.525 kernel and strict/enforcing (!?!?)

[Tom London <selinux@xxxxxxxxxxx>]

Wow, the new kernel (.525) seems to not quite work with strict/enforcing.
(Took me a while to recover, so tread carefully!)

It manages to boot with strict/permissive, but there are hordes of
avc messages....  Here are just the first....

Also, I notice that the initrd for .525 is about 625KB, compared
with about 180KB for previous versions.

Is it running udev, etc., off of the initrd?

tom

> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev rootfs, type 
> rootfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev sysfs, type 
> sysfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  
> { read write } for  pid=1 exe=/sbin/init path=/dev/console dev=ramfs 
> ino=847 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  
> { read } for  pid=1 exe=/sbin/init path=/init dev=rootfs ino=17 
> scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.963:0): avc:  denied  
> { ioctl } for  pid=1 exe=/sbin/init path=/dev/tty0 dev=ramfs ino=1126 
> scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { write } for  pid=1 exe=/sbin/init dev=ramfs ino=846 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { add_name } for  pid=1 exe=/sbin/init name=initctl 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { create } for  pid=1 exe=/sbin/init name=initctl 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { read write } for  pid=1 exe=/sbin/init name=initctl dev=ramfs 
> ino=1787 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { getattr } for  pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs 
> ino=1787 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.094:0): avc:  denied  
> { read write } for  pid=403 exe=/bin/hostname path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:hostname_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.565:0): avc:  denied  
> { read write } for  pid=449 exe=/bin/mount path=/dev/console dev=ramfs 
> ino=847 scontext=system_u:system_r:mount_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.566:0): avc:  denied  
> { search } for  pid=449 exe=/bin/mount dev=ramfs ino=846 
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc:  denied  
> { search } for  pid=451 exe=/bin/bash dev=ramfs ino=846 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc:  denied  
> { read write } for  pid=451 exe=/bin/bash name=tty dev=ramfs ino=1120 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.898:0): avc:  denied  
> { read write } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.899:0): avc:  denied  
> { getattr } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.900:0): avc:  denied  
> { ioctl } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { read write } for  pid=536 exe=/sbin/minilogd path=/dev/null 
> dev=ramfs ino=848 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { use } for  pid=536 exe=/sbin/minilogd path=/init dev=rootfs ino=17 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:system_r:kernel_t tclass=fd
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { search } for  pid=536 exe=/sbin/minilogd dev=ramfs ino=846 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { write } for  pid=536 exe=/sbin/minilogd dev=ramfs ino=846 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { add_name } for  pid=536 exe=/sbin/minilogd name=log 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { create } for  pid=536 exe=/sbin/minilogd name=log 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { getattr } for  pid=540 exe=/sbin/minilogd path=/dev/log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { read write } for  pid=538 exe=/sbin/udev name=.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { lock } for  pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { getattr } for  pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.665:0): avc:  denied  
> { write } for  pid=538 exe=/sbin/udev name=log dev=ramfs ino=2057 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { write } for  pid=538 exe=/sbin/udev dev=ramfs ino=846 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { add_name } for  pid=538 exe=/sbin/udev name=input 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { create } for  pid=538 exe=/sbin/udev name=input 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc:  denied  
> { create } for  pid=538 exe=/sbin/udev name=event0 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc:  denied  
> { setattr } for  pid=538 exe=/sbin/udev name=event0 dev=ramfs ino=2069 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.059:0): avc:  denied  
> { read write } for  pid=546 exe=/sbin/restorecon path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:restorecon_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.061:0): avc:  denied  
> { getattr } for  pid=546 exe=/sbin/restorecon path=/dev/input/event0 
> dev=ramfs ino=2069 scontext=system_u:system_r:restorecon_t 
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.226:0): avc:  denied  
> { getattr } for  pid=547 exe=/sbin/udev path=/dev/input dev=ramfs 
> ino=2066 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087661.046:0): avc:  denied  
> { write } for  pid=540 exe=/sbin/minilogd name=log dev=ramfs ino=2057 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc:  denied  
> { getattr } for  pid=568 exe=/sbin/udev path=/dev/full dev=ramfs 
> ino=883 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc:  denied  
> { setattr } for  pid=568 exe=/sbin/udev name=full dev=ramfs ino=883 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.893:0): avc:  denied  
> { create } for  pid=596 exe=/sbin/udev name=XOR 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=lnk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc:  denied  
> { remove_name } for  pid=897 exe=/sbin/udev name=vcs1 dev=ramfs 
> ino=1564 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc:  denied  
> { unlink } for  pid=897 exe=/sbin/udev name=vcs1 dev=ramfs ino=1564 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087668.270:0): avc:  denied  
> { unlink } for  pid=919 exe=/sbin/udev name=vcsa1 dev=ramfs ino=2889 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.159:0): avc:  denied  
> { getattr } for  pid=1476 exe=/sbin/udev path=/dev/vcs1 dev=ramfs 
> ino=3133 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc:  denied  
> { getattr } for  pid=1497 exe=/sbin/udev path=/dev/hda dev=ramfs 
> ino=1582 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc:  denied  
> { setattr } for  pid=1497 exe=/sbin/udev name=hda dev=ramfs ino=1582 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc:  denied  
> { remove_name } for  pid=1637 exe=/sbin/minilogd name=log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc:  denied  
> { unlink } for  pid=1637 exe=/sbin/minilogd name=log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.376:0): avc:  denied  
> { read write } for  pid=1836 exe=/bin/dmesg path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:dmesg_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.406:0): avc:  denied  
> { mounton } for  pid=1837 exe=/bin/mount path=/dev/pts dev=ramfs 
> ino=850 scontext=system_u:system_r:mount_t 
> tcontext=system_u:object_r:unlabeled_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.700:0): avc:  denied  
> { read write } for  pid=1849 exe=/sbin/hwclock path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc:  denied  
> { search } for  pid=1849 exe=/sbin/hwclock dev=ramfs ino=846 
> scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc:  denied  
> { ioctl } for  pid=1849 exe=/sbin/hwclock path=/dev/rtc dev=ramfs 
> ino=941 scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: ACPI: Power Button (FF) [PWRF]