# SELinux avc denials

## al-Quaknaa

Hi,

I'm installing a gentoo+hardened+selinux system (using selinux/2007.0/amd64/hardened profile) and I guess I have selinux up and running (I relabeled everything with rlpkg -a -r), just missing some policies (my guess only!), because I have a lot of avc denial messages on boot (there's not much more this machine is going to do - just host some Xen guests). This is what I get right after boot, login and remote ssh login.

```

audit(1203374381.820:2): policy loaded auid=4294967295

audit(1203374381.820:3): avc:  denied  { read } for  pid=1 comm="init" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374381.910:4): avc:  denied  { read } for  pid=9416 comm="rc" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.320:5): avc:  denied  { write } for  pid=9418 comm="bash" name="null" dev=dm-6 ino=68585 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.320:6): avc:  denied  { write } for  pid=9418 comm="consoletype" name="null" dev=dm-6 ino=68585 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.320:7): avc:  denied  { read } for  pid=9418 comm="consoletype" name="ld.so.cache" dev=dm-6 ino=69737 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t tclass=file

audit(1203374382.320:8): avc:  denied  { getattr } for  pid=9418 comm="consoletype" name="ld.so.cache" dev=dm-6 ino=69737 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t tclass=file

audit(1203374382.320:9): avc:  denied  { read } for  pid=9418 comm="consoletype" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.460:10): avc:  denied  { getattr } for  pid=9416 comm="bash" name="null" dev=dm-6 ino=68585 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.490:11): avc:  denied  { read } for  pid=9425 comm="dmesg" name="ld.so.cache" dev=dm-6 ino=69737 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file

audit(1203374382.490:12): avc:  denied  { getattr } for  pid=9425 comm="dmesg" name="ld.so.cache" dev=dm-6 ino=69737 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file

audit(1203374382.500:13): avc:  denied  { read } for  pid=9425 comm="dmesg" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.520:14): avc:  denied  { write } for  pid=9428 comm="mount" name="null" dev=dm-6 ino=68585 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1203374382.560:15): avc:  denied  { read } for  pid=9428 comm="mount" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file

grsec: mount of proc to /proc by /bin/mount[mount:9428] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9427] uid/euid:0/0 gid/egid:0/0

grsec: mount of sysfs to /sys by /bin/mount[mount:9442] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9441] uid/euid:0/0 gid/egid:0/0

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

grsec: mount of udev to /dev by /bin/mount[mount:9471] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9470] uid/euid:0/0 gid/egid:0/0

audit(1203374382.970:16): avc:  denied  { write } for  pid=9477 comm="bash" name="null" dev=tmpfs ino=3476 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374383.210:17): avc:  denied  { read } for  pid=9485 comm="write_root_link" name="console" dev=tmpfs ino=3470 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374383.410:18): avc:  denied  { execute } for  pid=9517 comm="udevd" name="usb_id" dev=dm-6 ino=483374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file

audit(1203374383.410:19): avc:  denied  { execute_no_trans } for  pid=9517 comm="udevd" name="usb_id" dev=dm-6 ino=483374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file

audit(1203374383.720:20): avc:  denied  { read } for  pid=9588 comm="modprobe" name="console" dev=tmpfs ino=3470 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374384.460:21): avc:  denied  { getattr } for  pid=9779 comm="modprobe.sh" name="modprobe.conf" dev=dm-6 ino=69883 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=file

audit(1203374384.460:22): avc:  denied  { read } for  pid=9909 comm="grep" name="modprobe.conf" dev=dm-6 ino=69883 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=file

sd 0:0:0:0: Attached scsi generic sg0 type 0

sd 1:0:0:0: Attached scsi generic sg1 type 0

sd 2:0:0:0: Attached scsi generic sg2 type 0

sr 3:0:0:0: Attached scsi generic sg3 type 5

audit(1203374384.970:23): avc:  denied  { relabelfrom } for  pid=10043 comm="udevd" name="EAE87168E8713443" dev=tmpfs ino=4943 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file

audit(1203374384.970:24): avc:  denied  { relabelto } for  pid=10043 comm="udevd" name="EAE87168E8713443" dev=tmpfs ino=4943 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file

ACPI: PCI Interrupt 0000:00:1f.3[B] -> GSI 19 (level, low) -> IRQ 19

input: PC Speaker as /class/input/input4

audit(1203374386.820:25): avc:  denied  { read write } for  pid=10187 comm="lvm" name="device-mapper" dev=tmpfs ino=4694 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374386.820:26): avc:  denied  { ioctl } for  pid=10187 comm="lvm" name="device-mapper" dev=tmpfs ino=4694 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374386.980:27): avc:  denied  { ioctl } for  pid=10188 comm="evms_activate" name="control" dev=tmpfs ino=7402 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374387.290:28): avc:  denied  { create } for  pid=10188 comm="evms_activate" name="dm-0" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file

audit(1203374387.290:29): avc:  denied  { read write } for  pid=10188 comm="evms_activate" name="dm-0" dev=tmpfs ino=7427 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file

audit(1203374387.300:30): avc:  denied  { ioctl } for  pid=10188 comm="evms_activate" name="sda" dev=tmpfs ino=7459 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file

audit(1203374387.300:31): avc:  denied  { getattr } for  pid=10188 comm="evms_activate" name="sda" dev=tmpfs ino=7459 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file

audit(1203374387.910:32): avc:  denied  { unlink } for  pid=10188 comm="evms_activate" name="sdc" dev=tmpfs ino=7520 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1203374387.920:33): avc:  denied  { unlink } for  pid=10188 comm="evms_activate" name="dm-0" dev=tmpfs ino=7427 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file

audit(1203374388.150:34): avc:  denied  { read } for  pid=10233 comm="mount" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374400.160:35): avc:  denied  { mount } for  pid=10377 comm="mount" name="/" dev=securityfs ino=7968 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem

grsec: mount of securityfs to /sys/kernel/security by /bin/mount[mount:10377] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10358] uid/euid:0/0 gid/egid:0/0

Adding 1052248k swap on /dev/evms/swap1.  Priority:1 extents:1 across:1052248k

Adding 1052248k swap on /dev/evms/swap2.  Priority:1 extents:1 across:1052248k

audit(1203374400.260:36): avc:  denied  { getattr } for  pid=10380 comm="bash" name="xen" dev=proc ino=4026533134 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1203374400.260:37): avc:  denied  { search } for  pid=10380 comm="bash" name="xen" dev=proc ino=4026533134 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1203374400.260:38): avc:  denied  { getattr } for  pid=10380 comm="bash" name="capabilities" dev=proc ino=4026533372 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1203374400.260:39): avc:  denied  { read } for  pid=10380 comm="bash" name="capabilities" dev=proc ino=4026533372 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1203374400.320:40): avc:  denied  { read } for  pid=10393 comm="hwclock" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

grsec: time set by /sbin/hwclock[hwclock:10395] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10394] uid/euid:0/0 gid/egid:0/0

audit(1203374402.757:41): avc:  denied  { read } for  pid=10440 comm="restorecon" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374402.827:42): avc:  denied  { read } for  pid=10443 comm="dmesg" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374403.697:43): avc:  denied  { read } for  pid=10515 comm="consoletype" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374405.087:44): avc:  denied  { read } for  pid=10864 comm="hostname" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374409.477:45): avc:  denied  { read } for  pid=11592 comm="arping" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:netutils_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

tg3: eth0: Link is up at 100 Mbps, full duplex.

tg3: eth0: Flow control is on for TX and on for RX.

audit(1203374414.378:46): avc:  denied  { read } for  pid=12287 comm="metalog" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374416.488:47): avc:  denied  { write } for  pid=12404 comm="python" name="privcmd" dev=proc ino=4026533371 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1203374416.698:48): avc:  denied  { ioctl } for  pid=12404 comm="python" name="privcmd" dev=proc ino=4026533371 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

Bridge firewalling registered

audit(1203374417.318:49): avc:  denied  { execute } for  pid=12428 comm="udevd" name="net.sh" dev=dm-6 ino=483480 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file

audit(1203374417.318:50): avc:  denied  { execute_no_trans } for  pid=12428 comm="udevd" name="net.sh" dev=dm-6 ino=483480 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file

audit(1203374417.328:51): avc:  denied  { write } for  pid=12430 comm="brctl" name="tmpbridge" dev=sysfs ino=11199 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t tclass=dir

tg3: peth0: Link is up at 100 Mbps, full duplex.

tg3: peth0: Flow control is on for TX and on for RX.

device peth0 entered promiscuous mode

audit(1203374419.768:52): dev=peth0 prom=256 old_prom=0 auid=4294967295

eth0: port 1(peth0) entering learning state

eth0: topology change detected, propagating

eth0: port 1(peth0) entering forwarding state

audit(1203374419.978:53): avc:  denied  { create } for  pid=12475 comm="xenstored" name="socket" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=sock_file

audit(1203374419.988:54): avc:  denied  { setattr } for  pid=12475 comm="xenstored" name="socket" dev=dm-6 ino=410149 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=sock_file

audit(1203374420.028:55): avc:  denied  { getattr } for  pid=12475 comm="xenstored" name="evtchn" dev=tmpfs ino=4722 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:xen_device_t tclass=chr_file

audit(1203374420.028:56): avc:  denied  { read write } for  pid=12475 comm="xenstored" name="evtchn" dev=tmpfs ino=4722 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:xen_device_t tclass=chr_file

audit(1203374420.028:57): avc:  denied  { ioctl } for  pid=12475 comm="xenstored" name="evtchn" dev=tmpfs ino=4722 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:xen_device_t tclass=chr_file

audit(1203374420.068:58): avc:  denied  { write } for  pid=12482 comm="xenconsoled" name="socket" dev=dm-6 ino=410149 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=sock_file

audit(1203374420.138:59): avc:  denied  { name_bind } for  pid=12485 comm="python" src=8002 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:xen_port_t tclass=tcp_socket

audit(1203374420.138:60): avc:  denied  { node_bind } for  pid=12485 comm="python" src=8002 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket

audit(1203374420.738:61): avc:  denied  { setattr } for  pid=12500 comm="python" name="xend" dev=dm-6 ino=410136 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir

audit(1203374422.958:62): avc:  denied  { read } for  pid=12645 comm="agetty" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1203374423.998:63): avc:  denied  { create } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374423.998:64): avc:  denied  { bind } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374423.998:65): avc:  denied  { getattr } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374423.998:66): avc:  denied  { write } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374423.998:67): avc:  denied  { nlmsg_read } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374423.998:68): avc:  denied  { read } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1203374432.938:69): avc:  denied  { search } for  pid=12688 comm="update-modules" name="lib" dev=dm-6 ino=106605 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:var_lib_t tclass=dir

audit(1203374432.938:70): avc:  denied  { search } for  pid=12688 comm="update-modules" name="init.d" dev=dm-6 ino=106720 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:initrc_state_t tclass=dir

audit(1203374432.938:71): avc:  denied  { getattr } for  pid=12688 comm="update-modules" name="softlevel" dev=dm-6 ino=106721 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:initrc_state_t tclass=file

audit(1203374432.938:72): avc:  denied  { read } for  pid=12694 comm="update-modules" name="softlevel" dev=dm-6 ino=106721 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:initrc_state_t tclass=file

audit(1203374434.168:73): avc:  denied  { ioctl } for  pid=12488 comm="python" name="privcmd" dev=proc ino=4026533371 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1203374436.718:74): avc:  denied  { read } for  pid=12710 comm="update-modules" name="build" dev=dm-6 ino=63177 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file

audit(1203374436.768:75): avc:  denied  { read } for  pid=13405 comm="update-modules" name="linux-2.6.20-hardened-r6" dev=dm-6 ino=312672 scontext=root:sysadm_r:update_modules_t tcontext=system_u:object_r:src_t tclass=dir

audit(1203374436.808:76): avc:  denied  { read write } for  pid=13408 comm="depmod" name="tty1" dev=tmpfs ino=3473 scontext=root:sysadm_r:depmod_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

audit(1203374436.808:77): avc:  denied  { read } for  pid=13408 comm="depmod" name="urandom" dev=tmpfs ino=4662 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

```

(this is what I get right after the boot)

I know it is most probably more problems than just one, but I thought there must be some simple step to fix this (I don't think adding the allows suggested by audit2allow -a is correct, but if it is - in this case - just tell me so :) ).

Thanks for any help as I'm just a SELinux beginner :) Also, if you're missing any info, just ask and I will submit it as soon as possible.

Thanks in advance,

al-Quaknaa
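As an added triage aid (not part of the thread or of audit2allow itself), the script below parses the kernel-printk AVC lines in the format shown above, merges them per (source type, target type, class) the way audit2allow does, and separates denials whose target still carries a generic label (file_t, unlabeled_t, device_t) from denials against a properly labeled target. The first group points at a labeling problem, not a missing rule, which is why blindly applying audit2allow -a output is the wrong fix for them. The regexes, the GENERIC_TYPES set and the verdict logic are assumptions of this example.

```python
import re
from collections import defaultdict

# Kernel-printk AVC format from this thread (no auditd running):
#   audit(TS:SERIAL): avc:  denied  { perm perm } for  key=value key="value" ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic/fallback target types (assumed list). A denial against one of these
# normally means the object never received its real label (e.g. /dev nodes that
# are still file_t or device_t before udev relabels them), so the fix is to
# relabel, not to add an allow rule for the generic type.
GENERIC_TYPES = {"file_t", "unlabeled_t", "device_t", "default_t"}

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):          # user:role:type[:range]
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else ""
    return rec

def classify(rec):
    """'relabel' if the target carries a generic label, else 'policy'."""
    return "relabel" if rec["tcontext_type"] in GENERIC_TYPES else "policy"

def summarize(lines):
    """Merge denials per (source, target, class) and keep the verdict separate,
    so relabel candidates never end up in a generated allow rule."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", ""), classify(rec))
        merged[key].update(rec["perms"])
    result = []
    for (src, tgt, cls, verdict), perms in sorted(merged.items()):
        perms = sorted(perms)
        result.append({
            "source": src, "target": tgt, "tclass": cls, "verdict": verdict,
            "perms": perms,
            "rule": f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};",
        })
    return result

# Constructed sample: a few lines copied from the first post plus one non-AVC
# grsec line, chosen so both verdicts show up.
SAMPLE_LINES = [
    'audit(1203374381.820:3): avc:  denied  { read } for  pid=1 comm="init" name="urandom" dev=dm-6 ino=73810 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file',
    'grsec: mount of proc to /proc by /bin/mount[mount:9428] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9427] uid/euid:0/0 gid/egid:0/0',
    'audit(1203374386.820:25): avc:  denied  { read write } for  pid=10187 comm="lvm" name="device-mapper" dev=tmpfs ino=4694 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file',
    'audit(1203374386.820:26): avc:  denied  { ioctl } for  pid=10187 comm="lvm" name="device-mapper" dev=tmpfs ino=4694 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file',
    'audit(1203374388.150:34): avc:  denied  { read } for  pid=10233 comm="mount" name="urandom" dev=tmpfs ino=4662 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file',
    'audit(1203374420.138:59): avc:  denied  { name_bind } for  pid=12485 comm="python" src=8002 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:xen_port_t tclass=tcp_socket',
    'audit(1203374423.998:63): avc:  denied  { create } for  pid=12645 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket',
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LINES):
        print(f"[{r['verdict']:7}] {r['rule']}")
```

Feed it `dmesg` output and only review the "policy" rows as candidate rules; for the "relabel" rows check the file contexts (restorecon/rlpkg) and when in the boot sequence the object got its label instead.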

----------

## lol.2.dol

I've the same problem. I think it's because the base-policy is not loaded, but I don't find how to load it...

When I do a semodule -R, I've only the gpm & logrotate policy loaded.

----------

## swingman

Did you ever find a solution to this?

I'm just now experimenting with a Gentoo 2007.0 selinux, updated to today's package versions, and I get the same violations.

The below mail discussion helped pinpoint some problems, and solve some.

http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html

However, there are still a number of violations that must be due to faulty rules or types.

The below is from the system boot up until the first login.

```

audit(1205311345.096:2): policy loaded auid=4294967295

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

audit(1205311345.562:3): avc:  denied  { write } for  pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1205311345.624:4): avc:  denied  { read } for  pid=955 comm="write_root_link" name="console" dev=tmpfs ino=1307 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

SELinux: initialized (dev securityfs, type securityfs), not configured for labeling

audit(1205311352.640:5): avc:  denied  { mount } for  pid=1756 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem

Adding 977216k swap on /dev/hda1.  Priority:-1 extents:1 across:977216k

audit(1205311359.150:6): avc:  denied  { write } for  pid=2470 comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file

audit(1205311359.154:7): avc:  denied  { setattr } for  pid=2525 comm="chmod" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file

audit(1205311362.834:8): avc:  denied  { search } for  pid=3168 comm="syslog-ng" name="lib" dev=hda2 ino=33576422 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir

audit(1205311362.834:9): avc:  denied  { read } for  pid=3168 comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file

audit(1205311362.834:10): avc:  denied  { getattr } for  pid=3168 comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file

eth0: link up, 100Mbps, full-duplex

audit(1205311366.898:11): avc:  denied  { nlmsg_write } for  pid=3576 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket

audit(1205307770.810:12): avc:  denied  { create } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1205307770.810:13): avc:  denied  { bind } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1205307770.810:14): avc:  denied  { getattr } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1205307770.810:15): avc:  denied  { write } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1205307770.810:16): avc:  denied  { nlmsg_read } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

audit(1205307770.810:17): avc:  denied  { read } for  pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket

```

I could of course change the policies to make this boot silently and make it possible to enforce the rules, but that would make me have to re-do all the editing every time there's an update to selinux-base-policy, right?

/Bjorn

----------

