t samba_etc_t:dir search; allow dhcpc_t samba_etc_t:file { read write getattr open append }; allow dhcpc_t tmpfs_t:dir search; allow dhcpc_t tmpfs_t:sock_file write; allow dhcpc_t var_t:dir { write remove_name add_name }; allow dhcpc_t var_t:file { write ioctl read create unlink open getattr }; #============= fsdaemon_t ============== allow fsdaemon_t tmpfs_t:dir { read search open }; allow fsdaemon_t tmpfs_t:sock_file write; allow fsdaemon_t usr_t:file { read getattr open }; #============= getty_t ============== allow getty_t anon_inodefs_t:file getattr; allow getty_t apmd_log_t:file getattr; allow getty_t audisp_t:dir { read search open }; allow getty_t audisp_t:file { read getattr open }; allow getty_t audisp_t:lnk_file read; allow getty_t audisp_t:unix_dgram_socket getattr; allow getty_t audisp_t:unix_stream_socket getattr; allow getty_t auditd_log_t:file getattr; allow getty_t auditd_t:dir { read search open }; allow getty_t auditd_t:fifo_file getattr; allow getty_t auditd_t:file { read getattr open }; allow getty_t auditd_t:lnk_file read; allow getty_t auditd_t:netlink_audit_socket getattr; allow getty_t auditd_t:unix_dgram_socket getattr; allow getty_t auditd_t:unix_stream_socket getattr; allow getty_t avahi_t:dir { read search open }; allow getty_t avahi_t:fifo_file getattr; allow getty_t avahi_t:file { read getattr open }; allow getty_t avahi_t:lnk_file read; allow getty_t avahi_t:netlink_route_socket getattr; allow getty_t avahi_t:udp_socket getattr; allow getty_t avahi_t:unix_dgram_socket getattr; allow getty_t avahi_t:unix_stream_socket getattr; allow getty_t bin_t:file getattr; allow getty_t crond_t:dir { read search open }; allow getty_t crond_t:file { read getattr open }; allow getty_t crond_t:lnk_file read; allow getty_t crond_t:unix_dgram_socket getattr; allow getty_t crond_var_run_t:file getattr; allow getty_t cupsd_log_t:file getattr; allow getty_t cupsd_t:dir { read search open }; allow getty_t cupsd_t:fifo_file getattr; allow getty_t cupsd_t:file { read getattr open }; allow getty_t cupsd_t:lnk_file read; allow getty_t cupsd_t:tcp_socket getattr; allow getty_t cupsd_t:udp_socket getattr; allow getty_t cupsd_t:unix_stream_socket getattr; allow getty_t debugfs_t:file getattr; allow getty_t device_t:chr_file getattr; allow getty_t dhcpc_t:dir { read search open }; allow getty_t dhcpc_t:fifo_file getattr; allow getty_t dhcpc_t:file { read getattr open }; allow getty_t dhcpc_t:lnk_file read; allow getty_t dhcpc_t:unix_dgram_socket getattr; allow getty_t dhcpc_var_run_t:file getattr; allow getty_t event_device_t:chr_file getattr; allow getty_t file_t:file getattr; allow getty_t fuse_device_t:chr_file getattr; allow getty_t hald_t:dir { read search open }; allow getty_t hald_t:fifo_file getattr; allow getty_t hald_t:file { read getattr open }; allow getty_t hald_t:lnk_file read; allow getty_t hald_t:unix_dgram_socket getattr; allow getty_t hald_t:unix_stream_socket getattr; allow getty_t initrc_t:dir { read search open getattr }; allow getty_t initrc_t:file { read getattr open }; allow getty_t initrc_t:lnk_file read; allow getty_t initrc_t:unix_dgram_socket getattr; allow getty_t initrc_t:unix_stream_socket getattr; allow getty_t innd_log_t:file getattr; allow getty_t inotifyfs_t:dir getattr; allow getty_t kernel_t:dir { read search open }; allow getty_t kernel_t:file { read getattr open }; allow getty_t mtrr_device_t:file getattr; allow getty_t nscd_log_t:file getattr; allow getty_t nscd_t:dir { read search open }; allow getty_t nscd_t:file { read getattr open }; allow getty_t nscd_t:lnk_file read; allow getty_t nscd_t:unix_stream_socket getattr; allow getty_t postfix_data_t:file getattr; allow getty_t postfix_etc_t:file getattr; allow getty_t postfix_master_t:dir { read search open }; allow getty_t postfix_master_t:fifo_file getattr; allow getty_t postfix_master_t:file { read getattr open }; allow getty_t postfix_master_t:lnk_file read; allow getty_t postfix_master_t:tcp_socket getattr; allow getty_t postfix_master_t:unix_dgram_socket getattr; allow getty_t postfix_master_t:unix_stream_socket getattr; allow getty_t postfix_pickup_t:dir { read search open }; allow getty_t postfix_pickup_t:file { read getattr open }; allow getty_t postfix_pickup_t:lnk_file read; allow getty_t postfix_pickup_t:unix_dgram_socket getattr; allow getty_t postfix_public_t:fifo_file getattr; allow getty_t postfix_qmgr_t:dir { read search open }; allow getty_t postfix_qmgr_t:file { read getattr open }; allow getty_t postfix_qmgr_t:lnk_file read; allow getty_t postfix_qmgr_t:unix_dgram_socket getattr; allow getty_t postfix_var_run_t:file getattr; allow getty_t proc_kmsg_t:file getattr; allow getty_t proc_mdstat_t:file getattr; allow getty_t proc_t:file getattr; allow getty_t ptmx_t:chr_file getattr; allow getty_t rpcbind_t:dir { read search open }; allow getty_t rpcbind_t:file { read getattr open }; allow getty_t rpcbind_t:lnk_file read; allow getty_t rpcbind_t:tcp_socket getattr; allow getty_t rpcbind_t:udp_socket getattr; allow getty_t rpcbind_t:unix_stream_socket getattr; allow getty_t rpcbind_var_run_t:file getattr; allow getty_t self:capability sys_ptrace; allow getty_t sendmail_log_t:file getattr; allow getty_t syslogd_t:dir { read search open }; allow getty_t syslogd_t:file { read getattr open }; allow getty_t syslogd_t:lnk_file read; allow getty_t syslogd_t:unix_dgram_socket getattr; allow getty_t system_dbusd_t:dir { read search open getattr }; allow getty_t system_dbusd_t:fifo_file getattr; allow getty_t system_dbusd_t:file { read getattr open }; allow getty_t system_dbusd_t:lnk_file read; allow getty_t system_dbusd_t:netlink_kobject_uevent_socket getattr; allow getty_t system_dbusd_t:netlink_selinux_socket getattr; allow getty_t system_dbusd_t:unix_dgram_socket getattr; allow getty_t system_dbusd_t:unix_stream_socket getattr; allow getty_t tmpfs_t:dir search; allow getty_t tmpfs_t:fifo_file getattr; allow getty_t tmpfs_t:file getattr; allow getty_t udev_t:dir { read search open }; allow getty_t udev_t:file { read getattr open }; allow getty_t udev_t:lnk_file read; allow getty_t udev_t:netlink_kobject_uevent_socket getattr; allow getty_t udev_t:unix_dgram_socket getattr; allow getty_t urandom_device_t:chr_file getattr; allow getty_t user_home_t:file getattr; allow getty_t usr_t:file getattr; allow getty_t var_lib_t:dir getattr; allow getty_t var_lib_t:file getattr; allow getty_t var_log_t:file getattr; allow getty_t xauth_home_t:file getattr; allow getty_t xdm_t:dir { read search open getattr }; allow getty_t xdm_t:file { read getattr open }; allow getty_t xdm_t:lnk_file read; allow getty_t xdm_t:netlink_kobject_uevent_socket getattr; allow getty_t xdm_t:netlink_selinux_socket getattr; allow getty_t xdm_t:unix_dgram_socket getattr; allow getty_t xdm_t:unix_stream_socket getattr; allow getty_t xdm_tmp_t:file getattr; allow getty_t xdm_var_run_t:file getattr; allow getty_t xserver_log_t:file getattr; allow getty_t xserver_t:dir { read search open getattr }; allow getty_t xserver_t:file { read getattr open }; allow getty_t xserver_t:lnk_file read; allow getty_t xserver_t:unix_stream_socket getattr; #============= hald_t ============== allow hald_t xdm_t:dbus send_msg; #============= initrc_t ============== allow initrc_t self:process { execstack execmem }; #============= insmod_t ============== allow insmod_t initrc_tmp_t:file write; #============= kernel_t ============== allow kernel_t self:process { execstack execmem }; #============= loadkeys_t ============== allow loadkeys_t tmpfs_t:dir search; allow loadkeys_t usr_t:file { read getattr open ioctl }; allow loadkeys_t usr_t:lnk_file read; #============= nscd_t ============== allow nscd_t bin_t:dir search; allow nscd_t nscd_exec_t:file execute_no_trans; allow nscd_t self:fifo_file write; allow nscd_t tmpfs_t:dir search; #============= postfix_master_t ============== allow postfix_master_t tmpfs_t:dir search; allow postfix_master_t tmpfs_t:sock_file write; #============= postfix_pickup_t ============== allow postfix_pickup_t tmpfs_t:dir search; allow postfix_pickup_t tmpfs_t:sock_file write; #============= postfix_postqueue_t ============== allow postfix_postqueue_t tmpfs_t:dir search; allow postfix_postqueue_t tmpfs_t:sock_file write; #============= postfix_qmgr_t ============== allow postfix_qmgr_t tmpfs_t:dir search; allow postfix_qmgr_t tmpfs_t:sock_file write; #============= rpcbind_t ============== allow rpcbind_t tmpfs_t:dir search; #============= syslogd_t ============== allow syslogd_t apmd_log_t:file { ioctl open append }; allow syslogd_t sendmail_log_t:file append; allow syslogd_t tmpfs_t:dir search; allow syslogd_t tmpfs_t:fifo_file { write read ioctl open }; #============= system_dbusd_t ============== allow system_dbusd_t anon_inodefs_t:file { read write }; allow system_dbusd_t avahi_t:dir search; allow system_dbusd_t avahi_t:file { read open }; allow system_dbusd_t debugfs_t:dir { read search open getattr }; allow system_dbusd_t debugfs_t:file getattr; allow system_dbusd_t etc_runtime_t:file { read write getattr open append }; allow system_dbusd_t etc_t:dir { write remove_name add_name }; allow system_dbusd_t etc_t:file { write create unlink link }; allow system_dbusd_t file_t:dir rmdir; allow system_dbusd_t fixed_disk_device_t:blk_file getattr; allow system_dbusd_t fusefs_t:dir { read getattr open search }; allow system_dbusd_t fusefs_t:file getattr; allow system_dbusd_t gpg_exec_t:file { read execute open execute_no_trans }; allow system_dbusd_t hald_t:dbus send_msg; allow system_dbusd_t hald_t:dir search; allow system_dbusd_t hald_t:file { read open }; allow system_dbusd_t initrc_t:dir search; allow system_dbusd_t initrc_t:file { read open }; allow system_dbusd_t inotifyfs_t:dir { read getattr ioctl }; allow system_dbusd_t iso9660_t:filesystem mount; allow system_dbusd_t lib_t:file execute_no_trans; allow system_dbusd_t mnt_t:dir { write search remove_name create add_name mounton }; allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans }; allow system_dbusd_t proc_mdstat_t:file { read getattr open }; allow system_dbusd_t proc_net_t:file { read getattr open }; allow system_dbusd_t removable_device_t:blk_file { read getattr open setattr }; allow system_dbusd_t rpm_var_lib_t:dir { write search getattr }; allow system_dbusd_t rpm_var_lib_t:file { read lock getattr open }; allow system_dbusd_t self:capability { sys_nice sys_ptrace ipc_lock sys_chroot }; allow system_dbusd_t self:netlink_kobject_uevent_socket { bind create setopt getattr }; allow system_dbusd_t self:process { execmem getcap getsched execstack setsched setrlimit }; allow system_dbusd_t shell_exec_t:file { read execute open }; allow system_dbusd_t system_dbusd_var_run_t:dir { create rmdir }; allow system_dbusd_t tmpfs_t:dir { search getattr }; allow system_dbusd_t tmpfs_t:sock_file write; allow system_dbusd_t tty_device_t:chr_file getattr; allow system_dbusd_t var_lib_t:dir { write remove_name add_name }; allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open }; allow system_dbusd_t var_log_t:dir { search getattr }; allow system_dbusd_t var_log_t:file { read getattr open append setattr }; allow system_dbusd_t var_t:file { read getattr open }; allow system_dbusd_t xdm_t:dbus send_msg; allow system_dbusd_t xdm_t:dir { getattr search }; allow system_dbusd_t xdm_t:file { read getattr open }; allow system_dbusd_t xdm_t:process getsched; allow system_dbusd_t xdm_var_run_t:dir search; allow system_dbusd_t xdm_var_run_t:file { read getattr open }; allow system_dbusd_t xserver_t:dir search; allow system_dbusd_t xserver_t:file { read getattr open }; allow system_dbusd_t xserver_t:unix_stream_socket connectto; #============= udev_t ============== allow udev_t anon_inodefs_t:file read; allow udev_t tmpfs_t:dir { write search getattr add_name }; allow udev_t tmpfs_t:file { rename write getattr read create unlink open }; #============= unlabeled_t ============== allow unlabeled_t self:filesystem associate; #============= xdm_t ============== allow xdm_t avahi_t:dbus send_msg; allow xdm_t hald_t:dbus send_msg; allow xdm_t self:process execstack; -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:08 ` Alan Rouse @ 2010-02-19 21:19 ` Dominick Grift 2010-02-19 21:22 ` Justin P. mattock 2010-02-19 21:25 ` Stephen Smalley 2 siblings, 0 replies; 113+ messages in thread From: Dominick Grift @ 2010-02-19 21:19 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Stephen Smalley, 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 456 bytes --] On 02/19/2010 10:08 PM, Alan Rouse wrote: > setsebool -P xserver_object_manager=on Leave that to off to keep thing as simple as possible for now. As for your other AVC denials i am willing to compare those to Fedoras' settings. Maybe tomorrow. But as far as policy goes it is a continuous process. So it will take much time to fix all policy issues and it will "never" be perfect. I would be helpful if you could enclose raw avc denials. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 261 bytes --] ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:08 ` Alan Rouse 2010-02-19 21:19 ` Dominick Grift @ 2010-02-19 21:22 ` Justin P. mattock 2010-02-19 21:25 ` Stephen Smalley 2 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 21:22 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/19/2010 01:08 PM, Alan Rouse wrote: > Ok, in case this might be useful to someone else, here's my recipe for an OpenSuse 11.2 system booting to the desktop using SELinux in permissive mode. (Next step for me is to fix a few pages of AVC denied messages...) > > 1. Default install of OpenSuse 11.2 (used Gnome desktop) > 2. Boot normally to desktop, open terminal, su - > 3. Do this: > > zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git > > vi /boot/grub/menu.lst > -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0" > > cd /etc/selinux > cp -R refpolicy-standard targeted > usermod -s /sbin/nologin nobody > reboot<should boot to desktop> > =============== > Get policy src: > =============== > -- launch firefox, go to http://software.opensuse.org/search/ > -- search for selinux-policy, download src > -- install src rpm > cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp > cd /tmp > bunzip2 refpolicy-2.20081210.tar.bz2 > tar xvf refpolicy-2.20081210.tar > cd refpolicy > vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n) > make clean; make conf; make; make install; make load; make install-src > cd /etc/selinux/refpolicy-standard/src/policy > make clean; make conf; make; make install; make load > cd /etc/selinux > rsync -avz refpolicy-standard/ targeted > reboot > ============================= > End of getting policy source: > ============================= > setsebool -P init_upstart=on > setsebool -P xdm_sysadm_login=on > setsebool -P xserver_object_manager=on > fixfiles relabel > -- put SETLOCALDEFS=0 in /etc/selinux/config > reboot > > And we're now in the desktop with a relabeled system and selinux in permissive mode. > ================================================================================ > > Here's what "audit2allow -al" shows now... > > #============= avahi_t ============== > allow avahi_t tmpfs_t:dir search; > allow avahi_t tmpfs_t:sock_file write; > allow avahi_t xdm_t:dbus send_msg; > > #============= crond_t ============== > allow crond_t tmpfs_t:dir search; > allow crond_t tmpfs_t:sock_file write; > > #============= cupsd_t ============== > allow cupsd_t self:process { execstack execmem }; > allow cupsd_t tmpfs_t:dir search; > > #============= dhcpc_t ============== > allow dhcpc_t nmbd_exec_t:file { read getattr execute }; > allow dhcpc_t samba_etc_t:dir search; > allow dhcpc_t samba_etc_t:file { read write getattr open append }; > allow dhcpc_t tmpfs_t:dir search; > allow dhcpc_t tmpfs_t:sock_file write; > allow dhcpc_t var_t:dir { write remove_name add_name }; > allow dhcpc_t var_t:file { write ioctl read create unlink open getattr }; > > #============= fsdaemon_t ============== > allow fsdaemon_t tmpfs_t:dir { read search open }; > allow fsdaemon_t tmpfs_t:sock_file write; > allow fsdaemon_t usr_t:file { read getattr open }; > > #============= getty_t ============== > allow getty_t anon_inodefs_t:file getattr; > allow getty_t apmd_log_t:file getattr; > allow getty_t audisp_t:dir { read search open }; > allow getty_t audisp_t:file { read getattr open }; > allow getty_t audisp_t:lnk_file read; > allow getty_t audisp_t:unix_dgram_socket getattr; > allow getty_t audisp_t:unix_stream_socket getattr; > allow getty_t auditd_log_t:file getattr; > allow getty_t auditd_t:dir { read search open }; > allow getty_t auditd_t:fifo_file getattr; > allow getty_t auditd_t:file { read getattr open }; > allow getty_t auditd_t:lnk_file read; > allow getty_t auditd_t:netlink_audit_socket getattr; > allow getty_t auditd_t:unix_dgram_socket getattr; > allow getty_t auditd_t:unix_stream_socket getattr; > allow getty_t avahi_t:dir { read search open }; > allow getty_t avahi_t:fifo_file getattr; > allow getty_t avahi_t:file { read getattr open }; > allow getty_t avahi_t:lnk_file read; > allow getty_t avahi_t:netlink_route_socket getattr; > allow getty_t avahi_t:udp_socket getattr; > allow getty_t avahi_t:unix_dgram_socket getattr; > allow getty_t avahi_t:unix_stream_socket getattr; > allow getty_t bin_t:file getattr; > allow getty_t crond_t:dir { read search open }; > allow getty_t crond_t:file { read getattr open }; > allow getty_t crond_t:lnk_file read; > allow getty_t crond_t:unix_dgram_socket getattr; > allow getty_t crond_var_run_t:file getattr; > allow getty_t cupsd_log_t:file getattr; > allow getty_t cupsd_t:dir { read search open }; > allow getty_t cupsd_t:fifo_file getattr; > allow getty_t cupsd_t:file { read getattr open }; > allow getty_t cupsd_t:lnk_file read; > allow getty_t cupsd_t:tcp_socket getattr; > allow getty_t cupsd_t:udp_socket getattr; > allow getty_t cupsd_t:unix_stream_socket getattr; > allow getty_t debugfs_t:file getattr; > allow getty_t device_t:chr_file getattr; > allow getty_t dhcpc_t:dir { read search open }; > allow getty_t dhcpc_t:fifo_file getattr; > allow getty_t dhcpc_t:file { read getattr open }; > allow getty_t dhcpc_t:lnk_file read; > allow getty_t dhcpc_t:unix_dgram_socket getattr; > allow getty_t dhcpc_var_run_t:file getattr; > allow getty_t event_device_t:chr_file getattr; > allow getty_t file_t:file getattr; > allow getty_t fuse_device_t:chr_file getattr; > allow getty_t hald_t:dir { read search open }; > allow getty_t hald_t:fifo_file getattr; > allow getty_t hald_t:file { read getattr open }; > allow getty_t hald_t:lnk_file read; > allow getty_t hald_t:unix_dgram_socket getattr; > allow getty_t hald_t:unix_stream_socket getattr; > allow getty_t initrc_t:dir { read search open getattr }; > allow getty_t initrc_t:file { read getattr open }; > allow getty_t initrc_t:lnk_file read; > allow getty_t initrc_t:unix_dgram_socket getattr; > allow getty_t initrc_t:unix_stream_socket getattr; > allow getty_t innd_log_t:file getattr; > allow getty_t inotifyfs_t:dir getattr; > allow getty_t kernel_t:dir { read search open }; > allow getty_t kernel_t:file { read getattr open }; > allow getty_t mtrr_device_t:file getattr; > allow getty_t nscd_log_t:file getattr; > allow getty_t nscd_t:dir { read search open }; > allow getty_t nscd_t:file { read getattr open }; > allow getty_t nscd_t:lnk_file read; > allow getty_t nscd_t:unix_stream_socket getattr; > allow getty_t postfix_data_t:file getattr; > allow getty_t postfix_etc_t:file getattr; > allow getty_t postfix_master_t:dir { read search open }; > allow getty_t postfix_master_t:fifo_file getattr; > allow getty_t postfix_master_t:file { read getattr open }; > allow getty_t postfix_master_t:lnk_file read; > allow getty_t postfix_master_t:tcp_socket getattr; > allow getty_t postfix_master_t:unix_dgram_socket getattr; > allow getty_t postfix_master_t:unix_stream_socket getattr; > allow getty_t postfix_pickup_t:dir { read search open }; > allow getty_t postfix_pickup_t:file { read getattr open }; > allow getty_t postfix_pickup_t:lnk_file read; > allow getty_t postfix_pickup_t:unix_dgram_socket getattr; > allow getty_t postfix_public_t:fifo_file getattr; > allow getty_t postfix_qmgr_t:dir { read search open }; > allow getty_t postfix_qmgr_t:file { read getattr open }; > allow getty_t postfix_qmgr_t:lnk_file read; > allow getty_t postfix_qmgr_t:unix_dgram_socket getattr; > allow getty_t postfix_var_run_t:file getattr; > allow getty_t proc_kmsg_t:file getattr; > allow getty_t proc_mdstat_t:file getattr; > allow getty_t proc_t:file getattr; > allow getty_t ptmx_t:chr_file getattr; > allow getty_t rpcbind_t:dir { read search open }; > allow getty_t rpcbind_t:file { read getattr open }; > allow getty_t rpcbind_t:lnk_file read; > allow getty_t rpcbind_t:tcp_socket getattr; > allow getty_t rpcbind_t:udp_socket getattr; > allow getty_t rpcbind_t:unix_stream_socket getattr; > allow getty_t rpcbind_var_run_t:file getattr; > allow getty_t self:capability sys_ptrace; > allow getty_t sendmail_log_t:file getattr; > allow getty_t syslogd_t:dir { read search open }; > allow getty_t syslogd_t:file { read getattr open }; > allow getty_t syslogd_t:lnk_file read; > allow getty_t syslogd_t:unix_dgram_socket getattr; > allow getty_t system_dbusd_t:dir { read search open getattr }; > allow getty_t system_dbusd_t:fifo_file getattr; > allow getty_t system_dbusd_t:file { read getattr open }; > allow getty_t system_dbusd_t:lnk_file read; > allow getty_t system_dbusd_t:netlink_kobject_uevent_socket getattr; > allow getty_t system_dbusd_t:netlink_selinux_socket getattr; > allow getty_t system_dbusd_t:unix_dgram_socket getattr; > allow getty_t system_dbusd_t:unix_stream_socket getattr; > allow getty_t tmpfs_t:dir search; > allow getty_t tmpfs_t:fifo_file getattr; > allow getty_t tmpfs_t:file getattr; > allow getty_t udev_t:dir { read search open }; > allow getty_t udev_t:file { read getattr open }; > allow getty_t udev_t:lnk_file read; > allow getty_t udev_t:netlink_kobject_uevent_socket getattr; > allow getty_t udev_t:unix_dgram_socket getattr; > allow getty_t urandom_device_t:chr_file getattr; > allow getty_t user_home_t:file getattr; > allow getty_t usr_t:file getattr; > allow getty_t var_lib_t:dir getattr; > allow getty_t var_lib_t:file getattr; > allow getty_t var_log_t:file getattr; > allow getty_t xauth_home_t:file getattr; > allow getty_t xdm_t:dir { read search open getattr }; > allow getty_t xdm_t:file { read getattr open }; > allow getty_t xdm_t:lnk_file read; > allow getty_t xdm_t:netlink_kobject_uevent_socket getattr; > allow getty_t xdm_t:netlink_selinux_socket getattr; > allow getty_t xdm_t:unix_dgram_socket getattr; > allow getty_t xdm_t:unix_stream_socket getattr; > allow getty_t xdm_tmp_t:file getattr; > allow getty_t xdm_var_run_t:file getattr; > allow getty_t xserver_log_t:file getattr; > allow getty_t xserver_t:dir { read search open getattr }; > allow getty_t xserver_t:file { read getattr open }; > allow getty_t xserver_t:lnk_file read; > allow getty_t xserver_t:unix_stream_socket getattr; > > #============= hald_t ============== > allow hald_t xdm_t:dbus send_msg; > > #============= initrc_t ============== > allow initrc_t self:process { execstack execmem }; > > #============= insmod_t ============== > allow insmod_t initrc_tmp_t:file write; > > #============= kernel_t ============== > allow kernel_t self:process { execstack execmem }; > > #============= loadkeys_t ============== > allow loadkeys_t tmpfs_t:dir search; > allow loadkeys_t usr_t:file { read getattr open ioctl }; > allow loadkeys_t usr_t:lnk_file read; > > #============= nscd_t ============== > allow nscd_t bin_t:dir search; > allow nscd_t nscd_exec_t:file execute_no_trans; > allow nscd_t self:fifo_file write; > allow nscd_t tmpfs_t:dir search; > > #============= postfix_master_t ============== > allow postfix_master_t tmpfs_t:dir search; > allow postfix_master_t tmpfs_t:sock_file write; > > #============= postfix_pickup_t ============== > allow postfix_pickup_t tmpfs_t:dir search; > allow postfix_pickup_t tmpfs_t:sock_file write; > > #============= postfix_postqueue_t ============== > allow postfix_postqueue_t tmpfs_t:dir search; > allow postfix_postqueue_t tmpfs_t:sock_file write; > > #============= postfix_qmgr_t ============== > allow postfix_qmgr_t tmpfs_t:dir search; > allow postfix_qmgr_t tmpfs_t:sock_file write; > > #============= rpcbind_t ============== > allow rpcbind_t tmpfs_t:dir search; > > #============= syslogd_t ============== > allow syslogd_t apmd_log_t:file { ioctl open append }; > allow syslogd_t sendmail_log_t:file append; > allow syslogd_t tmpfs_t:dir search; > allow syslogd_t tmpfs_t:fifo_file { write read ioctl open }; > > #============= system_dbusd_t ============== > allow system_dbusd_t anon_inodefs_t:file { read write }; > allow system_dbusd_t avahi_t:dir search; > allow system_dbusd_t avahi_t:file { read open }; > allow system_dbusd_t debugfs_t:dir { read search open getattr }; > allow system_dbusd_t debugfs_t:file getattr; > allow system_dbusd_t etc_runtime_t:file { read write getattr open append }; > allow system_dbusd_t etc_t:dir { write remove_name add_name }; > allow system_dbusd_t etc_t:file { write create unlink link }; > allow system_dbusd_t file_t:dir rmdir; > allow system_dbusd_t fixed_disk_device_t:blk_file getattr; > allow system_dbusd_t fusefs_t:dir { read getattr open search }; > allow system_dbusd_t fusefs_t:file getattr; > allow system_dbusd_t gpg_exec_t:file { read execute open execute_no_trans }; > allow system_dbusd_t hald_t:dbus send_msg; > allow system_dbusd_t hald_t:dir search; > allow system_dbusd_t hald_t:file { read open }; > allow system_dbusd_t initrc_t:dir search; > allow system_dbusd_t initrc_t:file { read open }; > allow system_dbusd_t inotifyfs_t:dir { read getattr ioctl }; > allow system_dbusd_t iso9660_t:filesystem mount; > allow system_dbusd_t lib_t:file execute_no_trans; > allow system_dbusd_t mnt_t:dir { write search remove_name create add_name mounton }; > allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans }; > allow system_dbusd_t proc_mdstat_t:file { read getattr open }; > allow system_dbusd_t proc_net_t:file { read getattr open }; > allow system_dbusd_t removable_device_t:blk_file { read getattr open setattr }; > allow system_dbusd_t rpm_var_lib_t:dir { write search getattr }; > allow system_dbusd_t rpm_var_lib_t:file { read lock getattr open }; > allow system_dbusd_t self:capability { sys_nice sys_ptrace ipc_lock sys_chroot }; > allow system_dbusd_t self:netlink_kobject_uevent_socket { bind create setopt getattr }; > allow system_dbusd_t self:process { execmem getcap getsched execstack setsched setrlimit }; > allow system_dbusd_t shell_exec_t:file { read execute open }; > allow system_dbusd_t system_dbusd_var_run_t:dir { create rmdir }; > allow system_dbusd_t tmpfs_t:dir { search getattr }; > allow system_dbusd_t tmpfs_t:sock_file write; > allow system_dbusd_t tty_device_t:chr_file getattr; > allow system_dbusd_t var_lib_t:dir { write remove_name add_name }; > allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open }; > allow system_dbusd_t var_log_t:dir { search getattr }; > allow system_dbusd_t var_log_t:file { read getattr open append setattr }; > allow system_dbusd_t var_t:file { read getattr open }; > allow system_dbusd_t xdm_t:dbus send_msg; > allow system_dbusd_t xdm_t:dir { getattr search }; > allow system_dbusd_t xdm_t:file { read getattr open }; > allow system_dbusd_t xdm_t:process getsched; > allow system_dbusd_t xdm_var_run_t:dir search; > allow system_dbusd_t xdm_var_run_t:file { read getattr open }; > allow system_dbusd_t xserver_t:dir search; > allow system_dbusd_t xserver_t:file { read getattr open }; > allow system_dbusd_t xserver_t:unix_stream_socket connectto; > > #============= udev_t ============== > allow udev_t anon_inodefs_t:file read; > allow udev_t tmpfs_t:dir { write search getattr add_name }; > allow udev_t tmpfs_t:file { rename write getattr read create unlink open }; > > #============= unlabeled_t ============== > allow unlabeled_t self:filesystem associate; > > #============= xdm_t ============== > allow xdm_t avahi_t:dbus send_msg; > allow xdm_t hald_t:dbus send_msg; > allow xdm_t self:process execstack; > what's id -Z? I posted the contents of /etc/pam.d/* which should get your login context correct. mine is name:user_r:user_t fedora(I think)is staff_t:unconfined_r:unconfined_t (or something like that). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:08 ` Alan Rouse 2010-02-19 21:19 ` Dominick Grift 2010-02-19 21:22 ` Justin P. mattock @ 2010-02-19 21:25 ` Stephen Smalley 2010-02-19 21:30 ` Alan Rouse 2010-02-19 21:47 ` Justin P. mattock 2 siblings, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 21:25 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, 'selinux@tycho.nsa.gov' On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: > Ok, in case this might be useful to someone else, here's my recipe for an OpenSuse 11.2 system booting to the desktop using SELinux in permissive mode. (Next step for me is to fix a few pages of AVC denied messages...) > > 1. Default install of OpenSuse 11.2 (used Gnome desktop) > 2. Boot normally to desktop, open terminal, su - > 3. Do this: > > zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git > > vi /boot/grub/menu.lst > -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0" > > cd /etc/selinux > cp -R refpolicy-standard targeted > usermod -s /sbin/nologin nobody > reboot <should boot to desktop> > =============== > Get policy src: > =============== > -- launch firefox, go to http://software.opensuse.org/search/ > -- search for selinux-policy, download src > -- install src rpm > cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp > cd /tmp > bunzip2 refpolicy-2.20081210.tar.bz2 > tar xvf refpolicy-2.20081210.tar > cd refpolicy > vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n) > make clean; make conf; make; make install; make load; make install-src > cd /etc/selinux/refpolicy-standard/src/policy > make clean; make conf; make; make install; make load > cd /etc/selinux > rsync -avz refpolicy-standard/ targeted Why is it necessary to download and rebuild the source policy? Did they build it as a monolithic policy? > reboot > ============================= > End of getting policy source: > ============================= > setsebool -P init_upstart=on > setsebool -P xdm_sysadm_login=on > setsebool -P xserver_object_manager=on I think you only need the first boolean setting. And we should likely introduce an ifdef for suse in refpolicy that always disables that transition so that you don't have to artificially turn on that boolean. > fixfiles relabel > -- put SETLOCALDEFS=0 in /etc/selinux/config > reboot > > And we're now in the desktop with a relabeled system and selinux in permissive mode. > ================================================================================ > > Here's what "audit2allow -al" shows now... > > #============= avahi_t ============== > allow avahi_t tmpfs_t:dir search; > allow avahi_t tmpfs_t:sock_file write; It would be useful to see the raw audit message with what directory/file is being accessed. tmpfs_t indicates a tmpfs mount, which might mean you have a mislabeled tmpfs mount (e.g. /dev is a tmpfs mount that should be relabeled by rc.sysinit via restorecon -R /dev). -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:25 ` Stephen Smalley @ 2010-02-19 21:30 ` Alan Rouse 2010-02-19 21:37 ` Stephen Smalley 2010-02-19 21:47 ` Justin P. mattock 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-19 21:30 UTC (permalink / raw) To: Stephen Smalley; +Cc: Dominick Grift, 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 864 bytes --] Stephen wrote: > Why is it necessary to download and rebuild the source policy? Did they build it as a monolithic policy? Yes, the policy rpm from OpenSuse 11.2 is monolithic. >> setsebool -P init_upstart=on >> setsebool -P xdm_sysadm_login=on >> setsebool -P xserver_object_manager=on > I think you only need the first boolean setting. > And we should likely introduce an ifdef for suse in refpolicy that always disables that > transition so that you don't have to artificially turn on that boolean. Ok > It would be useful to see the raw audit message with what directory/file is being accessed. > tmpfs_t indicates a tmpfs mount, which might mean you have a mislabeled tmpfs mount (e.g. > /dev is a tmpfs mount that should be relabeled by rc.sysinit via restorecon -R /dev). See attached raw audit messages from the most recent boot. [-- Attachment #2: audit.log --] [-- Type: application/octet-stream, Size: 103592 bytes --] type=DAEMON_START msg=audit(1266614566.568:8331): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2482 subj=system_u:system_r:auditd_t res=success type=AVC msg=audit(1266614567.574:288): avc: denied { search } for pid=963 comm="dbus-daemon" name="2505" dev=proc ino=11033 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614567.575:289): avc: denied { read } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=11034 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614567.576:290): avc: denied { open } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=11034 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614567.613:291): avc: denied { search } for pid=2503 comm="avahi-daemon" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614567.660:292): avc: denied { write } for pid=2509 comm="avahi-daemon" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614567.666:293): avc: denied { search } for pid=963 comm="dbus-daemon" name="2509" dev=proc ino=11045 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266614567.667:294): avc: denied { read } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=11066 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266614567.667:295): avc: denied { open } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=11066 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266614567.940:296): avc: denied { sys_nice } for pid=2507 comm="rtkit-daemon" capability=23 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266614567.940:297): avc: denied { setsched } for pid=2507 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614567.951:298): avc: denied { sys_chroot } for pid=2507 comm="rtkit-daemon" capability=18 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266614567.955:299): avc: denied { getcap } for pid=2507 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614567.956:300): avc: denied { setrlimit } for pid=2507 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614567.968:301): avc: denied { getattr } for pid=2507 comm="rtkit-daemon" path="/2505/stat" dev=proc ino=11084 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614567.968:302): avc: denied { sys_ptrace } for pid=2507 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266614568.157:303): avc: denied { getattr } for pid=2450 comm="polkitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614568.219:304): avc: denied { search } for pid=2450 comm="polkitd" name="root" dev=sda2 ino=8034 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:default_t tclass=dir type=AVC msg=audit(1266614568.359:305): avc: denied { ioctl } for pid=2450 comm="polkitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614568.363:306): avc: denied { read } for pid=2450 comm="polkitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614568.385:307): avc: denied { getattr } for pid=2450 comm="polkitd" path="/proc/2505" dev=proc ino=11033 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614568.608:308): avc: denied { execstack } for pid=2535 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266614568.620:309): avc: denied { execmem } for pid=2535 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266614568.777:310): avc: denied { search } for pid=2536 comm="cupsd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614569.143:311): avc: denied { getattr } for pid=2450 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614569.144:312): avc: denied { read } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614569.144:313): avc: denied { open } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614570.279:314): avc: denied { getsched } for pid=2507 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266614572.679:315): avc: denied { search } for pid=2714 comm="nscd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614572.745:316): avc: denied { search } for pid=2714 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266614572.775:317): avc: denied { execute_no_trans } for pid=2714 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266614572.962:318): avc: denied { write } for pid=2514 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614572.962:319): avc: denied { read } for pid=2517 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614572.985:320): avc: denied { search } for pid=2729 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614572.994:321): avc: denied { write } for pid=2729 comm="postfix" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614573.070:322): avc: denied { write } for pid=2715 comm="nscd" path="pipe:[11432]" dev=pipefs ino=11432 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266614573.163:323): avc: denied { getattr } for pid=2450 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.gnome.policykit.examples.kick-bar.pkla" dev=sda2 ino=26398 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614573.163:324): avc: denied { read } for pid=2450 comm="polkitd" name="org.gnome.policykit.examples.kick-bar.pkla" dev=sda2 ino=26398 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614573.163:325): avc: denied { open } for pid=2450 comm="polkitd" name="org.gnome.policykit.examples.kick-bar.pkla" dev=sda2 ino=26398 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614573.547:326): avc: denied { execute } for pid=2758 comm="console-kit-dae" name="bash" dev=sda2 ino=77 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file type=AVC msg=audit(1266614573.547:327): avc: denied { read open } for pid=2758 comm="console-kit-dae" name="bash" dev=sda2 ino=77 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file type=AVC msg=audit(1266614573.720:328): avc: denied { rmdir } for pid=2766 comm="rmdir" name="gdm" dev=sda2 ino=144025 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir type=AVC msg=audit(1266614573.752:329): avc: denied { getattr } for pid=1384 comm="console-kit-dae" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614573.752:330): avc: denied { search } for pid=1384 comm="console-kit-dae" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266614573.752:331): avc: denied { read } for pid=1384 comm="console-kit-dae" name="history" dev=sda2 ino=129645 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614573.753:332): avc: denied { open } for pid=1384 comm="console-kit-dae" name="history" dev=sda2 ino=129645 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614573.753:333): avc: denied { append } for pid=1384 comm="console-kit-dae" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614574.025:334): avc: denied { getattr } for pid=2775 comm="udev-acl.ck" name="sr0" dev=tmpfs ino=5173 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266614574.026:335): avc: denied { setattr } for pid=2775 comm="udev-acl.ck" name="sr0" dev=tmpfs ino=5173 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266614574.137:336): avc: denied { execute_no_trans } for pid=2782 comm="console-kit-dae" path="/usr/lib/ConsoleKit/ck-collect-session-info" dev=sda2 ino=27348 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:lib_t tclass=file type=AVC msg=audit(1266614574.164:337): avc: denied { connectto } for pid=2783 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266614574.165:338): avc: denied { search } for pid=2783 comm="ck-get-x11-serv" name="auth-for-gdm-OnyRsX" dev=sda2 ino=144008 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir type=AVC msg=audit(1266614574.168:339): avc: denied { read } for pid=2783 comm="ck-get-x11-serv" name="database" dev=sda2 ino=129638 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266614574.169:340): avc: denied { open } for pid=2783 comm="ck-get-x11-serv" name="database" dev=sda2 ino=129638 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266614574.169:341): avc: denied { getattr } for pid=2783 comm="ck-get-x11-serv" path="/var/run/gdm/auth-for-gdm-OnyRsX/database" dev=sda2 ino=129638 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266614574.176:342): avc: denied { search } for pid=2782 comm="ck-collect-sess" name="1095" dev=proc ino=6680 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266614574.177:343): avc: denied { read } for pid=2782 comm="ck-collect-sess" name="stat" dev=proc ino=7781 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614574.177:344): avc: denied { open } for pid=2782 comm="ck-collect-sess" name="stat" dev=proc ino=7781 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614574.177:345): avc: denied { getattr } for pid=2782 comm="ck-collect-sess" path="/proc/1095/stat" dev=proc ino=7781 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614574.179:346): avc: denied { getattr } for pid=2782 comm="ck-collect-sess" path="/dev/tty7" dev=tmpfs ino=1622 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file type=AVC msg=audit(1266614574.236:347): avc: denied { create } for pid=2789 comm="mkdir" name="alan" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir type=AVC msg=audit(1266614575.043:348): avc: denied { execute_no_trans } for pid=2812 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266614575.331:349): avc: denied { write } for pid=2856 comm="postlog" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614575.348:350): avc: denied { append } for pid=2342 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266614575.563:351): avc: denied { execstack } for pid=2881 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266614575.563:352): avc: denied { execmem } for pid=2881 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266614575.592:353): avc: denied { append } for pid=2342 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266614575.610:354): avc: denied { search } for pid=2884 comm="pickup" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.622:355): avc: denied { search } for pid=2887 comm="cron" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.622:356): avc: denied { write } for pid=2884 comm="pickup" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614575.648:357): avc: denied { write } for pid=2715 comm="nscd" path="pipe:[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266614575.651:358): avc: denied { search } for pid=2888 comm="qmgr" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.657:359): avc: denied { search } for pid=2887 comm="cron" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.658:360): avc: denied { write } for pid=2888 comm="qmgr" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614575.662:361): avc: denied { write } for pid=2887 comm="cron" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614575.732:362): avc: denied { search } for pid=2894 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266614575.733:363): avc: denied { execute_no_trans } for pid=2894 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266614575.794:364): avc: denied { read } for pid=2903 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266614575.794:365): avc: denied { open } for pid=2903 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266614575.795:366): avc: denied { getattr } for pid=2903 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266614575.816:367): avc: denied { search } for pid=2903 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.817:368): avc: denied { write } for pid=2903 comm="smartd" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614575.830:369): avc: denied { read } for pid=2903 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.830:370): avc: denied { open } for pid=2903 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.835:371): avc: denied { search } for pid=290 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.838:372): avc: denied { write } for pid=290 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=7011 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266614575.905:373): avc: denied { getattr } for pid=343 comm="udevd" path="/dev" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.914:374): avc: denied { write } for pid=343 comm="udevd" name="disk" dev=tmpfs ino=1752 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614575.914:375): avc: denied { add_name } for pid=343 comm="udevd" name="by-id" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614576.090:376): avc: denied { search } for pid=343 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614578.686:377): avc: denied { search } for pid=2996 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614578.686:378): avc: denied { write } for pid=2996 comm="postfix" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614578.788:379): avc: denied { search } for pid=3004 comm="postqueue" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614578.804:380): avc: denied { write } for pid=3004 comm="postqueue" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614578.920:381): avc: denied { write } for pid=3027 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.v905UXdy" dev=sda2 ino=129865 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file type=AVC msg=audit(1266614579.350:382): avc: denied { write } for pid=290 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=7011 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266614579.821:383): avc: denied { search } for pid=3112 comm="mingetty" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614579.835:384): avc: denied { search } for pid=3112 comm="mingetty" name="2" dev=proc ino=6027 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266614579.843:385): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13481 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266614579.843:386): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13481 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266614579.849:387): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2/maps" dev=proc ino=13481 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266614579.862:388): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=11939 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266614579.862:389): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=11939 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266614579.866:390): avc: denied { search } for pid=3112 comm="mingetty" name="254" dev=proc ino=6062 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614579.891:391): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13536 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614579.892:392): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13536 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614579.892:393): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/254/maps" dev=proc ino=13536 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614579.893:394): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12034 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614579.893:395): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12034 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614579.894:396): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12321 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=lnk_file type=AVC msg=audit(1266614579.899:397): avc: denied { getattr } for pid=3112 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=3975 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266614579.899:398): avc: denied { getattr } for pid=3112 comm="mingetty" path="/dev/ptmx" dev=tmpfs ino=3829 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ptmx_t tclass=chr_file type=AVC msg=audit(1266614579.900:399): avc: denied { search } for pid=3112 comm="mingetty" name="290" dev=proc ino=6065 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614579.900:400): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614579.901:401): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614579.901:402): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/290/maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614579.901:403): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614579.902:404): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614579.902:405): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12330 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=lnk_file type=AVC msg=audit(1266614579.902:406): avc: denied { getattr } for pid=3112 comm="mingetty" path="/dev/.udev/queue.bin" dev=tmpfs ino=7011 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266614579.905:407): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[4050]" dev=sockfs ino=4050 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266614579.905:408): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[4051]" dev=sockfs ino=4051 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614579.906:409): avc: denied { getattr } for pid=3112 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614579.906:410): avc: denied { getattr } for pid=3112 comm="mingetty" path="anon_inode:[signalfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614579.907:411): avc: denied { search } for pid=3112 comm="mingetty" name="963" dev=proc ino=6411 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614579.907:412): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13545 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614579.907:413): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13545 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614579.907:414): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/963/maps" dev=proc ino=13545 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614579.907:415): avc: denied { sys_ptrace } for pid=3112 comm="mingetty" capability=19 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability type=AVC msg=audit(1266614579.908:416): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12059 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614579.908:417): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12059 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614579.908:418): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12364 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=lnk_file type=AVC msg=audit(1266614579.908:419): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6400]" dev=sockfs ino=6400 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket type=AVC msg=audit(1266614579.908:420): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6410]" dev=sockfs ino=6410 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_selinux_socket type=AVC msg=audit(1266614579.910:421): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[7195]" dev=sockfs ino=7195 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266614579.911:422): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266614579.911:423): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6514]" dev=sockfs ino=6514 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket type=AVC msg=audit(1266614579.911:424): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6516]" dev=sockfs ino=6516 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket type=AVC msg=audit(1266614579.912:425): avc: denied { search } for pid=3112 comm="mingetty" name="1058" dev=proc ino=6579 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614579.912:426): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13547 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614579.912:427): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13547 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614579.912:428): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/1058/maps" dev=proc ino=13547 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614579.913:429): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=6580 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614579.938:430): avc: denied { execstack } for pid=2794 comm="ssh-agent" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266614579.962:431): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=6580 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614579.968:432): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=6581 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=lnk_file type=AVC msg=audit(1266614579.975:433): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6586]" dev=sockfs ino=6586 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket type=AVC msg=audit(1266614579.976:434): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/run/gdm/auth-for-gdm-OnyRsX/database" dev=sda2 ino=129638 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266614579.977:435): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=144012 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266614579.978:436): avc: denied { search } for pid=3112 comm="mingetty" name="1095" dev=proc ino=6680 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266614579.978:437): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614579.978:438): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614579.978:439): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/1095/maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614579.979:440): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=6681 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266614579.979:441): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=6681 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266614579.979:442): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=6682 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=lnk_file type=AVC msg=audit(1266614579.980:443): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[6773]" dev=sockfs ino=6773 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266614579.980:444): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/mtrr" dev=proc ino=4026531908 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:mtrr_device_t tclass=file type=AVC msg=audit(1266614579.980:445): avc: denied { getattr } for pid=3112 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1444 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266614579.981:446): avc: denied { search } for pid=3112 comm="mingetty" name="1378" dev=proc ino=7087 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266614579.986:447): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13562 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266614579.986:448): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13562 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266614579.986:449): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/1378/maps" dev=proc ino=13562 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266614579.986:450): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266614579.986:451): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266614579.986:452): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12419 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=lnk_file type=AVC msg=audit(1266614579.986:453): avc: denied { getattr } for pid=3112 comm="mingetty" path="pipe:[7083]" dev=pipefs ino=7083 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=fifo_file type=AVC msg=audit(1266614579.987:454): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[7084]" dev=sockfs ino=7084 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266614579.987:455): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266614579.987:456): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[7144]" dev=sockfs ino=7144 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266614579.988:457): avc: denied { getattr } for pid=3112 comm="mingetty" path="pipe:[7097]" dev=pipefs ino=7097 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=fifo_file type=AVC msg=audit(1266614580.031:458): avc: denied { getattr } for pid=3116 comm="mingetty" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614580.040:459): avc: denied { write } for pid=2514 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614580.040:460): avc: denied { read } for pid=2517 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614580.055:461): avc: denied { getattr } for pid=3116 comm="mingetty" path="/dev/cpu_dma_latency" dev=tmpfs ino=1106 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:device_t tclass=chr_file type=AVC msg=audit(1266614580.055:462): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[9061]" dev=sockfs ino=9061 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614580.055:463): avc: denied { search } for pid=3116 comm="mingetty" name="2299" dev=proc ino=10376 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266614580.055:464): avc: denied { read } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13584 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266614580.056:465): avc: denied { open } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13584 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266614580.056:466): avc: denied { getattr } for pid=3116 comm="mingetty" path="/proc/2299/maps" dev=proc ino=13584 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266614580.056:467): avc: denied { read } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12101 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266614580.056:468): avc: denied { open } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12101 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266614580.056:469): avc: denied { read } for pid=3116 comm="mingetty" name="0" dev=proc ino=12467 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=lnk_file type=AVC msg=audit(1266614580.056:470): avc: denied { getattr } for pid=3116 comm="mingetty" path="/var/run/dhcpcd-eth0.pid" dev=sda2 ino=129695 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file type=AVC msg=audit(1266614580.056:471): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[7679]" dev=sockfs ino=7679 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.056:472): avc: denied { getattr } for pid=3116 comm="mingetty" path="pipe:[7682]" dev=pipefs ino=7682 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=fifo_file type=AVC msg=audit(1266614580.057:473): avc: denied { search } for pid=3116 comm="mingetty" name="2341" dev=proc ino=10402 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.057:474): avc: denied { search } for pid=3119 comm="mingetty" name="254" dev=proc ino=6062 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614580.057:475): avc: denied { read } for pid=3119 comm="mingetty" name="fd" dev=proc ino=12034 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614580.057:476): avc: denied { open } for pid=3119 comm="mingetty" name="fd" dev=proc ino=12034 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614580.064:477): avc: denied { getattr } for pid=3117 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1444 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266614580.069:478): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.070:479): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.070:480): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2341/maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.070:481): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12104 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.070:482): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12104 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.070:483): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12474 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=lnk_file type=AVC msg=audit(1266614580.070:484): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[10400]" dev=sockfs ino=10400 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.070:485): avc: denied { getattr } for pid=3112 comm="mingetty" path="/dev/xconsole" dev=tmpfs ino=6395 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266614580.070:486): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266614580.071:487): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266614580.071:488): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/mail.info" dev=sda2 ino=26235 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614580.071:489): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/news/news.crit" dev=sda2 ino=26244 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:innd_log_t tclass=file type=AVC msg=audit(1266614580.071:490): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266614580.071:491): avc: denied { search } for pid=3112 comm="mingetty" name="2358" dev=proc ino=10445 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266614580.071:492): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13586 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266614580.071:493): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13586 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266614580.071:494): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2358/maps" dev=proc ino=13586 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266614580.072:495): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12107 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266614580.072:496): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12107 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266614580.072:497): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12507 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=lnk_file type=AVC msg=audit(1266614580.072:498): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/run/rpcbind.lock" dev=sda2 ino=129817 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:rpcbind_var_run_t tclass=file type=AVC msg=audit(1266614580.072:499): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[10460]" dev=sockfs ino=10460 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=udp_socket type=AVC msg=audit(1266614580.072:500): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[10427]" dev=sockfs ino=10427 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.072:501): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[10434]" dev=sockfs ino=10434 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266614580.074:502): avc: denied { search } for pid=3112 comm="mingetty" name="2482" dev=proc ino=11000 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266614580.074:503): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13589 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266614580.074:504): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13589 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266614580.075:505): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2482/maps" dev=proc ino=13589 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266614580.075:506): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12111 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266614580.075:507): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12111 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266614580.075:508): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12525 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266614580.080:509): avc: denied { read } for pid=3119 comm="mingetty" name="maps" dev=proc ino=13559 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614580.080:510): avc: denied { open } for pid=3119 comm="mingetty" name="maps" dev=proc ino=13559 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614580.080:511): avc: denied { getattr } for pid=3119 comm="mingetty" path="/proc/1067/maps" dev=proc ino=13559 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266614580.089:512): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[10400]" dev=sockfs ino=10400 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.093:513): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[10993]" dev=sockfs ino=10993 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=netlink_audit_socket type=AVC msg=audit(1266614580.093:514): avc: denied { getattr } for pid=3116 comm="mingetty" path="/var/log/audit/audit.log" dev=sda2 ino=129820 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:auditd_log_t tclass=file type=AVC msg=audit(1266614580.093:515): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[10997]" dev=sockfs ino=10997 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.093:516): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[10996]" dev=sockfs ino=10996 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.093:517): avc: denied { search } for pid=3116 comm="mingetty" name="2484" dev=proc ino=11008 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266614580.093:518): avc: denied { read } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13590 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266614580.093:519): avc: denied { open } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13590 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266614580.093:520): avc: denied { getattr } for pid=3116 comm="mingetty" path="/proc/2484/maps" dev=proc ino=13590 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266614580.094:521): avc: denied { read } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12114 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266614580.094:522): avc: denied { open } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12114 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266614580.094:523): avc: denied { read } for pid=3116 comm="mingetty" name="0" dev=proc ino=12534 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=lnk_file type=AVC msg=audit(1266614580.094:524): avc: denied { getattr } for pid=3116 comm="mingetty" path="pipe:[10992]" dev=pipefs ino=10992 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266614580.094:525): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[11006]" dev=sockfs ino=11006 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.094:526): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[11005]" dev=sockfs ino=11005 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.096:527): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[12948]" dev=sockfs ino=12948 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.124:528): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/lib/gdm/.pulse/34218fbf2b09493b6a2222c24aef434d-device-volumes.i686-pc-linux-gnu.gdbm" dev=sda2 ino=129725 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614580.124:529): avc: denied { search } for pid=3117 comm="mingetty" name="2341" dev=proc ino=10402 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.124:530): avc: denied { read } for pid=3117 comm="mingetty" name="maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.124:531): avc: denied { open } for pid=3117 comm="mingetty" name="maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.124:532): avc: denied { getattr } for pid=3117 comm="mingetty" path="/proc/2341/maps" dev=proc ino=13585 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266614580.125:533): avc: denied { read } for pid=3117 comm="mingetty" name="fd" dev=proc ino=12104 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.125:534): avc: denied { open } for pid=3117 comm="mingetty" name="fd" dev=proc ino=12104 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266614580.126:535): avc: denied { getattr } for pid=3117 comm="mingetty" path="socket:[10434]" dev=sockfs ino=10434 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266614580.126:536): avc: denied { read } for pid=3117 comm="mingetty" name="maps" dev=proc ino=13587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614580.126:537): avc: denied { open } for pid=3117 comm="mingetty" name="maps" dev=proc ino=13587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614580.126:538): avc: denied { getattr } for pid=3117 comm="mingetty" path="/proc/2450/maps" dev=proc ino=13587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266614580.127:539): avc: denied { sys_ptrace } for pid=3117 comm="mingetty" capability=19 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability type=AVC msg=audit(1266614580.131:540): avc: denied { getattr } for pid=3117 comm="mingetty" path="socket:[12268]" dev=sockfs ino=12268 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614580.132:541): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11076]" dev=sockfs ino=11076 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.132:542): avc: denied { search } for pid=3112 comm="mingetty" name="2509" dev=proc ino=11045 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266614580.132:543): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13598 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266614580.132:544): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13598 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266614580.132:545): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2509/maps" dev=proc ino=13598 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266614580.133:546): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=11046 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266614580.133:547): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=11046 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266614580.133:548): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=11047 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266614580.133:549): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11058]" dev=sockfs ino=11058 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.133:550): avc: denied { getattr } for pid=3112 comm="mingetty" path="pipe:[11060]" dev=pipefs ino=11060 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=fifo_file type=AVC msg=audit(1266614580.133:551): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11062]" dev=sockfs ino=11062 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.133:552): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11067]" dev=sockfs ino=11067 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=udp_socket type=AVC msg=audit(1266614580.133:553): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11069]" dev=sockfs ino=11069 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266614580.134:554): avc: denied { search } for pid=3112 comm="mingetty" name="2536" dev=proc ino=11153 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266614580.134:555): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13599 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266614580.134:556): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13599 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266614580.134:557): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2536/maps" dev=proc ino=13599 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266614580.135:558): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12121 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266614580.135:559): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12121 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266614580.135:560): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12581 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266614580.135:561): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11162]" dev=sockfs ino=11162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=tcp_socket type=AVC msg=audit(1266614580.135:562): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/cups/error_log" dev=sda2 ino=27013 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:cupsd_log_t tclass=file type=AVC msg=audit(1266614580.135:563): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11164]" dev=sockfs ino=11164 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.135:564): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11166]" dev=sockfs ino=11166 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=udp_socket type=AVC msg=audit(1266614580.135:565): avc: denied { getattr } for pid=3112 comm="mingetty" path="pipe:[11167]" dev=pipefs ino=11167 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=fifo_file type=AVC msg=audit(1266614580.136:566): avc: denied { search } for pid=3112 comm="mingetty" name="2715" dev=proc ino=11410 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266614580.136:567): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266614580.136:568): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266614580.136:569): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2715/maps" dev=proc ino=13600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266614580.136:570): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12124 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266614580.136:571): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12124 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266614580.136:572): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12592 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266614580.136:573): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/log/nscd.log" dev=sda2 ino=129828 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:nscd_log_t tclass=file type=AVC msg=audit(1266614580.136:574): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[11406]" dev=sockfs ino=11406 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.137:575): avc: denied { getattr } for pid=3112 comm="mingetty" path="/home/alan/.xsession-errors" dev=sda3 ino=21 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xauth_home_t tclass=file type=AVC msg=audit(1266614580.137:576): avc: denied { search } for pid=3112 comm="mingetty" name="2857" dev=proc ino=12310 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266614580.137:577): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13602 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266614580.137:578): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13602 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266614580.137:579): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2857/maps" dev=proc ino=13602 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266614580.137:580): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12617 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266614580.137:581): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=12617 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266614580.138:582): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=12618 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266614580.138:583): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[12292]" dev=sockfs ino=12292 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.138:584): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/spool/postfix/pid/master.pid" dev=sda2 ino=144028 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_var_run_t tclass=file type=AVC msg=audit(1266614580.138:585): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/lib/postfix/master.lock" dev=sda2 ino=129843 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_data_t tclass=file type=AVC msg=audit(1266614580.138:586): avc: denied { getattr } for pid=3112 comm="mingetty" path="pipe:[12797]" dev=pipefs ino=12797 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file type=AVC msg=audit(1266614580.138:587): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[12655]" dev=sockfs ino=12655 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=tcp_socket type=AVC msg=audit(1266614580.138:588): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[12685]" dev=sockfs ino=12685 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.139:589): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/spool/postfix/public/pickup" dev=sda2 ino=144019 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_public_t tclass=fifo_file type=AVC msg=audit(1266614580.141:590): avc: denied { search } for pid=3112 comm="mingetty" name="2884" dev=proc ino=12830 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266614580.142:591): avc: denied { search } for pid=3116 comm="mingetty" name="2507" dev=proc ino=11079 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614580.142:592): avc: denied { read } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12117 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614580.142:593): avc: denied { open } for pid=3116 comm="mingetty" name="fd" dev=proc ino=12117 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266614580.151:594): avc: denied { getattr } for pid=3119 comm="mingetty" path="pipe:[7682]" dev=pipefs ino=7682 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=fifo_file type=AVC msg=audit(1266614580.151:595): avc: denied { getattr } for pid=3119 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266614580.151:596): avc: denied { getattr } for pid=3119 comm="mingetty" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266614580.154:597): avc: denied { read } for pid=3119 comm="mingetty" name="0" dev=proc ino=12525 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266614580.181:598): avc: denied { search } for pid=3123 comm="mingetty" name="290" dev=proc ino=6065 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614580.181:599): avc: denied { read } for pid=3123 comm="mingetty" name="maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614580.182:600): avc: denied { open } for pid=3123 comm="mingetty" name="maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614580.182:601): avc: denied { getattr } for pid=3123 comm="mingetty" path="/proc/290/maps" dev=proc ino=13539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266614580.182:602): avc: denied { read } for pid=3123 comm="mingetty" name="fd" dev=proc ino=12041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614580.182:603): avc: denied { open } for pid=3123 comm="mingetty" name="fd" dev=proc ino=12041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614580.182:604): avc: denied { getattr } for pid=3123 comm="mingetty" path="socket:[4050]" dev=sockfs ino=4050 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.185:605): avc: denied { getattr } for pid=3123 comm="mingetty" path="socket:[6516]" dev=sockfs ino=6516 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.217:606): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[12700]" dev=sockfs ino=12700 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_stream_socket type=AVC msg=audit(1266614580.225:607): avc: denied { read } for pid=3117 comm="mingetty" name="0" dev=proc ino=11047 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266614580.240:608): avc: denied { read } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13612 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266614580.242:609): avc: denied { read } for pid=3117 comm="mingetty" name="0" dev=proc ino=12592 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266614580.242:610): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13612 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266614580.243:611): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2884/maps" dev=proc ino=13612 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266614580.243:612): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=13178 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266614580.243:613): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=13178 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266614580.244:614): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=13179 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=lnk_file type=AVC msg=audit(1266614580.244:615): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[12800]" dev=sockfs ino=12800 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.245:616): avc: denied { search } for pid=3116 comm="mingetty" name="2887" dev=proc ino=12845 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266614580.250:617): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13613 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266614580.260:618): avc: denied { open } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13613 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266614580.261:619): avc: denied { getattr } for pid=3117 comm="mingetty" path="/etc/X11/xinit/xinitrc" dev=sda2 ino=26987 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266614580.261:620): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2887/maps" dev=proc ino=13613 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266614580.261:621): avc: denied { read } for pid=3116 comm="mingetty" name="fd" dev=proc ino=13190 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266614580.262:622): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=13190 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266614580.262:623): avc: denied { read } for pid=3116 comm="mingetty" name="0" dev=proc ino=13191 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=lnk_file type=AVC msg=audit(1266614580.263:624): avc: denied { getattr } for pid=3112 comm="mingetty" path="/var/run/cron.pid" dev=sda2 ino=129864 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:crond_var_run_t tclass=file type=AVC msg=audit(1266614580.263:625): avc: denied { getattr } for pid=3116 comm="mingetty" path="socket:[12848]" dev=sockfs ino=12848 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.263:626): avc: denied { search } for pid=3112 comm="mingetty" name="2888" dev=proc ino=12846 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266614580.266:627): avc: denied { read } for pid=3116 comm="mingetty" name="maps" dev=proc ino=13614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266614580.271:628): avc: denied { open } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266614580.271:629): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/2888/maps" dev=proc ino=13614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266614580.271:630): avc: denied { read } for pid=3112 comm="mingetty" name="fd" dev=proc ino=13198 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266614580.271:631): avc: denied { open } for pid=3112 comm="mingetty" name="fd" dev=proc ino=13198 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266614580.271:632): avc: denied { read } for pid=3112 comm="mingetty" name="0" dev=proc ino=13199 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=lnk_file type=AVC msg=audit(1266614580.271:633): avc: denied { getattr } for pid=3112 comm="mingetty" path="socket:[12839]" dev=sockfs ino=12839 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=unix_dgram_socket type=AVC msg=audit(1266614580.271:634): avc: denied { getattr } for pid=3112 comm="mingetty" path="/etc/postfix/relay.db" dev=sda2 ino=129689 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_etc_t tclass=file type=AVC msg=audit(1266614580.283:635): avc: denied { getattr } for pid=3116 comm="mingetty" path="/proc/2857/fd" dev=proc ino=12617 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266614580.300:636): avc: denied { getattr } for pid=3117 comm="mingetty" path="/proc/277/fd" dev=proc ino=12039 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266614580.357:637): avc: denied { read } for pid=3123 comm="mingetty" name="0" dev=proc ino=12581 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266614580.361:638): avc: denied { read } for pid=3112 comm="mingetty" name="maps" dev=proc ino=13582 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614580.375:639): avc: denied { open } for pid=3117 comm="mingetty" name="maps" dev=proc ino=13547 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614580.381:640): avc: denied { getattr } for pid=3119 comm="mingetty" path="/proc/1058/maps" dev=proc ino=13547 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614580.382:641): avc: denied { getattr } for pid=3125 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=144012 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266614580.440:642): avc: denied { write } for pid=2342 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6395 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266614580.450:643): avc: denied { getattr } for pid=3119 comm="mingetty" path="/var/run/gdm/auth-for-gdm-OnyRsX/database" dev=sda2 ino=129638 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266614580.455:644): avc: denied { getattr } for pid=3123 comm="mingetty" path="/proc/1378/fd" dev=proc ino=12066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266614580.457:645): avc: denied { read } for pid=3119 comm="mingetty" name="maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614580.474:646): avc: denied { open } for pid=3119 comm="mingetty" name="maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614580.476:647): avc: denied { getattr } for pid=3119 comm="mingetty" path="/proc/1095/maps" dev=proc ino=13560 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266614580.498:648): avc: denied { getattr } for pid=3125 comm="mingetty" path="/proc/350/fd" dev=proc ino=12045 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266614580.551:649): avc: denied { search } for pid=3117 comm="mingetty" name="2794" dev=proc ino=11898 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614580.554:650): avc: denied { read } for pid=3123 comm="mingetty" name="fd" dev=proc ino=6580 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614580.555:651): avc: denied { open } for pid=3125 comm="mingetty" name="fd" dev=proc ino=13702 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614580.570:652): avc: denied { getattr } for pid=3123 comm="mingetty" path="/proc/mtrr" dev=proc ino=4026531908 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:mtrr_device_t tclass=file type=AVC msg=audit(1266614580.579:653): avc: denied { getattr } for pid=3117 comm="mingetty" path="/proc/2887/fd" dev=proc ino=13190 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266614580.583:654): avc: denied { getattr } for pid=3112 comm="mingetty" path="/proc/1095/fd" dev=proc ino=6681 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266614580.601:655): avc: denied { read } for pid=3123 comm="mingetty" name="0" dev=proc ino=12419 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=lnk_file type=AVC msg=audit(1266614580.637:656): avc: denied { getattr } for pid=3117 comm="mingetty" path="/proc/2299/fd" dev=proc ino=12101 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266614580.637:657): avc: denied { read } for pid=3123 comm="mingetty" name="4" dev=proc ino=12471 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=lnk_file type=AVC msg=audit(1266614580.638:658): avc: denied { getattr } for pid=3123 comm="mingetty" path="/var/log/news/news.crit" dev=sda2 ino=26244 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:innd_log_t tclass=file type=AVC msg=audit(1266614580.642:659): avc: denied { getattr } for pid=3123 comm="mingetty" path="pipe:[10992]" dev=pipefs ino=10992 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266614580.658:660): avc: denied { getattr } for pid=3119 comm="mingetty" path="/proc/2484/fd" dev=proc ino=12114 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266614580.663:661): avc: denied { getattr } for pid=3123 comm="mingetty" path="socket:[11162]" dev=sockfs ino=11162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=tcp_socket type=AVC msg=audit(1266614580.797:662): avc: denied { search } for pid=963 comm="dbus-daemon" name="3139" dev=proc ino=13752 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614580.798:663): avc: denied { read } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=13753 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614580.798:664): avc: denied { open } for pid=963 comm="dbus-daemon" name="cmdline" dev=proc ino=13753 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614581.563:665): avc: denied { getattr } for pid=1381 comm="console-kit-dae" path="/proc/2794/environ" dev=proc ino=13893 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266614581.564:666): avc: denied { sys_ptrace } for pid=1381 comm="console-kit-dae" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266614582.678:667): avc: denied { search } for pid=963 comm="dbus-daemon" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614582.680:668): avc: denied { write } for pid=963 comm="dbus-daemon" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614583.186:669): avc: denied { getsched } for pid=2507 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266614583.189:670): avc: denied { getattr } for pid=2450 comm="polkitd" path="/proc/3194" dev=proc ino=14354 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266614583.195:671): avc: denied { getattr } for pid=2450 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614583.196:672): avc: denied { read } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614583.196:673): avc: denied { open } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614585.045:674): avc: denied { write } for pid=2514 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614585.045:675): avc: denied { read } for pid=2517 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266614589.297:676): avc: denied { getattr } for pid=2450 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614589.297:677): avc: denied { read } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614589.298:678): avc: denied { open } for pid=2450 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614594.669:679): avc: denied { execute_no_trans } for pid=3275 comm="dbus-daemon" path="/lib/dbus-1/dbus-daemon-launch-helper" dev=sda2 ino=36540 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:lib_t tclass=file type=AVC msg=audit(1266614594.680:680): avc: denied { search } for pid=3276 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266614594.681:681): avc: denied { execute_no_trans } for pid=3276 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266614594.691:682): avc: denied { write } for pid=2715 comm="nscd" path="pipe:[15587]" dev=pipefs ino=15587 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266614596.260:683): avc: denied { read } for pid=3275 comm="devkit-disks-da" name="mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266614596.260:684): avc: denied { open } for pid=3275 comm="devkit-disks-da" name="mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266614596.260:685): avc: denied { getattr } for pid=3275 comm="devkit-disks-da" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266614596.261:686): avc: denied { create } for pid=3275 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614596.263:687): avc: denied { setopt } for pid=3275 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614596.264:688): avc: denied { bind } for pid=3275 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614596.264:689): avc: denied { getattr } for pid=3275 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266614596.607:690): avc: denied { search } for pid=3275 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614596.607:691): avc: denied { write } for pid=3275 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614596.608:692): avc: denied { remove_name } for pid=3275 comm="devkit-disks-da" name="CDROM" dev=sda2 ino=144048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614596.608:693): avc: denied { rmdir } for pid=3275 comm="devkit-disks-da" name="CDROM" dev=sda2 ino=144048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614596.701:694): avc: denied { write } for pid=3275 comm="devkit-disks-da" name="DeviceKit-disks" dev=sda2 ino=66061 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266614596.701:695): avc: denied { add_name } for pid=3275 comm="devkit-disks-da" name="mtab.P2507U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266614596.701:696): avc: denied { create } for pid=3275 comm="devkit-disks-da" name="mtab.P2507U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614596.701:697): avc: denied { write } for pid=3275 comm="devkit-disks-da" name="mtab.P2507U" dev=sda2 ino=144046 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614596.701:698): avc: denied { remove_name } for pid=3275 comm="devkit-disks-da" name="mtab.P2507U" dev=sda2 ino=144046 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266614596.702:699): avc: denied { rename } for pid=3275 comm="devkit-disks-da" name="mtab.P2507U" dev=sda2 ino=144046 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614596.702:700): avc: denied { unlink } for pid=3275 comm="devkit-disks-da" name="mtab" dev=sda2 ino=129983 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614597.477:701): avc: denied { getsched } for pid=3282 comm="gnome-clock-app" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614599.122:702): avc: denied { read } for pid=3278 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5173 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266614599.122:703): avc: denied { open } for pid=3278 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5173 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266614599.298:704): avc: denied { write } for pid=2342 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6395 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266614603.245:705): avc: denied { getattr } for pid=3291 comm="packagekitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614607.790:706): avc: denied { execstack } for pid=3291 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614607.809:707): avc: denied { execmem } for pid=3291 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266614609.194:708): avc: denied { search } for pid=3291 comm="packagekitd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266614609.335:709): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614609.740:710): avc: denied { append } for pid=3291 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614609.740:711): avc: denied { open } for pid=3291 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614609.741:712): avc: denied { setattr } for pid=3291 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266614611.090:713): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/var/lib/rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266614611.091:714): avc: denied { search } for pid=3291 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266614611.091:715): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266614611.094:716): avc: denied { write } for pid=3291 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266614611.095:717): avc: denied { read } for pid=3291 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266614611.095:718): avc: denied { open } for pid=3291 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266614611.286:719): avc: denied { lock } for pid=3291 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266614611.907:720): avc: denied { execute } for pid=3312 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266614611.909:721): avc: denied { read open } for pid=3312 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266614611.909:722): avc: denied { execute_no_trans } for pid=3312 comm="packagekitd" path="/usr/bin/gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266614611.914:723): avc: denied { ipc_lock } for pid=3312 comm="gpg2" capability=14 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266614614.784:724): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/var/log/zypp" dev=sda2 ino=65987 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266614615.118:725): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/var/cache/zypp/solv/@System/solv" dev=sda2 ino=136065 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266614615.121:726): avc: denied { read } for pid=3291 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266614615.123:727): avc: denied { open } for pid=3291 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266614615.211:728): avc: denied { lock } for pid=3291 comm="packagekitd" path="/var/lib/PackageKit/transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266614615.265:729): avc: denied { read } for pid=3291 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266614615.265:730): avc: denied { open } for pid=3291 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266614615.266:731): avc: denied { getattr } for pid=3291 comm="packagekitd" path="/proc/3291/net/route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266614616.718:732): avc: denied { write } for pid=3348 comm="nm-system-setti" name="log" dev=tmpfs ino=10401 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266614621.586:733): avc: denied { getattr } for pid=3275 comm="devkit-disks-da" path="/dev" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614621.586:734): avc: denied { getattr } for pid=3275 comm="devkit-disks-da" path="/dev/sda2" dev=tmpfs ino=1796 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266614621.936:735): avc: denied { add_name } for pid=3275 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614621.937:736): avc: denied { create } for pid=3275 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614621.940:737): avc: denied { execute } for pid=3362 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266614621.940:738): avc: denied { read open } for pid=3362 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266614621.941:739): avc: denied { execute_no_trans } for pid=3362 comm="devkit-disks-da" path="/bin/mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266614621.945:740): avc: denied { mounton } for pid=3362 comm="mount" path="/media/CDROM" dev=sda2 ino=144053 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266614622.010:741): avc: denied { write } for pid=290 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=7011 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266614622.012:742): avc: denied { search } for pid=343 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266614622.015:743): avc: denied { mount } for pid=3362 comm="mount" name="/" dev=sr0 ino=1856 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:iso9660_t tclass=filesystem type=AVC msg=audit(1266614622.016:744): avc: denied { getattr } for pid=3362 comm="mount" path="/etc/mtab" dev=sda2 ino=103966 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266614622.020:745): avc: denied { read write } for pid=3362 comm="mount" name="mtab" dev=sda2 ino=103966 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266614622.020:746): avc: denied { open } for pid=3362 comm="mount" name="mtab" dev=sda2 ino=103966 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266614622.024:747): avc: denied { write } for pid=3362 comm="mount" name="etc" dev=sda2 ino=8001 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266614622.025:748): avc: denied { ioctl } for pid=3348 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266614622.027:749): avc: denied { add_name } for pid=3362 comm="mount" name="mtab~3362" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266614622.027:750): avc: denied { create } for pid=3362 comm="mount" name="mtab~3362" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266614622.027:751): avc: denied { write } for pid=3362 comm="mount" name="mtab~3362" dev=sda2 ino=136202 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266614622.027:752): avc: denied { link } for pid=3362 comm="mount" name="mtab~3362" dev=sda2 ino=136202 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266614622.028:753): avc: denied { remove_name } for pid=3362 comm="mount" name="mtab~3362" dev=sda2 ino=136202 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266614622.028:754): avc: denied { unlink } for pid=3362 comm="mount" name="mtab~3362" dev=sda2 ino=136202 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266614622.028:755): avc: denied { append } for pid=3362 comm="mount" name="mtab" dev=sda2 ino=103966 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266614622.044:756): avc: denied { read } for pid=3348 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:30 ` Alan Rouse @ 2010-02-19 21:37 ` Stephen Smalley 2010-02-19 21:53 ` Alan Rouse ` (2 more replies) 0 siblings, 3 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-19 21:37 UTC (permalink / raw) To: Alan Rouse; +Cc: Dominick Grift, 'selinux@tycho.nsa.gov' On Fri, 2010-02-19 at 16:30 -0500, Alan Rouse wrote: > Stephen wrote: > > Why is it necessary to download and rebuild the source policy? Did they build it as a monolithic policy? > > Yes, the policy rpm from OpenSuse 11.2 is monolithic. > > >> setsebool -P init_upstart=on > >> setsebool -P xdm_sysadm_login=on > >> setsebool -P xserver_object_manager=on > > I think you only need the first boolean setting. > > And we should likely introduce an ifdef for suse in refpolicy that always disables that > > transition so that you don't have to artificially turn on that boolean. > > Ok > > > It would be useful to see the raw audit message with what directory/file is being accessed. > > tmpfs_t indicates a tmpfs mount, which might mean you have a mislabeled tmpfs mount (e.g. > > /dev is a tmpfs mount that should be relabeled by rc.sysinit via restorecon -R /dev). > > See attached raw audit messages from the most recent boot. Can you move aside the audit.log, add the line below to the end of /etc/audit/audit.rules, reboot, and then send the new audit.log? -a exit,always -S chroot That will turn on syscall auditing and should provide more complete information, including PATH= and SYSCALL= records. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:37 ` Stephen Smalley @ 2010-02-19 21:53 ` Alan Rouse 2010-02-22 14:10 ` Stephen Smalley 2010-02-19 23:48 ` Justin P. mattock 2010-02-22 1:29 ` Justin P. mattock 2 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-19 21:53 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 205 bytes --] Stephen wrote: > Can you move aside the audit.log, add the line below to the > end of /etc/audit/audit.rules, reboot, and then send the new > audit.log? > > -a exit,always -S chroot See attached [-- Attachment #2: audit.log --] [-- Type: application/octet-stream, Size: 83575 bytes --] type=DAEMON_START msg=audit(1266615873.671:5147): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2964 subj=system_u:system_r:auditd_t res=success type=AVC msg=audit(1266615873.732:412): avc: denied { read } for pid=2082 comm="polkitd" name="org.freedesktop.hal.wol.enable.pkla" dev=sda2 ino=26361 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615873.734:413): avc: denied { open } for pid=2082 comm="polkitd" name="org.freedesktop.hal.wol.enable.pkla" dev=sda2 ino=26361 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615873.736:414): avc: denied { getattr } for pid=2082 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.hal.wol.enable.pkla" dev=sda2 ino=26361 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615873.755:415): avc: denied { write } for pid=2979 comm="avahi-daemon" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615873.778:416): avc: denied { search } for pid=1034 comm="dbus-daemon" name="2979" dev=proc ino=14613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266615873.778:417): avc: denied { read } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=14641 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266615873.779:418): avc: denied { open } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=14641 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266615874.150:419): avc: denied { execstack } for pid=2996 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266615874.151:420): avc: denied { execmem } for pid=2996 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266615874.189:421): avc: denied { search } for pid=2997 comm="cupsd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615874.226:422): avc: denied { search } for pid=2107 comm="rtkit-daemon" name="2896" dev=proc ino=14438 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615874.227:423): avc: denied { read } for pid=2107 comm="rtkit-daemon" name="stat" dev=proc ino=14443 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615874.227:424): avc: denied { open } for pid=2107 comm="rtkit-daemon" name="stat" dev=proc ino=14443 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615874.227:425): avc: denied { getattr } for pid=2107 comm="rtkit-daemon" path="/2896/task/2896/stat" dev=proc ino=14443 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615874.227:426): avc: denied { sys_ptrace } for pid=2107 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266615874.227:427): avc: denied { getsched } for pid=2107 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266615874.234:428): avc: denied { getattr } for pid=2082 comm="polkitd" path="/proc/2896" dev=proc ino=14438 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615874.262:429): avc: denied { search } for pid=2997 comm="cupsd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615875.617:430): avc: denied { search } for pid=3150 comm="nscd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615875.640:431): avc: denied { search } for pid=3150 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266615875.659:432): avc: denied { execute_no_trans } for pid=3150 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266615875.918:433): avc: denied { search } for pid=3180 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615875.943:434): avc: denied { write } for pid=3180 comm="postfix" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615875.947:435): avc: denied { write } for pid=3155 comm="nscd" path="pipe:[14929]" dev=pipefs ino=14929 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266615876.005:436): avc: denied { search } for pid=2578 comm="devkit-disks-da" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.005:437): avc: denied { read } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615876.005:438): avc: denied { open } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615876.334:439): avc: denied { read } for pid=3225 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266615876.337:440): avc: denied { open } for pid=3225 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266615876.337:441): avc: denied { getattr } for pid=3225 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266615876.386:442): avc: denied { search } for pid=3225 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.394:443): avc: denied { write } for pid=3225 comm="smartd" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615876.406:444): avc: denied { read } for pid=3225 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.406:445): avc: denied { open } for pid=3225 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.553:446): avc: denied { getattr } for pid=355 comm="udevd" path="/dev" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.559:447): avc: denied { write } for pid=355 comm="udevd" name="disk" dev=tmpfs ino=1753 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.564:448): avc: denied { add_name } for pid=355 comm="udevd" name="by-id" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615876.568:449): avc: denied { read } for pid=2577 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266615876.958:450): avc: denied { write } for pid=287 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6743 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266615876.979:451): avc: denied { ioctl } for pid=2666 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266615876.997:452): avc: denied { read } for pid=2666 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266615880.440:453): avc: denied { execute_no_trans } for pid=3290 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266615880.555:454): avc: denied { write } for pid=2113 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615880.555:455): avc: denied { read } for pid=2114 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615880.754:456): avc: denied { append } for pid=2819 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266615881.075:457): avc: denied { append } for pid=2819 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266615881.081:458): avc: denied { execstack } for pid=3347 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266615881.081:459): avc: denied { execmem } for pid=3347 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266615881.091:460): avc: denied { search } for pid=3348 comm="pickup" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615881.095:461): avc: denied { search } for pid=3349 comm="cron" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615881.112:462): avc: denied { write } for pid=3348 comm="pickup" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615881.122:463): avc: denied { write } for pid=3349 comm="cron" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615881.130:464): avc: denied { search } for pid=3350 comm="qmgr" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615881.130:465): avc: denied { write } for pid=3350 comm="qmgr" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615881.156:466): avc: denied { getattr } for pid=2082 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.gnome.clockapplet.mechanism.settimezone.pkla" dev=sda2 ino=26351 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.165:467): avc: denied { read } for pid=2082 comm="polkitd" name="org.gnome.clockapplet.mechanism.settimezone.pkla" dev=sda2 ino=26351 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.166:468): avc: denied { open } for pid=2082 comm="polkitd" name="org.gnome.clockapplet.mechanism.settimezone.pkla" dev=sda2 ino=26351 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.228:469): avc: denied { search } for pid=3354 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266615881.229:470): avc: denied { execute_no_trans } for pid=3354 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266615881.247:471): avc: denied { write } for pid=3155 comm="nscd" path="pipe:[16488]" dev=pipefs ino=16488 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266615881.413:472): avc: denied { write } for pid=2819 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6594 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266615881.427:473): avc: denied { search } for pid=1034 comm="dbus-daemon" name="3367" dev=proc ino=16517 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615881.432:474): avc: denied { read } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=16519 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615881.432:475): avc: denied { open } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=16519 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615881.451:476): avc: denied { getattr } for pid=2107 comm="rtkit-daemon" path="/2896/task/2896/stat" dev=proc ino=14443 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615881.452:477): avc: denied { getsched } for pid=2107 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266615881.472:478): avc: denied { getattr } for pid=2082 comm="polkitd" path="/proc/3367" dev=proc ino=16517 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615881.477:479): avc: denied { getattr } for pid=2082 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.488:480): avc: denied { read } for pid=2082 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.488:481): avc: denied { open } for pid=2082 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615881.823:482): avc: denied { write } for pid=3403 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.G9E0WZfQ" dev=sda2 ino=138378 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file type=AVC msg=audit(1266615881.847:483): avc: denied { sys_ptrace } for pid=2107 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266615882.251:484): avc: denied { search } for pid=3433 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615882.252:485): avc: denied { write } for pid=3433 comm="postfix" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615882.300:486): avc: denied { search } for pid=3440 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266615882.318:487): avc: denied { search } for pid=3442 comm="postqueue" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615882.322:488): avc: denied { write } for pid=3155 comm="nscd" path="pipe:[16783]" dev=pipefs ino=16783 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266615882.337:489): avc: denied { write } for pid=3442 comm="postqueue" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615882.449:490): avc: denied { execute_no_trans } for pid=3451 comm="nscd" path="/usr/sbin/nscd" dev=sda2 ino=10351 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:nscd_exec_t tclass=file type=AVC msg=audit(1266615882.581:491): avc: denied { write } for pid=287 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6743 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266615882.583:492): avc: denied { search } for pid=355 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615883.000:493): avc: denied { search } for pid=2578 comm="devkit-disks-da" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615883.001:494): avc: denied { read } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615883.002:495): avc: denied { open } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615883.013:496): avc: denied { search } for pid=3477 comm="mingetty" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615883.015:497): avc: denied { search } for pid=3477 comm="mingetty" name="2" dev=proc ino=5966 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.016:498): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16922 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.017:499): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16922 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.017:500): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2/maps" dev=proc ino=16922 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.017:501): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10525 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.017:502): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10525 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.044:503): avc: denied { search } for pid=3477 comm="mingetty" name="255" dev=proc ino=6001 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266615883.054:504): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16959 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266615883.055:505): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16959 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266615883.055:506): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/255/maps" dev=proc ino=16959 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266615883.056:507): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10620 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266615883.061:508): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10620 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266615883.061:509): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=15277 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=lnk_file type=AVC msg=audit(1266615883.061:510): avc: denied { getattr } for pid=3477 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=3963 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266615883.066:511): avc: denied { getattr } for pid=3477 comm="mingetty" path="/dev/ptmx" dev=tmpfs ino=3841 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ptmx_t tclass=chr_file type=AVC msg=audit(1266615883.078:512): avc: denied { search } for pid=3477 comm="mingetty" name="287" dev=proc ino=6005 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266615883.087:513): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16967 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266615883.087:514): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16967 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266615883.087:515): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/287/maps" dev=proc ino=16967 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266615883.088:516): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10627 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266615883.088:517): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10627 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266615883.088:518): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=15286 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=lnk_file type=AVC msg=audit(1266615883.089:519): avc: denied { getattr } for pid=3477 comm="mingetty" path="/dev/.udev/queue.bin" dev=tmpfs ino=6743 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266615883.089:520): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[4027]" dev=sockfs ino=4027 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.100:521): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[4028]" dev=sockfs ino=4028 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266615883.101:522): avc: denied { getattr } for pid=3477 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266615883.101:523): avc: denied { getattr } for pid=3477 comm="mingetty" path="anon_inode:[signalfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615883.103:524): avc: denied { search } for pid=3477 comm="mingetty" name="446" dev=proc ino=6022 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.113:525): avc: denied { read } for pid=3480 comm="mingetty" name="fd" dev=proc ino=10525 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.118:526): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10634 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266615883.119:527): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266615883.128:528): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6643]" dev=sockfs ino=6643 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.133:529): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[7133]" dev=sockfs ino=7133 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.139:530): avc: denied { search } for pid=3477 comm="mingetty" name="1034" dev=proc ino=6652 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266615883.140:531): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16984 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266615883.140:532): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16984 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266615883.140:533): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/1034/maps" dev=proc ino=16984 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266615883.141:534): avc: denied { sys_ptrace } for pid=3477 comm="mingetty" capability=19 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability type=AVC msg=audit(1266615883.141:535): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10649 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266615883.141:536): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10649 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266615883.149:537): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=15326 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=lnk_file type=AVC msg=audit(1266615883.149:538): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6642]" dev=sockfs ino=6642 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.149:539): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6651]" dev=sockfs ino=6651 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_selinux_socket type=AVC msg=audit(1266615883.150:540): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6840]" dev=sockfs ino=6840 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.151:541): avc: denied { search } for pid=3477 comm="mingetty" name="1117" dev=proc ino=6762 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266615883.151:542): avc: denied { read } for pid=3480 comm="mingetty" name="maps" dev=proc ino=16923 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.158:543): avc: denied { open } for pid=3482 comm="mingetty" name="maps" dev=proc ino=16922 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.158:544): avc: denied { getattr } for pid=3480 comm="mingetty" path="/proc/3/maps" dev=proc ino=16923 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266615883.163:545): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16991 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266615883.174:546): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16991 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266615883.174:547): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/1117/maps" dev=proc ino=16991 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266615883.175:548): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10654 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266615883.184:549): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10654 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266615883.184:550): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=15398 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=lnk_file type=AVC msg=audit(1266615883.186:551): avc: denied { getattr } for pid=3477 comm="mingetty" path="pipe:[6758]" dev=pipefs ino=6758 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=fifo_file type=AVC msg=audit(1266615883.186:552): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6759]" dev=sockfs ino=6759 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.186:553): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266615883.191:554): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[6901]" dev=sockfs ino=6901 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.192:555): avc: denied { getattr } for pid=3477 comm="mingetty" path="pipe:[6772]" dev=pipefs ino=6772 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=fifo_file type=AVC msg=audit(1266615883.193:556): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266615883.194:557): avc: denied { search } for pid=3477 comm="mingetty" name="1306" dev=proc ino=7012 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615883.203:558): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16999 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615883.203:559): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=16999 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615883.203:560): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/1306/maps" dev=proc ino=16999 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615883.204:561): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=7013 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615883.219:562): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=7013 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615883.219:563): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=7014 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=lnk_file type=AVC msg=audit(1266615883.222:564): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[7027]" dev=sockfs ino=7027 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.223:565): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/run/gdm/auth-for-gdm-aNsopF/database" dev=sda2 ino=129639 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266615883.224:566): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=144025 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266615883.225:567): avc: denied { search } for pid=3477 comm="mingetty" name="1331" dev=proc ino=7111 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266615883.232:568): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17008 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266615883.232:569): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17008 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266615883.238:570): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/1331/maps" dev=proc ino=17008 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266615883.242:571): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=7112 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266615883.244:572): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=7112 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266615883.244:573): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=7113 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=lnk_file type=AVC msg=audit(1266615883.252:574): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[7128]" dev=sockfs ino=7128 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.254:575): avc: denied { getattr } for pid=3479 comm="mingetty" path="/proc/mtrr" dev=proc ino=4026531908 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:mtrr_device_t tclass=file type=AVC msg=audit(1266615883.255:576): avc: denied { getattr } for pid=3477 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1702 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266615883.264:577): avc: denied { getattr } for pid=3477 comm="mingetty" path="/dev/cpu_dma_latency" dev=tmpfs ino=1139 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:device_t tclass=chr_file type=AVC msg=audit(1266615883.276:578): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[8975]" dev=sockfs ino=8975 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266615883.285:579): avc: denied { getattr } for pid=3480 comm="mingetty" path="/var/lib/polkit-1/localauthority/10-vendor.d" dev=sda2 ino=26257 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266615883.291:580): avc: denied { getattr } for pid=3484 comm="mingetty" path="socket:[13277]" dev=sockfs ino=13277 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket type=AVC msg=audit(1266615883.308:581): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[8975]" dev=sockfs ino=8975 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266615883.311:582): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[10799]" dev=sockfs ino=10799 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.330:583): avc: denied { getattr } for pid=3479 comm="mingetty" path="/var/lib/gdm/.pulse/34218fbf2b09493b6a2222c24aef434d-device-volumes.i686-pc-linux-gnu.gdbm" dev=sda2 ino=129725 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615883.339:585): avc: denied { search } for pid=3477 comm="mingetty" name="2204" dev=proc ino=10519 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266615883.343:586): avc: denied { read } for pid=3480 comm="mingetty" name="maps" dev=proc ino=17020 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266615883.348:587): avc: denied { open } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17020 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266615883.349:588): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2204/maps" dev=proc ino=17020 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266615883.349:589): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10687 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266615883.349:590): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=10687 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266615883.350:591): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=15536 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=lnk_file type=AVC msg=audit(1266615883.354:592): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/run/dhcpcd-eth0.pid" dev=sda2 ino=129659 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file type=AVC msg=audit(1266615883.355:593): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[7892]" dev=sockfs ino=7892 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=unix_dgram_socket type=AVC msg=audit(1266615883.355:594): avc: denied { getattr } for pid=3477 comm="mingetty" path="pipe:[7895]" dev=pipefs ino=7895 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=fifo_file type=AVC msg=audit(1266615883.358:595): avc: denied { getattr } for pid=3479 comm="mingetty" path="/home/alan/.xsession-errors" dev=sda3 ino=60 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xauth_home_t tclass=file type=AVC msg=audit(1266615883.388:596): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[10857]" dev=sockfs ino=10857 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_selinux_socket type=AVC msg=audit(1266615883.401:597): avc: denied { getattr } for pid=3477 comm="mingetty" path="/home/alan/.gconfd/saved_state" dev=sda3 ino=255 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:gconf_home_t tclass=file type=AVC msg=audit(1266615883.338:584): avc: denied { getattr } for pid=3482 comm="mingetty" path="socket:[10761]" dev=sockfs ino=10761 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266615883.437:598): avc: denied { getattr } for pid=3479 comm="mingetty" path="/dev/urandom" dev=tmpfs ino=889 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file type=AVC msg=audit(1266615883.537:599): avc: denied { getattr } for pid=3480 comm="mingetty" path="/dev/fuse" dev=tmpfs ino=5899 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file type=AVC msg=audit(1266615883.603:600): avc: denied { getattr } for pid=3477 comm="mingetty" path="/home/alan/.pulse/34218fbf2b09493b6a2222c24aef434d-device-volumes.i686-pc-linux-gnu.gdbm" dev=sda3 ino=55 scontext=system_u:system_r:getty_t tcontext=user_u:object_r:user_home_t tclass=file type=AVC msg=audit(1266615883.693:601): avc: denied { getattr } for pid=3477 comm="mingetty" path="/usr/bin/vmware-user-autostart-wrapper" dev=sda2 ino=122105 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266615883.738:602): avc: denied { getattr } for pid=3477 comm="mingetty" path="/tmp/pulse-CbHu2lCq5y0C/autospawn.lock" dev=sda2 ino=140895 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_tmp_t tclass=file type=AVC msg=audit(1266615883.820:603): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[13825]" dev=sockfs ino=13825 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=udp_socket type=AVC msg=audit(1266615884.044:604): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/run/zypp.pid" dev=sda2 ino=129982 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=file type=AVC msg=audit(1266615884.068:605): avc: denied { search } for pid=3479 comm="mingetty" name="2811" dev=proc ino=14124 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266615884.085:606): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17151 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266615884.093:607): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17151 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266615884.094:608): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2811/maps" dev=proc ino=17151 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266615884.094:609): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266615884.100:610): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266615884.103:611): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=16042 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=lnk_file type=AVC msg=audit(1266615884.103:612): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14135]" dev=sockfs ino=14135 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.104:613): avc: denied { getattr } for pid=3477 comm="mingetty" path="/dev/xconsole" dev=tmpfs ino=6594 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266615884.104:614): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266615884.104:615): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266615884.105:616): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/news/news.crit" dev=sda2 ino=26244 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:innd_log_t tclass=file type=AVC msg=audit(1266615884.105:617): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266615884.108:618): avc: denied { search } for pid=3480 comm="mingetty" name="2831" dev=proc ino=14173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266615884.108:619): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17152 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266615884.108:620): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17152 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266615884.109:621): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2831/maps" dev=proc ino=17152 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266615884.109:622): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16065 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266615884.109:623): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16065 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266615884.114:624): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=16066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=lnk_file type=AVC msg=audit(1266615884.114:625): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/run/rpcbind.lock" dev=sda2 ino=144006 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:rpcbind_var_run_t tclass=file type=AVC msg=audit(1266615884.114:626): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14200]" dev=sockfs ino=14200 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=udp_socket type=AVC msg=audit(1266615884.114:627): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14155]" dev=sockfs ino=14155 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.121:628): avc: denied { execstack } for pid=3504 comm="git" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266615884.130:629): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14162]" dev=sockfs ino=14162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266615884.132:630): avc: denied { search } for pid=3477 comm="mingetty" name="2964" dev=proc ino=14583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266615884.139:631): avc: denied { read } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17158 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266615884.147:632): avc: denied { open } for pid=3482 comm="mingetty" name="maps" dev=proc ino=17158 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266615884.164:633): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2964/maps" dev=proc ino=17158 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266615884.164:634): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16094 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266615884.167:635): avc: denied { open } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16094 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266615884.167:636): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=16095 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266615884.168:637): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14573]" dev=sockfs ino=14573 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=netlink_audit_socket type=AVC msg=audit(1266615884.173:638): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/log/audit/audit.log" dev=sda2 ino=144034 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:auditd_log_t tclass=file type=AVC msg=audit(1266615884.173:639): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14577]" dev=sockfs ino=14577 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.173:640): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14576]" dev=sockfs ino=14576 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.174:641): avc: denied { search } for pid=3477 comm="mingetty" name="2966" dev=proc ino=14592 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266615884.180:642): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266615884.180:643): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266615884.180:644): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2966/maps" dev=proc ino=17161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266615884.181:645): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16106 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266615884.181:646): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16106 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266615884.181:647): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=16107 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=lnk_file type=AVC msg=audit(1266615884.182:648): avc: denied { getattr } for pid=3477 comm="mingetty" path="pipe:[14572]" dev=pipefs ino=14572 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266615884.183:649): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[14587]" dev=sockfs ino=14587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.183:650): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14582]" dev=sockfs ino=14582 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.185:651): avc: denied { search } for pid=3477 comm="mingetty" name="2979" dev=proc ino=14613 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266615884.186:652): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266615884.187:653): avc: denied { open } for pid=3480 comm="mingetty" name="maps" dev=proc ino=17162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266615884.187:654): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2979/maps" dev=proc ino=17162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266615884.188:655): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=14614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266615884.200:656): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=14614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266615884.200:657): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=14615 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266615884.201:658): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[14631]" dev=sockfs ino=14631 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.202:659): avc: denied { getattr } for pid=3480 comm="mingetty" path="pipe:[14635]" dev=pipefs ino=14635 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=fifo_file type=AVC msg=audit(1266615884.202:660): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14637]" dev=sockfs ino=14637 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.203:661): avc: denied { getattr } for pid=3477 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266615884.203:662): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14642]" dev=sockfs ino=14642 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=udp_socket type=AVC msg=audit(1266615884.203:663): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14644]" dev=sockfs ino=14644 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266615884.204:664): avc: denied { search } for pid=3480 comm="mingetty" name="2997" dev=proc ino=14682 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266615884.204:665): avc: denied { read } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17163 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266615884.205:666): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17163 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266615884.205:667): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/2997/maps" dev=proc ino=17163 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266615884.206:668): avc: denied { read } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16215 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266615884.209:669): avc: denied { getattr } for pid=3484 comm="mingetty" path="/var/log/audit/audit.log" dev=sda2 ino=144034 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:auditd_log_t tclass=file type=AVC msg=audit(1266615884.210:670): avc: denied { open } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16215 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266615884.212:671): avc: denied { read } for pid=3479 comm="mingetty" name="0" dev=proc ino=16216 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266615884.213:672): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14675]" dev=sockfs ino=14675 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=tcp_socket type=AVC msg=audit(1266615884.220:673): avc: denied { getattr } for pid=3480 comm="mingetty" path="/var/log/cups/error_log" dev=sda2 ino=27013 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:cupsd_log_t tclass=file type=AVC msg=audit(1266615884.220:674): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14677]" dev=sockfs ino=14677 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.230:675): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[14679]" dev=sockfs ino=14679 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=udp_socket type=AVC msg=audit(1266615884.230:676): avc: denied { getattr } for pid=3477 comm="mingetty" path="pipe:[14680]" dev=pipefs ino=14680 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=fifo_file type=AVC msg=audit(1266615884.231:677): avc: denied { search } for pid=3479 comm="mingetty" name="3155" dev=proc ino=14884 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266615884.231:678): avc: denied { read } for pid=3480 comm="mingetty" name="maps" dev=proc ino=17164 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266615884.231:679): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17164 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266615884.231:680): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/3155/maps" dev=proc ino=17164 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266615884.232:681): avc: denied { read } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16237 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266615884.232:682): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16237 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266615884.233:683): avc: denied { read } for pid=3479 comm="mingetty" name="0" dev=proc ino=16238 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266615884.233:684): avc: denied { getattr } for pid=3480 comm="mingetty" path="/var/log/nscd.log" dev=sda2 ino=129828 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:nscd_log_t tclass=file type=AVC msg=audit(1266615884.233:685): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[14877]" dev=sockfs ino=14877 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.235:686): avc: denied { search } for pid=3480 comm="mingetty" name="3321" dev=proc ino=15274 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266615884.237:687): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17168 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266615884.239:688): avc: denied { open } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17168 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266615884.243:689): avc: denied { getattr } for pid=3482 comm="mingetty" path="/proc/3321/maps" dev=proc ino=17168 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266615884.248:690): avc: denied { read } for pid=3484 comm="mingetty" name="fd" dev=proc ino=16278 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266615884.251:691): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16278 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266615884.252:692): avc: denied { read } for pid=3479 comm="mingetty" name="0" dev=proc ino=16279 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266615884.252:693): avc: denied { read } for pid=3480 comm="mingetty" name="0" dev=proc ino=16279 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266615884.253:694): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[15266]" dev=sockfs ino=15266 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.253:695): avc: denied { getattr } for pid=3479 comm="mingetty" path="/var/spool/postfix/pid/master.pid" dev=sda2 ino=144049 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_var_run_t tclass=file type=AVC msg=audit(1266615884.270:696): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/lib/postfix/master.lock" dev=sda2 ino=129843 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_data_t tclass=file type=AVC msg=audit(1266615884.270:697): avc: denied { getattr } for pid=3480 comm="mingetty" path="pipe:[16404]" dev=pipefs ino=16404 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file type=AVC msg=audit(1266615884.271:698): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[15910]" dev=sockfs ino=15910 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=tcp_socket type=AVC msg=audit(1266615884.271:699): avc: denied { getattr } for pid=3477 comm="mingetty" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615884.271:700): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[16117]" dev=sockfs ino=16117 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.272:701): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/spool/postfix/public/pickup" dev=sda2 ino=144019 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_public_t tclass=fifo_file type=AVC msg=audit(1266615884.274:702): avc: denied { search } for pid=3479 comm="mingetty" name="3348" dev=proc ino=16427 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.276:703): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615884.278:704): avc: denied { open } for pid=3480 comm="mingetty" name="maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615884.286:705): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/3348/maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615884.286:706): avc: denied { read } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16657 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.287:707): avc: denied { open } for pid=3479 comm="mingetty" name="fd" dev=proc ino=16657 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.287:708): avc: denied { read } for pid=3477 comm="mingetty" name="0" dev=proc ino=16658 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=lnk_file type=AVC msg=audit(1266615884.290:709): avc: denied { getattr } for pid=3484 comm="mingetty" path="socket:[16407]" dev=sockfs ino=16407 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.294:710): avc: denied { search } for pid=3482 comm="mingetty" name="3349" dev=proc ino=16437 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266615884.296:711): avc: denied { read } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266615884.297:712): avc: denied { open } for pid=3480 comm="mingetty" name="maps" dev=proc ino=17173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266615884.297:713): avc: denied { getattr } for pid=3480 comm="mingetty" path="/proc/3349/maps" dev=proc ino=17173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266615884.297:714): avc: denied { read } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16669 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266615884.303:715): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16669 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266615884.304:716): avc: denied { read } for pid=3479 comm="mingetty" name="0" dev=proc ino=16670 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=lnk_file type=AVC msg=audit(1266615884.304:717): avc: denied { getattr } for pid=3477 comm="mingetty" path="/var/run/cron.pid" dev=sda2 ino=138377 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:crond_var_run_t tclass=file type=AVC msg=audit(1266615884.305:718): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[16436]" dev=sockfs ino=16436 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.305:719): avc: denied { search } for pid=3477 comm="mingetty" name="3350" dev=proc ino=16456 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266615884.305:720): avc: denied { read } for pid=3479 comm="mingetty" name="maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.306:721): avc: denied { open } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.306:722): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/3350/maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.306:723): avc: denied { read } for pid=3480 comm="mingetty" name="fd" dev=proc ino=16677 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266615884.307:724): avc: denied { open } for pid=3477 comm="mingetty" name="fd" dev=proc ino=16677 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266615884.313:725): avc: denied { read } for pid=3479 comm="mingetty" name="0" dev=proc ino=16678 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=lnk_file type=AVC msg=audit(1266615884.314:726): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[16442]" dev=sockfs ino=16442 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.314:727): avc: denied { getattr } for pid=3480 comm="mingetty" path="/etc/postfix/relay.db" dev=sda2 ino=129689 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_etc_t tclass=file type=AVC msg=audit(1266615884.316:728): avc: denied { getattr } for pid=3479 comm="mingetty" path="/usr/sbin/stop_preload" dev=sda2 ino=104834 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266615884.321:729): avc: denied { getattr } for pid=3477 comm="mingetty" path="/proc/3387/fd" dev=proc ino=16721 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266615884.327:730): avc: denied { getattr } for pid=3480 comm="mingetty" path="/proc/3348/fd" dev=proc ino=16657 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.353:731): avc: denied { getattr } for pid=3479 comm="mingetty" path="/proc/3447/fd" dev=proc ino=16812 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615884.354:732): avc: denied { getattr } for pid=3485 comm="mingetty" path="socket:[14644]" dev=sockfs ino=14644 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266615884.355:733): avc: denied { read } for pid=3485 comm="mingetty" name="0" dev=proc ino=16216 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266615884.381:734): avc: denied { read } for pid=3485 comm="mingetty" name="0" dev=proc ino=16238 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266615884.386:735): avc: denied { search } for pid=3485 comm="mingetty" name="3348" dev=proc ino=16427 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.396:736): avc: denied { getattr } for pid=3480 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=3963 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266615884.407:737): avc: denied { getattr } for pid=3484 comm="mingetty" path="/dev/.udev/queue.bin" dev=tmpfs ino=6743 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266615884.408:738): avc: denied { getattr } for pid=3482 comm="mingetty" path="/proc/287/fd" dev=proc ino=10627 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266615884.416:739): avc: denied { getattr } for pid=3482 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266615884.416:740): avc: denied { read } for pid=3485 comm="mingetty" name="fd" dev=proc ino=16657 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.417:741): avc: denied { open } for pid=3485 comm="mingetty" name="fd" dev=proc ino=16657 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266615884.417:742): avc: denied { read } for pid=3485 comm="mingetty" name="0" dev=proc ino=16670 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=lnk_file type=AVC msg=audit(1266615884.418:743): avc: denied { getattr } for pid=3485 comm="mingetty" path="/var/run/cron.pid" dev=sda2 ino=138377 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:crond_var_run_t tclass=file type=AVC msg=audit(1266615884.424:744): avc: denied { getattr } for pid=3477 comm="mingetty" path="socket:[6759]" dev=sockfs ino=6759 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266615884.424:745): avc: denied { read } for pid=3485 comm="mingetty" name="maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.424:746): avc: denied { open } for pid=3485 comm="mingetty" name="maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.425:747): avc: denied { getattr } for pid=3485 comm="mingetty" path="/proc/3350/maps" dev=proc ino=17174 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266615884.435:748): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[6901]" dev=sockfs ino=6901 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266615884.443:749): avc: denied { getattr } for pid=2082 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.hal.dockstation.undock.pkla" dev=sda2 ino=26270 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615884.443:750): avc: denied { read } for pid=2082 comm="polkitd" name="org.freedesktop.hal.dockstation.undock.pkla" dev=sda2 ino=26270 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615884.445:751): avc: denied { open } for pid=2082 comm="polkitd" name="org.freedesktop.hal.dockstation.undock.pkla" dev=sda2 ino=26270 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266615884.470:752): avc: denied { getattr } for pid=3485 comm="mingetty" path="/proc/1117/fd" dev=proc ino=10654 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266615884.473:753): avc: denied { getattr } for pid=3480 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=144025 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266615884.625:754): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[10857]" dev=sockfs ino=10857 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_selinux_socket type=AVC msg=audit(1266615884.900:755): avc: denied { getattr } for pid=3484 comm="mingetty" path="socket:[13825]" dev=sockfs ino=13825 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=udp_socket type=AVC msg=audit(1266615884.917:756): avc: denied { search } for pid=2107 comm="rtkit-daemon" name="3367" dev=proc ino=16517 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615884.918:757): avc: denied { read } for pid=2107 comm="rtkit-daemon" name="stat" dev=proc ino=16523 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615884.918:758): avc: denied { open } for pid=2107 comm="rtkit-daemon" name="stat" dev=proc ino=16523 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615884.918:759): avc: denied { getattr } for pid=2107 comm="rtkit-daemon" path="/3367/task/3367/stat" dev=proc ino=16523 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266615884.919:760): avc: denied { getsched } for pid=2107 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266615884.924:761): avc: denied { getattr } for pid=2082 comm="polkitd" path="/proc/3367" dev=proc ino=16517 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266615885.188:762): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[14135]" dev=sockfs ino=14135 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266615885.215:763): avc: denied { getattr } for pid=3479 comm="mingetty" path="socket:[14162]" dev=sockfs ino=14162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266615885.245:764): avc: denied { getattr } for pid=3480 comm="mingetty" path="pipe:[14572]" dev=pipefs ino=14572 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266615885.254:765): avc: denied { getattr } for pid=3479 comm="mingetty" path="pipe:[14635]" dev=pipefs ino=14635 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=fifo_file type=AVC msg=audit(1266615885.269:766): avc: denied { getattr } for pid=3480 comm="mingetty" path="socket:[15910]" dev=sockfs ino=15910 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=tcp_socket type=AVC msg=audit(1266615885.285:767): avc: denied { read } for pid=3477 comm="mingetty" name="maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615885.296:768): avc: denied { open } for pid=3484 comm="mingetty" name="maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615885.298:769): avc: denied { getattr } for pid=3480 comm="mingetty" path="/proc/3348/maps" dev=proc ino=17172 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266615885.309:770): avc: denied { getattr } for pid=3480 comm="mingetty" path="/proc/3321/fd" dev=proc ino=16278 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266615885.320:771): avc: denied { getattr } for pid=3479 comm="mingetty" path="/dev/pts/3" dev=devpts ino=6 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devpts_t tclass=chr_file type=AVC msg=audit(1266615885.560:772): avc: denied { write } for pid=2113 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615885.560:773): avc: denied { read } for pid=2114 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615886.615:774): avc: denied { write } for pid=2819 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6594 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266615886.644:775): avc: denied { sys_ptrace } for pid=2107 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266615887.052:776): avc: denied { append } for pid=2655 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266615887.981:777): avc: denied { search } for pid=3523 comm="nscd" name="sbin" dev=sda2 ino=10305 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:bin_t tclass=dir type=AVC msg=audit(1266615887.999:778): avc: denied { write } for pid=3155 comm="nscd" path="pipe:[17411]" dev=pipefs ino=17411 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266615901.313:779): avc: denied { read open } for pid=3552 comm="cron" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC msg=audit(1266615901.400:780): avc: denied { search } for pid=1034 comm="dbus-daemon" name="3557" dev=proc ino=17582 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_cronjob_t tclass=dir type=AVC msg=audit(1266615901.401:781): avc: denied { read } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=17583 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_cronjob_t tclass=file type=AVC msg=audit(1266615901.401:782): avc: denied { open } for pid=1034 comm="dbus-daemon" name="cmdline" dev=proc ino=17583 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_cronjob_t tclass=file type=AVC msg=audit(1266615901.409:783): avc: denied { search } for pid=1034 comm="dbus-daemon" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266615901.409:784): avc: denied { write } for pid=1034 comm="dbus-daemon" name="log" dev=tmpfs ino=14136 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266615903.002:785): avc: denied { read } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615903.004:786): avc: denied { open } for pid=2578 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5146 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266615905.581:787): avc: denied { write } for pid=2113 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615905.582:788): avc: denied { read } for pid=2114 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266615910.970:789): avc: denied { execstack } for pid=3585 comm="scp" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:53 ` Alan Rouse @ 2010-02-22 14:10 ` Stephen Smalley [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF16B@EUSAACMS0703.eamcs.ericsson.se> 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 14:10 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Fri, 2010-02-19 at 16:53 -0500, Alan Rouse wrote: > Stephen wrote: > > Can you move aside the audit.log, add the line below to the > > end of /etc/audit/audit.rules, reboot, and then send the new > > audit.log? > > > > -a exit,always -S chroot > > See attached Hmm...still no PATH or SYSCALL records. auditctl -s reports what? auditctl -l reports what? The first few denials indicate that you don't have polkit policy defined, so the daemon and the files are not in the right security context. You likely just need a newer upstream policy for that. dbusd denials indicate that your policy lacks rules to allow dbusd to read the /proc/pid/cmdline of other domains. That is also present in current upstream refpolicy. So it may make sense to retry upstream refpolicy now. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
[parent not found: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF16B@EUSAACMS0703.eamcs.ericsson.se>]
[parent not found: <1266850844.15933.38.camel@moss-pluto.epoch.ncsc.mil>]
* RE: SELinux Policy in OpenSUSE 11.2 [not found] ` <1266850844.15933.38.camel@moss-pluto.epoch.ncsc.mil> @ 2010-02-22 17:39 ` Alan Rouse 2010-02-22 17:56 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-22 17:39 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 452 bytes --] Stephen wrote: > Hmm...enabled=0, i.e. disabled. > Might need to boot with audit=1 on the kernel command line then. > Or enable auditd (chkconfig auditd on). audit=1 on the kernel command line doesn't change things. auditctl -s still says enabled=0. Same for "chkconfig auditd on" and reboot. I've installed the latest refpolicy from the tresys source repository. Attached is the audit.log after booting that policy (init_upstart --> on) [-- Attachment #2: audit.log --] [-- Type: application/octet-stream, Size: 110993 bytes --] type=DAEMON_START msg=audit(1266859979.919:6730): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2704 subj=system_u:system_r:auditd_t res=success type=KERNEL msg=audit(1266859931.800:1): initialized type=MAC_POLICY_LOAD msg=audit(1266859934.700:2): policy loaded auid=4294967295 ses=4294967295 type=AVC msg=audit(1266859935.114:3): avc: denied { read write } for pid=234 comm="mount" name="null" dev=tmpfs ino=3899 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=chr_file type=AVC msg=audit(1266859935.114:3): avc: denied { open } for pid=234 comm="mount" name="null" dev=tmpfs ino=3899 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=chr_file type=SYSCALL msg=audit(1266859935.114:3): arch=40000003 syscall=5 success=yes exit=3 a0=8056c84 a1=8002 a2=0 a3=8 items=0 ppid=208 pid=234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t key=(null) type=AVC msg=audit(1266859935.117:4): avc: denied { mounton } for pid=234 comm="mount" path="/dev/pts" dev=tmpfs ino=892 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir type=SYSCALL msg=audit(1266859935.117:4): arch=40000003 syscall=21 success=yes exit=0 a0=805e870 a1=805e880 a2=805e890 a3=c0ed0000 items=0 ppid=208 pid=234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t key=(null) type=AVC msg=audit(1266859936.828:5): avc: denied { read write } for pid=280 comm="udevadm" name="console" dev=tmpfs ino=3892 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file type=SYSCALL msg=audit(1266859936.828:5): arch=40000003 syscall=11 success=yes exit=0 a0=80e0ad0 a1=80e0aa0 a2=80e3ba8 a3=80e0ad0 items=0 ppid=272 pid=280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevadm" exe="/sbin/udevadm" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.537:6): avc: denied { search } for pid=282 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859937.537:6): avc: denied { open } for pid=282 comm="udevd" name="null" dev=tmpfs ino=3899 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file type=SYSCALL msg=audit(1266859937.537:6): arch=40000003 syscall=5 success=yes exit=3 a0=806315b a1=8002 a2=0 a3=0 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.541:7): avc: denied { read } for pid=282 comm="udevd" name="rules.d" dev=tmpfs ino=4078 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=SYSCALL msg=audit(1266859937.541:7): arch=40000003 syscall=292 success=yes exit=3 a0=6 a1=bf8821bc a2=3c8 a3=3 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.541:8): avc: denied { getattr } for pid=282 comm="udevd" path="/dev/.udev/rules.d" dev=tmpfs ino=4078 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=SYSCALL msg=audit(1266859937.541:8): arch=40000003 syscall=195 success=yes exit=0 a0=bf88102c a1=bf880fb0 a2=b782cff4 a3=80713f8 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.541:9): avc: denied { open } for pid=282 comm="udevd" name="rules.d" dev=tmpfs ino=4078 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=SYSCALL msg=audit(1266859937.541:9): arch=40000003 syscall=5 success=yes exit=10 a0=bf88102c a1=98800 a2=80713f8 a3=80713f8 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.541:10): avc: denied { getattr } for pid=282 comm="udevd" path="/dev/.udev/rules.d/10-root-symlink.rules" dev=tmpfs ino=4079 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=SYSCALL msg=audit(1266859937.541:10): arch=40000003 syscall=195 success=yes exit=0 a0=806f950 a1=bf880fb0 a2=b782cff4 a3=806f950 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.541:11): avc: denied { read } for pid=282 comm="udevd" name="10-root-symlink.rules" dev=tmpfs ino=4079 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859937.541:11): avc: denied { open } for pid=282 comm="udevd" name="10-root-symlink.rules" dev=tmpfs ino=4079 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=SYSCALL msg=audit(1266859937.541:11): arch=40000003 syscall=5 success=yes exit=10 a0=806f950 a1=8000 a2=1b6 a3=8069658 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.560:12): avc: denied { write } for pid=282 comm="udevd" name=".udev" dev=tmpfs ino=4077 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859937.560:12): avc: denied { add_name } for pid=282 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859937.560:12): avc: denied { create } for pid=282 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859937.560:12): avc: denied { write } for pid=282 comm="udevd" name="queue.tmp" dev=tmpfs ino=4092 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=SYSCALL msg=audit(1266859937.560:12): arch=40000003 syscall=5 success=yes exit=10 a0=bf88180c a1=8242 a2=1b6 a3=8069658 items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.560:13): avc: denied { remove_name } for pid=282 comm="udevd" name="queue.tmp" dev=tmpfs ino=4092 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859937.560:13): avc: denied { rename } for pid=282 comm="udevd" name="queue.tmp" dev=tmpfs ino=4092 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=SYSCALL msg=audit(1266859937.560:13): arch=40000003 syscall=38 success=yes exit=0 a0=bf88180c a1=bf881c0c a2=8067ff4 a3=bf881c0c items=0 ppid=272 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.561:14): avc: denied { getattr } for pid=283 comm="udevd" path="/dev/kmsg" dev=tmpfs ino=3895 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file type=SYSCALL msg=audit(1266859937.561:14): arch=40000003 syscall=197 success=yes exit=0 a0=b a1=bf8819e8 a2=b782cff4 a3=8078a10 items=0 ppid=282 pid=283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.561:15): avc: denied { ioctl } for pid=283 comm="udevd" path="/dev/kmsg" dev=tmpfs ino=3895 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file type=SYSCALL msg=audit(1266859937.561:15): arch=40000003 syscall=54 success=no exit=-25 a0=b a1=5401 a2=bf88194c a3=bf88198c items=0 ppid=282 pid=283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.598:16): avc: denied { unlink } for pid=283 comm="udevd" name="queue.bin" dev=tmpfs ino=4092 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=SYSCALL msg=audit(1266859937.598:16): arch=40000003 syscall=38 success=yes exit=0 a0=bf88178c a1=bf881b8c a2=8067ff4 a3=bf881b8c items=0 ppid=1 pid=283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.648:17): avc: denied { associate } for pid=292 comm="modprobe" name="event2" scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem type=SYSCALL msg=audit(1266859937.648:17): arch=40000003 syscall=128 success=yes exit=0 a0=b778e000 a1=2edc a2=8058a10 a3=10 items=0 ppid=285 pid=292 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t key=(null) type=AVC msg=audit(1266859937.879:18): avc: denied { getattr } for pid=308 comm="udevd" path="/dev/ttyS3" dev=tmpfs ino=1009 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file type=SYSCALL msg=audit(1266859937.879:18): arch=40000003 syscall=196 success=yes exit=0 a0=807f808 a1=bf8810b8 a2=b782cff4 a3=8070db9 items=0 ppid=283 pid=308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.883:19): avc: denied { relabelfrom } for pid=308 comm="udevd" name="ttyS3" dev=tmpfs ino=1009 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file type=SYSCALL msg=audit(1266859937.883:19): arch=40000003 syscall=227 success=yes exit=0 a0=807f808 a1=b784737d a2=816cae0 a3=1f items=0 ppid=283 pid=308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.885:20): avc: denied { getattr } for pid=308 comm="udevd" path="/dev/char/4:67" dev=tmpfs ino=1014 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=lnk_file type=SYSCALL msg=audit(1266859937.885:20): arch=40000003 syscall=196 success=yes exit=0 a0=806ff20 a1=bf8804b4 a2=b782cff4 a3=806ff25 items=0 ppid=283 pid=308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) type=AVC msg=audit(1266859937.886:21): avc: denied { read } for pid=308 comm="udevd" name="4:67" dev=tmpfs ino=1014 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=lnk_file type=CONFIG_CHANGE msg=audit(1266859980.027:208): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t res=1 type=AVC msg=audit(1266859980.096:209): avc: denied { search } for pid=2727 comm="avahi-daemon" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859980.109:210): avc: denied { write } for pid=2731 comm="avahi-daemon" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859980.547:211): avc: denied { execstack } for pid=2756 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266859980.547:212): avc: denied { execmem } for pid=2756 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266859980.575:213): avc: denied { search } for pid=2757 comm="cupsd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859981.181:214): avc: denied { execstack } for pid=2588 comm="ssh-agent" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859981.549:215): avc: denied { write } for pid=2493 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6279 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266859982.178:216): avc: denied { search } for pid=2957 comm="nscd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:nscd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.262:217): avc: denied { write } for pid=2958 comm="nscd" path="pipe:[12479]" dev=pipefs ino=12479 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266859982.396:218): avc: denied { search } for pid=2973 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.397:219): avc: denied { write } for pid=2973 comm="postfix" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859982.583:220): avc: denied { read } for pid=2994 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266859982.602:221): avc: denied { open } for pid=2994 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266859982.602:222): avc: denied { getattr } for pid=2994 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266859982.633:223): avc: denied { search } for pid=2994 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.652:224): avc: denied { write } for pid=2994 comm="smartd" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859982.654:225): avc: denied { read } for pid=2994 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.654:226): avc: denied { open } for pid=2994 comm="smartd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.659:227): avc: denied { search } for pid=283 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.662:228): avc: denied { write } for pid=283 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859982.803:229): avc: denied { getattr } for pid=503 comm="udevd" path="/dev" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.805:230): avc: denied { search } for pid=3028 comm="sh" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.809:231): avc: denied { write } for pid=503 comm="udevd" name="disk" dev=tmpfs ino=1522 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859982.819:232): avc: denied { add_name } for pid=503 comm="udevd" name="by-id" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859983.766:233): avc: denied { write } for pid=2364 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859983.766:234): avc: denied { read } for pid=2365 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859983.975:235): avc: denied { execstack } for pid=3058 comm="seahorse-daemon" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859984.100:236): avc: denied { append } for pid=2493 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266859984.457:237): avc: denied { execstack } for pid=3125 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266859984.457:238): avc: denied { execmem } for pid=3125 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266859984.521:239): avc: denied { search } for pid=3130 comm="pickup" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859984.542:240): avc: denied { search } for pid=3133 comm="qmgr" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859984.550:241): avc: denied { write } for pid=3130 comm="pickup" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859984.569:242): avc: denied { write } for pid=3133 comm="qmgr" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:postfix_qmgr_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859984.601:243): avc: denied { search } for pid=972 comm="dbus-daemon" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859984.601:244): avc: denied { write } for pid=972 comm="dbus-daemon" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859984.614:245): avc: denied { search } for pid=3135 comm="cron" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859984.615:246): avc: denied { write } for pid=3135 comm="cron" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859984.700:247): avc: denied { write } for pid=283 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859984.701:248): avc: denied { search } for pid=503 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859985.244:249): avc: denied { write } for pid=283 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859985.244:250): avc: denied { search } for pid=503 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859985.349:251): avc: denied { sys_ptrace } for pid=2363 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266859985.349:252): avc: denied { getsched } for pid=2363 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859985.360:253): avc: denied { getattr } for pid=2294 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.361:254): avc: denied { read } for pid=2294 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.361:255): avc: denied { open } for pid=2294 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.710:256): avc: denied { search } for pid=3204 comm="postfix" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859985.710:257): avc: denied { write } for pid=3204 comm="postfix" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859985.757:258): avc: denied { read } for pid=2294 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.hal.dockstation.undock.pkla" dev=sda2 ino=26270 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.758:259): avc: denied { getattr } for pid=2294 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.hal.power-management.keyboard-backlight.pkla" dev=sda2 ino=26271 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.758:260): avc: denied { open } for pid=2294 comm="polkitd" name="org.freedesktop.hal.power-management.keyboard-backlight.pkla" dev=sda2 ino=26271 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859985.916:261): avc: denied { search } for pid=3218 comm="postqueue" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859985.917:262): avc: denied { write } for pid=3218 comm="postqueue" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:postfix_postqueue_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859986.719:263): avc: denied { execstack } for pid=3233 comm="gnome-panel" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859987.206:264): avc: denied { write } for pid=283 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859987.207:265): avc: denied { search } for pid=503 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859987.852:266): avc: denied { write } for pid=2958 comm="nscd" path="pipe:[15024]" dev=pipefs ino=15024 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266859987.875:267): avc: denied { search } for pid=3332 comm="mingetty" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859987.879:268): avc: denied { search } for pid=3332 comm="mingetty" name="2" dev=proc ino=5816 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266859987.879:269): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15031 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266859987.880:270): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15031 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266859987.880:271): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2/maps" dev=proc ino=15031 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266859987.886:272): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11520 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266859987.886:273): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11520 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266859987.891:274): avc: denied { search } for pid=3332 comm="mingetty" name="251" dev=proc ino=5851 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859987.914:275): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859987.923:276): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859987.923:277): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/251/maps" dev=proc ino=15066 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859987.933:278): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859987.934:279): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859987.934:280): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13245 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=lnk_file type=AVC msg=audit(1266859987.935:281): avc: denied { getattr } for pid=3332 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4023 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266859987.936:282): avc: denied { getattr } for pid=3332 comm="mingetty" path="/dev/ptmx" dev=tmpfs ino=3901 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ptmx_t tclass=chr_file type=AVC msg=audit(1266859987.938:283): avc: denied { search } for pid=3332 comm="mingetty" name="283" dev=proc ino=5854 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266859987.938:284): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15070 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266859987.939:285): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15070 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266859987.939:286): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/283/maps" dev=proc ino=15070 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266859987.939:287): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266859987.939:288): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266859987.939:289): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13281 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=lnk_file type=AVC msg=audit(1266859987.939:290): avc: denied { getattr } for pid=3332 comm="mingetty" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859987.940:291): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[4086]" dev=sockfs ino=4086 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266859987.940:292): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[4087]" dev=sockfs ino=4087 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859987.940:293): avc: denied { getattr } for pid=3332 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266859987.940:294): avc: denied { getattr } for pid=3332 comm="mingetty" path="anon_inode:[signalfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859987.941:295): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[5628]" dev=sockfs ino=5628 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859987.944:296): avc: denied { search } for pid=3332 comm="mingetty" name="972" dev=proc ino=6309 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266859988.018:297): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15077 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266859988.018:298): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15077 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266859988.018:299): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/972/maps" dev=proc ino=15077 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266859988.018:300): avc: denied { sys_ptrace } for pid=3332 comm="mingetty" capability=19 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability type=AVC msg=audit(1266859988.018:301): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11597 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266859988.018:302): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11597 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266859988.018:303): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13349 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=lnk_file type=AVC msg=audit(1266859988.018:304): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6306]" dev=sockfs ino=6306 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.020:305): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6308]" dev=sockfs ino=6308 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_selinux_socket type=AVC msg=audit(1266859988.020:306): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[14070]" dev=sockfs ino=14070 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.020:307): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266859988.020:308): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6391]" dev=sockfs ino=6391 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.022:309): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6393]" dev=sockfs ino=6393 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.022:310): avc: denied { search } for pid=3332 comm="mingetty" name="1094" dev=proc ino=6504 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266859988.023:311): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15079 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266859988.023:312): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15079 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266859988.023:313): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/1094/maps" dev=proc ino=15079 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266859988.023:314): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11599 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266859988.023:315): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11599 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266859988.023:316): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13387 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=lnk_file type=AVC msg=audit(1266859988.023:317): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[6500]" dev=pipefs ino=6500 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=fifo_file type=AVC msg=audit(1266859988.023:318): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6501]" dev=sockfs ino=6501 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.023:319): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266859988.023:320): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6590]" dev=sockfs ino=6590 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.024:321): avc: denied { search } for pid=3332 comm="mingetty" name="1100" dev=proc ino=6543 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266859988.024:322): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15080 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266859988.024:323): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15080 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266859988.024:324): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/1100/maps" dev=proc ino=15080 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266859988.025:325): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=6544 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266859988.025:326): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=6544 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266859988.038:327): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=6545 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=lnk_file type=AVC msg=audit(1266859988.038:328): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6578]" dev=sockfs ino=6578 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.039:329): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/run/gdm/auth-for-gdm-uV3Xw7/database" dev=sda2 ino=129776 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266859988.039:330): avc: denied { search } for pid=3332 comm="mingetty" name="1103" dev=proc ino=6574 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266859988.039:331): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15081 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266859988.039:332): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15081 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266859988.039:333): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/1103/maps" dev=proc ino=15081 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266859988.039:334): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266859988.039:335): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266859988.040:336): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13409 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=lnk_file type=AVC msg=audit(1266859988.040:337): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[6551]" dev=pipefs ino=6551 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=fifo_file type=AVC msg=audit(1266859988.040:338): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6572]" dev=sockfs ino=6572 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.040:339): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:consolekit_log_t tclass=file type=AVC msg=audit(1266859988.041:340): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=160308 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266859988.042:341): avc: denied { search } for pid=3332 comm="mingetty" name="1199" dev=proc ino=6721 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266859988.045:342): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15085 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266859988.046:343): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15085 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266859988.046:344): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/1199/maps" dev=proc ino=15085 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266859988.046:345): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=6722 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266859988.071:346): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=6722 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266859988.071:347): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=6723 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=lnk_file type=AVC msg=audit(1266859988.071:348): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[6780]" dev=sockfs ino=6780 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.072:349): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/mtrr" dev=proc ino=4026531908 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:mtrr_device_t tclass=file type=AVC msg=audit(1266859988.072:350): avc: denied { getattr } for pid=3332 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1752 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266859988.076:351): avc: denied { getattr } for pid=3332 comm="mingetty" path="/dev/cpu_dma_latency" dev=tmpfs ino=1143 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file type=AVC msg=audit(1266859988.076:352): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[8081]" dev=sockfs ino=8081 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859988.076:353): avc: denied { search } for pid=3332 comm="mingetty" name="2278" dev=proc ino=10289 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266859988.076:354): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15095 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266859988.076:355): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15095 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266859988.076:356): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2278/maps" dev=proc ino=15095 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266859988.076:357): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11608 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266859988.076:358): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11608 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266859988.076:359): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13472 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=lnk_file type=AVC msg=audit(1266859988.076:360): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/run/dhcpcd-eth0.pid" dev=sda2 ino=129778 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file type=AVC msg=audit(1266859988.078:361): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[7613]" dev=sockfs ino=7613 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.078:362): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[7616]" dev=pipefs ino=7616 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=fifo_file type=AVC msg=audit(1266859988.078:363): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.package-install-untrusted.pkla" dev=sda2 ino=26322 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859988.080:364): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11754]" dev=sockfs ino=11754 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.096:365): avc: denied { search } for pid=3334 comm="mingetty" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859988.107:366): avc: denied { getattr } for pid=3335 comm="mingetty" path="/dev/ptmx" dev=tmpfs ino=3901 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ptmx_t tclass=chr_file type=AVC msg=audit(1266859988.151:367): avc: denied { getattr } for pid=3335 comm="mingetty" path="/dev/cpu_dma_latency" dev=tmpfs ino=1143 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file type=AVC msg=audit(1266859988.198:368): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[11687]" dev=sockfs ino=11687 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859988.204:369): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11687]" dev=sockfs ino=11687 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859988.205:370): avc: denied { search } for pid=3332 comm="mingetty" name="2492" dev=proc ino=10932 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266859988.205:371): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15121 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266859988.205:372): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15121 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266859988.205:373): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2492/maps" dev=proc ino=15121 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266859988.205:374): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266859988.205:375): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11614 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266859988.205:376): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13514 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=lnk_file type=AVC msg=audit(1266859988.206:377): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[10930]" dev=sockfs ino=10930 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.206:378): avc: denied { getattr } for pid=3332 comm="mingetty" path="/dev/xconsole" dev=tmpfs ino=6279 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266859988.206:379): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/firewall" dev=sda2 ino=26232 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859988.206:380): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266859988.221:381): avc: denied { getattr } for pid=3337 comm="mingetty" path="/var/lib/polkit-1/localauthority/10-vendor.d" dev=sda2 ino=26257 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266859988.224:382): avc: denied { getattr } for pid=3337 comm="mingetty" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266859988.231:383): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/news/news.crit" dev=sda2 ino=26244 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:innd_log_t tclass=file type=AVC msg=audit(1266859988.231:384): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266859988.232:385): avc: denied { search } for pid=3332 comm="mingetty" name="2510" dev=proc ino=10984 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266859988.232:386): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15123 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266859988.232:387): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15123 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266859988.232:388): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2510/maps" dev=proc ino=15123 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266859988.232:389): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11617 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266859988.232:390): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11617 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266859988.232:391): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13535 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=lnk_file type=AVC msg=audit(1266859988.232:392): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/run/rpcbind.lock" dev=sda2 ino=160300 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:rpcbind_var_run_t tclass=file type=AVC msg=audit(1266859988.233:393): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11090]" dev=sockfs ino=11090 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=udp_socket type=AVC msg=audit(1266859988.233:394): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[10962]" dev=sockfs ino=10962 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.233:395): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[10969]" dev=sockfs ino=10969 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266859988.236:396): avc: denied { getattr } for pid=3332 comm="mingetty" path="/home/alan/.xsession-errors" dev=sda3 ino=60 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xauth_home_t tclass=file type=AVC msg=audit(1266859988.236:397): avc: denied { search } for pid=3332 comm="mingetty" name="2704" dev=proc ino=11816 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266859988.236:398): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15128 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266859988.245:399): avc: denied { open } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15128 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266859988.253:400): avc: denied { getattr } for pid=3335 comm="mingetty" path="/proc/2704/maps" dev=proc ino=15128 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266859988.257:401): avc: denied { read } for pid=3335 comm="mingetty" name="fd" dev=proc ino=13570 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266859988.258:402): avc: denied { getattr } for pid=3339 comm="mingetty" path="socket:[6570]" dev=sockfs ino=6570 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.329:403): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=13570 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266859988.329:404): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13571 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266859988.329:405): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11808]" dev=sockfs ino=11808 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=netlink_audit_socket type=AVC msg=audit(1266859988.335:406): avc: denied { getattr } for pid=3332 comm="mingetty" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859988.335:407): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/audit/audit.log" dev=sda2 ino=160313 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:auditd_log_t tclass=file type=AVC msg=audit(1266859988.335:408): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11815]" dev=sockfs ino=11815 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.336:409): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11811]" dev=sockfs ino=11811 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.336:410): avc: denied { search } for pid=3332 comm="mingetty" name="2706" dev=proc ino=11823 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266859988.336:411): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15140 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266859988.337:412): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15140 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266859988.337:413): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2706/maps" dev=proc ino=15140 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266859988.337:414): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=13582 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266859988.338:415): avc: denied { open } for pid=3335 comm="mingetty" name="fd" dev=proc ino=13582 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266859988.338:416): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=lnk_file type=AVC msg=audit(1266859988.339:417): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[11807]" dev=pipefs ino=11807 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266859988.344:418): avc: denied { getattr } for pid=3337 comm="mingetty" path="socket:[12680]" dev=sockfs ino=12680 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.344:419): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[11813]" dev=sockfs ino=11813 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.345:420): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11812]" dev=sockfs ino=11812 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.347:421): avc: denied { search } for pid=3335 comm="mingetty" name="2731" dev=proc ino=11846 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266859988.347:422): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15141 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266859988.347:423): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15141 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266859988.347:424): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2731/maps" dev=proc ino=15141 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266859988.347:425): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11847 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266859988.347:426): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=11847 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266859988.347:427): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=11848 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266859988.347:428): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11858]" dev=sockfs ino=11858 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.348:429): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[11860]" dev=pipefs ino=11860 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=fifo_file type=AVC msg=audit(1266859988.348:430): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11862]" dev=sockfs ino=11862 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.348:431): avc: denied { getattr } for pid=3332 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266859988.348:432): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11867]" dev=sockfs ino=11867 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=udp_socket type=AVC msg=audit(1266859988.348:433): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11869]" dev=sockfs ino=11869 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266859988.348:434): avc: denied { search } for pid=3332 comm="mingetty" name="2757" dev=proc ino=11929 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266859988.349:435): avc: denied { read } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15142 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266859988.349:436): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15142 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266859988.349:437): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/2757/maps" dev=proc ino=15142 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266859988.350:438): avc: denied { read } for pid=3332 comm="mingetty" name="fd" dev=proc ino=13603 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266859988.350:439): avc: denied { open } for pid=3332 comm="mingetty" name="fd" dev=proc ino=13603 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266859988.350:440): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=13604 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266859988.350:441): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11947]" dev=sockfs ino=11947 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=tcp_socket type=AVC msg=audit(1266859988.350:442): avc: denied { getattr } for pid=3332 comm="mingetty" path="/var/log/cups/error_log" dev=sda2 ino=27013 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:cupsd_log_t tclass=file type=AVC msg=audit(1266859988.350:443): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11949]" dev=sockfs ino=11949 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.350:444): avc: denied { getattr } for pid=3332 comm="mingetty" path="socket:[11951]" dev=sockfs ino=11951 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=udp_socket type=AVC msg=audit(1266859988.352:445): avc: denied { getattr } for pid=3332 comm="mingetty" path="pipe:[11952]" dev=pipefs ino=11952 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=fifo_file type=AVC msg=audit(1266859988.355:446): avc: denied { read } for pid=3335 comm="mingetty" name="0" dev=proc ino=11848 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266859988.360:447): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[12144]" dev=sockfs ino=12144 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_selinux_socket type=AVC msg=audit(1266859988.383:448): avc: denied { getattr } for pid=3334 comm="mingetty" path="/home/alan/.gconfd/saved_state" dev=sda3 ino=188 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:gconf_home_t tclass=file type=AVC msg=audit(1266859988.394:449): avc: denied { search } for pid=3343 comm="mingetty" name="251" dev=proc ino=5851 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859988.404:450): avc: denied { read } for pid=3343 comm="mingetty" name="fd" dev=proc ino=11583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859988.404:451): avc: denied { open } for pid=3343 comm="mingetty" name="fd" dev=proc ino=11583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859988.404:452): avc: denied { getattr } for pid=3343 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4023 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266859988.407:453): avc: denied { getattr } for pid=3343 comm="mingetty" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266859988.407:454): avc: denied { getattr } for pid=3339 comm="mingetty" path="socket:[11687]" dev=sockfs ino=11687 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859988.409:455): avc: denied { getattr } for pid=3343 comm="mingetty" path="socket:[4086]" dev=sockfs ino=4086 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.410:456): avc: denied { getattr } for pid=3339 comm="mingetty" path="socket:[10602]" dev=sockfs ino=10602 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.413:457): avc: denied { getattr } for pid=3343 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266859988.417:458): avc: denied { search } for pid=3332 comm="mingetty" name="2958" dev=proc ino=12470 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266859988.419:459): avc: denied { read } for pid=3335 comm="mingetty" name="maps" dev=proc ino=15148 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266859988.425:460): avc: denied { getattr } for pid=3339 comm="mingetty" path="socket:[10930]" dev=sockfs ino=10930 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.436:461): avc: denied { open } for pid=3335 comm="mingetty" name="maps" dev=proc ino=15148 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266859988.436:462): avc: denied { getattr } for pid=3335 comm="mingetty" path="/proc/2958/maps" dev=proc ino=15148 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266859988.437:463): avc: denied { read } for pid=3335 comm="mingetty" name="fd" dev=proc ino=13694 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266859988.438:464): avc: denied { open } for pid=3335 comm="mingetty" name="fd" dev=proc ino=13694 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266859988.438:465): avc: denied { read } for pid=3334 comm="mingetty" name="0" dev=proc ino=13695 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266859988.439:466): avc: denied { getattr } for pid=3335 comm="mingetty" path="/var/log/nscd.log" dev=sda2 ino=129828 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:nscd_log_t tclass=file type=AVC msg=audit(1266859988.439:467): avc: denied { getattr } for pid=3339 comm="mingetty" path="/var/log/firewall" dev=sda2 ino=26232 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859988.439:468): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[12465]" dev=sockfs ino=12465 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.450:469): avc: denied { getattr } for pid=3335 comm="mingetty" path="/dev/urandom" dev=tmpfs ino=889 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file type=AVC msg=audit(1266859988.483:470): avc: denied { search } for pid=3337 comm="mingetty" name="3098" dev=proc ino=13242 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266859988.496:471): avc: denied { getattr } for pid=3343 comm="mingetty" path="socket:[6572]" dev=sockfs ino=6572 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.498:472): avc: denied { read } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266859988.500:473): avc: denied { read } for pid=3339 comm="mingetty" name="0" dev=proc ino=13604 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266859988.508:474): avc: denied { open } for pid=3332 comm="mingetty" name="maps" dev=proc ino=15161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266859988.511:475): avc: denied { getattr } for pid=3343 comm="mingetty" path="socket:[6780]" dev=sockfs ino=6780 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.512:476): avc: denied { getattr } for pid=3335 comm="mingetty" path="/proc/3098/maps" dev=proc ino=15161 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266859988.512:477): avc: denied { read } for pid=3335 comm="mingetty" name="fd" dev=proc ino=13817 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266859988.513:478): avc: denied { open } for pid=3334 comm="mingetty" name="fd" dev=proc ino=13817 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266859988.513:479): avc: denied { read } for pid=3335 comm="mingetty" name="0" dev=proc ino=13818 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266859988.524:480): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[13232]" dev=sockfs ino=13232 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.526:481): avc: denied { getattr } for pid=3334 comm="mingetty" path="/var/spool/postfix/pid/master.pid" dev=sda2 ino=160320 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_var_run_t tclass=file type=AVC msg=audit(1266859988.528:482): avc: denied { getattr } for pid=3335 comm="mingetty" path="/var/lib/postfix/master.lock" dev=sda2 ino=129843 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_data_t tclass=file type=AVC msg=audit(1266859988.528:483): avc: denied { getattr } for pid=3334 comm="mingetty" path="pipe:[13965]" dev=pipefs ino=13965 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file type=AVC msg=audit(1266859988.528:484): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[13805]" dev=sockfs ino=13805 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=tcp_socket type=AVC msg=audit(1266859988.529:485): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[13808]" dev=sockfs ino=13808 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_stream_socket type=AVC msg=audit(1266859988.529:486): avc: denied { getattr } for pid=3334 comm="mingetty" path="/var/spool/postfix/public/pickup" dev=sda2 ino=160311 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_public_t tclass=fifo_file type=AVC msg=audit(1266859988.533:487): avc: denied { write } for pid=2364 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859988.533:488): avc: denied { read } for pid=2365 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859988.540:489): avc: denied { search } for pid=3335 comm="mingetty" name="3130" dev=proc ino=14030 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266859988.550:490): avc: denied { read } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15165 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266859988.556:491): avc: denied { getattr } for pid=3343 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1752 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266859988.572:492): avc: denied { open } for pid=3337 comm="mingetty" name="maps" dev=proc ino=15165 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266859988.577:493): avc: denied { getattr } for pid=3334 comm="mingetty" path="/proc/3130/maps" dev=proc ino=15165 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266859988.577:494): avc: denied { read } for pid=3334 comm="mingetty" name="fd" dev=proc ino=14539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266859988.579:495): avc: denied { open } for pid=3335 comm="mingetty" name="fd" dev=proc ino=14539 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266859988.579:496): avc: denied { read } for pid=3332 comm="mingetty" name="0" dev=proc ino=14540 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=lnk_file type=AVC msg=audit(1266859988.580:497): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[13982]" dev=sockfs ino=13982 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.580:498): avc: denied { search } for pid=3334 comm="mingetty" name="3133" dev=proc ino=14056 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266859988.581:499): avc: denied { read } for pid=3335 comm="mingetty" name="maps" dev=proc ino=15166 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266859988.581:500): avc: denied { open } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15166 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266859988.583:501): avc: denied { getattr } for pid=3334 comm="mingetty" path="/proc/3133/maps" dev=proc ino=15166 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266859988.583:502): avc: denied { read } for pid=3334 comm="mingetty" name="fd" dev=proc ino=14551 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266859988.583:503): avc: denied { open } for pid=3334 comm="mingetty" name="fd" dev=proc ino=14551 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266859988.583:504): avc: denied { read } for pid=3334 comm="mingetty" name="0" dev=proc ino=14552 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=lnk_file type=AVC msg=audit(1266859988.583:505): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[14012]" dev=sockfs ino=14012 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.583:506): avc: denied { getattr } for pid=3334 comm="mingetty" path="/etc/postfix/relay.db" dev=sda2 ino=129689 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_etc_t tclass=file type=AVC msg=audit(1266859988.583:507): avc: denied { search } for pid=3334 comm="mingetty" name="3135" dev=proc ino=14074 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266859988.584:508): avc: denied { read } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15167 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266859988.584:509): avc: denied { open } for pid=3334 comm="mingetty" name="maps" dev=proc ino=15167 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266859988.584:510): avc: denied { getattr } for pid=3334 comm="mingetty" path="/proc/3135/maps" dev=proc ino=15167 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266859988.584:511): avc: denied { read } for pid=3334 comm="mingetty" name="fd" dev=proc ino=14565 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266859988.584:512): avc: denied { open } for pid=3334 comm="mingetty" name="fd" dev=proc ino=14565 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266859988.584:513): avc: denied { read } for pid=3334 comm="mingetty" name="0" dev=proc ino=14566 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=lnk_file type=AVC msg=audit(1266859988.584:514): avc: denied { getattr } for pid=3334 comm="mingetty" path="/var/run/cron.pid" dev=sda2 ino=153284 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:crond_var_run_t tclass=file type=AVC msg=audit(1266859988.584:515): avc: denied { getattr } for pid=3334 comm="mingetty" path="socket:[14073]" dev=sockfs ino=14073 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=unix_dgram_socket type=AVC msg=audit(1266859988.585:516): avc: denied { getattr } for pid=3334 comm="mingetty" path="/dev/fuse" dev=tmpfs ino=5780 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file type=AVC msg=audit(1266859988.589:517): avc: denied { getattr } for pid=3334 comm="mingetty" path="/tmp/pulse-Q8Nfxl6bbSV3/autospawn.lock" dev=sda2 ino=159023 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_tmp_t tclass=file type=AVC msg=audit(1266859988.589:518): avc: denied { getattr } for pid=3335 comm="mingetty" path="pipe:[13966]" dev=pipefs ino=13966 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file type=AVC msg=audit(1266859988.595:519): avc: denied { read } for pid=3335 comm="mingetty" name="maps" dev=proc ino=15173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859988.642:520): avc: denied { getattr } for pid=3339 comm="mingetty" path="/dev/urandom" dev=tmpfs ino=889 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file type=AVC msg=audit(1266859988.657:521): avc: denied { open } for pid=3337 comm="mingetty" name="maps" dev=proc ino=15173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859988.663:522): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/3192/maps" dev=proc ino=15173 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266859988.721:523): avc: denied { read } for pid=3343 comm="mingetty" name="0" dev=proc ino=13571 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266859988.722:524): avc: denied { read } for pid=3343 comm="mingetty" name="0" dev=proc ino=13583 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=lnk_file type=AVC msg=audit(1266859988.728:525): avc: denied { getattr } for pid=3343 comm="mingetty" path="socket:[11869]" dev=sockfs ino=11869 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266859988.732:526): avc: denied { getattr } for pid=3334 comm="mingetty" path="/usr/sbin/stop_preload" dev=sda2 ino=104834 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266859988.736:527): avc: denied { getattr } for pid=3335 comm="mingetty" path="/proc/3323/fd" dev=proc ino=15263 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266859988.847:528): avc: denied { getattr } for pid=3343 comm="mingetty" path="socket:[12144]" dev=sockfs ino=12144 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_selinux_socket type=AVC msg=audit(1266859988.892:529): avc: denied { getattr } for pid=3339 comm="mingetty" path="/proc/283/fd" dev=proc ino=11587 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266859988.897:530): avc: denied { getattr } for pid=3335 comm="mingetty" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:consolekit_log_t tclass=file type=AVC msg=audit(1266859988.962:531): avc: denied { getattr } for pid=3339 comm="mingetty" path="/proc/1103/fd" dev=proc ino=11600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266859988.970:532): avc: denied { sys_ptrace } for pid=2363 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266859988.971:533): avc: denied { getsched } for pid=2363 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859989.112:534): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[10962]" dev=sockfs ino=10962 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266859989.180:536): avc: denied { getattr } for pid=3343 comm="mingetty" path="/proc/2363/fd" dev=proc ino=11611 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266859989.161:535): avc: denied { getattr } for pid=3335 comm="mingetty" path="socket:[11811]" dev=sockfs ino=11811 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266859989.217:537): avc: denied { getattr } for pid=3343 comm="mingetty" path="/proc/1199/fd" dev=proc ino=6722 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266859989.768:538): avc: denied { getattr } for pid=3332 comm="mingetty" path="/proc/3310/fd" dev=proc ino=14941 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266859989.884:539): avc: denied { getattr } for pid=3334 comm="mingetty" path="/tmp/unique" dev=sda2 ino=129877 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:file_t tclass=dir type=AVC msg=audit(1266859990.674:540): avc: denied { execstack } for pid=3354 comm="main-menu" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266859991.259:541): avc: denied { write } for pid=2958 comm="nscd" path="pipe:[16235]" dev=pipefs ino=16235 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266859991.269:542): avc: denied { execute } for pid=3399 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266859991.271:543): avc: denied { read open } for pid=3399 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266859991.272:544): avc: denied { execute_no_trans } for pid=3399 comm="dbus-daemon-lau" path="/usr/sbin/packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266859992.013:545): avc: denied { getattr } for pid=3399 comm="packagekitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266859993.161:546): avc: denied { execstack } for pid=3399 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266859993.161:547): avc: denied { execmem } for pid=3399 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266859993.197:548): avc: denied { read } for pid=3406 comm="nm-system-setti" name="PolicyKit.reload" dev=sda2 ino=66055 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_reload_t tclass=file type=AVC msg=audit(1266859993.431:549): avc: denied { search } for pid=3406 comm="nm-system-setti" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266859993.432:550): avc: denied { write } for pid=3406 comm="nm-system-setti" name="log" dev=tmpfs ino=10931 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file type=AVC msg=audit(1266859993.538:551): avc: denied { write } for pid=2364 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859993.538:552): avc: denied { read } for pid=2365 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266859993.562:553): avc: denied { search } for pid=3399 comm="packagekitd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266859993.562:554): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859993.562:555): avc: denied { append } for pid=3399 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859993.562:556): avc: denied { open } for pid=3399 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859993.562:557): avc: denied { setattr } for pid=3399 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859995.745:558): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/var/lib/rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266859995.746:559): avc: denied { search } for pid=3399 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266859995.746:560): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266859995.788:561): avc: denied { execute_no_trans } for pid=3420 comm="dbus-daemon-lau" path="/usr/lib/DeviceKit-disks/devkit-disks-daemon" dev=sda2 ino=43826 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:lib_t tclass=file type=AVC msg=audit(1266859995.931:562): avc: denied { write } for pid=3399 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266859995.931:563): avc: denied { read } for pid=3399 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266859995.931:564): avc: denied { open } for pid=3399 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266859996.196:565): avc: denied { lock } for pid=3399 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266859996.347:566): avc: denied { execute } for pid=3423 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859996.348:567): avc: denied { read open } for pid=3423 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859996.348:568): avc: denied { execute_no_trans } for pid=3423 comm="packagekitd" path="/usr/bin/gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859996.354:569): avc: denied { ipc_lock } for pid=3423 comm="gpg2" capability=14 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266859996.487:570): avc: denied { read } for pid=3420 comm="devkit-disks-da" name="mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266859996.487:571): avc: denied { open } for pid=3420 comm="devkit-disks-da" name="mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266859996.487:572): avc: denied { getattr } for pid=3420 comm="devkit-disks-da" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266859996.489:573): avc: denied { create } for pid=3420 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859996.489:574): avc: denied { setopt } for pid=3420 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859996.489:575): avc: denied { bind } for pid=3420 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859996.489:576): avc: denied { getattr } for pid=3420 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266859996.531:577): avc: denied { search } for pid=3420 comm="devkit-disks-da" name="DeviceKit-disks" dev=sda2 ino=66061 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266859996.566:578): avc: denied { read } for pid=3420 comm="devkit-disks-da" name="mtab" dev=sda2 ino=159035 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859996.566:579): avc: denied { open } for pid=3420 comm="devkit-disks-da" name="mtab" dev=sda2 ino=159035 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859996.566:580): avc: denied { getattr } for pid=3420 comm="devkit-disks-da" path="/var/lib/DeviceKit-disks/mtab" dev=sda2 ino=159035 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859996.738:581): avc: denied { search } for pid=3420 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266859996.738:582): avc: denied { write } for pid=3420 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266859996.738:583): avc: denied { remove_name } for pid=3420 comm="devkit-disks-da" name="CDROM" dev=sda2 ino=160337 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266859996.738:584): avc: denied { rmdir } for pid=3420 comm="devkit-disks-da" name="CDROM" dev=sda2 ino=160337 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266859997.086:585): avc: denied { append } for pid=3399 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266859997.182:586): avc: denied { write } for pid=2493 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6279 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266859998.230:587): avc: denied { write } for pid=3420 comm="devkit-disks-da" name="DeviceKit-disks" dev=sda2 ino=66061 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266859998.230:588): avc: denied { add_name } for pid=3420 comm="devkit-disks-da" name="mtab.G6CH8U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266859998.230:589): avc: denied { create } for pid=3420 comm="devkit-disks-da" name="mtab.G6CH8U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859998.230:590): avc: denied { write } for pid=3420 comm="devkit-disks-da" name="mtab.G6CH8U" dev=sda2 ino=160337 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859998.230:591): avc: denied { remove_name } for pid=3420 comm="devkit-disks-da" name="mtab.G6CH8U" dev=sda2 ino=160337 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266859998.230:592): avc: denied { rename } for pid=3420 comm="devkit-disks-da" name="mtab.G6CH8U" dev=sda2 ino=160337 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859998.230:593): avc: denied { unlink } for pid=3420 comm="devkit-disks-da" name="mtab" dev=sda2 ino=159035 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266859998.265:594): avc: denied { execute } for pid=3427 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859998.267:595): avc: denied { read open } for pid=3427 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859998.267:596): avc: denied { execute_no_trans } for pid=3427 comm="packagekitd" path="/usr/bin/gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266859998.283:597): avc: denied { getattr } for pid=2294 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859998.283:598): avc: denied { read } for pid=2294 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859998.283:599): avc: denied { open } for pid=2294 comm="polkitd" name="org.freedesktop.devicekit.power.qos.request-latency-persistent.pkla" dev=sda2 ino=26258 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266859998.424:600): avc: denied { read } for pid=3432 comm="packagekitd" name="gpg" dev=sda2 ino=44794 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file type=AVC msg=audit(1266859999.000:601): avc: denied { read } for pid=3424 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5255 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266859999.000:602): avc: denied { open } for pid=3424 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5255 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266860002.311:603): avc: denied { write } for pid=2493 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6279 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file type=AVC msg=audit(1266860007.086:604): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/var/log/zypp" dev=sda2 ino=65987 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266860007.373:605): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/var/cache/zypp/solv/@System/solv" dev=sda2 ino=136065 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266860007.374:606): avc: denied { read } for pid=3399 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266860007.374:607): avc: denied { open } for pid=3399 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266860007.451:608): avc: denied { write } for pid=3399 comm="packagekitd" name="transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266860007.451:609): avc: denied { lock } for pid=3399 comm="packagekitd" path="/var/lib/PackageKit/transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266860007.623:610): avc: denied { read } for pid=3399 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266860007.624:611): avc: denied { open } for pid=3399 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266860007.624:612): avc: denied { getattr } for pid=3399 comm="packagekitd" path="/proc/3399/net/route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266860012.424:613): avc: denied { getattr } for pid=3420 comm="devkit-disks-da" path="/dev" dev=tmpfs ino=864 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266860012.424:614): avc: denied { getattr } for pid=3420 comm="devkit-disks-da" path="/dev/sda2" dev=tmpfs ino=1793 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266860012.918:615): avc: denied { add_name } for pid=3420 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266860012.918:616): avc: denied { create } for pid=3420 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266860012.921:617): avc: denied { execute } for pid=3467 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266860012.922:618): avc: denied { read open } for pid=3467 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266860012.922:619): avc: denied { execute_no_trans } for pid=3467 comm="devkit-disks-da" path="/bin/mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266860012.926:620): avc: denied { mounton } for pid=3467 comm="mount" path="/media/CDROM" dev=sda2 ino=160340 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266860012.998:621): avc: denied { write } for pid=283 comm="udevd" path="/dev/.udev/queue.bin" dev=tmpfs ino=6487 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file type=AVC msg=audit(1266860012.999:622): avc: denied { search } for pid=503 comm="udevd" name="/" dev=tmpfs ino=864 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir type=AVC msg=audit(1266860013.008:623): avc: denied { mount } for pid=3467 comm="mount" name="/" dev=sr0 ino=1856 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:iso9660_t tclass=filesystem type=AVC msg=audit(1266860013.009:624): avc: denied { search } for pid=3467 comm="mount" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266860013.013:625): avc: denied { getattr } for pid=3467 comm="mount" path="/etc/mtab" dev=sda2 ino=127820 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266860013.013:626): avc: denied { read write } for pid=3467 comm="mount" name="mtab" dev=sda2 ino=127820 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266860013.014:627): avc: denied { open } for pid=3467 comm="mount" name="mtab" dev=sda2 ino=127820 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266860013.014:628): avc: denied { write } for pid=3467 comm="mount" name="etc" dev=sda2 ino=8001 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266860013.014:629): avc: denied { ioctl } for pid=3406 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266860013.015:630): avc: denied { add_name } for pid=3467 comm="mount" name="mtab~3467" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266860013.015:631): avc: denied { create } for pid=3467 comm="mount" name="mtab~3467" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266860013.016:632): avc: denied { write } for pid=3467 comm="mount" name="mtab~3467" dev=sda2 ino=159048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266860013.016:633): avc: denied { link } for pid=3467 comm="mount" name="mtab~3467" dev=sda2 ino=159048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266860013.016:634): avc: denied { remove_name } for pid=3467 comm="mount" name="mtab~3467" dev=sda2 ino=159048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266860013.017:635): avc: denied { unlink } for pid=3467 comm="mount" name="mtab~3467" dev=sda2 ino=159048 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266860013.017:636): avc: denied { append } for pid=3467 comm="mount" name="mtab" dev=sda2 ino=127820 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266860013.035:637): avc: denied { read } for pid=3406 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266860058.471:638): avc: denied { getattr } for pid=3558 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266860058.471:639): avc: denied { open } for pid=3558 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266860058.471:640): avc: denied { setattr } for pid=3558 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266860058.552:641): avc: denied { read } for pid=3562 comm="packagekitd" name="gpg" dev=sda2 ino=44794 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file type=AVC msg=audit(1266860059.021:642): avc: denied { write } for pid=3558 comm="packagekitd" name="PackageKit" dev=sda2 ino=35545 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266860059.021:643): avc: denied { add_name } for pid=3558 comm="packagekitd" name="transactions.db-journal" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266860059.021:644): avc: denied { create } for pid=3558 comm="packagekitd" name="transactions.db-journal" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266860059.092:645): avc: denied { remove_name } for pid=3558 comm="packagekitd" name="transactions.db-journal" dev=sda2 ino=160338 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266860059.092:646): avc: denied { unlink } for pid=3558 comm="packagekitd" name="transactions.db-journal" dev=sda2 ino=160338 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266860061.499:647): avc: denied { getattr } for pid=3580 comm="packagekitd" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266860061.500:648): avc: denied { read } for pid=3580 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266860061.500:649): avc: denied { open } for pid=3580 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266860061.500:650): avc: denied { search } for pid=3580 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266860061.501:651): avc: denied { getattr } for pid=3580 comm="packagekitd" path="/sys/fs/fuse/connections/18/abort" dev=fusectl ino=14128 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=file type=AVC msg=audit(1266860061.685:652): avc: denied { getattr } for pid=3580 comm="packagekitd" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266860061.686:653): avc: denied { read } for pid=3580 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266860061.686:654): avc: denied { open } for pid=3580 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266860061.686:655): avc: denied { search } for pid=3580 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266860061.688:656): avc: denied { getattr } for pid=3580 comm="packagekitd" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4023 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=file ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-22 17:39 ` Alan Rouse @ 2010-02-22 17:56 ` Stephen Smalley 2010-02-22 19:12 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 17:56 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Mon, 2010-02-22 at 12:39 -0500, Alan Rouse wrote: > Stephen wrote: > > Hmm...enabled=0, i.e. disabled. > > Might need to boot with audit=1 on the kernel command line then. > > Or enable auditd (chkconfig auditd on). > > audit=1 on the kernel command line doesn't change things. auditctl -s still says enabled=0. > Same for "chkconfig auditd on" and reboot. > > I've installed the latest refpolicy from the tresys source repository. Attached is the audit.log after booting that policy (init_upstart --> on) You need to perform a restorecon -R /dev from /etc/rc.d/rc.sysinit so that the tmpfs /dev mount is properly labeled. File a bug against whatever package owns that file in OpenSUSE (in Fedora, it is the initscripts rpm). You should also perform a complete filesystem relabel to ensure that all file labels are correct for the latest refpolicy. There are SYSCALL records in your latest audit.log, so you have enabled auditing now. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-22 17:56 ` Stephen Smalley @ 2010-02-22 19:12 ` Alan Rouse 2010-02-22 19:37 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-22 19:12 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' [-- Attachment #1: Type: text/plain, Size: 560 bytes --] Stephen wrote: > You need to perform a restorecon -R /dev from /etc/rc.d/rc.sysinit so that the tmpfs /dev mount is properly > labeled. File a bug against whatever package owns that file in OpenSUSE (in Fedora, it is the initscripts > rpm). The scripts are different in suse. I've placed the restorecon command in /etc/init.d/boot prior to the first mount attempt. That seems to do the trick -- the denied messages related to tempfs are now gone. See attached audit.log from the subsequent boot. -- Stephen Smalley National Security Agency [-- Attachment #2: audit.log --] [-- Type: application/octet-stream, Size: 101423 bytes --] type=DAEMON_START msg=audit(1266865692.826:6559): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2762 subj=system_u:system_r:auditd_t res=success type=SYSCALL msg=audit(1266865636.770:16): arch=40000003 syscall=21 success=yes exit=0 a0=805eac8 a1=805e970 a2=805ed98 a3=c0ed0000 items=0 ppid=474 pid=514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t key=(null) type=AVC msg=audit(1266865639.888:17): avc: denied { syslog_read } for pid=549 comm="klogd" scontext=system_u:system_r:klogd_t tcontext=system_u:system_r:kernel_t tclass=system type=SYSCALL msg=audit(1266865639.888:17): arch=40000003 syscall=103 success=yes exit=262144 a0=a a1=0 a2=0 a3=bfc5ee01 items=0 ppid=525 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="klogd" exe="/sbin/klogd" subj=system_u:system_r:klogd_t key=(null) type=AVC msg=audit(1266865640.026:18): avc: denied { search } for pid=549 comm="klogd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865640.026:18): avc: denied { write } for pid=549 comm="klogd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865640.026:18): avc: denied { add_name } for pid=549 comm="klogd" name="boot.msg" scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865640.026:18): avc: denied { create } for pid=549 comm="klogd" name="boot.msg" scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865640.026:18): avc: denied { write open } for pid=549 comm="klogd" name="boot.msg" dev=sda2 ino=127820 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=file type=SYSCALL msg=audit(1266865640.026:18): arch=40000003 syscall=5 success=yes exit=3 a0=bfc5ee01 a1=8241 a2=1b6 a3=b771b170 items=0 ppid=525 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="klogd" exe="/sbin/klogd" subj=system_u:system_r:klogd_t key=(null) type=AVC msg=audit(1266865640.026:19): avc: denied { getattr } for pid=549 comm="klogd" path="/var/log/boot.msg" dev=sda2 ino=127820 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=file type=SYSCALL msg=audit(1266865640.026:19): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfc5d518 a2=b76daff4 a3=b771b170 items=0 ppid=525 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="klogd" exe="/sbin/klogd" subj=system_u:system_r:klogd_t key=(null) type=AVC msg=audit(1266865650.710:20): avc: denied { read write } for pid=1044 comm="rsyslogd" name="xconsole" dev=tmpfs ino=6557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file type=AVC msg=audit(1266865650.710:20): avc: denied { open } for pid=1044 comm="rsyslogd" name="xconsole" dev=tmpfs ino=6557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file type=SYSCALL msg=audit(1266865650.710:20): arch=40000003 syscall=5 success=yes exit=4 a0=80a0360 a1=88802 a2=0 a3=0 items=0 ppid=1041 pid=1044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) type=AVC msg=audit(1266865650.710:21): avc: denied { ioctl } for pid=1044 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file type=SYSCALL msg=audit(1266865650.710:21): arch=40000003 syscall=54 success=no exit=-22 a0=4 a1=5401 a2=bfd591ac a3=bfd591ec items=0 ppid=1041 pid=1044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) type=AVC msg=audit(1266865650.711:22): avc: denied { append } for pid=1044 comm="rsyslogd" name="acpid" dev=sda2 ino=26239 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266865650.711:22): avc: denied { open } for pid=1044 comm="rsyslogd" name="acpid" dev=sda2 ino=26239 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file type=CONFIG_CHANGE msg=audit(1266865692.961:184): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t res=1 type=CONFIG_CHANGE msg=audit(1266865692.996:185): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t res=1 type=AVC msg=audit(1266865694.002:186): avc: denied { read } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865694.002:187): avc: denied { open } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865695.329:188): avc: denied { sys_ptrace } for pid=1951 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865695.329:189): avc: denied { getsched } for pid=1951 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865695.519:190): avc: denied { execute } for pid=2807 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865695.519:191): avc: denied { read open } for pid=2807 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865695.519:192): avc: denied { execute_no_trans } for pid=2807 comm="dbus-daemon-lau" path="/usr/sbin/packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865695.731:193): avc: denied { getattr } for pid=2807 comm="packagekitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865695.777:194): avc: denied { execstack } for pid=2807 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266865695.784:195): avc: denied { execmem } for pid=2807 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266865696.044:196): avc: denied { execstack } for pid=2820 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266865696.060:197): avc: denied { execmem } for pid=2820 comm="cupsd" scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:cupsd_t tclass=process type=AVC msg=audit(1266865696.205:198): avc: denied { search } for pid=2807 comm="packagekitd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865696.207:199): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865696.208:200): avc: denied { append } for pid=2807 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865696.208:201): avc: denied { open } for pid=2807 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865696.208:202): avc: denied { setattr } for pid=2807 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865696.620:203): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/lib/rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865696.643:204): avc: denied { search } for pid=2807 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865696.644:205): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.694:206): avc: denied { write } for pid=2807 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865696.696:207): avc: denied { read } for pid=2807 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.708:208): avc: denied { open } for pid=2807 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.708:209): avc: denied { lock } for pid=2807 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.717:210): avc: denied { execute } for pid=2833 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865696.783:211): avc: denied { read open } for pid=2833 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865696.784:212): avc: denied { execute_no_trans } for pid=2833 comm="packagekitd" path="/usr/bin/gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865696.791:213): avc: denied { ipc_lock } for pid=2833 comm="gpg2" capability=14 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865696.852:214): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.853:215): avc: denied { read } for pid=2807 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.853:216): avc: denied { open } for pid=2807 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.854:217): avc: denied { lock } for pid=2807 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865696.875:218): avc: denied { execute } for pid=2837 comm="dbus-daemon-lau" name="nm-system-settings" dev=sda2 ino=33236 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865696.879:219): avc: denied { read open } for pid=2837 comm="dbus-daemon-lau" name="nm-system-settings" dev=sda2 ino=33236 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865696.879:220): avc: denied { execute_no_trans } for pid=2837 comm="dbus-daemon-lau" path="/usr/sbin/nm-system-settings" dev=sda2 ino=33236 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865697.032:221): avc: denied { read } for pid=2842 comm="packagekitd" name="gpg" dev=sda2 ino=44794 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file type=AVC msg=audit(1266865697.047:222): avc: denied { read } for pid=2837 comm="nm-system-setti" name="PolicyKit.reload" dev=sda2 ino=66055 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_reload_t tclass=file type=AVC msg=audit(1266865697.047:223): avc: denied { getattr } for pid=2837 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865697.539:224): avc: denied { search } for pid=2807 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865697.550:225): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/lib/rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865697.551:226): avc: denied { write } for pid=1952 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865697.551:227): avc: denied { read } for pid=1956 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865697.551:228): avc: denied { write } for pid=2807 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865699.112:229): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/log/zypp" dev=sda2 ino=65987 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865699.147:230): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/var/cache/zypp/solv/@System/solv" dev=sda2 ino=136065 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266865699.158:231): avc: denied { read } for pid=2807 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266865699.158:232): avc: denied { open } for pid=2807 comm="packagekitd" name="cookie" dev=sda2 ino=66335 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_t tclass=file type=AVC msg=audit(1266865699.195:233): avc: denied { write } for pid=2807 comm="packagekitd" name="transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865699.196:234): avc: denied { lock } for pid=2807 comm="packagekitd" path="/var/lib/PackageKit/transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865699.203:235): avc: denied { execmem } for pid=2807 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266865699.302:236): avc: denied { read } for pid=2807 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266865699.303:237): avc: denied { open } for pid=2807 comm="packagekitd" name="route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266865699.303:238): avc: denied { getattr } for pid=2807 comm="packagekitd" path="/proc/2807/net/route" dev=proc ino=4026531941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:proc_net_t tclass=file type=AVC msg=audit(1266865701.945:239): avc: denied { write } for pid=3026 comm="nscd" path="pipe:[14830]" dev=pipefs ino=14830 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266865702.891:240): avc: denied { getattr } for pid=2732 comm="devkit-disks-da" path="/dev/sda2" dev=tmpfs ino=1798 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file type=AVC msg=audit(1266865702.892:241): avc: denied { read } for pid=3059 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266865702.893:242): avc: denied { open } for pid=3059 comm="smartd" name="drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266865702.893:243): avc: denied { getattr } for pid=3059 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda2 ino=103893 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:usr_t tclass=file type=AVC msg=audit(1266865703.272:244): avc: denied { read } for pid=2732 comm="devkit-disks-da" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266865703.580:245): avc: denied { read } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.hal.power-management.cpufreq.pkla" dev=sda2 ino=26328 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865703.580:246): avc: denied { getattr } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.consolekit.system.stop.pkla" dev=sda2 ino=26329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865703.581:247): avc: denied { open } for pid=1934 comm="polkitd" name="org.freedesktop.consolekit.system.stop.pkla" dev=sda2 ino=26329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865704.311:248): avc: denied { search } for pid=2732 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266865704.312:249): avc: denied { write } for pid=2732 comm="devkit-disks-da" name="media" dev=sda2 ino=36613 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266865704.312:250): avc: denied { add_name } for pid=2732 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266865704.312:251): avc: denied { create } for pid=2732 comm="devkit-disks-da" name="CDROM" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266865704.315:252): avc: denied { search } for pid=2732 comm="devkit-disks-da" name="DeviceKit-disks" dev=sda2 ino=66061 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266865704.315:253): avc: denied { read } for pid=2732 comm="devkit-disks-da" name="mtab" dev=sda2 ino=160300 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.315:254): avc: denied { open } for pid=2732 comm="devkit-disks-da" name="mtab" dev=sda2 ino=160300 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.316:255): avc: denied { getattr } for pid=2732 comm="devkit-disks-da" path="/var/lib/DeviceKit-disks/mtab" dev=sda2 ino=160300 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.316:256): avc: denied { write } for pid=2732 comm="devkit-disks-da" name="DeviceKit-disks" dev=sda2 ino=66061 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266865704.316:257): avc: denied { add_name } for pid=2732 comm="devkit-disks-da" name="mtab.HF2N8U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266865704.317:258): avc: denied { create } for pid=2732 comm="devkit-disks-da" name="mtab.HF2N8U" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.317:259): avc: denied { write } for pid=2732 comm="devkit-disks-da" name="mtab.HF2N8U" dev=sda2 ino=159051 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.317:260): avc: denied { remove_name } for pid=2732 comm="devkit-disks-da" name="mtab.HF2N8U" dev=sda2 ino=159051 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=dir type=AVC msg=audit(1266865704.318:261): avc: denied { rename } for pid=2732 comm="devkit-disks-da" name="mtab.HF2N8U" dev=sda2 ino=159051 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.318:262): avc: denied { unlink } for pid=2732 comm="devkit-disks-da" name="mtab" dev=sda2 ino=160300 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:devicekit_var_lib_t tclass=file type=AVC msg=audit(1266865704.320:263): avc: denied { execute } for pid=3110 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266865704.321:264): avc: denied { read open } for pid=3110 comm="devkit-disks-da" name="mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266865704.322:265): avc: denied { execute_no_trans } for pid=3110 comm="devkit-disks-da" path="/bin/mount" dev=sda2 ino=130 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mount_exec_t tclass=file type=AVC msg=audit(1266865704.328:266): avc: denied { mounton } for pid=3110 comm="mount" path="/media/CDROM" dev=sda2 ino=160353 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:mnt_t tclass=dir type=AVC msg=audit(1266865704.487:267): avc: denied { mount } for pid=3110 comm="mount" name="/" dev=sr0 ino=1856 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:iso9660_t tclass=filesystem type=AVC msg=audit(1266865704.498:268): avc: denied { getattr } for pid=3110 comm="mount" path="/etc/mtab" dev=sda2 ino=26249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266865704.499:269): avc: denied { read write } for pid=3110 comm="mount" name="mtab" dev=sda2 ino=26249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266865704.499:270): avc: denied { open } for pid=3110 comm="mount" name="mtab" dev=sda2 ino=26249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266865704.499:271): avc: denied { write } for pid=3110 comm="mount" name="etc" dev=sda2 ino=8001 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266865704.499:272): avc: denied { add_name } for pid=3110 comm="mount" name="mtab~3110" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266865704.499:273): avc: denied { create } for pid=3110 comm="mount" name="mtab~3110" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266865704.499:274): avc: denied { ioctl } for pid=2837 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865704.509:275): avc: denied { read } for pid=2837 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865704.668:276): avc: denied { write } for pid=3110 comm="mount" name="mtab~3110" dev=sda2 ino=159053 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266865704.669:277): avc: denied { link } for pid=3110 comm="mount" name="mtab~3110" dev=sda2 ino=159053 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266865704.669:278): avc: denied { remove_name } for pid=3110 comm="mount" name="mtab~3110" dev=sda2 ino=159053 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC msg=audit(1266865704.669:279): avc: denied { unlink } for pid=3110 comm="mount" name="mtab~3110" dev=sda2 ino=159053 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1266865704.669:280): avc: denied { append } for pid=3110 comm="mount" name="mtab" dev=sda2 ino=26249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1266865705.310:281): avc: denied { sys_ptrace } for pid=1951 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865705.310:282): avc: denied { getsched } for pid=1951 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865706.001:283): avc: denied { read } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865706.001:284): avc: denied { open } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865707.458:285): avc: denied { write } for pid=3026 comm="nscd" path="pipe:[15253]" dev=pipefs ino=15253 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266865708.130:286): avc: denied { append } for pid=2513 comm="rsyslogd" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266865708.577:287): avc: denied { execstack } for pid=3212 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266865708.578:288): avc: denied { execmem } for pid=3212 comm="slptool" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1266865708.747:289): avc: denied { getattr } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.consolekit.system.stop-multiple-users.pkla" dev=sda2 ino=26310 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865708.750:290): avc: denied { read } for pid=1934 comm="polkitd" name="org.freedesktop.consolekit.system.stop-multiple-users.pkla" dev=sda2 ino=26310 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865708.751:291): avc: denied { open } for pid=1934 comm="polkitd" name="org.freedesktop.consolekit.system.stop-multiple-users.pkla" dev=sda2 ino=26310 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865709.381:292): avc: denied { getattr } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.gnome.policykit.examples.kick-baz.pkla" dev=sda2 ino=26299 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865709.382:293): avc: denied { read } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.gnome.policykit.examples.kick-baz.pkla" dev=sda2 ino=26299 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865709.383:294): avc: denied { open } for pid=1934 comm="polkitd" name="org.freedesktop.packagekit.package-remove.pkla" dev=sda2 ino=26298 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865709.691:295): avc: denied { sys_ptrace } for pid=1951 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865709.691:296): avc: denied { getsched } for pid=1951 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865710.002:297): avc: denied { read } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865710.003:298): avc: denied { open } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865710.144:299): avc: denied { write } for pid=3026 comm="nscd" path="pipe:[16858]" dev=pipefs ino=16858 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266865710.762:300): avc: denied { sys_ptrace } for pid=1951 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865710.763:301): avc: denied { getsched } for pid=1951 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865710.953:302): avc: denied { execstack } for pid=3305 comm="git" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865711.887:303): avc: denied { write } for pid=2513 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=6557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file type=AVC msg=audit(1266865712.213:304): avc: denied { search } for pid=3369 comm="mingetty" name="2" dev=proc ino=5955 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266865712.243:305): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17184 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266865712.266:306): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17184 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266865712.266:307): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/2/maps" dev=proc ino=17184 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=file type=AVC msg=audit(1266865712.266:308): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266865712.267:309): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266865712.270:310): avc: denied { search } for pid=3369 comm="mingetty" name="258" dev=proc ino=5990 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865712.292:311): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17220 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865712.292:312): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17220 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865712.293:313): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/258/maps" dev=proc ino=17220 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865712.293:314): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10695 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865712.293:315): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10695 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865712.294:316): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15360 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=lnk_file type=AVC msg=audit(1266865712.326:317): avc: denied { getattr } for pid=3369 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4088 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266865712.327:318): avc: denied { getattr } for pid=3369 comm="mingetty" path="/dev/ptmx" dev=tmpfs ino=3967 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:ptmx_t tclass=chr_file type=AVC msg=audit(1266865712.327:319): avc: denied { search } for pid=3369 comm="mingetty" name="290" dev=proc ino=5994 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266865712.328:320): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17230 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266865712.328:321): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17230 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266865712.328:322): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/290/maps" dev=proc ino=17230 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=file type=AVC msg=audit(1266865712.329:323): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10702 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266865712.329:324): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10702 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=dir type=AVC msg=audit(1266865712.333:325): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15369 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=lnk_file type=AVC msg=audit(1266865712.334:326): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[4162]" dev=sockfs ino=4162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.345:327): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[4163]" dev=sockfs ino=4163 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266865712.345:328): avc: denied { getattr } for pid=3369 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865712.346:329): avc: denied { getattr } for pid=3369 comm="mingetty" path="anon_inode:[signalfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865712.348:330): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/acpi/event" dev=proc ino=4026531938 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266865712.348:331): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[6523]" dev=sockfs ino=6523 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.349:332): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[7018]" dev=sockfs ino=7018 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.355:333): avc: denied { search } for pid=3369 comm="mingetty" name="1049" dev=proc ino=6601 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266865712.355:334): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17240 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266865712.356:335): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17240 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266865712.356:336): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/1049/maps" dev=proc ino=17240 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=file type=AVC msg=audit(1266865712.356:337): avc: denied { sys_ptrace } for pid=3369 comm="mingetty" capability=19 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability type=AVC msg=audit(1266865712.357:338): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10744 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266865712.371:339): avc: denied { open } for pid=3375 comm="mingetty" name="fd" dev=proc ino=10744 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=dir type=AVC msg=audit(1266865712.372:340): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15433 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=lnk_file type=AVC msg=audit(1266865712.381:342): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[6600]" dev=sockfs ino=6600 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_selinux_socket type=AVC msg=audit(1266865712.386:343): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[7817]" dev=sockfs ino=7817 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.390:344): avc: denied { search } for pid=3371 comm="mingetty" name="1128" dev=proc ino=6681 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266865712.391:345): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17249 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266865712.393:346): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17249 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266865712.393:347): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/1128/maps" dev=proc ino=17249 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=file type=AVC msg=audit(1266865712.394:348): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10749 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266865712.394:349): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10749 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=dir type=AVC msg=audit(1266865712.394:350): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15487 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=lnk_file type=AVC msg=audit(1266865712.394:351): avc: denied { getattr } for pid=3369 comm="mingetty" path="pipe:[6677]" dev=pipefs ino=6677 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=fifo_file type=AVC msg=audit(1266865712.403:352): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[6678]" dev=sockfs ino=6678 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.403:353): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_mdstat_t tclass=file type=AVC msg=audit(1266865712.404:354): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[6783]" dev=sockfs ino=6783 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.404:355): avc: denied { search } for pid=3369 comm="mingetty" name="1141" dev=proc ino=6737 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266865712.404:356): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17254 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266865712.405:357): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17254 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266865712.405:358): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/1141/maps" dev=proc ino=17254 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=file type=AVC msg=audit(1266865712.407:359): avc: denied { read } for pid=3371 comm="mingetty" name="fd" dev=proc ino=10751 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266865712.408:360): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10751 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=dir type=AVC msg=audit(1266865712.421:361): avc: denied { read } for pid=3373 comm="mingetty" name="0" dev=proc ino=15505 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=lnk_file type=AVC msg=audit(1266865712.454:362): avc: denied { getattr } for pid=3371 comm="mingetty" path="pipe:[6733]" dev=pipefs ino=6733 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=fifo_file type=AVC msg=audit(1266865712.455:363): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[6735]" dev=sockfs ino=6735 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:consolekit_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.458:364): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/log/ConsoleKit/history" dev=sda2 ino=129645 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:consolekit_log_t tclass=file type=AVC msg=audit(1266865712.461:365): avc: denied { search } for pid=3369 comm="mingetty" name="1250" dev=proc ino=6864 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266865712.467:366): avc: denied { read } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17256 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266865712.380:341): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[6598]" dev=sockfs ino=6598 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.468:367): avc: denied { read } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17256 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266865712.472:368): avc: denied { open } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17256 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266865712.473:369): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/1250/maps" dev=proc ino=17256 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=file type=AVC msg=audit(1266865712.473:370): avc: denied { read } for pid=3371 comm="mingetty" name="fd" dev=proc ino=6865 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266865712.474:371): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=6865 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266865712.480:372): avc: denied { read } for pid=3371 comm="mingetty" name="0" dev=proc ino=6866 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=lnk_file type=AVC msg=audit(1266865712.481:373): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[6904]" dev=sockfs ino=6904 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.482:374): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/run/gdm/auth-for-gdm-hFrrXm/database" dev=sda2 ino=129773 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_var_run_t tclass=file type=AVC msg=audit(1266865712.483:375): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/log/gdm/:0-slave.log" dev=sda2 ino=160310 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xserver_log_t tclass=file type=AVC msg=audit(1266865712.488:376): avc: denied { write } for pid=1952 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865712.488:377): avc: denied { read } for pid=1956 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865712.490:378): avc: denied { search } for pid=3371 comm="mingetty" name="1282" dev=proc ino=6988 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266865712.491:379): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17259 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266865712.492:380): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17259 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266865712.492:381): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/1282/maps" dev=proc ino=17259 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=file type=AVC msg=audit(1266865712.493:382): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=6989 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266865712.494:383): avc: denied { open } for pid=3371 comm="mingetty" name="fd" dev=proc ino=6989 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=dir type=AVC msg=audit(1266865712.498:384): avc: denied { read } for pid=3374 comm="mingetty" name="0" dev=proc ino=6990 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=lnk_file type=AVC msg=audit(1266865712.505:385): avc: denied { getattr } for pid=3373 comm="mingetty" path="socket:[7007]" dev=sockfs ino=7007 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xserver_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.513:386): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/mtrr" dev=proc ino=4026531908 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:mtrr_device_t tclass=file type=AVC msg=audit(1266865712.513:387): avc: denied { getattr } for pid=3371 comm="mingetty" path="/dev/input/event1" dev=tmpfs ino=1696 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:event_device_t tclass=chr_file type=AVC msg=audit(1266865712.518:388): avc: denied { getattr } for pid=3369 comm="mingetty" path="/dev/cpu_dma_latency" dev=tmpfs ino=1116 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file type=AVC msg=audit(1266865712.522:389): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[8114]" dev=sockfs ino=8114 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266865712.550:390): avc: denied { getattr } for pid=3373 comm="mingetty" path="/var/lib/polkit-1/localauthority/10-vendor.d" dev=sda2 ino=26257 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266865712.552:391): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.opensuse.yast.scr.error.pkla" dev=sda2 ino=26330 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865712.556:392): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[11686]" dev=sockfs ino=11686 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.572:393): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[11652]" dev=sockfs ino=11652 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266865712.585:394): avc: denied { getattr } for pid=3371 comm="mingetty" path="/home/alan/.xsession-errors" dev=sda3 ino=43 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xauth_home_t tclass=file type=AVC msg=audit(1266865712.588:395): avc: denied { search } for pid=3369 comm="mingetty" name="2242" dev=proc ino=10588 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266865712.593:396): avc: denied { read } for pid=3373 comm="mingetty" name="maps" dev=proc ino=17275 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266865712.600:397): avc: denied { open } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17275 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266865712.603:398): avc: denied { getattr } for pid=3375 comm="mingetty" path="/proc/2242/maps" dev=proc ino=17275 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=file type=AVC msg=audit(1266865712.603:399): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=10789 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266865712.604:400): avc: denied { open } for pid=3371 comm="mingetty" name="fd" dev=proc ino=10789 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=dir type=AVC msg=audit(1266865712.604:401): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15648 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=lnk_file type=AVC msg=audit(1266865712.605:402): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/run/dhcpcd-eth0.pid" dev=sda2 ino=129776 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file type=AVC msg=audit(1266865712.605:403): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[8007]" dev=sockfs ino=8007 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.607:404): avc: denied { getattr } for pid=3374 comm="mingetty" path="pipe:[8010]" dev=pipefs ino=8010 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:dhcpc_t tclass=fifo_file type=AVC msg=audit(1266865712.631:405): avc: denied { getattr } for pid=3369 comm="mingetty" path="/home/alan/.gconfd/saved_state" dev=sda3 ino=206 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:gconf_home_t tclass=file type=AVC msg=audit(1266865712.648:406): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[11410]" dev=sockfs ino=11410 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=netlink_selinux_socket type=AVC msg=audit(1266865712.669:407): avc: denied { search } for pid=3375 comm="mingetty" name="2508" dev=proc ino=12223 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266865712.679:408): avc: denied { read } for pid=3373 comm="mingetty" name="maps" dev=proc ino=17286 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266865712.686:409): avc: denied { open } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17286 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266865712.686:410): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/2508/maps" dev=proc ino=17286 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=file type=AVC msg=audit(1266865712.687:411): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=15863 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266865712.687:412): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=15863 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=dir type=AVC msg=audit(1266865712.688:413): avc: denied { read } for pid=3371 comm="mingetty" name="0" dev=proc ino=15864 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=lnk_file type=AVC msg=audit(1266865712.689:414): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[12240]" dev=sockfs ino=12240 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket type=AVC msg=audit(1266865712.689:415): avc: denied { getattr } for pid=3369 comm="mingetty" path="/dev/xconsole" dev=tmpfs ino=6557 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:device_t tclass=fifo_file type=AVC msg=audit(1266865712.689:416): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/log/firewall" dev=sda2 ino=26232 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865712.690:417): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266865712.690:418): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/log/mail" dev=sda2 ino=26237 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sendmail_log_t tclass=file type=AVC msg=audit(1266865712.691:419): avc: denied { getattr } for pid=3374 comm="mingetty" path="/var/log/news/news.crit" dev=sda2 ino=26244 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:innd_log_t tclass=file type=AVC msg=audit(1266865712.692:420): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/kmsg" dev=proc ino=4026531989 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_kmsg_t tclass=file type=AVC msg=audit(1266865712.693:421): avc: denied { getattr } for pid=3371 comm="mingetty" path="/dev/urandom" dev=tmpfs ino=889 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file type=AVC msg=audit(1266865712.700:422): avc: denied { search } for pid=3369 comm="mingetty" name="2531" dev=proc ino=12297 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266865712.707:423): avc: denied { read } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17290 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266865712.719:424): avc: denied { open } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17290 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266865712.750:425): avc: denied { getattr } for pid=3373 comm="mingetty" path="/proc/2531/maps" dev=proc ino=17290 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=file type=AVC msg=audit(1266865712.751:426): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=15950 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266865712.752:427): avc: denied { open } for pid=3374 comm="mingetty" name="fd" dev=proc ino=15950 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=dir type=AVC msg=audit(1266865712.754:428): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=15951 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=lnk_file type=AVC msg=audit(1266865712.755:429): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/run/rpcbind.lock" dev=sda2 ino=153262 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:rpcbind_var_run_t tclass=file type=AVC msg=audit(1266865712.755:430): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[12452]" dev=sockfs ino=12452 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=udp_socket type=AVC msg=audit(1266865712.755:431): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[12281]" dev=sockfs ino=12281 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266865712.756:432): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[12288]" dev=sockfs ino=12288 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=tcp_socket type=AVC msg=audit(1266865712.761:433): avc: denied { getattr } for pid=3374 comm="mingetty" path="/dev/fuse" dev=tmpfs ino=5910 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file type=AVC msg=audit(1266865712.772:434): avc: denied { getattr } for pid=3375 comm="mingetty" path="/home/alan/.pulse/34218fbf2b09493b6a2222c24aef434d-device-volumes.i686-pc-linux-gnu.gdbm" dev=sda3 ino=55 scontext=system_u:system_r:getty_t tcontext=user_u:object_r:user_home_t tclass=file type=AVC msg=audit(1266865712.856:435): avc: denied { getattr } for pid=3375 comm="mingetty" path="/home/alan/.local/share/gvfs-metadata/home" dev=sda3 ino=61 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:user_home_t tclass=file type=AVC msg=audit(1266865712.929:436): avc: denied { getattr } for pid=3375 comm="mingetty" path="/usr/bin/gnome-do" dev=sda2 ino=44659 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865712.935:437): avc: denied { getattr } for pid=3369 comm="mingetty" path="/usr/bin/gnome-do" dev=sda2 ino=44659 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865712.941:438): avc: denied { getattr } for pid=3374 comm="mingetty" path="/proc/stat" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:proc_t tclass=file type=AVC msg=audit(1266865712.951:439): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14383]" dev=sockfs ino=14383 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=udp_socket type=AVC msg=audit(1266865712.972:440): avc: denied { getattr } for pid=3371 comm="mingetty" path="/tmp/pulse-rwJIRDT5E6vQ/autospawn.lock" dev=sda2 ino=129659 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:xdm_tmp_t tclass=file type=AVC msg=audit(1266865713.062:441): avc: denied { getattr } for pid=3371 comm="mingetty" path="pipe:[13872]" dev=pipefs ino=13872 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:system_dbusd_t tclass=fifo_file type=AVC msg=audit(1266865713.081:442): avc: denied { search } for pid=3375 comm="mingetty" name="2762" dev=proc ino=14036 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266865713.102:443): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17331 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266865713.105:444): avc: denied { open } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17331 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266865713.115:445): avc: denied { getattr } for pid=3372 comm="mingetty" path="/proc/2762/maps" dev=proc ino=17331 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=file type=AVC msg=audit(1266865713.124:446): avc: denied { read } for pid=3371 comm="mingetty" name="fd" dev=proc ino=16217 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266865713.125:447): avc: denied { open } for pid=3374 comm="mingetty" name="fd" dev=proc ino=16217 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=dir type=AVC msg=audit(1266865713.126:448): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=16218 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=lnk_file type=AVC msg=audit(1266865713.126:449): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[14030]" dev=sockfs ino=14030 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=netlink_audit_socket type=AVC msg=audit(1266865713.126:450): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/log/audit/audit.log" dev=sda2 ino=160301 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:auditd_log_t tclass=file type=AVC msg=audit(1266865713.127:451): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14034]" dev=sockfs ino=14034 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.128:452): avc: denied { getattr } for pid=3375 comm="mingetty" path="socket:[14033]" dev=sockfs ino=14033 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.128:453): avc: denied { search } for pid=3371 comm="mingetty" name="2764" dev=proc ino=14047 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266865713.129:454): avc: denied { read } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17332 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266865713.129:455): avc: denied { getattr } for pid=3369 comm="mingetty" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865713.129:456): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17332 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266865713.130:457): avc: denied { getattr } for pid=3371 comm="mingetty" path="/proc/2764/maps" dev=proc ino=17332 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=file type=AVC msg=audit(1266865713.130:458): avc: denied { read } for pid=3371 comm="mingetty" name="fd" dev=proc ino=16229 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266865713.131:459): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=16229 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=dir type=AVC msg=audit(1266865713.131:460): avc: denied { read } for pid=3374 comm="mingetty" name="0" dev=proc ino=16230 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=lnk_file type=AVC msg=audit(1266865713.132:461): avc: denied { getattr } for pid=3375 comm="mingetty" path="pipe:[14029]" dev=pipefs ino=14029 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=fifo_file type=AVC msg=audit(1266865713.132:462): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14041]" dev=sockfs ino=14041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.133:463): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[14035]" dev=sockfs ino=14035 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.133:464): avc: denied { search } for pid=3369 comm="mingetty" name="2786" dev=proc ino=14084 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266865713.135:465): avc: denied { read } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17333 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266865713.135:466): avc: denied { open } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17333 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266865713.136:467): avc: denied { getattr } for pid=3374 comm="mingetty" path="/proc/2786/maps" dev=proc ino=17333 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=file type=AVC msg=audit(1266865713.137:468): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=14085 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266865713.139:469): avc: denied { open } for pid=3373 comm="mingetty" name="fd" dev=proc ino=14085 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=dir type=AVC msg=audit(1266865713.139:470): avc: denied { read } for pid=3375 comm="mingetty" name="0" dev=proc ino=14086 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=lnk_file type=AVC msg=audit(1266865713.140:471): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[14096]" dev=sockfs ino=14096 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.141:472): avc: denied { getattr } for pid=3369 comm="mingetty" path="pipe:[14098]" dev=pipefs ino=14098 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=fifo_file type=AVC msg=audit(1266865713.141:473): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14100]" dev=sockfs ino=14100 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.142:474): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[14108]" dev=sockfs ino=14108 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=udp_socket type=AVC msg=audit(1266865713.142:475): avc: denied { getattr } for pid=3375 comm="mingetty" path="socket:[14110]" dev=sockfs ino=14110 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=netlink_route_socket type=AVC msg=audit(1266865713.146:476): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/run/zypp.pid" dev=sda2 ino=159041 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=file type=AVC msg=audit(1266865713.152:477): avc: denied { search } for pid=3369 comm="mingetty" name="2821" dev=proc ino=14327 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266865713.156:478): avc: denied { read } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17337 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266865713.162:479): avc: denied { open } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17337 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266865713.173:480): avc: denied { getattr } for pid=3372 comm="mingetty" path="/proc/2821/maps" dev=proc ino=17337 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=file type=AVC msg=audit(1266865713.175:481): avc: denied { read } for pid=3371 comm="mingetty" name="fd" dev=proc ino=16360 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266865713.176:482): avc: denied { open } for pid=3375 comm="mingetty" name="fd" dev=proc ino=16360 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=dir type=AVC msg=audit(1266865713.177:483): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=16361 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=lnk_file type=AVC msg=audit(1266865713.181:484): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[14371]" dev=sockfs ino=14371 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=tcp_socket type=AVC msg=audit(1266865713.184:485): avc: denied { getattr } for pid=1934 comm="polkitd" path="/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.system-network-proxy-configure.pkla" dev=sda2 ino=26380 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865713.184:486): avc: denied { read } for pid=1934 comm="polkitd" name="org.freedesktop.packagekit.system-network-proxy-configure.pkla" dev=sda2 ino=26380 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865713.184:487): avc: denied { open } for pid=1934 comm="polkitd" name="org.freedesktop.packagekit.system-network-proxy-configure.pkla" dev=sda2 ino=26380 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865713.194:488): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/log/cups/error_log" dev=sda2 ino=27013 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:cupsd_log_t tclass=file type=AVC msg=audit(1266865713.194:489): avc: denied { getattr } for pid=3375 comm="mingetty" path="socket:[14373]" dev=sockfs ino=14373 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.195:490): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14375]" dev=sockfs ino=14375 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=udp_socket type=AVC msg=audit(1266865713.195:491): avc: denied { getattr } for pid=3371 comm="mingetty" path="pipe:[14376]" dev=pipefs ino=14376 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:cupsd_t tclass=fifo_file type=AVC msg=audit(1266865713.197:492): avc: denied { search } for pid=3375 comm="mingetty" name="3026" dev=proc ino=14791 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266865713.198:493): avc: denied { read } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17339 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266865713.201:494): avc: denied { open } for pid=3373 comm="mingetty" name="maps" dev=proc ino=17339 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266865713.202:495): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/3026/maps" dev=proc ino=17339 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=file type=AVC msg=audit(1266865713.204:496): avc: denied { read } for pid=3374 comm="mingetty" name="fd" dev=proc ino=16385 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266865713.204:497): avc: denied { open } for pid=3371 comm="mingetty" name="fd" dev=proc ino=16385 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=dir type=AVC msg=audit(1266865713.205:498): avc: denied { read } for pid=3369 comm="mingetty" name="0" dev=proc ino=16386 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=lnk_file type=AVC msg=audit(1266865713.205:499): avc: denied { getattr } for pid=3375 comm="mingetty" path="/var/log/nscd.log" dev=sda2 ino=129828 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:nscd_log_t tclass=file type=AVC msg=audit(1266865713.206:500): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[14786]" dev=sockfs ino=14786 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:nscd_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.211:501): avc: denied { search } for pid=3369 comm="mingetty" name="3186" dev=proc ino=15357 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266865713.220:502): avc: denied { read } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17346 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266865713.227:503): avc: denied { getattr } for pid=3372 comm="mingetty" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865713.234:504): avc: denied { open } for pid=3373 comm="mingetty" name="maps" dev=proc ino=17346 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266865713.241:505): avc: denied { getattr } for pid=3372 comm="mingetty" path="/proc/3186/maps" dev=proc ino=17346 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file type=AVC msg=audit(1266865713.243:506): avc: denied { read } for pid=3374 comm="mingetty" name="fd" dev=proc ino=16474 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266865713.244:507): avc: denied { open } for pid=3375 comm="mingetty" name="fd" dev=proc ino=16474 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=dir type=AVC msg=audit(1266865713.245:508): avc: denied { read } for pid=3371 comm="mingetty" name="0" dev=proc ino=16475 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266865713.246:509): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[15409]" dev=sockfs ino=15409 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.246:510): avc: denied { getattr } for pid=3374 comm="mingetty" path="/var/spool/postfix/pid/master.pid" dev=sda2 ino=160300 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_var_run_t tclass=file type=AVC msg=audit(1266865713.247:511): avc: denied { getattr } for pid=3371 comm="mingetty" path="/var/lib/postfix/master.lock" dev=sda2 ino=129843 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_data_t tclass=file type=AVC msg=audit(1266865713.247:512): avc: denied { getattr } for pid=3375 comm="mingetty" path="pipe:[16406]" dev=pipefs ino=16406 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file type=AVC msg=audit(1266865713.248:513): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[16041]" dev=sockfs ino=16041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=tcp_socket type=AVC msg=audit(1266865713.248:514): avc: denied { getattr } for pid=3371 comm="mingetty" path="socket:[16044]" dev=sockfs ino=16044 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.249:515): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/spool/postfix/public/pickup" dev=sda2 ino=160311 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_public_t tclass=fifo_file type=AVC msg=audit(1266865713.251:516): avc: denied { search } for pid=3374 comm="mingetty" name="3211" dev=proc ino=16309 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266865713.253:517): avc: denied { read } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17347 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266865713.255:518): avc: denied { open } for pid=3371 comm="mingetty" name="maps" dev=proc ino=17347 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266865713.258:519): avc: denied { getattr } for pid=3373 comm="mingetty" path="/proc/3211/maps" dev=proc ino=17347 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=file type=AVC msg=audit(1266865713.260:520): avc: denied { read } for pid=3369 comm="mingetty" name="fd" dev=proc ino=16781 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266865713.266:521): avc: denied { open } for pid=3371 comm="mingetty" name="fd" dev=proc ino=16781 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266865713.266:522): avc: denied { read } for pid=3375 comm="mingetty" name="0" dev=proc ino=16782 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=lnk_file type=AVC msg=audit(1266865713.267:523): avc: denied { getattr } for pid=3374 comm="mingetty" path="/var/run/cron.pid" dev=sda2 ino=153272 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:crond_var_run_t tclass=file type=AVC msg=audit(1266865713.270:524): avc: denied { getattr } for pid=3372 comm="mingetty" path="socket:[16301]" dev=sockfs ino=16301 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.272:525): avc: denied { search } for pid=3371 comm="mingetty" name="3215" dev=proc ino=16602 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266865713.273:526): avc: denied { read } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17348 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266865713.273:527): avc: denied { open } for pid=3369 comm="mingetty" name="maps" dev=proc ino=17348 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266865713.273:528): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/3215/maps" dev=proc ino=17348 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=file type=AVC msg=audit(1266865713.274:529): avc: denied { read } for pid=3375 comm="mingetty" name="fd" dev=proc ino=16790 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266865713.275:530): avc: denied { open } for pid=3374 comm="mingetty" name="fd" dev=proc ino=16790 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=dir type=AVC msg=audit(1266865713.276:531): avc: denied { read } for pid=3371 comm="mingetty" name="0" dev=proc ino=16791 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=lnk_file type=AVC msg=audit(1266865713.276:532): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[16581]" dev=sockfs ino=16581 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_pickup_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.278:533): avc: denied { search } for pid=3373 comm="mingetty" name="3218" dev=proc ino=16684 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266865713.278:534): avc: denied { read } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17349 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266865713.279:535): avc: denied { open } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17349 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266865713.279:536): avc: denied { getattr } for pid=3371 comm="mingetty" path="/proc/3218/maps" dev=proc ino=17349 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=file type=AVC msg=audit(1266865713.280:537): avc: denied { read } for pid=3374 comm="mingetty" name="fd" dev=proc ino=16816 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266865713.280:538): avc: denied { open } for pid=3375 comm="mingetty" name="fd" dev=proc ino=16816 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=dir type=AVC msg=audit(1266865713.281:539): avc: denied { read } for pid=3371 comm="mingetty" name="0" dev=proc ino=16817 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=lnk_file type=AVC msg=audit(1266865713.282:540): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[16611]" dev=sockfs ino=16611 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_qmgr_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.282:541): avc: denied { getattr } for pid=3374 comm="mingetty" path="/etc/postfix/relay.db" dev=sda2 ino=129689 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:postfix_etc_t tclass=file type=AVC msg=audit(1266865713.287:542): avc: denied { getattr } for pid=3375 comm="mingetty" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:devpts_t tclass=chr_file type=AVC msg=audit(1266865713.291:543): avc: denied { search } for pid=3371 comm="mingetty" name="3358" dev=proc ino=17131 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865713.296:544): avc: denied { read } for pid=3374 comm="mingetty" name="fd" dev=proc ino=17365 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865713.306:545): avc: denied { open } for pid=3369 comm="mingetty" name="fd" dev=proc ino=17365 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865713.313:546): avc: denied { getattr } for pid=3373 comm="mingetty" path="/proc/3211/fd" dev=proc ino=16781 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:crond_t tclass=dir type=AVC msg=audit(1266865713.330:547): avc: denied { getattr } for pid=3372 comm="mingetty" path="/proc/3269/fd" dev=proc ino=16921 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=dir type=AVC msg=audit(1266865713.332:548): avc: denied { read } for pid=3375 comm="mingetty" name="maps" dev=proc ino=17364 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865713.333:549): avc: denied { open } for pid=3374 comm="mingetty" name="maps" dev=proc ino=17370 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865713.333:550): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/3359/maps" dev=proc ino=17370 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=file type=AVC msg=audit(1266865713.345:551): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/196/fd" dev=proc ino=10693 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=dir type=AVC msg=audit(1266865713.353:552): avc: denied { getattr } for pid=3375 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4088 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266865713.353:553): avc: denied { getattr } for pid=3369 comm="mingetty" path="/proc/258/fd" dev=proc ino=10695 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:initrc_t tclass=dir type=AVC msg=audit(1266865713.380:554): avc: denied { getattr } for pid=3372 comm="mingetty" path="socket:[4162]" dev=sockfs ino=4162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.381:555): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[4163]" dev=sockfs ino=4163 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket type=AVC msg=audit(1266865713.392:556): avc: denied { getattr } for pid=3375 comm="mingetty" path="socket:[6783]" dev=sockfs ino=6783 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.425:557): avc: denied { getattr } for pid=3373 comm="mingetty" path="socket:[4162]" dev=sockfs ino=4162 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:udev_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.475:558): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[11686]" dev=sockfs ino=11686 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:xdm_t tclass=unix_dgram_socket type=AVC msg=audit(1266865713.575:559): avc: denied { getattr } for pid=3369 comm="mingetty" path="/var/log/firewall" dev=sda2 ino=26232 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865713.595:560): avc: denied { getattr } for pid=3372 comm="mingetty" path="/var/log/acpid" dev=sda2 ino=26239 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:apmd_log_t tclass=file type=AVC msg=audit(1266865713.633:561): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[12452]" dev=sockfs ino=12452 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=udp_socket type=AVC msg=audit(1266865713.644:562): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[12281]" dev=sockfs ino=12281 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket type=AVC msg=audit(1266865713.677:563): avc: denied { getattr } for pid=3374 comm="mingetty" path="/dev/fuse" dev=tmpfs ino=5910 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file type=AVC msg=audit(1266865714.005:564): avc: denied { write } for pid=3026 comm="nscd" path="pipe:[17433]" dev=pipefs ino=17433 scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=fifo_file type=AVC msg=audit(1266865714.022:565): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14030]" dev=sockfs ino=14030 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=netlink_audit_socket type=AVC msg=audit(1266865714.026:566): avc: denied { getattr } for pid=3373 comm="mingetty" path="socket:[14033]" dev=sockfs ino=14033 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:auditd_t tclass=unix_stream_socket type=AVC msg=audit(1266865714.029:567): avc: denied { getattr } for pid=3375 comm="mingetty" path="socket:[14041]" dev=sockfs ino=14041 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:audisp_t tclass=unix_stream_socket type=AVC msg=audit(1266865714.033:568): avc: denied { getattr } for pid=3374 comm="mingetty" path="socket:[14100]" dev=sockfs ino=14100 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=unix_stream_socket type=AVC msg=audit(1266865714.034:569): avc: denied { getattr } for pid=3369 comm="mingetty" path="socket:[14108]" dev=sockfs ino=14108 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:avahi_t tclass=udp_socket type=AVC msg=audit(1266865714.122:570): avc: denied { read } for pid=3374 comm="mingetty" name="0" dev=proc ino=16475 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=lnk_file type=AVC msg=audit(1266865714.392:571): avc: denied { getsched } for pid=1951 comm="rtkit-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865714.418:572): avc: denied { execstack } for pid=3398 comm="git" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process type=AVC msg=audit(1266865718.002:573): avc: denied { read } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865718.003:574): avc: denied { open } for pid=2733 comm="devkit-disks-da" name="sr0" dev=tmpfs ino=5301 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file type=AVC msg=audit(1266865720.056:575): avc: denied { append } for pid=2807 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865749.357:576): avc: denied { execute } for pid=3428 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865749.358:577): avc: denied { read open } for pid=3428 comm="dbus-daemon-lau" name="packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865749.358:578): avc: denied { execute_no_trans } for pid=3428 comm="dbus-daemon-lau" path="/usr/sbin/packagekitd" dev=sda2 ino=33216 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file type=AVC msg=audit(1266865749.404:579): avc: denied { getattr } for pid=3428 comm="packagekitd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:inotifyfs_t tclass=dir type=AVC msg=audit(1266865749.408:580): avc: denied { execstack } for pid=3428 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266865749.408:581): avc: denied { execmem } for pid=3428 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process type=AVC msg=audit(1266865749.443:582): avc: denied { search } for pid=3428 comm="packagekitd" name="log" dev=sda2 ino=26231 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865749.444:583): avc: denied { getattr } for pid=3428 comm="packagekitd" path="/var/log/pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865749.444:584): avc: denied { open } for pid=3428 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865749.445:585): avc: denied { setattr } for pid=3428 comm="packagekitd" name="pk_backend_zypp" dev=sda2 ino=129898 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file type=AVC msg=audit(1266865749.483:586): avc: denied { getattr } for pid=3428 comm="packagekitd" path="/var/lib/rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865749.483:587): avc: denied { search } for pid=3428 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865749.483:588): avc: denied { getattr } for pid=3428 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865749.485:589): avc: denied { write } for pid=3428 comm="packagekitd" name="rpm" dev=sda2 ino=66039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir type=AVC msg=audit(1266865749.486:590): avc: denied { read } for pid=3428 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865749.486:591): avc: denied { open } for pid=3428 comm="packagekitd" name="Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865749.486:592): avc: denied { lock } for pid=3428 comm="packagekitd" path="/var/lib/rpm/Packages" dev=sda2 ino=66329 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:rpm_var_lib_t tclass=file type=AVC msg=audit(1266865749.494:593): avc: denied { execute } for pid=3432 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865749.494:594): avc: denied { read open } for pid=3432 comm="packagekitd" name="gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865749.494:595): avc: denied { execute_no_trans } for pid=3432 comm="packagekitd" path="/usr/bin/gpg2" dev=sda2 ino=10780 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:gpg_exec_t tclass=file type=AVC msg=audit(1266865749.503:596): avc: denied { ipc_lock } for pid=3432 comm="gpg2" capability=14 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=capability type=AVC msg=audit(1266865749.538:597): avc: denied { read } for pid=3434 comm="packagekitd" name="gpg" dev=sda2 ino=44794 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file type=AVC msg=audit(1266865749.917:598): avc: denied { getattr } for pid=3428 comm="packagekitd" path="/var/log/zypp" dev=sda2 ino=65987 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir type=AVC msg=audit(1266865749.942:599): avc: denied { write } for pid=3428 comm="packagekitd" name="transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865749.943:600): avc: denied { lock } for pid=3428 comm="packagekitd" path="/var/lib/PackageKit/transactions.db" dev=sda2 ino=35546 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865750.039:601): avc: denied { write } for pid=3428 comm="packagekitd" name="PackageKit" dev=sda2 ino=35545 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266865750.040:602): avc: denied { add_name } for pid=3428 comm="packagekitd" name="transactions.db-journal" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266865750.040:603): avc: denied { create } for pid=3428 comm="packagekitd" name="transactions.db-journal" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865750.114:604): avc: denied { remove_name } for pid=3428 comm="packagekitd" name="transactions.db-journal" dev=sda2 ino=160363 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=dir type=AVC msg=audit(1266865750.115:605): avc: denied { unlink } for pid=3428 comm="packagekitd" name="transactions.db-journal" dev=sda2 ino=160363 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1266865752.737:606): avc: denied { getattr } for pid=3452 comm="packagekitd" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266865752.738:607): avc: denied { read } for pid=3452 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266865752.738:608): avc: denied { open } for pid=3452 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266865752.738:609): avc: denied { search } for pid=3452 comm="packagekitd" name="/" dev=fusectl ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=dir type=AVC msg=audit(1266865752.739:610): avc: denied { getattr } for pid=3452 comm="packagekitd" path="/sys/fs/fuse/connections/18/abort" dev=fusectl ino=12388 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fusefs_t tclass=file type=AVC msg=audit(1266865752.910:611): avc: denied { getattr } for pid=3452 comm="packagekitd" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266865752.910:612): avc: denied { read } for pid=3452 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266865752.911:613): avc: denied { open } for pid=3452 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266865752.911:614): avc: denied { search } for pid=3452 comm="packagekitd" name="/" dev=debugfs ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=dir type=AVC msg=audit(1266865752.912:615): avc: denied { getattr } for pid=3452 comm="packagekitd" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4088 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:debugfs_t tclass=file type=AVC msg=audit(1266865832.609:616): avc: denied { write } for pid=1952 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file type=AVC msg=audit(1266865832.610:617): avc: denied { read } for pid=1956 comm="rtkit-daemon" path="anon_inode:[eventfd]" dev=anon_inodefs ino=357 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:anon_inodefs_t tclass=file ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-22 19:12 ` Alan Rouse @ 2010-02-22 19:37 ` Stephen Smalley 0 siblings, 0 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 19:37 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Mon, 2010-02-22 at 14:12 -0500, Alan Rouse wrote: > Stephen wrote: > > You need to perform a restorecon -R /dev from /etc/rc.d/rc.sysinit so that the tmpfs /dev mount is properly > > labeled. File a bug against whatever package owns that file in OpenSUSE (in Fedora, it is the initscripts > > rpm). > > The scripts are different in suse. I've placed the restorecon command in /etc/init.d/boot prior to the first mount attempt. That seems to do the trick -- the denied messages related to tempfs are now gone. > > See attached audit.log from the subsequent boot. At this point, I think you can take the particular avc messages (split up by logical grouping, e.g. for each unique scontext=) to the refpolicy list (refpolicy@oss.tresys.com) and see about getting them resolved upstream. There may need to be some suse-specific rules added to the refpolicy. In the interim, you can always create a local policy module via audit2allow to enable your system to work. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:37 ` Stephen Smalley 2010-02-19 21:53 ` Alan Rouse @ 2010-02-19 23:48 ` Justin P. mattock 2010-02-22 1:29 ` Justin P. mattock 2 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 23:48 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' hmm.. just rebuilt dbus from scratch and am still hitting this dbus error (so maybe it's something else other than dbus). also rebuilt userspace tools/libs loaded them up as well but still dbus error. Main thing right now is I've a bug in the kernel that needs looking at, so maybe alan can look into this, and/or file a bug so the suse guys can. (reason for the re-installing this morning). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:37 ` Stephen Smalley 2010-02-19 21:53 ` Alan Rouse 2010-02-19 23:48 ` Justin P. mattock @ 2010-02-22 1:29 ` Justin P. mattock 2 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-22 1:29 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' hmm... this dbus error is a bugger.. spent yesterday and most of today on this. (and I know I said I was going to goto a kernel bug). Anyways: seems after doing a fresh install then installing the selinux apps/libs the system has not done an initial relabel, upon reboot gdm will restart/flicker 5 times before erroring out, then drop you to a general login. If I chmod 644 /etc/selinux/config this goes away. (my guess is libselinux didn't have the permissions to read the config defaulting to "targeted"). but as soon as I relabel the filesystem the dbus error will appear(but not the screen flickering 5 times). when this happens I: vim /etc/selinux/refpolicy-standard/booleans and change init_upstart to true. then I can bootup. why is init_upstart needed in order for this to work, when this system uses sysvinit? positive side is this thing boots up without the need for the policy to be named targeted. Justin P. mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:25 ` Stephen Smalley 2010-02-19 21:30 ` Alan Rouse @ 2010-02-19 21:47 ` Justin P. mattock 2010-02-22 14:00 ` Stephen Smalley 2010-02-22 17:58 ` Alan Rouse 1 sibling, 2 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-19 21:47 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/19/2010 01:25 PM, Stephen Smalley wrote: > On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: >> Ok, in case this might be useful to someone else, here's my recipe for an OpenSuse 11.2 system booting to the desktop using SELinux in permissive mode. (Next step for me is to fix a few pages of AVC denied messages...) >> >> 1. Default install of OpenSuse 11.2 (used Gnome desktop) >> 2. Boot normally to desktop, open terminal, su - >> 3. Do this: >> >> zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git >> >> vi /boot/grub/menu.lst >> -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0" >> >> cd /etc/selinux >> cp -R refpolicy-standard targeted >> usermod -s /sbin/nologin nobody >> reboot<should boot to desktop> >> =============== >> Get policy src: >> =============== >> -- launch firefox, go to http://software.opensuse.org/search/ >> -- search for selinux-policy, download src >> -- install src rpm >> cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp >> cd /tmp >> bunzip2 refpolicy-2.20081210.tar.bz2 >> tar xvf refpolicy-2.20081210.tar >> cd refpolicy >> vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n) >> make clean; make conf; make; make install; make load; make install-src >> cd /etc/selinux/refpolicy-standard/src/policy >> make clean; make conf; make; make install; make load >> cd /etc/selinux >> rsync -avz refpolicy-standard/ targeted > > Why is it necessary to download and rebuild the source policy? Did they > build it as a monolithic policy? > it is monolithic.. I looked in /usr/share/ but nothing pertaining to SELinux. so instead of hunting around for the package I just downloaded the source.(I'm sure suse has the source somewhere). >> reboot >> ============================= >> End of getting policy source: >> ============================= >> setsebool -P init_upstart=on >> setsebool -P xdm_sysadm_login=on >> setsebool -P xserver_object_manager=on > > I think you only need the first boolean setting. > And we should likely introduce an ifdef for suse in refpolicy that > always disables that transition so that you don't have to artificially > turn on that boolean. > as a test I built the policy with init_upstart=off system crashes and burns with gdm/xserver(dbus error). then changing to init_upstart=on xserver/gdm started right up. my question is why? especially if this is sysvinit. >> fixfiles relabel >> -- put SETLOCALDEFS=0 in /etc/selinux/config >> reboot >> >> And we're now in the desktop with a relabeled system and selinux in permissive mode. >> ================================================================================ >> >> Here's what "audit2allow -al" shows now... >> >> #============= avahi_t ============== >> allow avahi_t tmpfs_t:dir search; >> allow avahi_t tmpfs_t:sock_file write; > > It would be useful to see the raw audit message with what directory/file > is being accessed. tmpfs_t indicates a tmpfs mount, which might mean > you have a mislabeled tmpfs mount (e.g. /dev is a tmpfs mount that > should be relabeled by rc.sysinit via restorecon -R /dev). > I can send a seperat attachment with messages/audit.log but wont be surprised if the contents are too large. (I'll send anyways). > alan, here is a good tutorial on the login: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4 just make sure /etc/pam.d/* has pam_selinux.so close/open (in the certain files) Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:47 ` Justin P. mattock @ 2010-02-22 14:00 ` Stephen Smalley 2010-02-22 19:27 ` Justin Mattock 2010-02-22 17:58 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 14:00 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, 'selinux@tycho.nsa.gov', Christopher J. PeBenito On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote: > On 02/19/2010 01:25 PM, Stephen Smalley wrote: > > On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: > >> setsebool -P init_upstart=on > >> setsebool -P xdm_sysadm_login=on > >> setsebool -P xserver_object_manager=on > > > > I think you only need the first boolean setting. > > And we should likely introduce an ifdef for suse in refpolicy that > > always disables that transition so that you don't have to artificially > > turn on that boolean. > > > > as a test I built the policy with init_upstart=off > system crashes and burns with gdm/xserver(dbus error). > then changing to init_upstart=on xserver/gdm started right up. > > my question is why? especially if this is sysvinit. The refpolicy defines a domain transition from init_t to sysadm_t upon executing a shell so that the single-user mode shell is automatically run in sysadm_t, and it defines a domain transition from init_t to initrc_t upon executing an rc script (initrc_exec_t) so that rc scripts are automatically run in initrc_t. This worked with sysvinit in Fedora and Debian. However, upstart launches all services via shell command and thus all services would be run in sysadm_t if we kept that transition, so the refpolicy has the following logic (in system/init.te): tunable_policy(`init_upstart',` corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. # causes problems with upstart sysadm_shell_domtrans(init_t) ') This snippet means: if init_upstart=on, then transition from init_t to initrc_t upon executing a shell, else transition from init_t to sysadm_t upon executing a shell. I had suggested trying init_upstart=on in OpenSUSE because the sestatus and pstree output showed that most processes launched by init were running in sysadm_t, similar to what would happen on a system using upstart if that boolean were not enabled. This suggests that something is different about the sysvinit setup in OpenSUSE. It might be useful to see your /etc/inittab file contents. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 14:00 ` Stephen Smalley @ 2010-02-22 19:27 ` Justin Mattock [not found] ` <dd18b0c31002221129s4be9b56cha13b7be39c2cba36@mail.gmail.com> 0 siblings, 1 reply; 113+ messages in thread From: Justin Mattock @ 2010-02-22 19:27 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito [-- Attachment #1: Type: text/plain, Size: 2965 bytes --] On Mon, Feb 22, 2010 at 6:00 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote: >> On 02/19/2010 01:25 PM, Stephen Smalley wrote: >> > On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: >> >> setsebool -P init_upstart=on >> >> setsebool -P xdm_sysadm_login=on >> >> setsebool -P xserver_object_manager=on >> > >> > I think you only need the first boolean setting. >> > And we should likely introduce an ifdef for suse in refpolicy that >> > always disables that transition so that you don't have to artificially >> > turn on that boolean. >> > >> >> as a test I built the policy with init_upstart=off >> system crashes and burns with gdm/xserver(dbus error). >> then changing to init_upstart=on xserver/gdm started right up. >> >> my question is why? especially if this is sysvinit. > > The refpolicy defines a domain transition from init_t to sysadm_t upon > executing a shell so that the single-user mode shell is automatically > run in sysadm_t, and it defines a domain transition from init_t to > initrc_t upon executing an rc script (initrc_exec_t) so that rc scripts > are automatically run in initrc_t. This worked with sysvinit in Fedora > and Debian. However, upstart launches all services via shell command > and thus all services would be run in sysadm_t if we kept that > transition, so the refpolicy has the following logic (in > system/init.te): > > tunable_policy(`init_upstart',` > corecmd_shell_domtrans(init_t, initrc_t) > ',` > # Run the shell in the sysadm role for single-user mode. > # causes problems with upstart > sysadm_shell_domtrans(init_t) > ') > > This snippet means: if init_upstart=on, then transition from init_t to > initrc_t upon executing a shell, else transition from init_t to sysadm_t > upon executing a shell. > > I had suggested trying init_upstart=on in OpenSUSE because the sestatus > and pstree output showed that most processes launched by init were > running in sysadm_t, similar to what would happen on a system using > upstart if that boolean were not enabled. > > This suggests that something is different about the sysvinit setup in > OpenSUSE. It might be useful to see your /etc/inittab file contents. > > -- > Stephen Smalley > National Security Agency > > alright attached is dmesg and audit.log both were cleaned out before the initial boot. yesterday I rebuilt sysvinit with the version I use on my system and the patch that dan had given me. but during the whole thing I can't remember If I was able to bootup without the init_upstart boolean turned on.(I'll rebuild that package and see if this is the case, if so then this tells me that whatever/however suse built sysvinit acts more like upstart(but could be wrong)). (BTW: I'll go(if need be) and file these, later on once I get this thing cleaned and sorted out) -- Justin P. Mattock [-- Attachment #2: dmesg --] [-- Type: application/octet-stream, Size: 92044 bytes --] [ 0.000000] Linux version 2.6.31.5-0.1-desktop (geeko@buildhost) (gcc version 4.4.1 [gcc-4_4-branch revision 150839] (SUSE Linux) ) #1 SMP PREEMPT 2009-10-26 15:49:03 +0100 [ 0.000000] Command line: root=/dev/disk/by-id/ata-FUJITSU_MHW2120BH_NZ0ST6C2ANJR-part3 resume=/dev/disk/by-id/ata-FUJITSU_MHW2120BH_NZ0ST6C2ANJR-part4 splash=silent quiet security=selinux selinux=1 enforcing=0 audit=1 vga=0x317 [ 0.000000] KERNEL supported cpus: [ 0.000000] Intel GenuineIntel [ 0.000000] AMD AuthenticAMD [ 0.000000] Centaur CentaurHauls [ 0.000000] BIOS-provided physical RAM map: [ 0.000000] BIOS-e820: 0000000000000000 - 000000000009fc00 (usable) [ 0.000000] BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved) [ 0.000000] BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved) [ 0.000000] BIOS-e820: 0000000000100000 - 000000003f0ea000 (usable) [ 0.000000] BIOS-e820: 000000003f0ea000 - 000000003f2eb000 (ACPI NVS) [ 0.000000] BIOS-e820: 000000003f2eb000 - 000000003febe000 (ACPI data) [ 0.000000] BIOS-e820: 000000003febe000 - 000000003feef000 (ACPI NVS) [ 0.000000] BIOS-e820: 000000003feef000 - 000000003ff00000 (ACPI data) [ 0.000000] BIOS-e820: 000000003ff00000 - 0000000040000000 (reserved) [ 0.000000] BIOS-e820: 00000000f0000000 - 00000000f4000000 (reserved) [ 0.000000] BIOS-e820: 00000000fec00000 - 00000000fec01000 (reserved) [ 0.000000] BIOS-e820: 00000000fed14000 - 00000000fed1a000 (reserved) [ 0.000000] BIOS-e820: 00000000fed1c000 - 00000000fed20000 (reserved) [ 0.000000] BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved) [ 0.000000] BIOS-e820: 00000000ffe00000 - 0000000100000000 (reserved) [ 0.000000] DMI 2.4 present. [ 0.000000] last_pfn = 0x3f0ea max_arch_pfn = 0x400000000 [ 0.000000] MTRR default type: uncachable [ 0.000000] MTRR fixed ranges enabled: [ 0.000000] 00000-9FFFF write-back [ 0.000000] A0000-BFFFF uncachable [ 0.000000] C0000-CFFFF write-protect [ 0.000000] D0000-DFFFF uncachable [ 0.000000] E0000-FFFFF write-protect [ 0.000000] MTRR variable ranges enabled: [ 0.000000] 0 base 0FFE00000 mask FFFE00000 write-protect [ 0.000000] 1 base 000000000 mask FC0000000 write-back [ 0.000000] 2 base 03FF00000 mask FFFF00000 uncachable [ 0.000000] 3 disabled [ 0.000000] 4 disabled [ 0.000000] 5 disabled [ 0.000000] 6 disabled [ 0.000000] 7 disabled [ 0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106 [ 0.000000] e820 update range: 0000000000001000 - 0000000000006000 (usable) ==> (reserved) [ 0.000000] Scanning 1 areas for low memory corruption [ 0.000000] modified physical RAM map: [ 0.000000] modified: 0000000000000000 - 0000000000001000 (usable) [ 0.000000] modified: 0000000000001000 - 0000000000006000 (reserved) [ 0.000000] modified: 0000000000006000 - 000000000009fc00 (usable) [ 0.000000] modified: 000000000009fc00 - 00000000000a0000 (reserved) [ 0.000000] modified: 00000000000e0000 - 0000000000100000 (reserved) [ 0.000000] modified: 0000000000100000 - 000000003f0ea000 (usable) [ 0.000000] modified: 000000003f0ea000 - 000000003f2eb000 (ACPI NVS) [ 0.000000] modified: 000000003f2eb000 - 000000003febe000 (ACPI data) [ 0.000000] modified: 000000003febe000 - 000000003feef000 (ACPI NVS) [ 0.000000] modified: 000000003feef000 - 000000003ff00000 (ACPI data) [ 0.000000] modified: 000000003ff00000 - 0000000040000000 (reserved) [ 0.000000] modified: 00000000f0000000 - 00000000f4000000 (reserved) [ 0.000000] modified: 00000000fec00000 - 00000000fec01000 (reserved) [ 0.000000] modified: 00000000fed14000 - 00000000fed1a000 (reserved) [ 0.000000] modified: 00000000fed1c000 - 00000000fed20000 (reserved) [ 0.000000] modified: 00000000fee00000 - 00000000fee01000 (reserved) [ 0.000000] modified: 00000000ffe00000 - 0000000100000000 (reserved) [ 0.000000] initial memory mapped : 0 - 20000000 [ 0.000000] init_memory_mapping: 0000000000000000-000000003f0ea000 [ 0.000000] 0000000000 - 003f000000 page 2M [ 0.000000] 003f000000 - 003f0ea000 page 4k [ 0.000000] kernel direct mapping tables up to 3f0ea000 @ 8000-b000 [ 0.000000] RAMDISK: 37974000 - 37fefc2f [ 0.000000] ACPI: RSDP 00000000000fe020 00024 (v02 APPLE ) [ 0.000000] ACPI: XSDT 000000003fefd1c0 00074 (v01 APPLE Apple00 000000A5 01000013) [ 0.000000] ACPI: FACP 000000003fefb000 000F4 (v03 APPLE Apple00 000000A5 Loki 0000005F) [ 0.000000] ACPI: DSDT 000000003fef0000 048D1 (v01 APPLE MacBookP 00020002 INTL 20050309) [ 0.000000] ACPI: FACS 000000003fec0000 00040 [ 0.000000] ACPI: HPET 000000003fefa000 00038 (v01 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: APIC 000000003fef9000 00068 (v01 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: MCFG 000000003fef8000 0003C (v01 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: ASF! 000000003fef7000 000A0 (v32 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: SBST 000000003fef6000 00030 (v01 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: ECDT 000000003fef5000 00053 (v01 APPLE Apple00 00000001 Loki 0000005F) [ 0.000000] ACPI: SSDT 000000003feef000 004DC (v01 APPLE CpuPm 00003000 INTL 20050309) [ 0.000000] ACPI: SSDT 000000003febd000 0064F (v01 SataRe SataPri 00001000 INTL 20050309) [ 0.000000] ACPI: SSDT 000000003febc000 0069C (v01 SataRe SataSec 00001000 INTL 20050309) [ 0.000000] ACPI: Local APIC address 0xfee00000 [ 0.000000] No NUMA configuration found [ 0.000000] Faking a node at 0000000000000000-000000003f0ea000 [ 0.000000] Bootmem setup node 0 0000000000000000-000000003f0ea000 [ 0.000000] NODE_DATA [0000000000009000 - 0000000000020fff] [ 0.000000] bootmap [0000000000021000 - 0000000000028e1f] pages 8 [ 0.000000] (7 early reservations) ==> bootmem [0000000000 - 003f0ea000] [ 0.000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000] [ 0.000000] #1 [0000006000 - 0000008000] TRAMPOLINE ==> [0000006000 - 0000008000] [ 0.000000] #2 [0001000000 - 0001c4bf70] TEXT DATA BSS ==> [0001000000 - 0001c4bf70] [ 0.000000] #3 [0037974000 - 0037fefc2f] RAMDISK ==> [0037974000 - 0037fefc2f] [ 0.000000] #4 [000009fc00 - 0000100000] BIOS reserved ==> [000009fc00 - 0000100000] [ 0.000000] #5 [0001c4c000 - 0001c4c271] BRK ==> [0001c4c000 - 0001c4c271] [ 0.000000] #6 [0000008000 - 0000009000] PGTABLE ==> [0000008000 - 0000009000] [ 0.000000] [ffffea0000000000-ffffea0000dfffff] PMD -> [ffff880002200000-ffff880002ffffff] on node 0 [ 0.000000] Zone PFN ranges: [ 0.000000] DMA 0x00000000 -> 0x00001000 [ 0.000000] DMA32 0x00001000 -> 0x00100000 [ 0.000000] Normal 0x00100000 -> 0x00100000 [ 0.000000] Movable zone start PFN for each node [ 0.000000] early_node_map[3] active PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00000001 [ 0.000000] 0: 0x00000006 -> 0x0000009f [ 0.000000] 0: 0x00000100 -> 0x0003f0ea [ 0.000000] On node 0 totalpages: 258180 [ 0.000000] DMA zone: 56 pages used for memmap [ 0.000000] DMA zone: 100 pages reserved [ 0.000000] DMA zone: 3838 pages, LIFO batch:0 [ 0.000000] DMA32 zone: 3476 pages used for memmap [ 0.000000] DMA32 zone: 250710 pages, LIFO batch:31 [ 0.000000] ACPI: PM-Timer IO Port: 0x408 [ 0.000000] ACPI: Local APIC address 0xfee00000 [ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled) [ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled) [ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x00] high edge lint[0x1]) [ 0.000000] ACPI: LAPIC_NMI (acpi_id[0x01] high edge lint[0x1]) [ 0.000000] ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0]) [ 0.000000] IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23 [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl) [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) [ 0.000000] ACPI: IRQ0 used by override. [ 0.000000] ACPI: IRQ2 used by override. [ 0.000000] ACPI: IRQ9 used by override. [ 0.000000] Using ACPI (MADT) for SMP configuration information [ 0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000 [ 0.000000] SMP: Allowing 2 CPUs, 0 hotplug CPUs [ 0.000000] nr_irqs_gsi: 24 [ 0.000000] PM: Registered nosave memory: 0000000000001000 - 0000000000006000 [ 0.000000] PM: Registered nosave memory: 000000000009f000 - 00000000000a0000 [ 0.000000] PM: Registered nosave memory: 00000000000a0000 - 00000000000e0000 [ 0.000000] PM: Registered nosave memory: 00000000000e0000 - 0000000000100000 [ 0.000000] Allocating PCI resources starting at 40000000 (gap: 40000000:b0000000) [ 0.000000] NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:2 nr_node_ids:1 [ 0.000000] PERCPU: Embedded 28 pages at ffff880001c80000, static data 82784 bytes [ 0.000000] Built 1 zonelists in Node order, mobility grouping on. Total pages: 254548 [ 0.000000] Policy zone: DMA32 [ 0.000000] Kernel command line: root=/dev/disk/by-id/ata-FUJITSU_MHW2120BH_NZ0ST6C2ANJR-part3 resume=/dev/disk/by-id/ata-FUJITSU_MHW2120BH_NZ0ST6C2ANJR-part4 splash=silent quiet security=selinux selinux=1 enforcing=0 audit=1 vga=0x317 [ 0.000000] bootsplash: silent mode. [ 0.000000] audit: enabled (after initialization) [ 0.000000] PID hash table entries: 4096 (order: 12, 32768 bytes) [ 0.000000] Initializing CPU#0 [ 0.000000] Checking aperture... [ 0.000000] No AGP bridge found [ 0.000000] Calgary: detecting Calgary via BIOS EBDA area [ 0.000000] Calgary: Unable to locate Rio Grande table in EBDA - bailing! [ 0.000000] Memory: 998544k/1033128k available (5497k kernel code, 408k absent, 34176k reserved, 4473k data, 980k init) [ 0.000000] Hierarchical RCU implementation. [ 0.000000] NR_IRQS:4352 nr_irqs:424 [ 0.000000] Extended CMOS year: 2000 [ 0.000000] Fast TSC calibration failed [ 0.000000] TSC: Unable to calibrate against PIT [ 0.000000] TSC: using PMTIMER reference calibration [ 0.000000] Detected 2161.236 MHz processor. [ 0.000209] Console: colour dummy device 80x25 [ 0.000216] console [tty0] enabled [ 0.000474] hpet clockevent registered [ 0.000481] HPET: 3 timers in total, 0 timers will be used for per-cpu timer [ 0.000491] Calibrating delay loop (skipped), value calculated using timer frequency.. 4322.47 BogoMIPS (lpj=2161236) [ 0.000690] kdb version 4.4 by Keith Owens, Scott Lurndal. Copyright SGI, All Rights Reserved [ 0.000906] Security Framework initialized [ 0.000932] SELinux: Initializing. [ 0.000977] SELinux: Starting in permissive mode [ 0.000984] AppArmor: AppArmor disabled by boot time parameter [ 0.000986] [ 0.000999] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes) [ 0.001784] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes) [ 0.002576] Mount-cache hash table entries: 256 [ 0.002951] CPU: L1 I cache: 32K, L1 D cache: 32K [ 0.002957] CPU: L2 cache: 4096K [ 0.002964] CPU 0/0x0 -> Node 0 [ 0.002968] CPU: Physical Processor ID: 0 [ 0.002972] CPU: Processor Core ID: 0 [ 0.002978] mce: CPU supports 6 MCE banks [ 0.003011] CPU0: Thermal monitoring enabled (TM2) [ 0.003019] using mwait in idle threads. [ 0.003023] Performance Counters: Core2 events, Intel PMU driver. [ 0.003035] ... version: 2 [ 0.003038] ... bit width: 40 [ 0.003041] ... generic counters: 2 [ 0.003045] ... value mask: 000000ffffffffff [ 0.003048] ... max period: 000000007fffffff [ 0.003052] ... fixed-purpose counters: 3 [ 0.003055] ... counter mask: 0000000700000003 [ 0.005122] ACPI: Core revision 20090521 [ 0.020921] Setting APIC routing to flat [ 0.021357] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 [ 0.031375] CPU0: Intel(R) Core(TM)2 CPU T7400 @ 2.16GHz stepping 06 [ 0.031995] Booting processor 1 APIC 0x1 ip 0x6000 [ 0.000999] Initializing CPU#1 [ 0.000999] Calibrating delay using timer specific routine.. 4322.38 BogoMIPS (lpj=2161190) [ 0.000999] CPU: L1 I cache: 32K, L1 D cache: 32K [ 0.000999] CPU: L2 cache: 4096K [ 0.000999] CPU 1/0x1 -> Node 0 [ 0.000999] CPU: Physical Processor ID: 0 [ 0.000999] CPU: Processor Core ID: 1 [ 0.000999] mce: CPU supports 6 MCE banks [ 0.000999] CPU1: Thermal monitoring enabled (TM2) [ 0.000999] x86 PAT enabled: cpu 1, old 0x7040600070406, new 0x7010600070106 [ 0.104902] CPU1: Intel(R) Core(TM)2 CPU T7400 @ 2.16GHz stepping 06 [ 0.104920] checking TSC synchronization [CPU#0 -> CPU#1]: passed. [ 0.106003] Brought up 2 CPUs [ 0.106010] Total of 2 processors activated (8644.85 BogoMIPS). [ 0.106126] CPU0 attaching sched-domain: [ 0.106132] domain 0: span 0-1 level MC [ 0.106138] groups: 0 1 [ 0.106151] CPU1 attaching sched-domain: [ 0.106156] domain 0: span 0-1 level MC [ 0.106160] groups: 1 0 [ 0.110090] devtmpfs: initialized [ 0.118163] Booting paravirtualized kernel on bare hardware [ 0.118495] regulator: core version 0.5 [ 0.118495] Time: 3:01:25 Date: 02/22/10 [ 0.118495] NET: Registered protocol family 16 [ 0.118523] ACPI: bus type pci registered [ 0.118657] PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255 [ 0.118665] PCI: MCFG area at f0000000 reserved in E820 [ 0.118670] PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63 [ 0.121039] PCI: Using MMCONFIG at f0000000 - f3ffffff [ 0.121044] PCI: Using configuration type 1 for base access [ 0.123172] bio: create slab <bio-0> at 0 [ 0.125367] ACPI: EC: EC description table is found, configuring boot EC [ 0.126007] ACPI: EC: non-query interrupt received, switching to interrupt mode [ 0.134025] ACPI: BIOS _OSI(Linux) query ignored [ 0.134965] ACPI: Interpreter enabled [ 0.134973] ACPI: (supports S0 S3 S4 S5) [ 0.135038] ACPI: Using IOAPIC for interrupt routing [ 0.159083] ACPI: EC: GPE = 0x17, I/O: command/status = 0x66, data = 0x62 [ 0.159089] ACPI: EC: driver started in interrupt mode [ 0.159926] ACPI: No dock devices found. [ 0.161732] ACPI: PCI Root Bridge [PCI0] (0000:00) [ 0.161968] pci 0000:00:01.0: PME# supported from D0 D3hot D3cold [ 0.161984] pci 0000:00:01.0: PME# disabled [ 0.162043] pci 0000:00:07.0: reg 10 32bit mmio: [0x50404000-0x50404fff] [ 0.162203] pci 0000:00:1b.0: reg 10 64bit mmio: [0x50400000-0x50403fff] [ 0.162289] pci 0000:00:1b.0: PME# supported from D0 D3hot D3cold [ 0.162297] pci 0000:00:1b.0: PME# disabled [ 0.162418] pci 0000:00:1c.0: PME# supported from D0 D3hot D3cold [ 0.162426] pci 0000:00:1c.0: PME# disabled [ 0.162552] pci 0000:00:1c.1: PME# supported from D0 D3hot D3cold [ 0.162561] pci 0000:00:1c.1: PME# disabled [ 0.162685] pci 0000:00:1c.2: PME# supported from D0 D3hot D3cold [ 0.162693] pci 0000:00:1c.2: PME# disabled [ 0.162791] pci 0000:00:1d.0: reg 20 io port: [0x4080-0x409f] [ 0.162883] pci 0000:00:1d.1: reg 20 io port: [0x4060-0x407f] [ 0.162986] pci 0000:00:1d.2: reg 20 io port: [0x4040-0x405f] [ 0.163078] pci 0000:00:1d.3: reg 20 io port: [0x4020-0x403f] [ 0.163178] pci 0000:00:1d.7: reg 10 32bit mmio: [0x50405400-0x504057ff] [ 0.163266] pci 0000:00:1d.7: PME# supported from D0 D3hot D3cold [ 0.163275] pci 0000:00:1d.7: PME# disabled [ 0.163503] pci 0000:00:1f.0: quirk: region 0400-047f claimed by ICH6 ACPI/GPIO/TCO [ 0.163511] pci 0000:00:1f.0: quirk: region 0500-053f claimed by ICH6 GPIO [ 0.163519] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 1 PIO at 0680 (mask 000f) [ 0.163527] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 2 PIO at 1640 (mask 000f) [ 0.163537] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 4 PIO at 0300 (mask 001f) [ 0.163610] pci 0000:00:1f.1: reg 10 io port: [0x40d8-0x40df] [ 0.163622] pci 0000:00:1f.1: reg 14 io port: [0x40ec-0x40ef] [ 0.163634] pci 0000:00:1f.1: reg 18 io port: [0x40d0-0x40d7] [ 0.163647] pci 0000:00:1f.1: reg 1c io port: [0x40e8-0x40eb] [ 0.163659] pci 0000:00:1f.1: reg 20 io port: [0x40b0-0x40bf] [ 0.163741] pci 0000:00:1f.2: reg 10 io port: [0x40c8-0x40cf] [ 0.163754] pci 0000:00:1f.2: reg 14 io port: [0x40e4-0x40e7] [ 0.163767] pci 0000:00:1f.2: reg 18 io port: [0x40c0-0x40c7] [ 0.163779] pci 0000:00:1f.2: reg 1c io port: [0x40e0-0x40e3] [ 0.163791] pci 0000:00:1f.2: reg 20 io port: [0x40a0-0x40af] [ 0.163804] pci 0000:00:1f.2: reg 24 32bit mmio: [0x50405000-0x504053ff] [ 0.163847] pci 0000:00:1f.2: PME# supported from D3hot [ 0.163855] pci 0000:00:1f.2: PME# disabled [ 0.163939] pci 0000:00:1f.3: reg 20 io port: [0xefa0-0xefbf] [ 0.164053] pci 0000:01:00.0: reg 10 32bit mmio: [0x40000000-0x47ffffff] [ 0.164066] pci 0000:01:00.0: reg 14 io port: [0x3000-0x30ff] [ 0.164080] pci 0000:01:00.0: reg 18 32bit mmio: [0x50300000-0x5030ffff] [ 0.164109] pci 0000:01:00.0: reg 30 32bit mmio: [0xfffe0000-0xffffffff] [ 0.164154] pci 0000:01:00.0: supports D1 D2 [ 0.164185] pci 0000:01:00.0: disabling ASPM on pre-1.1 PCIe device. You can enable it with 'pcie_aspm=force' [ 0.164302] pci 0000:00:01.0: bridge io port: [0x3000-0x3fff] [ 0.164309] pci 0000:00:01.0: bridge 32bit mmio: [0x50300000-0x503fffff] [ 0.164319] pci 0000:00:01.0: bridge 64bit mmio pref: [0x40000000-0x47ffffff] [ 0.164423] pci 0000:02:00.0: reg 10 64bit mmio: [0x50200000-0x50203fff] [ 0.164439] pci 0000:02:00.0: reg 18 io port: [0x2000-0x20ff] [ 0.164485] pci 0000:02:00.0: reg 30 32bit mmio: [0xfffe0000-0xffffffff] [ 0.164555] pci 0000:02:00.0: supports D1 D2 [ 0.164560] pci 0000:02:00.0: PME# supported from D0 D1 D2 D3hot D3cold [ 0.164570] pci 0000:02:00.0: PME# disabled [ 0.164617] pci 0000:02:00.0: disabling ASPM on pre-1.1 PCIe device. You can enable it with 'pcie_aspm=force' [ 0.164763] pci 0000:00:1c.0: bridge io port: [0x2000-0x2fff] [ 0.164772] pci 0000:00:1c.0: bridge 32bit mmio: [0x50200000-0x502fffff] [ 0.164875] pci 0000:03:00.0: reg 10 64bit mmio: [0x50100000-0x5010ffff] [ 0.165000] pci 0000:03:00.0: supports D1 [ 0.165005] pci 0000:03:00.0: PME# supported from D0 D1 D3hot [ 0.165014] pci 0000:03:00.0: PME# disabled [ 0.165073] pci 0000:03:00.0: disabling ASPM on pre-1.1 PCIe device. You can enable it with 'pcie_aspm=force' [ 0.165213] pci 0000:00:1c.1: bridge 32bit mmio: [0x50100000-0x501fffff] [ 0.165315] pci 0000:00:1c.2: bridge io port: [0x1000-0x1fff] [ 0.165324] pci 0000:00:1c.2: bridge 32bit mmio: [0x4c100000-0x500fffff] [ 0.165337] pci 0000:00:1c.2: bridge 64bit mmio pref: [0x48000000-0x4bffffff] [ 0.165414] pci 0000:0c:03.0: reg 10 32bit mmio: [0x4c004000-0x4c0047ff] [ 0.165428] pci 0000:0c:03.0: reg 14 32bit mmio: [0x4c000000-0x4c003fff] [ 0.165512] pci 0000:0c:03.0: supports D1 D2 [ 0.165516] pci 0000:0c:03.0: PME# supported from D0 D1 D2 D3hot [ 0.165525] pci 0000:0c:03.0: PME# disabled [ 0.165614] pci 0000:00:1e.0: transparent bridge [ 0.165626] pci 0000:00:1e.0: bridge 32bit mmio: [0x4c000000-0x4c0fffff] [ 0.165684] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT] [ 0.166122] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.PEGP._PRT] [ 0.166317] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.RP01._PRT] [ 0.166504] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.RP02._PRT] [ 0.166689] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.RP03._PRT] [ 0.166929] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.PCIB._PRT] [ 0.184081] ACPI: PCI Interrupt Link [LNKA] (IRQs 1 3 4 5 6 7 10 12 14 15) *11 [ 0.184335] ACPI: PCI Interrupt Link [LNKB] (IRQs 1 3 4 5 6 7 *11 12 14 15) [ 0.184579] ACPI: PCI Interrupt Link [LNKC] (IRQs 1 3 4 5 6 7 10 12 14 15) *11 [ 0.184823] ACPI: PCI Interrupt Link [LNKD] (IRQs 1 3 4 5 6 7 *11 12 14 15) [ 0.185079] ACPI: PCI Interrupt Link [LNKE] (IRQs 1 3 4 5 6 7 10 12 14 15) *0, disabled. [ 0.185322] ACPI: PCI Interrupt Link [LNKF] (IRQs 1 3 4 5 6 7 11 12 14 15) *0, disabled. [ 0.185566] ACPI: PCI Interrupt Link [LNKG] (IRQs 1 3 4 5 6 7 *10 12 14 15) [ 0.185807] ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 7 *11 12 14 15) [ 0.186271] SCSI subsystem initialized [ 0.186318] libata version 3.00 loaded. [ 0.186318] usbcore: registered new interface driver usbfs [ 0.186318] usbcore: registered new interface driver hub [ 0.186318] usbcore: registered new device driver usb [ 0.186318] PCI: Using ACPI for IRQ routing [ 0.189035] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0 [ 0.189046] hpet0: 3 comparators, 64-bit 14.318180 MHz counter [ 0.196989] pnp: PnP ACPI init [ 0.197012] ACPI: bus type pnp registered [ 0.200713] pnp 00:07: io resource (0x1640-0x164f) overlaps 0000:00:1c.2 BAR 13 (0x1000-0x1fff), disabling [ 0.208175] pnp: PnP ACPI: found 9 devices [ 0.208181] ACPI: ACPI bus type pnp unregistered [ 0.208205] system 00:01: iomem range 0xf0000000-0xf3ffffff has been reserved [ 0.208212] system 00:01: iomem range 0xfed14000-0xfed17fff has been reserved [ 0.208219] system 00:01: iomem range 0xfed18000-0xfed18fff has been reserved [ 0.208225] system 00:01: iomem range 0xfed19000-0xfed19fff has been reserved [ 0.208232] system 00:01: iomem range 0xfed1c000-0xfed1ffff has been reserved [ 0.208238] system 00:01: iomem range 0xfed20000-0xfed8ffff has been reserved [ 0.208254] system 00:05: iomem range 0xfed00000-0xfed003ff has been reserved [ 0.208269] system 00:07: ioport range 0x680-0x6ef has been reserved [ 0.208275] system 00:07: ioport range 0x800-0x80f has been reserved [ 0.208281] system 00:07: ioport range 0x810-0x817 has been reserved [ 0.208287] system 00:07: ioport range 0x400-0x47f has been reserved [ 0.208294] system 00:07: ioport range 0x500-0x53f has been reserved [ 0.213424] pci 0000:01:00.0: BAR 6: no parent found for of device [0xfffe0000-0xffffffff] [ 0.213443] pci 0000:02:00.0: BAR 6: no parent found for of device [0xfffe0000-0xffffffff] [ 0.213529] pci 0000:00:01.0: PCI bridge, secondary bus 0000:01 [ 0.213535] pci 0000:00:01.0: IO window: 0x3000-0x3fff [ 0.213544] pci 0000:00:01.0: MEM window: 0x50300000-0x503fffff [ 0.213551] pci 0000:00:01.0: PREFETCH window: 0x00000040000000-0x00000047ffffff [ 0.213562] pci 0000:00:1c.0: PCI bridge, secondary bus 0000:02 [ 0.213569] pci 0000:00:1c.0: IO window: 0x2000-0x2fff [ 0.213579] pci 0000:00:1c.0: MEM window: 0x50200000-0x502fffff [ 0.213588] pci 0000:00:1c.0: PREFETCH window: 0x50500000-0x505fffff [ 0.213597] pci 0000:00:1c.1: PCI bridge, secondary bus 0000:03 [ 0.213602] pci 0000:00:1c.1: IO window: disabled [ 0.213611] pci 0000:00:1c.1: MEM window: 0x50100000-0x501fffff [ 0.213619] pci 0000:00:1c.1: PREFETCH window: disabled [ 0.213628] pci 0000:00:1c.2: PCI bridge, secondary bus 0000:04 [ 0.213634] pci 0000:00:1c.2: IO window: 0x1000-0x1fff [ 0.213644] pci 0000:00:1c.2: MEM window: 0x4c100000-0x500fffff [ 0.213654] pci 0000:00:1c.2: PREFETCH window: 0x00000048000000-0x0000004bffffff [ 0.213667] pci 0000:00:1e.0: PCI bridge, secondary bus 0000:0c [ 0.213671] pci 0000:00:1e.0: IO window: disabled [ 0.213680] pci 0000:00:1e.0: MEM window: 0x4c000000-0x4c0fffff [ 0.213688] pci 0000:00:1e.0: PREFETCH window: disabled [ 0.213707] alloc irq_desc for 16 on node 0 [ 0.213712] alloc kstat_irqs on node 0 [ 0.213722] pci 0000:00:01.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 [ 0.213731] pci 0000:00:01.0: setting latency timer to 64 [ 0.213745] alloc irq_desc for 17 on node 0 [ 0.213748] alloc kstat_irqs on node 0 [ 0.213756] pci 0000:00:1c.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17 [ 0.213765] pci 0000:00:1c.0: setting latency timer to 64 [ 0.213781] pci 0000:00:1c.1: PCI INT B -> GSI 16 (level, low) -> IRQ 16 [ 0.213789] pci 0000:00:1c.1: setting latency timer to 64 [ 0.213803] alloc irq_desc for 18 on node 0 [ 0.213807] alloc kstat_irqs on node 0 [ 0.213814] pci 0000:00:1c.2: PCI INT C -> GSI 18 (level, low) -> IRQ 18 [ 0.213823] pci 0000:00:1c.2: setting latency timer to 64 [ 0.213978] pci 0000:00:1e.0: power state changed by ACPI to D0 [ 0.213991] pci 0000:00:1e.0: setting latency timer to 64 [ 0.213999] pci_bus 0000:00: resource 0 io: [0x00-0xffff] [ 0.214005] pci_bus 0000:00: resource 1 mem: [0x000000-0xffffffffffffffff] [ 0.214011] pci_bus 0000:01: resource 0 io: [0x3000-0x3fff] [ 0.214016] pci_bus 0000:01: resource 1 mem: [0x50300000-0x503fffff] [ 0.214021] pci_bus 0000:01: resource 2 pref mem [0x40000000-0x47ffffff] [ 0.214027] pci_bus 0000:02: resource 0 io: [0x2000-0x2fff] [ 0.214032] pci_bus 0000:02: resource 1 mem: [0x50200000-0x502fffff] [ 0.214037] pci_bus 0000:02: resource 2 pref mem [0x50500000-0x505fffff] [ 0.214042] pci_bus 0000:03: resource 1 mem: [0x50100000-0x501fffff] [ 0.214048] pci_bus 0000:04: resource 0 io: [0x1000-0x1fff] [ 0.214053] pci_bus 0000:04: resource 1 mem: [0x4c100000-0x500fffff] [ 0.214058] pci_bus 0000:04: resource 2 pref mem [0x48000000-0x4bffffff] [ 0.214063] pci_bus 0000:0c: resource 1 mem: [0x4c000000-0x4c0fffff] [ 0.214068] pci_bus 0000:0c: resource 3 io: [0x00-0xffff] [ 0.214073] pci_bus 0000:0c: resource 4 mem: [0x000000-0xffffffffffffffff] [ 0.214216] NET: Registered protocol family 2 [ 0.214491] IP route cache hash table entries: 32768 (order: 6, 262144 bytes) [ 0.215890] TCP established hash table entries: 131072 (order: 9, 2097152 bytes) [ 0.217190] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes) [ 0.217865] TCP: Hash tables configured (established 131072 bind 65536) [ 0.217871] TCP reno registered [ 0.218121] NET: Registered protocol family 1 [ 0.218273] Unpacking initramfs... [ 0.492168] Freeing initrd memory: 6639k freed [ 0.499020] Scanning for low memory corruption every 60 seconds [ 0.499456] audit: initializing netlink socket (enabled) [ 0.499490] type=2000 audit(1266807685.498:1): initialized [ 0.500946] Switched to high resolution mode on CPU 1 [ 0.500961] Switched to high resolution mode on CPU 0 [ 0.507084] HugeTLB registered 2 MB page size, pre-allocated 0 pages [ 0.507416] VFS: Disk quotas dquot_6.5.2 [ 0.507501] Dquot-cache hash table entries: 512 (order 0, 4096 bytes) [ 0.507843] msgmni has been set to 490 [ 0.508012] SELinux: Registering netfilter hooks [ 0.508275] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253) [ 0.508282] io scheduler noop registered [ 0.508286] io scheduler anticipatory registered [ 0.508290] io scheduler deadline registered [ 0.508333] io scheduler cfq registered (default) [ 0.508639] pci 0000:01:00.0: Boot video device [ 0.508942] alloc irq_desc for 24 on node 0 [ 0.508947] alloc kstat_irqs on node 0 [ 0.508970] pcieport-driver 0000:00:01.0: irq 24 for MSI/MSI-X [ 0.508983] pcieport-driver 0000:00:01.0: setting latency timer to 64 [ 0.509297] alloc irq_desc for 25 on node 0 [ 0.509302] alloc kstat_irqs on node 0 [ 0.509319] pcieport-driver 0000:00:1c.0: irq 25 for MSI/MSI-X [ 0.509335] pcieport-driver 0000:00:1c.0: setting latency timer to 64 [ 0.509642] alloc irq_desc for 26 on node 0 [ 0.509647] alloc kstat_irqs on node 0 [ 0.509662] pcieport-driver 0000:00:1c.1: irq 26 for MSI/MSI-X [ 0.509679] pcieport-driver 0000:00:1c.1: setting latency timer to 64 [ 0.509982] alloc irq_desc for 27 on node 0 [ 0.509987] alloc kstat_irqs on node 0 [ 0.510012] pcieport-driver 0000:00:1c.2: irq 27 for MSI/MSI-X [ 0.510029] pcieport-driver 0000:00:1c.2: setting latency timer to 64 [ 0.510266] pci-stub: invalid id string "" [ 0.510476] vesafb: framebuffer at 0x40000000, mapped to 0xffffc90004580000, using 3072k, total 16384k [ 0.510483] vesafb: mode is 1024x768x16, linelength=2048, pages=9 [ 0.510487] vesafb: scrolling: redraw [ 0.510493] vesafb: Truecolor: size=0:5:6:5, shift=0:11:5:0 [ 0.510818] bootsplash 3.1.6-2004/03/31: looking for picture... [ 0.530441] bootsplash: silentjpeg size 100573 bytes [ 0.556889] bootsplash: ...found (1024x768, 27393 bytes, v3). [ 0.633717] Console: switching to colour frame buffer device 124x44 [ 0.709883] fb0: VESA VGA frame buffer device [ 0.713729] Non-volatile memory driver v1.3 [ 0.713735] Linux agpgart interface v0.103 [ 0.713744] Serial: 8250/16550 driver, 8 ports, IRQ sharing disabled [ 0.714856] ata_piix 0000:00:1f.1: version 2.13 [ 0.714962] ata_piix 0000:00:1f.1: power state changed by ACPI to D0 [ 0.714980] ata_piix 0000:00:1f.1: PCI INT A -> GSI 18 (level, low) -> IRQ 18 [ 0.715063] ata_piix 0000:00:1f.1: setting latency timer to 64 [ 0.715192] scsi0 : ata_piix [ 0.715414] scsi1 : ata_piix [ 0.716675] ata1: PATA max UDMA/100 cmd 0x1f0 ctl 0x3f6 bmdma 0x40b0 irq 14 [ 0.716682] ata2: PATA max UDMA/100 cmd 0x170 ctl 0x376 bmdma 0x40b8 irq 15 [ 0.716880] alloc irq_desc for 19 on node 0 [ 0.716886] alloc kstat_irqs on node 0 [ 0.716899] ata_piix 0000:00:1f.2: PCI INT B -> GSI 19 (level, low) -> IRQ 19 [ 0.716910] ata_piix 0000:00:1f.2: MAP [ P0 P2 -- -- ] [ 0.867053] ata_piix 0000:00:1f.2: setting latency timer to 64 [ 0.867167] scsi2 : ata_piix [ 0.867290] scsi3 : ata_piix [ 0.869587] ata3: SATA max UDMA/133 cmd 0x40c8 ctl 0x40e4 bmdma 0x40a0 irq 19 [ 0.869593] ata4: SATA max UDMA/133 cmd 0x40c0 ctl 0x40e0 bmdma 0x40a8 irq 19 [ 0.879797] Fixed MDIO Bus: probed [ 0.879809] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 0.880223] ata1.00: ATAPI: MATSHITADVD-R UJ-857D, KCV9, max UDMA/66 [ 0.881032] alloc irq_desc for 23 on node 0 [ 0.881037] alloc kstat_irqs on node 0 [ 0.881048] ehci_hcd 0000:00:1d.7: PCI INT A -> GSI 23 (level, low) -> IRQ 23 [ 0.881073] ehci_hcd 0000:00:1d.7: setting latency timer to 64 [ 0.881080] ehci_hcd 0000:00:1d.7: EHCI Host Controller [ 0.881140] ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1 [ 0.885092] ehci_hcd 0000:00:1d.7: debug port 1 [ 0.885103] ehci_hcd 0000:00:1d.7: cache line size of 32 is not supported [ 0.885129] ehci_hcd 0000:00:1d.7: irq 23, io mem 0x50405400 [ 0.886799] ata1.00: configured for UDMA/66 [ 0.888953] scsi 0:0:0:0: CD-ROM MATSHITA DVD-R UJ-857D KCV9 PQ: 0 ANSI: 5 [ 0.895016] ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00 [ 0.895083] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 [ 0.895089] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 0.895094] usb usb1: Product: EHCI Host Controller [ 0.895099] usb usb1: Manufacturer: Linux 2.6.31.5-0.1-desktop ehci_hcd [ 0.895104] usb usb1: SerialNumber: 0000:00:1d.7 [ 0.895255] usb usb1: configuration #1 chosen from 1 choice [ 0.895318] hub 1-0:1.0: USB hub found [ 0.895335] hub 1-0:1.0: 8 ports detected [ 0.895479] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 0.895511] uhci_hcd: USB Universal Host Controller Interface driver [ 0.895632] uhci_hcd 0000:00:1d.0: PCI INT A -> GSI 23 (level, low) -> IRQ 23 [ 0.895647] uhci_hcd 0000:00:1d.0: setting latency timer to 64 [ 0.895654] uhci_hcd 0000:00:1d.0: UHCI Host Controller [ 0.895673] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 2 [ 0.895713] uhci_hcd 0000:00:1d.0: irq 23, io base 0x00004080 [ 0.895781] usb usb2: New USB device found, idVendor=1d6b, idProduct=0001 [ 0.895786] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 0.895791] usb usb2: Product: UHCI Host Controller [ 0.895796] usb usb2: Manufacturer: Linux 2.6.31.5-0.1-desktop uhci_hcd [ 0.895800] usb usb2: SerialNumber: 0000:00:1d.0 [ 0.895940] usb usb2: configuration #1 chosen from 1 choice [ 0.895998] hub 2-0:1.0: USB hub found [ 0.896026] hub 2-0:1.0: 2 ports detected [ 0.896182] uhci_hcd 0000:00:1d.1: PCI INT B -> GSI 19 (level, low) -> IRQ 19 [ 0.896194] uhci_hcd 0000:00:1d.1: setting latency timer to 64 [ 0.896200] uhci_hcd 0000:00:1d.1: UHCI Host Controller [ 0.896224] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 3 [ 0.896261] uhci_hcd 0000:00:1d.1: irq 19, io base 0x00004060 [ 0.896333] usb usb3: New USB device found, idVendor=1d6b, idProduct=0001 [ 0.896339] usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 0.896344] usb usb3: Product: UHCI Host Controller [ 0.896348] usb usb3: Manufacturer: Linux 2.6.31.5-0.1-desktop uhci_hcd [ 0.896352] usb usb3: SerialNumber: 0000:00:1d.1 [ 0.896487] usb usb3: configuration #1 chosen from 1 choice [ 0.896550] hub 3-0:1.0: USB hub found [ 0.896564] hub 3-0:1.0: 2 ports detected [ 0.896713] uhci_hcd 0000:00:1d.2: PCI INT C -> GSI 18 (level, low) -> IRQ 18 [ 0.896725] uhci_hcd 0000:00:1d.2: setting latency timer to 64 [ 0.896732] uhci_hcd 0000:00:1d.2: UHCI Host Controller [ 0.896749] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 4 [ 0.896800] uhci_hcd 0000:00:1d.2: irq 18, io base 0x00004040 [ 0.896874] usb usb4: New USB device found, idVendor=1d6b, idProduct=0001 [ 0.896880] usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 0.896885] usb usb4: Product: UHCI Host Controller [ 0.896889] usb usb4: Manufacturer: Linux 2.6.31.5-0.1-desktop uhci_hcd [ 0.896894] usb usb4: SerialNumber: 0000:00:1d.2 [ 0.897044] usb usb4: configuration #1 chosen from 1 choice [ 0.897101] hub 4-0:1.0: USB hub found [ 0.897116] hub 4-0:1.0: 2 ports detected [ 0.898279] uhci_hcd 0000:00:1d.3: PCI INT D -> GSI 16 (level, low) -> IRQ 16 [ 0.898291] uhci_hcd 0000:00:1d.3: setting latency timer to 64 [ 0.898298] uhci_hcd 0000:00:1d.3: UHCI Host Controller [ 0.898317] uhci_hcd 0000:00:1d.3: new USB bus registered, assigned bus number 5 [ 0.898365] uhci_hcd 0000:00:1d.3: irq 16, io base 0x00004020 [ 0.898439] usb usb5: New USB device found, idVendor=1d6b, idProduct=0001 [ 0.898444] usb usb5: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 0.898449] usb usb5: Product: UHCI Host Controller [ 0.898453] usb usb5: Manufacturer: Linux 2.6.31.5-0.1-desktop uhci_hcd [ 0.898458] usb usb5: SerialNumber: 0000:00:1d.3 [ 0.898593] usb usb5: configuration #1 chosen from 1 choice [ 0.898652] hub 5-0:1.0: USB hub found [ 0.898666] hub 5-0:1.0: 2 ports detected [ 0.898793] Initializing USB Mass Storage driver... [ 0.898859] usbcore: registered new interface driver usb-storage [ 0.898865] USB Mass Storage support registered. [ 0.898930] usbcore: registered new interface driver libusual [ 0.898955] usbcore: registered new interface driver ums-alauda [ 0.898980] usbcore: registered new interface driver ums-cypress [ 0.899005] usbcore: registered new interface driver ums-datafab [ 0.899030] usbcore: registered new interface driver ums-freecom [ 0.899055] usbcore: registered new interface driver ums-isd200 [ 0.899080] usbcore: registered new interface driver ums-jumpshot [ 0.899108] usbcore: registered new interface driver ums-karma [ 0.899132] usbcore: registered new interface driver ums-onetouch [ 0.899158] usbcore: registered new interface driver ums-sddr09 [ 0.899183] usbcore: registered new interface driver ums-sddr55 [ 0.899207] usbcore: registered new interface driver ums-usbat [ 0.899309] PNP: No PS/2 controller found. Probing ports directly. [ 0.900181] i8042.c: No controller found. [ 0.900331] mice: PS/2 mouse device common for all mice [ 0.900488] rtc_cmos 00:08: RTC can wake from S4 [ 0.900585] rtc_cmos 00:08: rtc core: registered rtc_cmos as rtc0 [ 0.900628] rtc0: alarms up to one month, y3k, 242 bytes nvram, hpet irqs [ 0.900649] cpuidle: using governor ladder [ 0.900653] cpuidle: using governor menu [ 0.901227] usbcore: registered new interface driver hiddev [ 0.901268] usbcore: registered new interface driver usbhid [ 0.901275] usbhid: v2.6:USB HID core driver [ 1.054614] ata3.01: ATA-8: FUJITSU MHW2120BH, 00810013, max UDMA/100 [ 1.054621] ata3.01: 234441648 sectors, multi 16: LBA48 NCQ (depth 0/32) [ 1.060551] ata3.01: configured for UDMA/100 [ 1.060707] scsi 2:0:1:0: Direct-Access ATA FUJITSU MHW2120B 0081 PQ: 0 ANSI: 5 [ 1.060931] sd 2:0:1:0: [sda] 234441648 512-byte logical blocks: (120 GB/111 GiB) [ 1.061048] sd 2:0:1:0: [sda] Write Protect is off [ 1.061054] sd 2:0:1:0: [sda] Mode Sense: 00 3a 00 00 [ 1.061109] sd 2:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 1.111266] TCP cubic registered [ 1.111397] NET: Registered protocol family 10 [ 1.112366] lo: Disabled Privacy Extensions [ 1.113084] lib80211: common routines for IEEE802.11 drivers [ 1.113090] lib80211_crypt: registered algorithm 'NULL' [ 1.113294] PM: Checking image partition /dev/disk/by-id/ata-FUJITSU_MHW2120BH_NZ0ST6C2ANJR-part4 [ 1.113553] sda: sda1 sda2 sda3 sda4 [ 1.159186] sd 2:0:1:0: [sda] Attached SCSI disk [ 1.159202] PM: Resume from disk failed. [ 1.159233] registered taskstats version 1 [ 1.159472] Magic number: 14:902:7 [ 1.159591] rtc_cmos 00:08: setting system clock to 2010-02-22 03:01:26 UTC (1266807686) [ 1.159803] Freeing unused kernel memory: 980k freed [ 1.160350] Write protecting the kernel read-only data: 8856k [ 1.229991] ACPI: SSDT 000000003feb8c10 002AE (v01 APPLE Cpu0Ist 00003000 INTL 20050309) [ 1.230947] ACPI: SSDT 000000003feb8910 002A0 (v01 APPLE Cpu0Cst 00003001 INTL 20050309) [ 1.231792] Monitor-Mwait will be used to enter C-1 state [ 1.231857] Monitor-Mwait will be used to enter C-2 state [ 1.231913] Monitor-Mwait will be used to enter C-3 state [ 1.231932] Marking TSC unstable due to TSC halts in idle [ 1.232072] ACPI: CPU0 (power states: C1[C1] C2[C2] C3[C3]) [ 1.232134] processor LNXCPU:00: registered as cooling_device0 [ 1.232142] ACPI: Processor [CPU0] (supports 8 throttling states) [ 1.232974] ACPI: SSDT 000000003feb8f10 00087 (v01 APPLE Cpu1Ist 00003000 INTL 20050309) [ 1.233778] ACPI: SSDT 000000003feb7f10 00085 (v01 APPLE Cpu1Cst 00003000 INTL 20050309) [ 1.237378] ACPI: CPU1 (power states: C1[C1] C2[C2] C3[C3]) [ 1.237421] processor LNXCPU:01: registered as cooling_device1 [ 1.237430] ACPI: Processor [CPU1] (supports 8 throttling states) [ 1.258605] udev: starting version 146 [ 1.368301] usb 1-4: new high speed USB device using ehci_hcd and address 4 [ 1.482471] usb 1-4: New USB device found, idVendor=05ac, idProduct=8300 [ 1.482480] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1.482656] usb 1-4: configuration #1 chosen from 1 choice [ 1.872323] PM: Marking nosave pages: 0000000000001000 - 0000000000006000 [ 1.872331] PM: Marking nosave pages: 000000000009f000 - 0000000000100000 [ 1.872341] PM: Basic memory bitmaps created [ 1.882828] PM: Basic memory bitmaps freed [ 1.893071] usb 2-1: new low speed USB device using uhci_hcd and address 2 [ 1.950537] PM: Starting manual resume from disk [ 1.950545] PM: Resume from partition 8:4 [ 1.950548] PM: Checking hibernation image. [ 1.950851] PM: Resume from disk failed. [ 2.000078] Clocksource tsc unstable (delta = -75577743 ns) [ 2.059799] usb 2-1: New USB device found, idVendor=05ac, idProduct=0304 [ 2.059807] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 2.059813] usb 2-1: Product: Apple Optical USB Mouse [ 2.059817] usb 2-1: Manufacturer: Mitsumi Electric [ 2.059999] usb 2-1: configuration #1 chosen from 1 choice [ 2.077396] input: Mitsumi Electric Apple Optical USB Mouse as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1:1.0/input/input0 [ 2.077600] apple 0003:05AC:0304.0001: input,hidraw0: USB HID v1.10 Mouse [Mitsumi Electric Apple Optical USB Mouse] on usb-0000:00:1d.0-1/input0 [ 2.085113] EXT4-fs (sda3): barriers enabled [ 2.091905] kjournald2 starting: pid 239, dev sda3:8, commit interval 5 seconds [ 2.092426] EXT4-fs (sda3): internal journal on sda3:8 [ 2.092436] EXT4-fs (sda3): delayed allocation enabled [ 2.092442] EXT4-fs: file extents enabled [ 2.105648] EXT4-fs: mballoc enabled [ 2.105674] EXT4-fs (sda3): mounted filesystem with ordered data mode [ 2.170303] CE: hpet increasing min_delta_ns to 15000 nsec [ 2.283069] usb 2-2: new full speed USB device using uhci_hcd and address 3 [ 2.457857] usb 2-2: New USB device found, idVendor=05ac, idProduct=021a [ 2.457865] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 2.457871] usb 2-2: Product: Apple Internal Keyboard / Trackpad [ 2.457875] usb 2-2: Manufacturer: Apple Computer [ 2.458155] usb 2-2: configuration #1 chosen from 1 choice [ 2.467414] input: Apple Computer Apple Internal Keyboard / Trackpad as /devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2:1.0/input/input1 [ 2.467551] apple 0003:05AC:021A.0002: input,hidraw1: USB HID v1.11 Keyboard [Apple Computer Apple Internal Keyboard / Trackpad] on usb-0000:00:1d.0-2/input0 [ 2.475885] input: Apple Computer Apple Internal Keyboard / Trackpad as /devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2:1.2/input/input2 [ 2.476027] apple 0003:05AC:021A.0003: input,hidraw2: USB HID v1.11 Device [Apple Computer Apple Internal Keyboard / Trackpad] on usb-0000:00:1d.0-2/input2 [ 2.682052] usb 4-2: new full speed USB device using uhci_hcd and address 2 [ 2.847890] usb 4-2: New USB device found, idVendor=05ac, idProduct=8240 [ 2.847898] usb 4-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 2.847904] usb 4-2: Product: IR Receiver [ 2.847908] usb 4-2: Manufacturer: Apple Computer, Inc. [ 2.848122] usb 4-2: configuration #1 chosen from 1 choice [ 2.857121] generic-usb 0003:05AC:8240.0004: hiddev0,hidraw3: USB HID v1.11 Device [Apple Computer, Inc. IR Receiver] on usb-0000:00:1d.2-2/input0 [ 3.063048] usb 5-1: new full speed USB device using uhci_hcd and address 2 [ 3.255474] usb 5-1: New USB device found, idVendor=05ac, idProduct=1000 [ 3.255482] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 3.255728] usb 5-1: configuration #1 chosen from 1 choice [ 3.259519] usbhid 5-1:1.0: couldn't find an input interrupt endpoint [ 3.565240] SELinux: 8192 avtab hash slots, 173019 rules. [ 3.631305] SELinux: 8192 avtab hash slots, 173019 rules. [ 3.730474] SELinux: 7 users, 9 roles, 3231 types, 100 bools [ 3.730482] SELinux: 73 classes, 173019 rules [ 3.733843] SELinux: class kernel_service not defined in policy [ 3.733869] SELinux: permission open in class sock_file not defined in policy [ 3.733965] SELinux: permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy [ 3.734182] SELinux: the above unknown classes and permissions will be denied [ 3.734187] SELinux: Completing initialization. [ 3.734190] SELinux: Setting up existing superblocks. [ 3.734213] SELinux: initialized (dev sda3, type ext4), uses xattr [ 3.734401] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs [ 3.736034] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts [ 3.736058] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts [ 3.736107] SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs [ 3.736119] SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts [ 3.736129] SELinux: initialized (dev devpts, type devpts), uses transition SIDs [ 3.736145] SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts [ 3.736155] SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts [ 3.736164] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs [ 3.736174] SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts [ 3.736592] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs [ 3.736601] SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling [ 3.736720] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs [ 3.736735] SELinux: initialized (dev proc, type proc), uses genfs_contexts [ 3.736758] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts [ 3.736768] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts [ 3.736779] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts [ 3.750100] type=1403 audit(1266807689.090:2): policy loaded auid=4294967295 ses=4294967295 [ 4.618763] type=1400 audit(1266807689.958:3): avc: denied { read write } for pid=282 comm="mount" name="null" dev=tmpfs ino=4242 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=chr_file [ 4.618801] type=1300 audit(1266807689.958:3): arch=c000003e syscall=2 success=yes exit=3 a0=40eb80 a1=2 a2=0 a3=0 items=0 ppid=256 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t key=(null) [ 4.619038] type=1400 audit(1266807689.958:4): avc: denied { mounton } for pid=282 comm="mount" path="/dev/pts" dev=tmpfs ino=930 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir [ 4.619137] type=1300 audit(1266807689.958:4): arch=c000003e syscall=165 success=yes exit=0 a0=616a80 a1=616aa0 a2=616ac0 a3=ffffffffc0ed0000 items=0 ppid=256 pid=282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t key=(null) [ 5.436923] preloadtrace: systemtap: 0.9.9/0.142, base: ffffffffa00bd000, memory: 49196+82372+22256+14000 data+text+ctx+net, probes: 44 [ 7.488403] type=1400 audit(1266807692.827:5): avc: denied { read write } for pid=331 comm="udevd" name="console" dev=tmpfs ino=4235 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=chr_file [ 7.489164] type=1300 audit(1266807692.827:5): arch=c000003e syscall=59 success=yes exit=0 a0=6c0c50 a1=6a8190 a2=6c0290 a3=0 items=0 ppid=321 pid=331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 7.508268] type=1400 audit(1266807692.848:6): avc: denied { search } for pid=331 comm="udevd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 7.508318] type=1300 audit(1266807692.848:6): arch=c000003e syscall=2 success=yes exit=3 a0=419071 a1=2 a2=7f6bdc57e114 a3=0 items=0 ppid=321 pid=331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 7.509262] type=1400 audit(1266807692.849:7): avc: denied { read } for pid=331 comm="udevd" name="rules.d" dev=tmpfs ino=4429 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 7.509294] type=1300 audit(1266807692.849:7): arch=c000003e syscall=254 success=yes exit=3 a0=6 a1=7ffff57cf690 a2=3c8 a3=0 items=0 ppid=321 pid=331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 7.509551] type=1400 audit(1266807692.849:8): avc: denied { getattr } for pid=331 comm="udevd" path="/dev/.udev/rules.d" dev=tmpfs ino=4429 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 7.509586] type=1300 audit(1266807692.849:8): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff57ce4e0 a1=7ffff57ce420 a2=7ffff57ce420 a3=0 items=0 ppid=321 pid=331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 7.510222] type=1400 audit(1266807692.850:9): avc: denied { getattr } for pid=331 comm="udevd" path="/dev/.udev/rules.d/10-root-symlink.rules" dev=tmpfs ino=4430 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file [ 7.510263] type=1300 audit(1266807692.850:9): arch=c000003e syscall=4 success=yes exit=0 a0=62cfa0 a1=7ffff57ce420 a2=7ffff57ce420 a3=64656c2d69666977 items=0 ppid=321 pid=331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 7.545703] udev: starting version 146 [ 7.721612] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input3 [ 7.721735] ACPI: Power Button [PWRF] [ 7.721864] input: Lid Switch as /devices/LNXSYSTM:00/device:00/PNP0C0D:00/input/input4 [ 7.722060] ACPI: Lid Switch [LID0] [ 7.722167] input: Power Button as /devices/LNXSYSTM:00/device:00/PNP0C0C:00/input/input5 [ 7.722232] ACPI: Power Button [PWRB] [ 7.722363] input: Sleep Button as /devices/LNXSYSTM:00/device:00/PNP0C0E:00/input/input6 [ 7.722427] ACPI: Sleep Button [SLPB] [ 7.761016] ACPI: AC Adapter [ADP1] (on-line) [ 7.767573] sky2 driver version 1.23 [ 7.777792] sky2 0000:02:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 [ 7.779801] sky2 0000:02:00.0: setting latency timer to 64 [ 7.779878] sky2 0000:02:00.0: Yukon-2 EC chip revision 2 [ 7.782638] alloc irq_desc for 28 on node 0 [ 7.782644] alloc kstat_irqs on node 0 [ 7.782670] sky2 0000:02:00.0: irq 28 for MSI/MSI-X [ 7.783724] ACPI: Battery Slot [BAT0] (battery absent) [ 7.786565] sky2 eth0: addr 00:17:f2:cb:e3:71 [ 7.881794] appletouch: Geyser mode initialized. [ 7.881907] input: appletouch as /devices/pci0000:00/0000:00:1d.0/usb2/2-2/2-2:1.1/input/input7 [ 7.882099] usbcore: registered new interface driver appletouch [ 7.904229] intel_rng: FWH not detected [ 7.909574] iTCO_vendor_support: vendor-support=0 [ 7.911850] iTCO_wdt: Intel TCO WatchDog Timer Driver v1.05 [ 7.911988] iTCO_wdt: Found a ICH7-M or ICH7-U TCO device (Version=2, TCOBASE=0x0460) [ 7.912095] iTCO_wdt: initialized. heartbeat=30 sec (nowayout=0) [ 7.920840] input: PC Speaker as /devices/platform/pcspkr/input/input8 [ 7.926637] sr 0:0:0:0: Attached scsi generic sg0 type 5 [ 7.926714] sd 2:0:1:0: Attached scsi generic sg1 type 0 [ 7.945273] sr0: scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray [ 7.945281] Uniform CD-ROM driver Revision: 3.20 [ 7.945572] sr 0:0:0:0: Attached scsi CD-ROM sr0 [ 7.953585] i801_smbus 0000:00:1f.3: PCI INT B -> GSI 19 (level, low) -> IRQ 19 [ 7.953597] ACPI: I/O resource 0000:00:1f.3 [0xefa0-0xefbf] conflicts with ACPI region SMBI [0xefa0-0xefaf] [ 7.953622] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver [ 7.954139] cfg80211: Calling CRDA to update world regulatory domain [ 7.991321] ohci1394 0000:0c:03.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19 [ 8.043088] ohci1394: fw-host0: OHCI-1394 1.1 (PCI): IRQ=[19] MMIO=[4c004000-4c0047ff] Max Packet=[4096] IR/IT contexts=[4/8] [ 8.106227] alloc irq_desc for 22 on node 0 [ 8.106234] alloc kstat_irqs on node 0 [ 8.106250] HDA Intel 0000:00:1b.0: PCI INT A -> GSI 22 (level, low) -> IRQ 22 [ 8.106314] HDA Intel 0000:00:1b.0: setting latency timer to 64 [ 8.128953] usb 1-4: firmware: requesting isight.fw [ 8.134351] applesmc: Apple MacBook Pro detected: [ 8.134357] applesmc: - Model with accelerometer [ 8.134360] applesmc: - Model with light sensors and backlight [ 8.134365] applesmc: - Model with 12 temperature sensors [ 8.135058] applesmc: device has already been initialized (0xe0, 0x00). [ 8.135063] applesmc: device successfully initialized. [ 8.135913] applesmc: 2 fans found. [ 8.137795] input: applesmc as /devices/platform/applesmc.768/input/input9 [ 8.138405] Registered led device: smc::kbd_backlight [ 8.138446] applesmc: driver successfully loaded. [ 8.139834] ath9k 0000:03:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17 [ 8.139853] ath9k 0000:03:00.0: setting latency timer to 64 [ 8.260408] hda_codec: STAC922x, Apple subsys_id=106b1e00 [ 8.260495] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3881: autoconfig: line_outs=1 (0xc/0x0/0x0/0x0/0x0) [ 8.260510] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3885: speaker_outs=0 (0x0/0x0/0x0/0x0/0x0) [ 8.260518] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3889: hp_outs=1 (0xa/0x0/0x0/0x0/0x0) [ 8.260531] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3890: mono: mono_out=0x0 [ 8.260539] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3893: dig-out=0x10/0x0 [ 8.260551] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3901: inputs: mic=0xb, fmic=0x0, line=0xf, fline=0x0, cd=0x0, aux=0x0 [ 8.260560] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/hda_codec.c:3903: dig-in=0x11 [ 8.261430] ALSA /usr/src/packages/BUILD/kernel-desktop-2.6.31.5/linux-2.6.31/sound/pci/hda/patch_sigmatel.c:2969: stac92xx: dac_nids=1 (0x3/0x0/0x0/0x0/0x0) [ 8.264649] input: HDA Intel Line In at Ext Rear Jack as /devices/pci0000:00/0000:00:1b.0/sound/card0/input10 [ 8.264813] input: HDA Intel HP Out at Ext Rear Jack as /devices/pci0000:00/0000:00:1b.0/sound/card0/input11 [ 8.378356] ath: EEPROM regdomain: 0x64 [ 8.378362] ath: EEPROM indicates we should expect a direct regpair map [ 8.378369] ath: Country alpha2 being used: 00 [ 8.378373] ath: Regpair used: 0x64 [ 8.386358] usb 5-1: USB disconnect, address 2 [ 8.465221] Unable to load isight firmware [ 8.465309] usbcore: registered new interface driver isight_firmware [ 8.592342] usb 5-1: new full speed USB device using uhci_hcd and address 3 [ 8.879468] usb 5-1: New USB device found, idVendor=05ac, idProduct=8205 [ 8.879476] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 8.879667] usb 5-1: configuration #1 chosen from 1 choice [ 8.925885] Bluetooth: Core ver 2.15 [ 8.931124] NET: Registered protocol family 31 [ 8.931130] Bluetooth: HCI device and connection manager initialized [ 8.931136] Bluetooth: HCI socket layer initialized [ 8.934222] Bluetooth: Generic Bluetooth USB driver ver 0.5 [ 8.934778] usbcore: registered new interface driver btusb [ 9.028837] phy0: Selected rate control algorithm 'ath9k_rate_control' [ 9.031181] Registered led device: ath9k-phy0::radio [ 9.031220] Registered led device: ath9k-phy0::assoc [ 9.031259] Registered led device: ath9k-phy0::tx [ 9.031296] Registered led device: ath9k-phy0::rx [ 9.031327] phy0: Atheros AR5418 MAC/BB Rev:2 AR5133 RF Rev:81: mem=0xffffc900054e0000, irq=17 [ 9.216929] Adding 390616k swap on /dev/sda4. Priority:-1 extents:1 across:390616k [ 9.335577] ieee1394: Host added: ID:BUS[0-00:1023] GUID[0019e3fffe2ad87e] [ 10.437568] device-mapper: uevent: version 1.0.3 [ 10.437970] device-mapper: ioctl: 4.15.0-ioctl (2009-04-01) initialised: dm-devel@redhat.com [ 10.800075] loop: module loaded [ 11.109860] fuse init (API version 7.12) [ 11.128214] SELinux: initialized (dev fusectl, type fusectl), uses genfs_contexts [ 12.613575] type=1400 audit(1266807697.952:49): avc: denied { write } for pid=1023 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.AcNNrbzj" dev=sda3 ino=131991 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:initrc_tmp_t tclass=file [ 12.613666] type=1300 audit(1266807697.952:49): arch=c000003e syscall=59 success=yes exit=0 a0=60a010 a1=7fffae4ea560 a2=7fffae4ea910 a3=0 items=0 ppid=1022 pid=1023 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t key=(null) [ 12.676342] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 12.850166] ip_tables: (C) 2000-2006 Netfilter Core Team [ 14.160704] nf_conntrack version 0.5.0 (7860 buckets, 31440 max) [ 14.160920] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use [ 14.160932] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or [ 14.160943] sysctl net.netfilter.nf_conntrack_acct=1 to enable it. [ 15.498832] type=1400 audit(1266807700.838:50): avc: denied { search } for pid=1095 comm="dbus-daemon" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 15.498916] type=1300 audit(1266807700.838:50): arch=c000003e syscall=2 success=yes exit=3 a0=7fd4bf7b6ba2 a1=0 a2=1 a3=0 items=0 ppid=1081 pid=1095 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 15.564015] type=1400 audit(1266807700.903:51): avc: denied { search } for pid=1115 comm="rsyslogd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 15.564109] type=1300 audit(1266807700.903:51): arch=c000003e syscall=2 success=no exit=-6 a0=434680 a1=80002 a2=9 a3=0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.566059] type=1400 audit(1266807700.905:52): avc: denied { append } for pid=1115 comm="rsyslogd" name="tty10" dev=tmpfs ino=1309 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 15.566133] type=1300 audit(1266807700.905:52): arch=c000003e syscall=2 success=yes exit=3 a0=65bb20 a1=80541 a2=1a4 a3=0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.566197] type=1400 audit(1266807700.906:53): avc: denied { ioctl } for pid=1115 comm="rsyslogd" path="/dev/tty10" dev=tmpfs ino=1309 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 15.566248] type=1300 audit(1266807700.906:53): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=5401 a2=7fff9847b810 a3=0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.566458] type=1400 audit(1266807700.906:54): avc: denied { read write } for pid=1115 comm="rsyslogd" name="xconsole" dev=tmpfs ino=7783 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file [ 15.566517] type=1300 audit(1266807700.906:54): arch=c000003e syscall=2 success=yes exit=4 a0=65c100 a1=80802 a2=7fff9847ba0d a3=65bc70 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.566572] type=1400 audit(1266807700.906:55): avc: denied { ioctl } for pid=1115 comm="rsyslogd" path="/dev/xconsole" dev=tmpfs ino=7783 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file [ 15.566616] type=1300 audit(1266807700.906:55): arch=c000003e syscall=16 success=no exit=-22 a0=4 a1=5401 a2=7fff9847b810 a3=65bc70 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.567066] type=1400 audit(1266807700.906:56): avc: denied { append } for pid=1115 comm="rsyslogd" name="acpid" dev=sda3 ino=1892 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file [ 15.567120] type=1300 audit(1266807700.906:56): arch=c000003e syscall=2 success=yes exit=6 a0=65f400 a1=80541 a2=1a4 a3=65e710 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.567174] type=1400 audit(1266807700.907:57): avc: denied { ioctl } for pid=1115 comm="rsyslogd" path="/var/log/acpid" dev=sda3 ino=1892 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file [ 15.567223] type=1300 audit(1266807700.907:57): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7fff9847b810 a3=65e710 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.567562] type=1400 audit(1266807700.907:58): avc: denied { append } for pid=1115 comm="rsyslogd" name="mail" dev=sda3 ino=1903 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file [ 15.567620] type=1300 audit(1266807700.907:58): arch=c000003e syscall=2 success=yes exit=8 a0=661c00 a1=80541 a2=1a4 a3=6617c0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.567681] type=1400 audit(1266807700.907:59): avc: denied { ioctl } for pid=1115 comm="rsyslogd" path="/var/log/mail" dev=sda3 ino=1903 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file [ 15.567730] type=1300 audit(1266807700.907:59): arch=c000003e syscall=16 success=no exit=-25 a0=8 a1=5401 a2=7fff9847b810 a3=6617c0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.596619] type=1400 audit(1266807700.936:60): avc: denied { write } for pid=1115 comm="rsyslogd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 15.596665] type=1400 audit(1266807700.936:60): avc: denied { add_name } for pid=1115 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 15.596831] type=1400 audit(1266807700.936:60): avc: denied { create } for pid=1115 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 15.596891] type=1300 audit(1266807700.936:60): arch=c000003e syscall=49 success=yes exit=0 a0=0 a1=7fff9847cd50 a2=a a3=7f86be5a29e0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 15.596957] type=1400 audit(1266807700.936:61): avc: denied { setattr } for pid=1115 comm="rsyslogd" name="log" dev=tmpfs ino=7804 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 15.597008] type=1300 audit(1266807700.936:61): arch=c000003e syscall=90 success=yes exit=0 a0=7f86befadbc0 a1=1b6 a2=a a3=7f86be5a29e0 items=0 ppid=1114 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 17.804992] type=1400 audit(1266807703.144:62): avc: denied { read } for pid=332 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file [ 17.805086] type=1300 audit(1266807703.144:62): arch=c000003e syscall=0 success=yes exit=128 a0=7 a1=7ffff57cf690 a2=80 a3=40 items=0 ppid=1 pid=332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 20.360967] type=1400 audit(1266807705.700:63): avc: denied { search } for pid=504 comm="udevd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.361043] type=1300 audit(1266807705.700:63): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff57ce4b0 a1=7ffff57ce420 a2=7ffff57ce420 a3=65776f706632785c items=0 ppid=332 pid=504 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 20.401906] type=1400 audit(1266807705.741:64): avc: denied { search } for pid=1122 comm="dbus-daemon" name="1176" dev=proc ino=7889 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=dir [ 20.402113] type=1400 audit(1266807705.741:64): avc: denied { read } for pid=1122 comm="dbus-daemon" name="cmdline" dev=proc ino=7901 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_t tclass=file [ 20.402192] type=1300 audit(1266807705.741:64): arch=c000003e syscall=2 success=yes exit=10 a0=7fd4bf9d0500 a1=0 a2=7fd4bf9d0512 a3=0 items=0 ppid=1 pid=1122 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.415796] type=1400 audit(1266807705.755:65): avc: denied { write } for pid=332 comm="udevd" name=".udev" dev=tmpfs ino=4428 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.415844] type=1400 audit(1266807705.755:65): avc: denied { add_name } for pid=332 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.415947] type=1300 audit(1266807705.755:65): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff57cec60 a1=242 a2=1b6 a3=2 items=0 ppid=1 pid=332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 20.416086] type=1400 audit(1266807705.756:66): avc: denied { remove_name } for pid=332 comm="udevd" name="queue.tmp" dev=tmpfs ino=7911 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.416156] type=1300 audit(1266807705.756:66): arch=c000003e syscall=82 success=yes exit=0 a0=7ffff57cec60 a1=7ffff57cf060 a2=0 a3=22 items=0 ppid=1 pid=332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 20.449155] type=1400 audit(1266807705.789:67): avc: denied { search } for pid=1122 comm="dbus-daemon" name="1193" dev=proc ino=7940 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:hald_t tclass=dir [ 20.449241] type=1400 audit(1266807705.789:67): avc: denied { read } for pid=1122 comm="dbus-daemon" name="cmdline" dev=proc ino=7941 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:hald_t tclass=file [ 20.449342] type=1300 audit(1266807705.789:67): arch=c000003e syscall=2 success=yes exit=11 a0=7fd4bf9e8540 a1=0 a2=7fd4bf9e8552 a3=0 items=0 ppid=1 pid=1122 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.453522] type=1400 audit(1266807705.793:68): avc: denied { execute_no_trans } for pid=1196 comm="dbus-daemon" path="/lib/dbus-1/dbus-daemon-launch-helper" dev=sda3 ino=131074 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:lib_t tclass=file [ 20.453880] type=1300 audit(1266807705.793:68): arch=c000003e syscall=59 success=yes exit=0 a0=7fd4bf9ea7b0 a1=7fd4bf9e99e0 a2=7fd4bf9ea920 a3=0 items=0 ppid=1194 pid=1196 auid=4294967295 uid=100 gid=101 euid=0 suid=0 fsuid=0 egid=101 sgid=101 fsgid=101 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.458323] type=1400 audit(1266807705.798:69): avc: denied { execute } for pid=1196 comm="dbus-daemon-lau" name="console-kit-daemon" dev=sda3 ino=87257 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_exec_t tclass=file [ 20.458379] type=1400 audit(1266807705.798:69): avc: denied { read } for pid=1196 comm="dbus-daemon-lau" name="console-kit-daemon" dev=sda3 ino=87257 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_exec_t tclass=file [ 20.458455] type=1400 audit(1266807705.798:69): avc: denied { execute_no_trans } for pid=1196 comm="dbus-daemon-lau" path="/usr/sbin/console-kit-daemon" dev=sda3 ino=87257 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_exec_t tclass=file [ 20.458787] type=1300 audit(1266807705.798:69): arch=c000003e syscall=59 success=yes exit=0 a0=60ee30 a1=60ede0 a2=60c010 a3=0 items=0 ppid=1194 pid=1196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.459905] type=1400 audit(1266807705.799:70): avc: denied { remove_name } for pid=1115 comm="rsyslogd" name="log" dev=tmpfs ino=7804 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.459952] type=1400 audit(1266807705.799:70): avc: denied { unlink } for pid=1115 comm="rsyslogd" name="log" dev=tmpfs ino=7804 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 20.460012] type=1300 audit(1266807705.799:70): arch=c000003e syscall=87 success=yes exit=0 a0=7f86befadbc0 a1=7f86beda39d0 a2=0 a3=0 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 20.464469] type=1400 audit(1266807705.804:71): avc: denied { getsched } for pid=1196 comm="console-kit-dae" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process [ 20.464526] type=1300 audit(1266807705.804:71): arch=c000003e syscall=143 success=yes exit=0 a0=4ac a1=7f50d1be4bc8 a2=7fff8f57b490 a3=0 items=0 ppid=1194 pid=1196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.466425] type=1400 audit(1266807705.806:72): avc: denied { getattr } for pid=1199 comm="console-kit-dae" path="pipe:[7951]" dev=pipefs ino=7951 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=fifo_file [ 20.466493] type=1300 audit(1266807705.806:72): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff8f57b410 a2=7fff8f57b410 a3=0 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.472235] type=1400 audit(1266807705.812:73): avc: denied { getattr } for pid=1199 comm="console-kit-dae" path="/var/log" dev=sda3 ino=49153 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir [ 20.472327] type=1300 audit(1266807705.812:73): arch=c000003e syscall=4 success=yes exit=0 a0=632b90 a1=7fff8f57ab10 a2=7fff8f57ab10 a3=1 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.472396] type=1400 audit(1266807705.812:74): avc: denied { search } for pid=1199 comm="console-kit-dae" name="log" dev=sda3 ino=49153 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=dir [ 20.472449] type=1300 audit(1266807705.812:74): arch=c000003e syscall=21 success=yes exit=0 a0=632b90 a1=0 a2=7fff8f57ab10 a3=1 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.472565] type=1400 audit(1266807705.812:75): avc: denied { append } for pid=1199 comm="console-kit-dae" name="history" dev=sda3 ino=1899 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file [ 20.472623] type=1300 audit(1266807705.812:75): arch=c000003e syscall=2 success=yes exit=9 a0=632b40 a1=20401 a2=180 a3=1 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.472697] type=1400 audit(1266807705.812:76): avc: denied { setattr } for pid=1199 comm="console-kit-dae" name="history" dev=sda3 ino=1899 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file [ 20.472757] type=1300 audit(1266807705.812:76): arch=c000003e syscall=93 success=yes exit=0 a0=9 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.472848] type=1400 audit(1266807705.812:77): avc: denied { getattr } for pid=1199 comm="console-kit-dae" path="/var/log/ConsoleKit/history" dev=sda3 ino=1899 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file [ 20.472913] type=1300 audit(1266807705.812:77): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7fff8f57aa10 a2=7fff8f57aa10 a3=0 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.473805] type=1400 audit(1266807705.813:78): avc: denied { read } for pid=1199 comm="console-kit-dae" name="tty0" dev=tmpfs ino=4249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 20.473875] type=1300 audit(1266807705.813:78): arch=c000003e syscall=2 success=yes exit=11 a0=41bdd8 a1=100 a2=6 a3=1 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.473943] type=1400 audit(1266807705.813:79): avc: denied { ioctl } for pid=1199 comm="console-kit-dae" path="/dev/tty0" dev=tmpfs ino=4249 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 20.473999] type=1300 audit(1266807705.813:79): arch=c000003e syscall=16 success=yes exit=0 a0=b a1=5603 a2=7fff8f57a630 a3=0 items=0 ppid=1 pid=1199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.482530] type=1400 audit(1266807705.822:80): avc: denied { read } for pid=1201 comm="console-kit-dae" name="history" dev=sda3 ino=1899 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:var_log_t tclass=file [ 20.482613] type=1300 audit(1266807705.822:80): arch=c000003e syscall=2 success=yes exit=12 a0=632b40 a1=800 a2=180 a3=0 items=0 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 20.495431] type=1400 audit(1266807705.835:81): avc: denied { read } for pid=1193 comm="hald" name="PolicyKit.reload" dev=sda3 ino=524928 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_lib_t tclass=file [ 20.495493] type=1300 audit(1266807705.835:81): arch=c000003e syscall=254 success=yes exit=3 a0=d a1=7fd876c3d730 a2=106 a3=0 items=0 ppid=1192 pid=1193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t key=(null) [ 20.499748] type=1400 audit(1266807705.839:82): avc: denied { associate } for pid=1185 comm="gdm-simple-slav" name="vcs7" scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem [ 20.499919] type=1300 audit(1266807705.839:82): arch=c000003e syscall=2 success=yes exit=7 a0=64f870 a1=102 a2=0 a3=0 items=0 ppid=1176 pid=1185 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-simple-slav" exe="/usr/lib/gdm/gdm-simple-slave" subj=system_u:system_r:xdm_t key=(null) [ 20.501678] type=1400 audit(1266807705.841:83): avc: denied { getattr } for pid=535 comm="udevd" path="/dev" dev=tmpfs ino=902 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.501741] type=1300 audit(1266807705.841:83): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff57ce580 a1=7ffff57ce4f0 a2=7ffff57ce4f0 a3=746165726373662f items=0 ppid=332 pid=535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 20.676647] type=1400 audit(1266807706.016:84): avc: denied { append } for pid=1286 comm="rsyslogd" name="acpid" dev=sda3 ino=1892 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file [ 20.676718] type=1300 audit(1266807706.016:84): arch=c000003e syscall=2 success=yes exit=6 a0=65f400 a1=80541 a2=1a4 a3=65e710 items=0 ppid=1285 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 20.676781] type=1400 audit(1266807706.016:85): avc: denied { ioctl } for pid=1286 comm="rsyslogd" path="/var/log/acpid" dev=sda3 ino=1892 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:apmd_log_t tclass=file [ 20.676832] type=1300 audit(1266807706.016:85): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7fff24c4cea0 a3=65e710 items=0 ppid=1285 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 20.677069] type=1400 audit(1266807706.017:86): avc: denied { append } for pid=1286 comm="rsyslogd" name="mail" dev=sda3 ino=1903 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file [ 20.677129] type=1300 audit(1266807706.017:86): arch=c000003e syscall=2 success=yes exit=8 a0=661c00 a1=80541 a2=1a4 a3=6617c0 items=0 ppid=1285 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 20.677191] type=1400 audit(1266807706.017:87): avc: denied { ioctl } for pid=1286 comm="rsyslogd" path="/var/log/mail" dev=sda3 ino=1903 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sendmail_log_t tclass=file [ 20.677241] type=1300 audit(1266807706.017:87): arch=c000003e syscall=16 success=no exit=-25 a0=8 a1=5401 a2=7fff24c4cea0 a3=6617c0 items=0 ppid=1285 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 20.954480] type=1400 audit(1266807706.294:88): avc: denied { search } for pid=1316 comm="rpcbind" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:rpcbind_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 20.954557] type=1300 audit(1266807706.294:88): arch=c000003e syscall=2 success=yes exit=4 a0=7f3d7aea540a a1=2 a2=0 a3=7f3d7b2f9220 items=0 ppid=1315 pid=1316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/sbin/rpcbind" subj=system_u:system_r:rpcbind_t key=(null) [ 21.056346] type=1400 audit(1266807706.395:89): avc: denied { read write } for pid=1329 comm="modprobe" name="tty7" dev=tmpfs ino=1759 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 21.057627] type=1300 audit(1266807706.395:89): arch=c000003e syscall=59 success=yes exit=0 a0=7fffc41bf790 a1=7fffc41bd6f0 a2=7fffc41c0198 a3=0 items=0 ppid=1268 pid=1329 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t key=(null) [ 21.099926] [drm] Initialized drm 1.1.0 20060810 [ 21.108224] pci 0000:01:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 [ 21.108246] pci 0000:01:00.0: setting latency timer to 64 [ 21.108544] [drm] Initialized radeon 1.31.0 20080528 for 0000:01:00.0 on minor 0 [ 21.109377] type=1400 audit(1266807706.449:90): avc: denied { getattr } for pid=504 comm="udevd" path="/var/run/ConsoleKit/database" dev=sda3 ino=262325 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=file [ 21.109458] type=1300 audit(1266807706.449:90): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff57cea00 a1=7ffff57cd560 a2=7ffff57cd560 a3=1 items=0 ppid=332 pid=504 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 21.109846] type=1400 audit(1266807706.449:91): avc: denied { getattr } for pid=504 comm="udevd" path="/dev/dri" dev=tmpfs ino=8220 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:xdm_xserver_tmpfs_t tclass=dir [ 21.109906] type=1300 audit(1266807706.449:91): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff57ce580 a1=7ffff57ce4f0 a2=7ffff57ce4f0 a3=ffffffff items=0 ppid=332 pid=504 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 21.109977] type=1400 audit(1266807706.449:92): avc: denied { search } for pid=504 comm="udevd" name="dri" dev=tmpfs ino=8220 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:xdm_xserver_tmpfs_t tclass=dir [ 21.110037] type=1300 audit(1266807706.449:92): arch=c000003e syscall=6 success=no exit=-2 a0=78d1f0 a1=7ffff57ce4c0 a2=7ffff57ce4c0 a3=ffffffff items=0 ppid=332 pid=504 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 21.115806] type=1400 audit(1266807706.455:93): avc: denied { write } for pid=504 comm="udevd" name="log" dev=tmpfs ino=8154 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 21.115960] type=1300 audit(1266807706.455:93): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7f6bdc581140 a2=6e a3=fffffff5 items=0 ppid=332 pid=504 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t key=(null) [ 21.118393] type=1400 audit(1266807706.458:94): avc: denied { append } for pid=1289 comm="rsyslogd" path="/dev/tty10" dev=tmpfs ino=1309 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file [ 21.118486] type=1300 audit(1266807706.458:94): arch=c000003e syscall=1 success=yes exit=102 a0=3 a1=68c950 a2=66 a3=28202c3036363032 items=0 ppid=1 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t key=(null) [ 21.250198] type=1400 audit(1266807706.590:95): avc: denied { write } for pid=1347 comm="hald-addon-macb" name="mem" dev=tmpfs ino=1160 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:memory_device_t tclass=chr_file [ 21.250274] type=1300 audit(1266807706.590:95): arch=c000003e syscall=2 success=yes exit=4 a0=4029d4 a1=2 a2=7fff6d59703f a3=0 items=0 ppid=1200 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-addon-macb" exe="/usr/lib/hal/hald-addon-macbookpro-backlight" subj=system_u:system_r:hald_t key=(null) [ 21.251674] type=1400 audit(1266807706.591:96): avc: denied { read } for pid=1122 comm="dbus-daemon" name="cmdline" dev=proc ino=8494 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:hald_t tclass=file [ 21.251750] type=1300 audit(1266807706.591:96): arch=c000003e syscall=2 success=yes exit=15 a0=7fd4bf9f7390 a1=0 a2=7fd4bf9f73a2 a3=0 items=0 ppid=1 pid=1122 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 21.300814] [drm] Setting GART location based on new memory map [ 21.302171] [drm] Loading R500 Microcode [ 21.302244] [drm] Num pipes: 1 [ 21.302261] [drm] writeback test succeeded in 1 usecs [ 21.326184] type=1400 audit(1266807706.666:97): avc: denied { write } for pid=1366 comm="hald-addon-acpi" name="acpid.socket" dev=sda3 ino=262315 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_run_t tclass=sock_file [ 21.326640] type=1400 audit(1266807706.666:97): avc: denied { connectto } for pid=1366 comm="hald-addon-acpi" path="/var/run/acpid.socket" scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket [ 21.327180] type=1300 audit(1266807706.666:97): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fffd1e3bcb0 a2=6e a3=0 items=0 ppid=1200 pid=1366 auid=4294967295 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=(none) ses=4294967295 comm="hald-addon-acpi" exe="/usr/lib/hal/hald-addon-acpi" subj=system_u:system_r:hald_t key=(null) [ 21.539496] type=1400 audit(1266807706.879:98): avc: denied { search } for pid=1122 comm="dbus-daemon" name="1268" dev=proc ino=8054 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_xserver_t tclass=dir [ 21.539665] type=1400 audit(1266807706.879:98): avc: denied { read } for pid=1122 comm="dbus-daemon" name="cmdline" dev=proc ino=8595 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:xdm_xserver_t tclass=file [ 21.539740] type=1300 audit(1266807706.879:98): arch=c000003e syscall=2 success=yes exit=17 a0=7fd4bf9fb6d0 a1=0 a2=7fd4bf9fb6e2 a3=0 items=0 ppid=1 pid=1122 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) [ 23.684308] type=1400 audit(1266807709.024:99): avc: denied { search } for pid=1386 comm="auditd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 23.684385] type=1300 audit(1266807709.024:99): arch=c000003e syscall=2 success=yes exit=3 a0=7fa021f64715 a1=2 a2=7fa0216afe60 a3=7fa0218cb220 items=0 ppid=1385 pid=1386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/sbin/auditd" subj=system_u:system_r:auditd_t key=(null) [ 23.686120] type=1400 audit(1266807709.025:100): avc: denied { write } for pid=1386 comm="auditd" name="log" dev=tmpfs ino=8154 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 23.686211] type=1300 audit(1266807709.025:100): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fa0216b1140 a2=6e a3=0 items=0 ppid=1385 pid=1386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/sbin/auditd" subj=system_u:system_r:auditd_t key=(null) [ 23.688312] type=1400 audit(1266807709.028:101): avc: denied { search } for pid=1388 comm="audispd" name="/" dev=tmpfs ino=902 scontext=system_u:system_r:audisp_t tcontext=system_u:object_r:tmpfs_t tclass=dir [ 23.688383] type=1300 audit(1266807709.028:101): arch=c000003e syscall=2 success=yes exit=5 a0=7f82fe63d751 a1=2 a2=7f82fe63d8f8 a3=0 items=0 ppid=1386 pid=1388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audispd" exe="/sbin/audispd" subj=system_u:system_r:audisp_t key=(null) [ 23.689138] type=1400 audit(1266807709.028:102): avc: denied { write } for pid=1388 comm="audispd" name="log" dev=tmpfs ino=8154 scontext=system_u:system_r:audisp_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file [ 23.689342] type=1305 audit(1266807709.029:103): audit_pid=1386 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t res=1 [ 26.932530] BIOS EDD facility v0.16 2004-Jun-25, 1 devices found [ 27.749520] Bluetooth: L2CAP ver 2.13 [ 27.749537] Bluetooth: L2CAP socket layer initialized [ 27.886206] Bluetooth: BNEP (Ethernet Emulation) ver 1.3 [ 27.886228] Bluetooth: BNEP filters: protocol multicast [ 28.557177] Bridge firewalling registered [ 28.859900] Bluetooth: SCO (Voice Link) ver 0.6 [ 28.859918] Bluetooth: SCO socket layer initialized [ 29.173775] Bluetooth: RFCOMM TTY layer initialized [ 29.173798] Bluetooth: RFCOMM socket layer initialized [ 29.173809] Bluetooth: RFCOMM ver 1.11 [ 30.578315] bootsplash: status on console 0 changed to on [ 32.661804] sky2 eth0: enabling interface [ 32.662133] ADDRCONF(NETDEV_UP): eth0: link is not ready [ 32.674856] ADDRCONF(NETDEV_UP): wlan0: link is not ready [ 32.753342] NET: Registered protocol family 17 [ 38.456651] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts [ 44.639225] wlan0: authenticate with AP 00:1e:2a:00:67:f0 [ 44.645413] wlan0: authenticated [ 44.645423] wlan0: associate with AP 00:1e:2a:00:67:f0 [ 44.647709] wlan0: RX AssocResp from 00:1e:2a:00:67:f0 (capab=0x431 status=0 aid=3) [ 44.647717] wlan0: associated [ 44.648514] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 53.105739] RPC: Registered udp transport module. [ 53.105757] RPC: Registered tcp transport module. [ 53.129325] Slow work thread pool: Starting up [ 53.129443] Slow work thread pool: Ready [ 53.129534] FS-Cache: Loaded [ 53.163862] FS-Cache: Netfs 'nfs' registered for caching [ 53.178228] SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts [ 54.870033] wlan0: no IPv6 routers present ^ permalink raw reply [flat|nested] 113+ messages in thread
[parent not found: <dd18b0c31002221129s4be9b56cha13b7be39c2cba36@mail.gmail.com>]
* Re: SELinux Policy in OpenSUSE 11.2 [not found] ` <dd18b0c31002221129s4be9b56cha13b7be39c2cba36@mail.gmail.com> @ 2010-02-22 19:57 ` Justin P. mattock 2010-02-22 20:24 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-22 19:57 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/22/2010 11:29 AM, Justin Mattock wrote: > On Mon, Feb 22, 2010 at 11:27 AM, Justin Mattock > <justinmattock@gmail.com> wrote: >> On Mon, Feb 22, 2010 at 6:00 AM, Stephen Smalley<sds@tycho.nsa.gov> wrote: >>> On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote: >>>> On 02/19/2010 01:25 PM, Stephen Smalley wrote: >>>>> On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: >>>>>> setsebool -P init_upstart=on >>>>>> setsebool -P xdm_sysadm_login=on >>>>>> setsebool -P xserver_object_manager=on >>>>> >>>>> I think you only need the first boolean setting. >>>>> And we should likely introduce an ifdef for suse in refpolicy that >>>>> always disables that transition so that you don't have to artificially >>>>> turn on that boolean. >>>>> >>>> >>>> as a test I built the policy with init_upstart=off >>>> system crashes and burns with gdm/xserver(dbus error). >>>> then changing to init_upstart=on xserver/gdm started right up. >>>> >>>> my question is why? especially if this is sysvinit. >>> >>> The refpolicy defines a domain transition from init_t to sysadm_t upon >>> executing a shell so that the single-user mode shell is automatically >>> run in sysadm_t, and it defines a domain transition from init_t to >>> initrc_t upon executing an rc script (initrc_exec_t) so that rc scripts >>> are automatically run in initrc_t. This worked with sysvinit in Fedora >>> and Debian. However, upstart launches all services via shell command >>> and thus all services would be run in sysadm_t if we kept that >>> transition, so the refpolicy has the following logic (in >>> system/init.te): >>> >>> tunable_policy(`init_upstart',` >>> corecmd_shell_domtrans(init_t, initrc_t) >>> ',` >>> # Run the shell in the sysadm role for single-user mode. >>> # causes problems with upstart >>> sysadm_shell_domtrans(init_t) >>> ') >>> >>> This snippet means: if init_upstart=on, then transition from init_t to >>> initrc_t upon executing a shell, else transition from init_t to sysadm_t >>> upon executing a shell. >>> >>> I had suggested trying init_upstart=on in OpenSUSE because the sestatus >>> and pstree output showed that most processes launched by init were >>> running in sysadm_t, similar to what would happen on a system using >>> upstart if that boolean were not enabled. >>> >>> This suggests that something is different about the sysvinit setup in >>> OpenSUSE. It might be useful to see your /etc/inittab file contents. >>> >>> -- >>> Stephen Smalley >>> National Security Agency >>> >>> >> >> alright attached is dmesg and audit.log >> both were cleaned out before the initial boot. >> >> yesterday I rebuilt sysvinit with the version >> I use on my system and the patch that dan had >> given me. but during the whole thing I can't remember >> If I was able to bootup without the init_upstart boolean >> turned on.(I'll rebuild that package and see if this is the case, >> if so then this tells me that whatever/however suse built sysvinit >> acts more like upstart(but could be wrong)). >> >> (BTW: I'll go(if need be) and file these, later on once >> I get this thing cleaned and sorted out) >> >> -- >> Justin P. Mattock >> > > hmm.. audit.log didn't go through > resend > alright built sysvinit with dan's patch he had provided me a while back. seems init is still hitting some dbus thing without having init_upstart enabled. maybe /etc/inittab is doing something. I'll look at this today and see if I can find anything. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 19:57 ` Justin P. mattock @ 2010-02-22 20:24 ` Stephen Smalley 2010-02-22 21:25 ` Justin Mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 20:24 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Mon, 2010-02-22 at 11:57 -0800, Justin P. mattock wrote: > On 02/22/2010 11:29 AM, Justin Mattock wrote: > > On Mon, Feb 22, 2010 at 11:27 AM, Justin Mattock > > <justinmattock@gmail.com> wrote: > >> On Mon, Feb 22, 2010 at 6:00 AM, Stephen Smalley<sds@tycho.nsa.gov> wrote: > >>> On Fri, 2010-02-19 at 13:47 -0800, Justin P. mattock wrote: > >>>> On 02/19/2010 01:25 PM, Stephen Smalley wrote: > >>>>> On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote: > >>>>>> setsebool -P init_upstart=on > >>>>>> setsebool -P xdm_sysadm_login=on > >>>>>> setsebool -P xserver_object_manager=on > >>>>> > >>>>> I think you only need the first boolean setting. > >>>>> And we should likely introduce an ifdef for suse in refpolicy that > >>>>> always disables that transition so that you don't have to artificially > >>>>> turn on that boolean. > >>>>> > >>>> > >>>> as a test I built the policy with init_upstart=off > >>>> system crashes and burns with gdm/xserver(dbus error). > >>>> then changing to init_upstart=on xserver/gdm started right up. > >>>> > >>>> my question is why? especially if this is sysvinit. > >>> > >>> The refpolicy defines a domain transition from init_t to sysadm_t upon > >>> executing a shell so that the single-user mode shell is automatically > >>> run in sysadm_t, and it defines a domain transition from init_t to > >>> initrc_t upon executing an rc script (initrc_exec_t) so that rc scripts > >>> are automatically run in initrc_t. This worked with sysvinit in Fedora > >>> and Debian. However, upstart launches all services via shell command > >>> and thus all services would be run in sysadm_t if we kept that > >>> transition, so the refpolicy has the following logic (in > >>> system/init.te): > >>> > >>> tunable_policy(`init_upstart',` > >>> corecmd_shell_domtrans(init_t, initrc_t) > >>> ',` > >>> # Run the shell in the sysadm role for single-user mode. > >>> # causes problems with upstart > >>> sysadm_shell_domtrans(init_t) > >>> ') > >>> > >>> This snippet means: if init_upstart=on, then transition from init_t to > >>> initrc_t upon executing a shell, else transition from init_t to sysadm_t > >>> upon executing a shell. > >>> > >>> I had suggested trying init_upstart=on in OpenSUSE because the sestatus > >>> and pstree output showed that most processes launched by init were > >>> running in sysadm_t, similar to what would happen on a system using > >>> upstart if that boolean were not enabled. > >>> > >>> This suggests that something is different about the sysvinit setup in > >>> OpenSUSE. It might be useful to see your /etc/inittab file contents. > >>> > >>> -- > >>> Stephen Smalley > >>> National Security Agency > >>> > >>> > >> > >> alright attached is dmesg and audit.log > >> both were cleaned out before the initial boot. > >> > >> yesterday I rebuilt sysvinit with the version > >> I use on my system and the patch that dan had > >> given me. but during the whole thing I can't remember > >> If I was able to bootup without the init_upstart boolean > >> turned on.(I'll rebuild that package and see if this is the case, > >> if so then this tells me that whatever/however suse built sysvinit > >> acts more like upstart(but could be wrong)). > >> > >> (BTW: I'll go(if need be) and file these, later on once > >> I get this thing cleaned and sorted out) > >> > >> -- > >> Justin P. Mattock > >> > > > > hmm.. audit.log didn't go through > > resend > > > > > alright built sysvinit > with dan's patch he had provided me > a while back. > > seems init is still hitting some dbus > thing without having init_upstart enabled. > maybe /etc/inittab is doing something. > > I'll look at this today and see if I can find anything. You don't need to rebuild sysvinit; it already has the selinux support in opensuse. The only issue is how they have configured /etc/inittab (which you still haven't sent) or how they have set up their init scripts. Things to look for: - Does /etc/inittab invoke the rc scripts directly or indirectly via a shell command? - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. with initrc_exec_t)? Otherwise they won't transition properly. - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If not, then an attempt to execve() them will fail and it will fall back on the caller to feed them to the shell, at which point you won't have the normal domain transition. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 20:24 ` Stephen Smalley @ 2010-02-22 21:25 ` Justin Mattock 2010-02-22 21:42 ` Stephen Smalley 2010-02-22 22:10 ` Justin P. mattock 0 siblings, 2 replies; 113+ messages in thread From: Justin Mattock @ 2010-02-22 21:25 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito [-- Attachment #1: Type: text/plain, Size: 1053 bytes --] > You don't need to rebuild sysvinit; it already has the selinux support > in opensuse. > > The only issue is how they have configured /etc/inittab (which you still > haven't sent) or how they have set up their init scripts. Things to > look for: > - Does /etc/inittab invoke the rc scripts directly or indirectly via a > shell command? > - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. > with initrc_exec_t)? Otherwise they won't transition properly. > - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If > not, then an attempt to execve() them will fail and it will fall back on > the caller to feed them to the shell, at which point you won't have the > normal domain transition. > > -- > Stephen Smalley > National Security Agency > > my bad.. got tied up looking for the avc's denial of init. attached is inittab-orig of what suse has. I'll throw in the inittab from my other system to see if it changes things, then if not look at the file labels -- Justin P. Mattock [-- Attachment #2: inittab-orig --] [-- Type: application/octet-stream, Size: 2982 bytes --] # # /etc/inittab # # Copyright (c) 1996-2002 SuSE Linux AG, Nuernberg, Germany. All rights reserved. # # Author: Florian La Roche, 1996 # Please send feedback to http://www.suse.de/feedback # # This is the main configuration file of /sbin/init, which # is executed by the kernel on startup. It describes what # scripts are used for the different run-levels. # # All scripts for runlevel changes are in /etc/init.d/. # # This file may be modified by SuSEconfig unless CHECK_INITTAB # in /etc/sysconfig/suseconfig is set to "no" # # The default runlevel is defined here id:5:initdefault: # First script to be executed, if not booting in emergency (-b) mode si::bootwait:/etc/init.d/boot # /etc/init.d/rc takes care of runlevel handling # # runlevel 0 is System halt (Do not use this for initdefault!) # runlevel 1 is Single user mode # runlevel 2 is Local multiuser without remote network (e.g. NFS) # runlevel 3 is Full multiuser with network # runlevel 4 is Not used # runlevel 5 is Full multiuser with network and xdm # runlevel 6 is System reboot (Do not use this for initdefault!) # l0:0:wait:/etc/init.d/rc 0 l1:1:wait:/etc/init.d/rc 1 l2:2:wait:/etc/init.d/rc 2 l3:3:wait:/etc/init.d/rc 3 #l4:4:wait:/etc/init.d/rc 4 l5:5:wait:/etc/init.d/rc 5 l6:6:wait:/etc/init.d/rc 6 # what to do in single-user mode ls:S:wait:/etc/init.d/rc S ~~:S:respawn:/sbin/sulogin # what to do when CTRL-ALT-DEL is pressed ca::ctrlaltdel:/sbin/shutdown -r -t 4 now # special keyboard request (Alt-UpArrow) # look into the kbd-0.90 docs for this kb::kbrequest:/bin/echo "Keyboard Request -- edit /etc/inittab to let this work." # what to do when power fails/returns pf::powerwait:/etc/init.d/powerfail start pn::powerfailnow:/etc/init.d/powerfail now #pn::powerfail:/etc/init.d/powerfail now po::powerokwait:/etc/init.d/powerfail stop # for ARGO UPS sh:12345:powerfail:/sbin/shutdown -h now THE POWER IS FAILING # getty-programs for the normal runlevels # <id>:<runlevels>:<action>:<process> # The "id" field MUST be the same as the last # characters of the device (after "tty"). 1:2345:respawn:/sbin/mingetty --noclear tty1 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3 4:2345:respawn:/sbin/mingetty tty4 5:2345:respawn:/sbin/mingetty tty5 6:2345:respawn:/sbin/mingetty tty6 # #S0:12345:respawn:/sbin/agetty -L 9600 ttyS0 vt102 #cons:12345:respawn:/sbin/smart_agetty -L 38400 console # # Note: Do not use tty7 in runlevel 3, this virtual line # is occupied by the programm xdm. # # This is for the package xdmsc, after installing and # and configuration you should remove the comment character # from the following line: #7:3:respawn:+/etc/init.d/rx tty7 # modem getty. # mo:235:respawn:/usr/sbin/mgetty -s 38400 modem # fax getty (hylafax) # mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem # vbox (voice box) getty # I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6 # I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7 # end of /etc/inittab ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 21:25 ` Justin Mattock @ 2010-02-22 21:42 ` Stephen Smalley 2010-02-22 22:10 ` Justin P. mattock 1 sibling, 0 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-22 21:42 UTC (permalink / raw) To: Justin Mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Mon, 2010-02-22 at 13:25 -0800, Justin Mattock wrote: > > You don't need to rebuild sysvinit; it already has the selinux support > > in opensuse. > > > > The only issue is how they have configured /etc/inittab (which you still > > haven't sent) or how they have set up their init scripts. Things to > > look for: > > - Does /etc/inittab invoke the rc scripts directly or indirectly via a > > shell command? > > - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. > > with initrc_exec_t)? Otherwise they won't transition properly. > > - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If > > not, then an attempt to execve() them will fail and it will fall back on > > the caller to feed them to the shell, at which point you won't have the > > normal domain transition. > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > my bad.. got tied up looking for the avc's denial > of init. attached is inittab-orig of what suse has. Ok, so they invoke /etc/init.d/rc with the runlevel as an argument. So: - What does ls -Z /etc/init.d/rc show? - What does head /etc/init.d/rc show? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 21:25 ` Justin Mattock 2010-02-22 21:42 ` Stephen Smalley @ 2010-02-22 22:10 ` Justin P. mattock 2010-02-22 22:35 ` Justin Mattock 1 sibling, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-22 22:10 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/22/2010 01:25 PM, Justin Mattock wrote: >> You don't need to rebuild sysvinit; it already has the selinux support >> in opensuse. >> >> The only issue is how they have configured /etc/inittab (which you still >> haven't sent) or how they have set up their init scripts. Things to >> look for: >> - Does /etc/inittab invoke the rc scripts directly or indirectly via a >> shell command? >> - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. >> with initrc_exec_t)? Otherwise they won't transition properly. >> - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If >> not, then an attempt to execve() them will fail and it will fall back on >> the caller to feed them to the shell, at which point you won't have the >> normal domain transition. >> >> -- >> Stephen Smalley >> National Security Agency >> >> > > my bad.. got tied up looking for the avc's denial > of init. attached is inittab-orig of what suse has. > > I'll throw in the inittab from my other system to see > if it changes things, then if not look at the file labels > alright here's what I see in /etc/init* for /etc/init.d I have all init.d daemons labeled as system_u:object_r:initrc_exec_t. in that directory there is rc0.d that is labeled system_u:object_r:etc_t inside rc0.d the label is the same. there also is boot.d which is labeled the same as rc0.d ls -lZ /sbin/init system_u:object_r:init_exec_t ls -Z /etc/init.d/rc* has system_u:object_r:etc_t (I'll go through each one to make sure). head /etc/init.d/rc* shows all files having #! /bin/sh (I can send you those, but might be too big of a file). I think this might be label related due to the system booting the first time without any issues, then crashing after lebeling Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 22:10 ` Justin P. mattock @ 2010-02-22 22:35 ` Justin Mattock 2010-02-23 6:17 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Justin Mattock @ 2010-02-22 22:35 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito [-- Attachment #1: Type: text/plain, Size: 2132 bytes --] On Mon, Feb 22, 2010 at 2:10 PM, Justin P. mattock <justinmattock@gmail.com> wrote: > On 02/22/2010 01:25 PM, Justin Mattock wrote: >>> >>> You don't need to rebuild sysvinit; it already has the selinux support >>> in opensuse. >>> >>> The only issue is how they have configured /etc/inittab (which you still >>> haven't sent) or how they have set up their init scripts. Things to >>> look for: >>> - Does /etc/inittab invoke the rc scripts directly or indirectly via a >>> shell command? >>> - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. >>> with initrc_exec_t)? Otherwise they won't transition properly. >>> - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If >>> not, then an attempt to execve() them will fail and it will fall back on >>> the caller to feed them to the shell, at which point you won't have the >>> normal domain transition. >>> >>> -- >>> Stephen Smalley >>> National Security Agency >>> >>> >> >> my bad.. got tied up looking for the avc's denial >> of init. attached is inittab-orig of what suse has. >> >> I'll throw in the inittab from my other system to see >> if it changes things, then if not look at the file labels >> > > > alright here's what I see in /etc/init* > > for /etc/init.d > I have all init.d daemons labeled as > system_u:object_r:initrc_exec_t. > > in that directory there is rc0.d that is labeled > system_u:object_r:etc_t > inside rc0.d the label is the same. > there also is boot.d > which is labeled the same as rc0.d > > ls -lZ /sbin/init > system_u:object_r:init_exec_t > > ls -Z /etc/init.d/rc* > has system_u:object_r:etc_t > (I'll go through each one to make sure). > > head /etc/init.d/rc* > shows all files having > #! /bin/sh > (I can send you those, but might be too big > of a file). > > I think this might be label related > due to the system booting the first time without > any issues, then crashing after lebeling > > > > Justin P. Mattock > > heres everything in /etc/init.d/* (only label changed was auditd just to see). -- Justin P. Mattock [-- Attachment #2: ls_Z --] [-- Type: application/octet-stream, Size: 35170 bytes --] -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3406 2009-10-24 05:41 /etc/init.d/aaeventd -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 3634 2009-10-23 20:02 /etc/init.d/acpid -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5701 2009-10-23 21:11 /etc/init.d/alsasound -rwxr-xr-x. 1 root root system_u:object_r:auditd_initrc_exec_t 6933 2009-10-23 20:40 /etc/init.d/auditd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 6739 2009-10-19 12:19 /etc/init.d/autofs -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2989 2008-08-15 02:51 /etc/init.d/autoyast -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1217 2009-10-21 05:37 /etc/init.d/avahi-daemon -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1268 2009-10-21 05:37 /etc/init.d/avahi-dnsconfd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 761 2009-10-21 15:49 /etc/init.d/bluez-coldplug -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 8323 2009-04-28 05:51 /etc/init.d/boot -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2910 2009-10-24 05:41 /etc/init.d/boot.apparmor -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1457 2009-11-02 15:14 /etc/init.d/boot.braille -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3013 2009-09-16 05:27 /etc/init.d/boot.cleanup -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 4871 2009-08-31 03:43 /etc/init.d/boot.clock -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1988 2009-10-27 08:52 /etc/init.d/boot.compcache -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2702 2009-10-19 11:34 /etc/init.d/boot.crypto -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2496 2009-10-19 11:34 /etc/init.d/boot.crypto-early -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 758 2009-10-23 20:06 /etc/init.d/boot.device-mapper -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 1417 2009-10-21 14:50 /etc/init.d/boot.dmraid -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1590 2009-10-23 21:10 /etc/init.d/boot.fuse -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3453 2008-08-11 07:52 /etc/init.d/boot.ipconfig -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1781 2008-08-11 07:52 /etc/init.d/boot.klog -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1159 2009-04-20 06:40 /etc/init.d/boot.ldconfig -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1017 2008-07-22 02:47 /etc/init.d/boot.loadmodules -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 395 2010-02-21 00:16 /etc/init.d/boot.local -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 9986 2009-09-16 05:27 /etc/init.d/boot.localfs -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1594 2009-07-22 05:57 /etc/init.d/boot.localnet -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1408 2009-10-19 13:21 /etc/init.d/boot.lvm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5047 2009-10-23 20:52 /etc/init.d/boot.md -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3999 2009-10-23 20:23 /etc/init.d/boot.multipath -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1615 2008-08-08 08:26 /etc/init.d/boot.proc -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 4543 2009-10-19 11:36 /etc/init.d/boot.quota -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5248 2009-09-16 05:27 /etc/init.d/boot.rootfsck -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1972 2008-07-22 05:17 /etc/init.d/boot.sched -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1554 2009-10-19 12:51 /etc/init.d/boot.scpm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1635 2009-11-02 13:43 /etc/init.d/boot.startpreload -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2947 2008-07-22 02:57 /etc/init.d/boot.swap -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1081 2009-10-23 20:25 /etc/init.d/boot.sysctl -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2271 2009-10-23 21:27 /etc/init.d/boot.udev -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 783 2009-10-23 21:27 /etc/init.d/boot.udev_retry -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 1010 2009-10-20 11:16 /etc/init.d/brld -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 4388 2009-10-23 20:56 /etc/init.d/cron -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 4852 2009-10-19 12:58 /etc/init.d/cups -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3267 2009-10-23 21:14 /etc/init.d/dbus -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2202 2009-10-19 11:14 /etc/init.d/dnsmasq -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5116 2009-10-23 20:57 /etc/init.d/dvb -rwxr-xr--. 1 root root system_u:object_r:initrc_exec_t 2171 2009-10-23 20:01 /etc/init.d/earlysyslog -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2589 2009-11-02 13:43 /etc/init.d/earlyxdm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5402 2009-10-23 20:44 /etc/init.d/fbset -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 4310 2009-10-23 17:15 /etc/init.d/gpm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 6412 2009-10-19 13:02 /etc/init.d/haldaemon -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 6138 2009-09-29 02:45 /etc/init.d/halt -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 360 2009-11-02 14:51 /etc/init.d/halt.local -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2513 2009-10-20 01:49 /etc/init.d/irda -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3022 2009-10-23 21:18 /etc/init.d/irq_balancer -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2295 2009-10-23 21:11 /etc/init.d/joystick -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 12221 2009-10-23 20:53 /etc/init.d/kbd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 7258 2009-10-19 12:08 /etc/init.d/lirc -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3962 2009-10-23 20:52 /etc/init.d/mdadmd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1210 2009-10-19 09:56 /etc/init.d/microcode.ctl -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3415 2009-10-23 20:23 /etc/init.d/multipathd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 29460 2009-10-24 00:14 /etc/init.d/network -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2599 2009-10-24 00:14 /etc/init.d/network-remotefs -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 7208 2009-10-19 12:15 /etc/init.d/nfs -rwxr-xr--. 1 root root system_u:object_r:initrc_exec_t 3356 2009-10-27 01:16 /etc/init.d/nmb -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3307 2009-10-19 10:12 /etc/init.d/nscd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 6501 2009-10-23 22:05 /etc/init.d/ntp -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 6304 2009-10-24 05:57 /etc/init.d/openvpn -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1678 2009-10-23 19:43 /etc/init.d/pm-profiler -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5402 2009-10-19 12:31 /etc/init.d/postfix -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 1335 2009-10-23 19:45 /etc/init.d/powerd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2390 2003-09-01 04:11 /etc/init.d/powerfail -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1785 2008-10-15 03:46 /etc/init.d/random -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 1264 2009-10-21 15:49 /etc/init.d/raw -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 10540 2009-04-28 05:53 /etc/init.d/rc -rw-r--r--. 1 root root system_u:object_r:initrc_exec_t 7827 2009-10-27 01:15 /etc/init.d/README lrwxrwxrwx. 1 root root system_u:object_r:etc_t 4 2010-02-20 23:50 /etc/init.d/reboot -> halt -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2644 2009-10-19 12:55 /etc/init.d/restorecond -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1793 2009-10-23 21:08 /etc/init.d/rpcbind -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2492 2009-10-23 18:23 /etc/init.d/rpmconfigcheck -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3874 2009-10-24 05:46 /etc/init.d/rsyncd -rwxr--r--. 1 root root system_u:object_r:initrc_exec_t 1007 2009-10-20 11:16 /etc/init.d/sbl -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 9645 2009-10-23 20:26 /etc/init.d/setserial -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1431 2008-10-15 03:52 /etc/init.d/single -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 10645 2008-07-23 03:29 /etc/init.d/skeleton -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 12744 2008-07-23 03:29 /etc/init.d/skeleton.compat -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 16291 2009-10-23 20:56 /etc/init.d/smartd -rwxr-xr--. 1 root root system_u:object_r:initrc_exec_t 3506 2009-10-27 01:16 /etc/init.d/smb -rwxr-xr--. 1 root root system_u:object_r:initrc_exec_t 5843 2009-10-27 01:16 /etc/init.d/smbfs -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2052 2009-10-23 20:28 /etc/init.d/smolt -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3702 2009-10-21 17:24 /etc/init.d/smpppd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3066 2009-10-24 00:22 /etc/init.d/splash -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 460 2009-10-24 00:22 /etc/init.d/splash_early -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 3861 2009-07-12 12:42 /etc/init.d/sshd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 721 2009-11-02 13:43 /etc/init.d/stoppreload -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1505 2009-10-23 19:34 /etc/init.d/SuSEfirewall2_init -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1618 2009-10-23 19:34 /etc/init.d/SuSEfirewall2_setup -rwxr-xr--. 1 root root system_u:object_r:initrc_exec_t 6081 2009-10-23 20:01 /etc/init.d/syslog -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1031 2009-11-02 13:43 /etc/init.d/waitfornm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 7942 2010-02-21 22:28 /etc/init.d/xdm -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 7942 2009-11-02 15:15 /etc/init.d/xdm.orig -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 2127 2008-08-12 06:56 /etc/init.d/xfs -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 5882 2009-10-23 20:37 /etc/init.d/xinetd -rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 4450 2009-10-19 11:22 /etc/init.d/ypbind /etc/init.d/boot.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2010-02-21 00:12 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01boot.braille -> ../boot.braille lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01boot.cleanup -> ../boot.cleanup lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K01boot.fuse -> ../boot.fuse lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 K01boot.ipconfig -> ../boot.ipconfig lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K01boot.klog -> ../boot.klog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:12 K01boot.ldconfig -> ../boot.ldconfig lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:11 K01boot.loadmodules -> ../boot.loadmodules lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 K01boot.localnet -> ../boot.localnet lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K01boot.proc -> ../boot.proc lrwxrwxrwx. 1 root root system_u:object_r:etc_t 13 2010-02-21 00:11 K01boot.quota -> ../boot.quota lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K01boot.scpm -> ../boot.scpm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K01boot.sysctl -> ../boot.sysctl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 18 2010-02-21 00:11 K01boot.udev_retry -> ../boot.udev_retry lrwxrwxrwx. 1 root root system_u:object_r:etc_t 13 2010-02-21 00:11 K02boot.clock -> ../boot.clock lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K02boot.swap -> ../boot.swap lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K04boot.localfs -> ../boot.localfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 K06boot.rootfsck -> ../boot.rootfsck lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:11 K08boot.device-mapper -> ../boot.device-mapper lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 K09boot.udev -> ../boot.udev lrwxrwxrwx. 1 root root system_u:object_r:etc_t 20 2010-02-21 00:11 K10boot.startpreload -> ../boot.startpreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 20 2010-02-21 00:11 S01boot.startpreload -> ../boot.startpreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S02boot.udev -> ../boot.udev lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 S03boot.rootfsck -> ../boot.rootfsck lrwxrwxrwx. 1 root root system_u:object_r:etc_t 13 2010-02-21 00:11 S04boot.clock -> ../boot.clock lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:11 S05boot.device-mapper -> ../boot.device-mapper lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:11 S05boot.loadmodules -> ../boot.loadmodules lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 S05boot.localnet -> ../boot.localnet lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S11boot.localfs -> ../boot.localfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S13boot.braille -> ../boot.braille lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S13boot.fuse -> ../boot.fuse lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S13boot.klog -> ../boot.klog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S13boot.proc -> ../boot.proc lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S13boot.scpm -> ../boot.scpm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S13boot.swap -> ../boot.swap lrwxrwxrwx. 1 root root system_u:object_r:etc_t 18 2010-02-21 00:11 S13boot.udev_retry -> ../boot.udev_retry lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:12 S14boot.ldconfig -> ../boot.ldconfig lrwxrwxrwx. 1 root root system_u:object_r:etc_t 13 2010-02-21 00:11 S14boot.quota -> ../boot.quota lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S14boot.sysctl -> ../boot.sysctl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S15boot.cleanup -> ../boot.cleanup lrwxrwxrwx. 1 root root system_u:object_r:etc_t 16 2010-02-21 00:11 S15boot.ipconfig -> ../boot.ipconfig /etc/init.d/rc0.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2009-11-02 14:51 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S01halt -> ../halt /etc/init.d/rc1.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2009-11-02 15:02 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S06kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S07splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S08single -> ../single lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S11stoppreload -> ../stoppreload /etc/init.d/rc2.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2010-02-21 00:15 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 K01bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K01brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 K01cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K01sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K01stoppreload -> ../stoppreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 K02alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K02cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K02kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:12 K03network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:12 K04haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K06syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K07earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K07network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K08dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S01dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S01earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S02haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S02network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S03syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S04splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S06kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 S07alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 S07bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S07brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:11 S07network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S07splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S09cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S09sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 S10cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S10smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S11stoppreload -> ../stoppreload /etc/init.d/rc3.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2010-02-21 00:15 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01auditd -> ../auditd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 K01bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K01brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 K01cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K01nscd -> ../nscd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K01sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 K01sshd -> ../sshd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K01stoppreload -> ../stoppreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 K01SuSEfirewall2_setup -> ../SuSEfirewall2_setup lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 K02alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K02avahi-daemon -> ../avahi-daemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K02cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K02kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K02postfix -> ../postfix lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:12 K03network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:12 K04haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K04nfs -> ../nfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K04smbfs -> ../smbfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K05rpcbind -> ../rpcbind lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K06syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K07earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K07network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K08dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 K08SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S01dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S01earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 S01SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S02haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S02network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S03syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S04auditd -> ../auditd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S04rpcbind -> ../rpcbind lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S04splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S05nfs -> ../nfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S05smbfs -> ../smbfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S06kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 S07alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07avahi-daemon -> ../avahi-daemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 S07bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S07brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:11 S07network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S07splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 S07sshd -> ../sshd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S09cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S09nscd -> ../nscd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S09postfix -> ../postfix lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S09sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 S10cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S10smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S11stoppreload -> ../stoppreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 S11SuSEfirewall2_setup -> ../SuSEfirewall2_setup /etc/init.d/rc4.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2010-02-21 00:14 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 K01SuSEfirewall2_setup -> ../SuSEfirewall2_setup lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 K08SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 S01SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 S11SuSEfirewall2_setup -> ../SuSEfirewall2_setup /etc/init.d/rc5.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2010-02-21 00:15 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01auditd -> ../auditd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 K01bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K01brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 K01cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K01nscd -> ../nscd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K01sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K01splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K01splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 K01sshd -> ../sshd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K01stoppreload -> ../stoppreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 K01SuSEfirewall2_setup -> ../SuSEfirewall2_setup lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K01xdm -> ../xdm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 K02alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 K02avahi-daemon -> ../avahi-daemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K02cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 11 2010-02-21 00:11 K02earlyxdm -> ../earlyxdm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K02fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K02kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K02postfix -> ../postfix lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:12 K03network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:12 K04haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 K04nfs -> ../nfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 K04smbfs -> ../smbfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K05rpcbind -> ../rpcbind lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 K06syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 K07earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 K07network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 K08dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 K08SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01acpid -> ../acpid lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S01dbus -> ../dbus lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S01earlysyslog -> ../earlysyslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S01fbset -> ../fbset lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S01random -> ../random lrwxrwxrwx. 1 root root system_u:object_r:etc_t 21 2010-02-21 00:14 S01SuSEfirewall2_init -> ../SuSEfirewall2_init lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:11 S02haldaemon -> ../haldaemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S02network -> ../network lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S03syslog -> ../syslog lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S04auditd -> ../auditd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S04rpcbind -> ../rpcbind lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S04splash_early -> ../splash_early lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S05nfs -> ../nfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 8 2010-02-21 00:11 S05smbfs -> ../smbfs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S06kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 12 2010-02-21 00:15 S07alsasound -> ../alsasound lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07avahi-daemon -> ../avahi-daemon lrwxrwxrwx. 1 root root system_u:object_r:etc_t 17 2010-02-21 00:11 S07bluez-coldplug -> ../bluez-coldplug lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S07brld -> ../brld lrwxrwxrwx. 1 root root system_u:object_r:etc_t 15 2010-02-21 00:11 S07irq_balancer -> ../irq_balancer lrwxrwxrwx. 1 root root system_u:object_r:etc_t 19 2010-02-21 00:11 S07network-remotefs -> ../network-remotefs lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S07splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 S07sshd -> ../sshd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S09cups -> ../cups lrwxrwxrwx. 1 root root system_u:object_r:etc_t 11 2010-02-21 00:11 S09earlyxdm -> ../earlyxdm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:11 S09nscd -> ../nscd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 10 2010-02-21 00:11 S09postfix -> ../postfix lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S09sbl -> ../sbl lrwxrwxrwx. 1 root root system_u:object_r:etc_t 7 2010-02-21 00:12 S10cron -> ../cron lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S10smartd -> ../smartd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S10xdm -> ../xdm lrwxrwxrwx. 1 root root system_u:object_r:etc_t 14 2010-02-21 00:11 S11stoppreload -> ../stoppreload lrwxrwxrwx. 1 root root system_u:object_r:etc_t 22 2010-02-21 00:14 S11SuSEfirewall2_setup -> ../SuSEfirewall2_setup /etc/init.d/rc6.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2009-11-02 14:51 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S01reboot -> ../reboot /etc/init.d/rcS.d: total 8 drwxr-xr-x. 2 root root system_u:object_r:etc_t 4096 2009-11-02 15:02 . drwxr-xr-x. 11 root root system_u:object_r:etc_t 4096 2010-02-21 22:31 .. lrwxrwxrwx. 1 root root system_u:object_r:etc_t 13 2010-02-21 00:11 S04boot.clock -> ../boot.clock lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 2010-02-21 00:11 S06kbd -> ../kbd lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S07splash -> ../splash lrwxrwxrwx. 1 root root system_u:object_r:etc_t 9 2010-02-21 00:11 S08single -> ../single ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 22:35 ` Justin Mattock @ 2010-02-23 6:17 ` Justin P. mattock 2010-02-23 13:40 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 6:17 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/22/2010 02:35 PM, Justin Mattock wrote: > On Mon, Feb 22, 2010 at 2:10 PM, Justin P. mattock > <justinmattock@gmail.com> wrote: >> On 02/22/2010 01:25 PM, Justin Mattock wrote: >>>> >>>> You don't need to rebuild sysvinit; it already has the selinux support >>>> in opensuse. >>>> >>>> The only issue is how they have configured /etc/inittab (which you still >>>> haven't sent) or how they have set up their init scripts. Things to >>>> look for: >>>> - Does /etc/inittab invoke the rc scripts directly or indirectly via a >>>> shell command? >>>> - Are the scripts under /etc/init.d and /etc/rc.d labeled properly (e.g. >>>> with initrc_exec_t)? Otherwise they won't transition properly. >>>> - Do the scripts under /etc/init.d and /etc/rc.d have a #! header? If >>>> not, then an attempt to execve() them will fail and it will fall back on >>>> the caller to feed them to the shell, at which point you won't have the >>>> normal domain transition. >>>> >>>> -- >>>> Stephen Smalley >>>> National Security Agency >>>> >>>> >>> >>> my bad.. got tied up looking for the avc's denial >>> of init. attached is inittab-orig of what suse has. >>> >>> I'll throw in the inittab from my other system to see >>> if it changes things, then if not look at the file labels >>> >> >> >> alright here's what I see in /etc/init* >> >> for /etc/init.d >> I have all init.d daemons labeled as >> system_u:object_r:initrc_exec_t. >> >> in that directory there is rc0.d that is labeled >> system_u:object_r:etc_t >> inside rc0.d the label is the same. >> there also is boot.d >> which is labeled the same as rc0.d >> >> ls -lZ /sbin/init >> system_u:object_r:init_exec_t >> >> ls -Z /etc/init.d/rc* >> has system_u:object_r:etc_t >> (I'll go through each one to make sure). >> >> head /etc/init.d/rc* >> shows all files having >> #! /bin/sh >> (I can send you those, but might be too big >> of a file). >> >> I think this might be label related >> due to the system booting the first time without >> any issues, then crashing after lebeling >> >> >> >> Justin P. Mattock >> >> > > heres everything in /etc/init.d/* > (only label changed was auditd > just to see). > > ahh.. I see what you mean by transition i.g. with enable_upstart=0 under ps auxZ I see everything is with sysadm_t example when dbus starts: with enable_upstart=0 system_u:system_r:sysadm_t and continues to have sysadm_t (with enable_upstart=1) system_u:system_r:udev_t and all other daemons etc.. go into there proper name(udev_t,hald_t,xdm_t)down the line. I've looked at the file contexts, and am not seeing anything out of the ordinary (but could be wrong). any ideas? Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 6:17 ` Justin P. mattock @ 2010-02-23 13:40 ` Stephen Smalley 2010-02-23 14:13 ` Justin P. mattock 2010-02-23 15:56 ` Alan Rouse 0 siblings, 2 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-23 13:40 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Mon, 2010-02-22 at 22:17 -0800, Justin P. mattock wrote: > ahh.. I see what you mean by transition > i.g. with enable_upstart=0 > > under ps auxZ > I see everything is with sysadm_t > example when dbus starts: > with enable_upstart=0 > system_u:system_r:sysadm_t > and continues to have sysadm_t > > (with enable_upstart=1) > system_u:system_r:udev_t > and all other daemons etc.. go into there > proper name(udev_t,hald_t,xdm_t)down the line. > > > I've looked at the file contexts, and > am not seeing anything out of the ordinary > (but could be wrong). > > any ideas? Looks like /etc/init.d/rc is labeled correctly. And /etc/init.d/rc and /etc/init.d/boot have the #!/bin/sh prefix? Looking at the sysvinit code, it appears that it will invoke the command specified in /etc/inittab via a shell if: - the command string has any meta characters in it that need interpretation (but your /etc/inittab didn't look that way), or - the attempt to exec the command directly returns with errno ENOEXEC (this will happen if the script lacks a #!/path/to/interpreter header). The proper domain transition only happens upon direct execution of the script, not if it is invoked indirectly via the shell. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 13:40 ` Stephen Smalley @ 2010-02-23 14:13 ` Justin P. mattock 2010-02-23 15:56 ` Alan Rouse 1 sibling, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 14:13 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/23/2010 05:40 AM, Stephen Smalley wrote: > On Mon, 2010-02-22 at 22:17 -0800, Justin P. mattock wrote: >> ahh.. I see what you mean by transition >> i.g. with enable_upstart=0 >> >> under ps auxZ >> I see everything is with sysadm_t >> example when dbus starts: >> with enable_upstart=0 >> system_u:system_r:sysadm_t >> and continues to have sysadm_t >> >> (with enable_upstart=1) >> system_u:system_r:udev_t >> and all other daemons etc.. go into there >> proper name(udev_t,hald_t,xdm_t)down the line. >> >> >> I've looked at the file contexts, and >> am not seeing anything out of the ordinary >> (but could be wrong). >> >> any ideas? > > Looks like /etc/init.d/rc is labeled correctly. > And /etc/init.d/rc and /etc/init.d/boot have the #!/bin/sh prefix? > > Looking at the sysvinit code, it appears that it will invoke the command > specified in /etc/inittab via a shell if: > - the command string has any meta characters in it that need > interpretation (but your /etc/inittab didn't look that way), or > - the attempt to exec the command directly returns with errno ENOEXEC > (this will happen if the script lacks a #!/path/to/interpreter header). > > The proper domain transition only happens upon direct execution of the > script, not if it is invoked indirectly via the shell. > I can go through all of these files again to make sure #!/bin/sh is present. (maybe strace will show something). > The proper domain transition only happens upon direct execution of the > script, not if it is invoked indirectly via the shell. > unlike small systems, this system has things going on everywhere I look. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-23 13:40 ` Stephen Smalley 2010-02-23 14:13 ` Justin P. mattock @ 2010-02-23 15:56 ` Alan Rouse 2010-02-23 16:10 ` Stephen Smalley 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-23 15:56 UTC (permalink / raw) To: Stephen Smalley, Justin P. mattock Cc: Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito Would the proper solution be to add a transition to put that script in the right context when run from a shell? -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Tuesday, February 23, 2010 8:40 AM To: Justin P. mattock Cc: Alan Rouse; Dominick Grift; selinux@tycho.nsa.gov; Christopher J. PeBenito Subject: Re: SELinux Policy in OpenSUSE 11.2 On Mon, 2010-02-22 at 22:17 -0800, Justin P. mattock wrote: > ahh.. I see what you mean by transition i.g. with enable_upstart=0 > > under ps auxZ > I see everything is with sysadm_t > example when dbus starts: > with enable_upstart=0 > system_u:system_r:sysadm_t > and continues to have sysadm_t > > (with enable_upstart=1) > system_u:system_r:udev_t > and all other daemons etc.. go into there proper > name(udev_t,hald_t,xdm_t)down the line. > > > I've looked at the file contexts, and > am not seeing anything out of the ordinary (but could be wrong). > > any ideas? Looks like /etc/init.d/rc is labeled correctly. And /etc/init.d/rc and /etc/init.d/boot have the #!/bin/sh prefix? Looking at the sysvinit code, it appears that it will invoke the command specified in /etc/inittab via a shell if: - the command string has any meta characters in it that need interpretation (but your /etc/inittab didn't look that way), or - the attempt to exec the command directly returns with errno ENOEXEC (this will happen if the script lacks a #!/path/to/interpreter header). The proper domain transition only happens upon direct execution of the script, not if it is invoked indirectly via the shell. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-23 15:56 ` Alan Rouse @ 2010-02-23 16:10 ` Stephen Smalley 2010-02-23 17:41 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-23 16:10 UTC (permalink / raw) To: Alan Rouse Cc: Justin P. mattock, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: > Would the proper solution be to add a transition to put that script in the right context when run from a shell? No. I think we just need to drop the transition to sysadm_t altogether (at least in the ifdef suse case) and have userspace explicitly arrange the transition for single-user mode (ala sulogin). > -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Tuesday, February 23, 2010 8:40 AM > To: Justin P. mattock > Cc: Alan Rouse; Dominick Grift; selinux@tycho.nsa.gov; Christopher J. PeBenito > Subject: Re: SELinux Policy in OpenSUSE 11.2 > > On Mon, 2010-02-22 at 22:17 -0800, Justin P. mattock wrote: > > ahh.. I see what you mean by transition i.g. with enable_upstart=0 > > > > under ps auxZ > > I see everything is with sysadm_t > > example when dbus starts: > > with enable_upstart=0 > > system_u:system_r:sysadm_t > > and continues to have sysadm_t > > > > (with enable_upstart=1) > > system_u:system_r:udev_t > > and all other daemons etc.. go into there proper > > name(udev_t,hald_t,xdm_t)down the line. > > > > > > I've looked at the file contexts, and > > am not seeing anything out of the ordinary (but could be wrong). > > > > any ideas? > > Looks like /etc/init.d/rc is labeled correctly. > And /etc/init.d/rc and /etc/init.d/boot have the #!/bin/sh prefix? > > Looking at the sysvinit code, it appears that it will invoke the command specified in /etc/inittab via a shell if: > - the command string has any meta characters in it that need interpretation (but your /etc/inittab didn't look that way), or > - the attempt to exec the command directly returns with errno ENOEXEC (this will happen if the script lacks a #!/path/to/interpreter header). > > The proper domain transition only happens upon direct execution of the script, not if it is invoked indirectly via the shell. > > -- > Stephen Smalley > National Security Agency > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 16:10 ` Stephen Smalley @ 2010-02-23 17:41 ` Justin P. mattock 2010-02-23 18:01 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 17:41 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/23/2010 08:10 AM, Stephen Smalley wrote: > On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: >> Would the proper solution be to add a transition to put that script in the right context when run from a shell? > > No. I think we just need to drop the transition to sysadm_t altogether > (at least in the ifdef suse case) and have userspace explicitly arrange > the transition for single-user mode (ala sulogin). out of curiosity during booting up I'm seeing a mess load of *.sh files being called before the policy is loaded. looking into this I'm seeing them in /lib/mkinitrd/scripts before I go and mess around with initrd what are the thoughts on this area? Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 17:41 ` Justin P. mattock @ 2010-02-23 18:01 ` Stephen Smalley 2010-02-23 18:30 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-23 18:01 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: > On 02/23/2010 08:10 AM, Stephen Smalley wrote: > > On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: > >> Would the proper solution be to add a transition to put that script in the right context when run from a shell? > > > > No. I think we just need to drop the transition to sysadm_t altogether > > (at least in the ifdef suse case) and have userspace explicitly arrange > > the transition for single-user mode (ala sulogin). > > out of curiosity during booting up I'm seeing > a mess load of *.sh files being called > before the policy is loaded. > > looking into this I'm seeing them in /lib/mkinitrd/scripts > before I go and mess around with initrd > what are the thoughts on this area? That's ok - I wouldn't worry about that. As I said, I think the solution here is just to disable the transition to sysadm_t, at least if DISTRO=suse. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 18:01 ` Stephen Smalley @ 2010-02-23 18:30 ` Justin P. mattock 2010-02-23 18:42 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 18:30 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/23/2010 10:01 AM, Stephen Smalley wrote: > On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: >> On 02/23/2010 08:10 AM, Stephen Smalley wrote: >>> On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: >>>> Would the proper solution be to add a transition to put that script in the right context when run from a shell? >>> >>> No. I think we just need to drop the transition to sysadm_t altogether >>> (at least in the ifdef suse case) and have userspace explicitly arrange >>> the transition for single-user mode (ala sulogin). >> >> out of curiosity during booting up I'm seeing >> a mess load of *.sh files being called >> before the policy is loaded. >> >> looking into this I'm seeing them in /lib/mkinitrd/scripts >> before I go and mess around with initrd >> what are the thoughts on this area? > > That's ok - I wouldn't worry about that. > > As I said, I think the solution here is just to disable the transition > to sysadm_t, at least if DISTRO=suse. > alright.. in regards to sysadm_t a quick google found something similar to what might be happening: http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03 Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 18:30 ` Justin P. mattock @ 2010-02-23 18:42 ` Stephen Smalley 2010-02-23 18:58 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-23 18:42 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Tue, 2010-02-23 at 10:30 -0800, Justin P. mattock wrote: > On 02/23/2010 10:01 AM, Stephen Smalley wrote: > > On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: > >> On 02/23/2010 08:10 AM, Stephen Smalley wrote: > >>> On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: > >>>> Would the proper solution be to add a transition to put that script in the right context when run from a shell? > >>> > >>> No. I think we just need to drop the transition to sysadm_t altogether > >>> (at least in the ifdef suse case) and have userspace explicitly arrange > >>> the transition for single-user mode (ala sulogin). > >> > >> out of curiosity during booting up I'm seeing > >> a mess load of *.sh files being called > >> before the policy is loaded. > >> > >> looking into this I'm seeing them in /lib/mkinitrd/scripts > >> before I go and mess around with initrd > >> what are the thoughts on this area? > > > > That's ok - I wouldn't worry about that. > > > > As I said, I think the solution here is just to disable the transition > > to sysadm_t, at least if DISTRO=suse. > > > > > alright.. in regards to sysadm_t > a quick google found something > similar to what might be happening: > > http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03 That was the original discussion that led to the logic you see in init.te today. In any event, I've taken this up as a separate issue on refpolicy list. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 18:42 ` Stephen Smalley @ 2010-02-23 18:58 ` Justin P. mattock 2010-02-23 19:00 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 18:58 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On 02/23/2010 10:42 AM, Stephen Smalley wrote: > On Tue, 2010-02-23 at 10:30 -0800, Justin P. mattock wrote: >> On 02/23/2010 10:01 AM, Stephen Smalley wrote: >>> On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: >>>> On 02/23/2010 08:10 AM, Stephen Smalley wrote: >>>>> On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: >>>>>> Would the proper solution be to add a transition to put that script in the right context when run from a shell? >>>>> >>>>> No. I think we just need to drop the transition to sysadm_t altogether >>>>> (at least in the ifdef suse case) and have userspace explicitly arrange >>>>> the transition for single-user mode (ala sulogin). >>>> >>>> out of curiosity during booting up I'm seeing >>>> a mess load of *.sh files being called >>>> before the policy is loaded. >>>> >>>> looking into this I'm seeing them in /lib/mkinitrd/scripts >>>> before I go and mess around with initrd >>>> what are the thoughts on this area? >>> >>> That's ok - I wouldn't worry about that. >>> >>> As I said, I think the solution here is just to disable the transition >>> to sysadm_t, at least if DISTRO=suse. >>> >> >> >> alright.. in regards to sysadm_t >> a quick google found something >> similar to what might be happening: >> >> http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03 > > That was the original discussion that led to the logic you see in > init.te today. In any event, I've taken this up as a separate issue on > refpolicy list. > alright.. I'll look to file some bugs at suse for pam.d, the config file with the permissions being that cause libselinux to default to targeted. and any other that I can think of. Justin P. mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 18:58 ` Justin P. mattock @ 2010-02-23 19:00 ` Stephen Smalley 2010-02-23 19:03 ` Justin Mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-23 19:00 UTC (permalink / raw) To: Justin P. mattock Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Tue, 2010-02-23 at 10:58 -0800, Justin P. mattock wrote: > On 02/23/2010 10:42 AM, Stephen Smalley wrote: > > On Tue, 2010-02-23 at 10:30 -0800, Justin P. mattock wrote: > >> On 02/23/2010 10:01 AM, Stephen Smalley wrote: > >>> On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: > >>>> On 02/23/2010 08:10 AM, Stephen Smalley wrote: > >>>>> On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: > >>>>>> Would the proper solution be to add a transition to put that script in the right context when run from a shell? > >>>>> > >>>>> No. I think we just need to drop the transition to sysadm_t altogether > >>>>> (at least in the ifdef suse case) and have userspace explicitly arrange > >>>>> the transition for single-user mode (ala sulogin). > >>>> > >>>> out of curiosity during booting up I'm seeing > >>>> a mess load of *.sh files being called > >>>> before the policy is loaded. > >>>> > >>>> looking into this I'm seeing them in /lib/mkinitrd/scripts > >>>> before I go and mess around with initrd > >>>> what are the thoughts on this area? > >>> > >>> That's ok - I wouldn't worry about that. > >>> > >>> As I said, I think the solution here is just to disable the transition > >>> to sysadm_t, at least if DISTRO=suse. > >>> > >> > >> > >> alright.. in regards to sysadm_t > >> a quick google found something > >> similar to what might be happening: > >> > >> http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03 > > > > That was the original discussion that led to the logic you see in > > init.te today. In any event, I've taken this up as a separate issue on > > refpolicy list. > > > > > alright.. > I'll look to file some bugs at suse > for pam.d, the config file with the > permissions being that cause libselinux to default > to targeted. and any other that I can think of. Might want to add it to: https://bugzilla.novell.com/show_bug.cgi?id=581505 -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 19:00 ` Stephen Smalley @ 2010-02-23 19:03 ` Justin Mattock 2010-02-23 20:37 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Justin Mattock @ 2010-02-23 19:03 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito On Tue, Feb 23, 2010 at 11:00 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Tue, 2010-02-23 at 10:58 -0800, Justin P. mattock wrote: >> On 02/23/2010 10:42 AM, Stephen Smalley wrote: >> > On Tue, 2010-02-23 at 10:30 -0800, Justin P. mattock wrote: >> >> On 02/23/2010 10:01 AM, Stephen Smalley wrote: >> >>> On Tue, 2010-02-23 at 09:41 -0800, Justin P. mattock wrote: >> >>>> On 02/23/2010 08:10 AM, Stephen Smalley wrote: >> >>>>> On Tue, 2010-02-23 at 10:56 -0500, Alan Rouse wrote: >> >>>>>> Would the proper solution be to add a transition to put that script in the right context when run from a shell? >> >>>>> >> >>>>> No. I think we just need to drop the transition to sysadm_t altogether >> >>>>> (at least in the ifdef suse case) and have userspace explicitly arrange >> >>>>> the transition for single-user mode (ala sulogin). >> >>>> >> >>>> out of curiosity during booting up I'm seeing >> >>>> a mess load of *.sh files being called >> >>>> before the policy is loaded. >> >>>> >> >>>> looking into this I'm seeing them in /lib/mkinitrd/scripts >> >>>> before I go and mess around with initrd >> >>>> what are the thoughts on this area? >> >>> >> >>> That's ok - I wouldn't worry about that. >> >>> >> >>> As I said, I think the solution here is just to disable the transition >> >>> to sysadm_t, at least if DISTRO=suse. >> >>> >> >> >> >> >> >> alright.. in regards to sysadm_t >> >> a quick google found something >> >> similar to what might be happening: >> >> >> >> http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=1000.html&month=2008-03 >> > >> > That was the original discussion that led to the logic you see in >> > init.te today. In any event, I've taken this up as a separate issue on >> > refpolicy list. >> > >> >> >> alright.. >> I'll look to file some bugs at suse >> for pam.d, the config file with the >> permissions being that cause libselinux to default >> to targeted. and any other that I can think of. > > Might want to add it to: > https://bugzilla.novell.com/show_bug.cgi?id=581505 > > -- > Stephen Smalley > National Security Agency > > cool, already one there. -- Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-23 19:03 ` Justin Mattock @ 2010-02-23 20:37 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-23 20:37 UTC (permalink / raw) To: Stephen Smalley Cc: Alan Rouse, Dominick Grift, selinux@tycho.nsa.gov, Christopher J. PeBenito alright.. here's the bug entries for OpenSUSE 11.2 and SELinux. https://bugzilla.novell.com/show_bug.cgi?id=581505 https://bugzilla.novell.com/show_bug.cgi?id=582366 https://bugzilla.novell.com/show_bug.cgi?id=582399 https://bugzilla.novell.com/show_bug.cgi?id=582404 Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-19 21:47 ` Justin P. mattock 2010-02-22 14:00 ` Stephen Smalley @ 2010-02-22 17:58 ` Alan Rouse 2010-02-22 18:23 ` Justin P. mattock 1 sibling, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-22 17:58 UTC (permalink / raw) To: Justin P. mattock, Stephen Smalley Cc: Dominick Grift, 'selinux@tycho.nsa.gov' Justin wrote: > alan, > > here is a good tutorial on the login: > http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4 Do I need to change the login context for some linux user / users? > just make sure /etc/pam.d/* > has pam_selinux.so close/open > (in the certain files) I'm not following you. Do I need to edit one or more of the files in /etc/pam.d/? Sorry I'm a bit slow on this. You're knowledge about linux is leaving me in the dust! -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 17:58 ` Alan Rouse @ 2010-02-22 18:23 ` Justin P. mattock 2010-02-22 18:31 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-22 18:23 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/22/2010 09:58 AM, Alan Rouse wrote: > Justin wrote: >> alan, >> >> here is a good tutorial on the login: >> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=4 > > Do I need to change the login context for some linux user / users? > cant remember what fedora is(I think its staff_t:unconfined_r:unconfined_t) over here I have name:user_r:user_t which gives the minimal amount of privileges for the system to run in. >> just make sure /etc/pam.d/* >> has pam_selinux.so close/open >> (in the certain files) > > I'm not following you. Do I need to edit one or more of the files in /etc/pam.d/? > > Sorry I'm a bit slow on this. You're knowledge about linux is leaving me in the dust! hey man!! I'm still a newbie over here. Anyways /etc/pam.d/ has login,gdm,xdm,and sshd. (and maybe a couple of others) that need to have pam_selinux.so in them in order to get the user in the right context. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-22 18:23 ` Justin P. mattock @ 2010-02-22 18:31 ` Alan Rouse 2010-02-22 18:49 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-22 18:31 UTC (permalink / raw) To: Justin P. mattock Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' Justin wrote: > Anyways /etc/pam.d/ has login,gdm,xdm,and sshd. > (and maybe a couple of others) > that need to have pam_selinux.so in them in order to get the user in the right context. What exactly should I put in those files? Literally just a new line "pam_selinux.so" at the end of the existing file? Or are there other parms on the line? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-22 18:31 ` Alan Rouse @ 2010-02-22 18:49 ` Justin P. mattock 0 siblings, 0 replies; 113+ messages in thread From: Justin P. mattock @ 2010-02-22 18:49 UTC (permalink / raw) To: Alan Rouse Cc: Stephen Smalley, Dominick Grift, 'selinux@tycho.nsa.gov' On 02/22/2010 10:31 AM, Alan Rouse wrote: > Justin wrote: > >> Anyways /etc/pam.d/ has login,gdm,xdm,and sshd. >> (and maybe a couple of others) >> that need to have pam_selinux.so in them in order to get the user in the right context. > > What exactly should I put in those files? Literally just a new line "pam_selinux.so" at the end of the existing file? Or are there other parms on the line? > I modified them as this: /etc/pam.d/* cat login #%PAM-1.0 auth requisite pam_nologin.so auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth include common-auth account include common-account password include common-password session required pam_selinux.so close session required pam_loginuid.so session include common-session session required pam_selinux.so open session required pam_lastlog.so nowtmp session optional pam_mail.so standard session optional pam_ck_connector.so cat gdm #%PAM-1.0 auth include common-auth account include common-account password include common-password session required pam_selinux.so close session required pam_loginuid.so session include common-session session required pam_selinux.so open cat xdm #%PAM-1.0 auth include common-auth account include common-account password include common-password session required pam_selinux.so close session required pam_loginuid.so session include common-session session required pam_selinux.so open if your going todo any ssh with the policy in enforcing mode then modify sshd as well so youu can login correctly. (off to grab the right info for stephen about /sbin/init). Jutin P. mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
[parent not found: <5A5E55DF96F73844AF7DFB0F48721F0F529A780232@EUSAACMS0703.eamcs.ericsson.se>]
* RE: SELinux Policy in OpenSUSE 11.2 [not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780232@EUSAACMS0703.eamcs.ericsson.se> @ 2010-02-17 19:58 ` Stephen Smalley 2010-02-17 20:09 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 19:58 UTC (permalink / raw) To: Alan Rouse; +Cc: selinux On Wed, 2010-02-17 at 14:37 -0500, Alan Rouse wrote: > Oops. > > I'm a bit confused though. What are the scenarios that trigger an > autorelabel? I've not had any luck with the -autorelabel kernel boot > parameter, nor with the /.autorelabel flag file. OTOH sometimes when > I reboot it (apparently) decides to autorelabel. In Fedora, automatic relabeling is performed by /etc/rc.d/rc.sysinit. It is triggered if SELinux is enabled and either: 1) the word "autorelabel" appears as a parameter in the kernel command line, or 2) a file named "/.autorelabel" exists (in which case the file is then removed) The /.autorelabel file is automatically created by rc.sysinit if you ever boot with SELinux disabled so that a subsequent boot with SELinux re-enabled will trigger the automatic relabeling as well. In any event, you can always just run fixfiles -F restore yourself (or run 'make relabel' from the refpolicy directory). -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 19:58 ` Stephen Smalley @ 2010-02-17 20:09 ` Justin P. mattock 2010-02-17 20:21 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 20:09 UTC (permalink / raw) To: Stephen Smalley; +Cc: Alan Rouse, selinux On 02/17/2010 11:58 AM, Stephen Smalley wrote: > On Wed, 2010-02-17 at 14:37 -0500, Alan Rouse wrote: >> Oops. >> >> I'm a bit confused though. What are the scenarios that trigger an >> autorelabel? I've not had any luck with the -autorelabel kernel boot >> parameter, nor with the /.autorelabel flag file. OTOH sometimes when >> I reboot it (apparently) decides to autorelabel. > > In Fedora, automatic relabeling is performed by /etc/rc.d/rc.sysinit. > It is triggered if SELinux is enabled and either: > 1) the word "autorelabel" appears as a parameter in the kernel command > line, or > 2) a file named "/.autorelabel" exists (in which case the file is then > removed) > > The /.autorelabel file is automatically created by rc.sysinit if you > ever boot with SELinux disabled so that a subsequent boot with SELinux > re-enabled will trigger the automatic relabeling as well. > > In any event, you can always just run fixfiles -F restore yourself (or > run 'make relabel' from the refpolicy directory). > that's right the daemon.. figured they already had that there. anyways fixfiles works for now(hopefully). another thing I'm seeing is adding a user login to staff_u gives this: SELinux policy is not managed or store cannot be accessed. (even after adding seusers). but maybe for now that can be ignored, main thing is getting this system to load without crashing on dbus send/receive messages for some reason or another. (file labels must be out of whack somewhere, or maybe the login needs to be set right in order for dbus to do it's thing(I don't know at this point either). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:09 ` Justin P. mattock @ 2010-02-17 20:21 ` Stephen Smalley 2010-02-17 23:22 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 20:21 UTC (permalink / raw) To: Justin P. mattock; +Cc: Alan Rouse, selinux On Wed, 2010-02-17 at 12:09 -0800, Justin P. mattock wrote: > On 02/17/2010 11:58 AM, Stephen Smalley wrote: > > On Wed, 2010-02-17 at 14:37 -0500, Alan Rouse wrote: > >> Oops. > >> > >> I'm a bit confused though. What are the scenarios that trigger an > >> autorelabel? I've not had any luck with the -autorelabel kernel boot > >> parameter, nor with the /.autorelabel flag file. OTOH sometimes when > >> I reboot it (apparently) decides to autorelabel. > > > > In Fedora, automatic relabeling is performed by /etc/rc.d/rc.sysinit. > > It is triggered if SELinux is enabled and either: > > 1) the word "autorelabel" appears as a parameter in the kernel command > > line, or > > 2) a file named "/.autorelabel" exists (in which case the file is then > > removed) > > > > The /.autorelabel file is automatically created by rc.sysinit if you > > ever boot with SELinux disabled so that a subsequent boot with SELinux > > re-enabled will trigger the automatic relabeling as well. > > > > In any event, you can always just run fixfiles -F restore yourself (or > > run 'make relabel' from the refpolicy directory). > > > > > that's right the daemon.. figured they already had that there. > anyways fixfiles works for now(hopefully). > > another thing I'm seeing is > adding a user login to staff_u gives this: > SELinux policy is not managed or store cannot be accessed. > (even after adding seusers). That means your policy wasn't built as modular (MONOLITHIC=n). -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-17 20:21 ` Stephen Smalley @ 2010-02-17 23:22 ` Justin P. mattock 2010-02-18 15:17 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-17 23:22 UTC (permalink / raw) To: Stephen Smalley; +Cc: Alan Rouse, selinux On 02/17/2010 12:21 PM, Stephen Smalley wrote: > On Wed, 2010-02-17 at 12:09 -0800, Justin P. mattock wrote: >> On 02/17/2010 11:58 AM, Stephen Smalley wrote: >>> On Wed, 2010-02-17 at 14:37 -0500, Alan Rouse wrote: >>>> Oops. >>>> >>>> I'm a bit confused though. What are the scenarios that trigger an >>>> autorelabel? I've not had any luck with the -autorelabel kernel boot >>>> parameter, nor with the /.autorelabel flag file. OTOH sometimes when >>>> I reboot it (apparently) decides to autorelabel. >>> >>> In Fedora, automatic relabeling is performed by /etc/rc.d/rc.sysinit. >>> It is triggered if SELinux is enabled and either: >>> 1) the word "autorelabel" appears as a parameter in the kernel command >>> line, or >>> 2) a file named "/.autorelabel" exists (in which case the file is then >>> removed) >>> >>> The /.autorelabel file is automatically created by rc.sysinit if you >>> ever boot with SELinux disabled so that a subsequent boot with SELinux >>> re-enabled will trigger the automatic relabeling as well. >>> >>> In any event, you can always just run fixfiles -F restore yourself (or >>> run 'make relabel' from the refpolicy directory). >>> >> >> >> that's right the daemon.. figured they already had that there. >> anyways fixfiles works for now(hopefully). >> >> another thing I'm seeing is >> adding a user login to staff_u gives this: >> SELinux policy is not managed or store cannot be accessed. >> (even after adding seusers). > > That means your policy wasn't built as modular (MONOLITHIC=n). > my bad.. thought targeted was binary. In any case I looked for there refpolicy source and could not see/find. So I just grabbed an older version from tresys which I know works with distros(new policy probably is not ready(but I'm not the one to call that)). So after fussing with flex to build checkpolicy, the policy built and loaded just fine. enabling some booleans gets/takes care of some of the error messages from avahi and so forth. right now I'm looking at a clean bootup except for the dbus error(gdm crash)that was hitting earlier with the word "targeted". I do/am running in this context id -Z name:user_r:user_t after changing pam.d/login if I copy refpolicy to targeted the system loads but I'm left in this context: id -Z system_u:system_r:xdm_t (which looks like in pam.d somewhere needs pam_selinux.so) a bit fuzzed/tired at the moment taking a breather, then I'll start working away(anybody see/know anything let me know). Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 23:22 ` Justin P. mattock @ 2010-02-18 15:17 ` Alan Rouse 2010-02-18 18:33 ` Justin P. mattock 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-18 15:17 UTC (permalink / raw) To: Justin P. mattock, Stephen Smalley; +Cc: selinux@tycho.nsa.gov Justin wrote: > In any case I looked for there refpolicy source and could not see/find. http://software.opensuse.org/search?baseproject=openSUSE%3A11.2&p=1&q=selinux-policy Download selinux-policy-2.20081210-3.1.src.rpm from that page. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* Re: SELinux Policy in OpenSUSE 11.2 2010-02-18 15:17 ` Alan Rouse @ 2010-02-18 18:33 ` Justin P. mattock 2010-02-18 18:44 ` Alan Rouse 0 siblings, 1 reply; 113+ messages in thread From: Justin P. mattock @ 2010-02-18 18:33 UTC (permalink / raw) To: Alan Rouse; +Cc: Stephen Smalley, selinux@tycho.nsa.gov On 02/18/2010 07:17 AM, Alan Rouse wrote: > Justin wrote: >> In any case I looked for there refpolicy source and could not see/find. > > http://software.opensuse.org/search?baseproject=openSUSE%3A11.2&p=1&q=selinux-policy > > Download selinux-policy-2.20081210-3.1.src.rpm from that page. > > > cool thanks.. I used refpolicy-20081014.tar.bz2 which is pretty much similar to what they have. I'll see if I can get into the correct context and then go from there. only concern is the "targeted" issue A) did they plan for this i.g. a symlink or something as an extra way for something. B) libselinux is really going out of whack, and defaulting to targeted. I can update the userspace tools, but kind of wanted to avoid adding anything(leave it as pure to the distro as can be). but then again maybe it needs it. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-18 18:33 ` Justin P. mattock @ 2010-02-18 18:44 ` Alan Rouse 0 siblings, 0 replies; 113+ messages in thread From: Alan Rouse @ 2010-02-18 18:44 UTC (permalink / raw) To: Justin P. mattock; +Cc: Stephen Smalley, selinux@tycho.nsa.gov Justin wrote: > libselinux is really going out of whack, and defaulting to targeted. Maybe that problem has something to do with why my "setsebool -P" configurations are not persiting across a boot. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-16 21:30 ` Alan Rouse 2010-02-16 22:52 ` Dominick Grift @ 2010-02-17 13:35 ` Stephen Smalley 2010-02-17 15:14 ` Alan Rouse 1 sibling, 1 reply; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 13:35 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Tue, 2010-02-16 at 16:30 -0500, Alan Rouse wrote: > I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows: > > 1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su - > 2. install packages: > > selinux-tools > selinux-policy > libselinux* > libsemanage* > policycoreutils > checkpolicy > make > m4 > gcc > findutils-locate > git > > 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot. > 4. git clone http://oss.tresys.com/git/refpolicy.git > 5. change build.conf: "DIST = suse" and "MONOLITHIC = n" > 6. make clean; make conf; make; make install-src; You didn't do a make install or a make load? Given that you are doing a modular build, you have to do both to actually install the modules and link/expand them to kernel policy. make install-src isn't needed. In any event, I would suggest trying to use the OpenSUSE-provided policy first and seeing what issues arise there before you go switching to the upstream refpolicy. > 7. change /etc/refpolicy to point to the just-built policy version, and reboot > 8. restorecon -R /; reboot > > sestatus -v gives: > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy > > Process contexts: > Current context: system_u:system_r:sysadm_t > Init context: system_u:system_r:init_t > /sbin/mingetty system_u:system_r:sysadm_t > > File contexts: > Controlling term: system_u:object_r:tty_device_t > /etc/passwd system_u:object_r:etc_t > /etc/shadow system_u:object_r:shadow_t > /bin/bash system_u:object_r:shell_exec_t > /bin/login system_u:object_r:login_exec_t > /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t > /sbin/agetty system_u:object_r:getty_exec_t > /sbin/init system_u:object_r:init_exec_t > /sbin/mingetty system_u:object_r:getty_exec_t > /usr/sbin/sshd system_u:object_r:sshd_exec_t > /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t > /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t > > pstree- Z gives: > init(`system_u:system_r:init_t') > |-acpid(`system_u:system_r:sysadm_t') > |-auditd(`system_u:system_r:sysadm_t') > | |-audispd(`system_u:system_r:sysadm_t') > | | `-{audispd}(`system_u:system_r:sysadm_t') > | `-{auditd}(`system_u:system_r:sysadm_t') > |-cron(`system_u:system_r:sysadm_t') > |-cupsd(`system_u:system_r:sysadm_t') > |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t') > | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t') > |-dhcpcd(`system_u:system_r:dhcpc_t') > |-login(`system_u:system_r:sysadm_t') > | `-bash(`system_u:system_r:sysadm_t') > | `-pstree(`system_u:system_r:sysadm_t') > |-master(`system_u:system_r:sysadm_t') > | |-pickup(`system_u:system_r:sysadm_t') > | `-qmgr(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-mingetty(`system_u:system_r:sysadm_t') > |-nscd(`system_u:system_r:sysadm_t') > |-rpcbind(`system_u:system_r:sysadm_t') > |-rsyslogd(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | |-{rsyslogd}(`system_u:system_r:sysadm_t') > | `-{rsyslogd}(`system_u:system_r:sysadm_t') > |-startpar(`system_u:system_r:sysadm_t') > |-udevd(`system_u:system_r:sysadm_t') > | |-udevd(`system_u:system_r:sysadm_t') > | `-udevd(`system_u:system_r:sysadm_t') > `-vmtoolsd(`system_u:system_r:sysadm_t') > > Now, I tried setsebool -P init_upstart=1. It gives an error message: > ---------------- > Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin. > ---------------- > > So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool > (no error message returned, and "getsebool init_upstart" reports that > it was on. But after reboot it is off again... -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 13:35 ` Stephen Smalley @ 2010-02-17 15:14 ` Alan Rouse 2010-02-17 15:33 ` Stephen Smalley 0 siblings, 1 reply; 113+ messages in thread From: Alan Rouse @ 2010-02-17 15:14 UTC (permalink / raw) To: Stephen Smalley; +Cc: 'selinux@tycho.nsa.gov' I actually did do a make load but then rebooted so I figured it was an unnecessary step. It has been my understanding that Novell is not doing any SELinux policy development. The policy package currently in the OpenSuse 11.2 repository doesn't work, which supports that understanding... As does Thomas's recent message on this list. So I figured I'd need to move to the current edition of the reference policy to find active development going on, so there would be hope of bug fixes. In any case, the same issues seem to be present in both versions. -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Wednesday, February 17, 2010 8:35 AM To: Alan Rouse Cc: 'selinux@tycho.nsa.gov' Subject: RE: SELinux Policy in OpenSUSE 11.2 On Tue, 2010-02-16 at 16:30 -0500, Alan Rouse wrote: > I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows: > > 1. standard OpenSuse 11.2 install (using Gnome); boot; start > terminal; su - 2. install packages: > > selinux-tools > selinux-policy > libselinux* > libsemanage* > policycoreutils > checkpolicy > make > m4 > gcc > findutils-locate > git > > 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot. > 4. git clone http://oss.tresys.com/git/refpolicy.git > 5. change build.conf: "DIST = suse" and "MONOLITHIC = n" > 6. make clean; make conf; make; make install-src; You didn't do a make install or a make load? Given that you are doing a modular build, you have to do both to actually install the modules and link/expand them to kernel policy. make install-src isn't needed. In any event, I would suggest trying to use the OpenSUSE-provided policy first and seeing what issues arise there before you go switching to the upstream refpolicy. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
* RE: SELinux Policy in OpenSUSE 11.2 2010-02-17 15:14 ` Alan Rouse @ 2010-02-17 15:33 ` Stephen Smalley 0 siblings, 0 replies; 113+ messages in thread From: Stephen Smalley @ 2010-02-17 15:33 UTC (permalink / raw) To: Alan Rouse; +Cc: 'selinux@tycho.nsa.gov' On Wed, 2010-02-17 at 10:14 -0500, Alan Rouse wrote: > I actually did do a make load but then rebooted so I figured it was an > unnecessary step. With a monolithic policy (MONOLITHIC=y), make install installs the policy files under /etc/selinux/$SELINUXTYPE and make load loads it into the kernel, so a make load is unnecessary if you plan to reboot. With a modular policy (MONOLITHIC=n), make install installs the modules under /usr/share/selinux/$SELINUXTYPE and make load runs semodule on them to actually insert them into your policy store under /etc/selinux/$SELINUXTYPE/modules and then to generate a kernel policy image from them. So you do need the make load in the modular case. > It has been my understanding that Novell is not doing any SELinux > policy development. The policy package currently in the OpenSuse 11.2 > repository doesn't work, which supports that understanding... As does > Thomas's recent message on this list. So I figured I'd need to move > to the current edition of the reference policy to find active > development going on, so there would be hope of bug fixes. In any > case, the same issues seem to be present in both versions. Fair enough - I just wanted to ensure that you had in fact tried the opensuse-provided policy first and confirmed that it didn't work before moving onto the upstream one. In the Fedora case, it is often the other way around due to Fedora policy customizations, where the upstream refpolicy won't boot cleanly on a Fedora system without some work. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 113+ messages in thread
end of thread, other threads:[~2010-04-29 7:01 UTC | newest]
Thread overview: 113+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-29 6:43 SELinux Policy in OpenSUSE 11.2 Justin P. Mattock
2010-04-29 7:01 ` Justin P. Mattock
-- strict thread matches above, loose matches on Subject: below --
2010-02-17 14:04 Thomas
2010-02-16 14:55 Alan Rouse
2010-02-16 15:22 ` Dominick Grift
2010-02-16 18:04 ` Alan Rouse
2010-02-16 18:35 ` Dominick Grift
2010-02-16 18:52 ` Dominick Grift
2010-02-16 19:28 ` Stephen Smalley
2010-02-16 20:06 ` Justin P. mattock
2010-02-16 19:10 ` Stephen Smalley
2010-02-16 19:19 ` Alan Rouse
2010-02-16 19:38 ` Stephen Smalley
2010-02-16 21:30 ` Alan Rouse
2010-02-16 22:52 ` Dominick Grift
2010-02-17 3:36 ` Justin P. mattock
2010-02-17 7:16 ` Justin P. mattock
2010-02-17 13:43 ` Stephen Smalley
2010-02-17 15:35 ` Justin P. mattock
2010-02-17 16:34 ` Alan Rouse
2010-02-17 16:58 ` Stephen Smalley
2010-02-17 18:34 ` Alan Rouse
2010-02-17 18:50 ` Justin P. mattock
2010-02-17 18:58 ` Stephen Smalley
2010-02-17 19:39 ` Alan Rouse
2010-02-17 19:47 ` Justin P. mattock
2010-02-17 20:00 ` Stephen Smalley
2010-02-17 20:03 ` Alan Rouse
2010-02-17 20:12 ` Dominick Grift
2010-02-17 20:18 ` Stephen Smalley
2010-02-17 20:17 ` Alan Rouse
2010-02-17 20:25 ` Stephen Smalley
[not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A7802A0@EUSAACMS0703.eamcs.ericsson.se>
[not found] ` <1266438910.4945.137.camel@moss-pluto.epoch.ncsc.mil>
2010-02-17 20:49 ` Alan Rouse
2010-02-17 21:09 ` Stephen Smalley
2010-02-17 21:11 ` Alan Rouse
2010-02-17 21:29 ` Stephen Smalley
2010-02-17 21:37 ` Stephen Smalley
2010-02-17 21:48 ` Alan Rouse
2010-02-18 14:16 ` Stephen Smalley
2010-02-18 21:28 ` Stephen Smalley
2010-02-18 16:03 ` Stephen Smalley
2010-02-18 17:36 ` Alan Rouse
2010-02-18 17:53 ` Stephen Smalley
2010-02-18 18:21 ` Alan Rouse
2010-02-19 14:49 ` Stephen Smalley
2010-02-19 15:29 ` Alan Rouse
2010-02-19 17:46 ` Stephen Smalley
2010-02-19 20:23 ` Alan Rouse
2010-02-19 21:06 ` Stephen Smalley
2010-02-19 21:10 ` Alan Rouse
[not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780365@EUSAACMS0703.eamcs.ericsson.se>
2010-02-18 14:12 ` Stephen Smalley
2010-02-18 14:45 ` Alan Rouse
2010-02-17 20:08 ` Alan Rouse
2010-02-18 21:40 ` Justin P. mattock
2010-02-18 21:53 ` Alan Rouse
2010-02-18 23:17 ` Justin P. mattock
2010-02-19 14:35 ` Stephen Smalley
2010-02-19 15:43 ` Justin P. mattock
2010-02-19 15:58 ` Alan Rouse
2010-02-19 16:26 ` Justin P. mattock
2010-02-19 14:28 ` Stephen Smalley
2010-02-19 15:48 ` Justin P. mattock
2010-02-19 18:46 ` Justin P. mattock
2010-02-19 21:08 ` Alan Rouse
2010-02-19 21:19 ` Dominick Grift
2010-02-19 21:22 ` Justin P. mattock
2010-02-19 21:25 ` Stephen Smalley
2010-02-19 21:30 ` Alan Rouse
2010-02-19 21:37 ` Stephen Smalley
2010-02-19 21:53 ` Alan Rouse
2010-02-22 14:10 ` Stephen Smalley
[not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF16B@EUSAACMS0703.eamcs.ericsson.se>
[not found] ` <1266850844.15933.38.camel@moss-pluto.epoch.ncsc.mil>
2010-02-22 17:39 ` Alan Rouse
2010-02-22 17:56 ` Stephen Smalley
2010-02-22 19:12 ` Alan Rouse
2010-02-22 19:37 ` Stephen Smalley
2010-02-19 23:48 ` Justin P. mattock
2010-02-22 1:29 ` Justin P. mattock
2010-02-19 21:47 ` Justin P. mattock
2010-02-22 14:00 ` Stephen Smalley
2010-02-22 19:27 ` Justin Mattock
[not found] ` <dd18b0c31002221129s4be9b56cha13b7be39c2cba36@mail.gmail.com>
2010-02-22 19:57 ` Justin P. mattock
2010-02-22 20:24 ` Stephen Smalley
2010-02-22 21:25 ` Justin Mattock
2010-02-22 21:42 ` Stephen Smalley
2010-02-22 22:10 ` Justin P. mattock
2010-02-22 22:35 ` Justin Mattock
2010-02-23 6:17 ` Justin P. mattock
2010-02-23 13:40 ` Stephen Smalley
2010-02-23 14:13 ` Justin P. mattock
2010-02-23 15:56 ` Alan Rouse
2010-02-23 16:10 ` Stephen Smalley
2010-02-23 17:41 ` Justin P. mattock
2010-02-23 18:01 ` Stephen Smalley
2010-02-23 18:30 ` Justin P. mattock
2010-02-23 18:42 ` Stephen Smalley
2010-02-23 18:58 ` Justin P. mattock
2010-02-23 19:00 ` Stephen Smalley
2010-02-23 19:03 ` Justin Mattock
2010-02-23 20:37 ` Justin P. mattock
2010-02-22 17:58 ` Alan Rouse
2010-02-22 18:23 ` Justin P. mattock
2010-02-22 18:31 ` Alan Rouse
2010-02-22 18:49 ` Justin P. mattock
[not found] ` <5A5E55DF96F73844AF7DFB0F48721F0F529A780232@EUSAACMS0703.eamcs.ericsson.se>
2010-02-17 19:58 ` Stephen Smalley
2010-02-17 20:09 ` Justin P. mattock
2010-02-17 20:21 ` Stephen Smalley
2010-02-17 23:22 ` Justin P. mattock
2010-02-18 15:17 ` Alan Rouse
2010-02-18 18:33 ` Justin P. mattock
2010-02-18 18:44 ` Alan Rouse
2010-02-17 13:35 ` Stephen Smalley
2010-02-17 15:14 ` Alan Rouse
2010-02-17 15:33 ` Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.