I'm noticing the following messages showing up for the past few days (strict/enforcing):
Aug 21 13:31:15 fedora kernel: audit(1093120250.606:0): avc: denied { read } for pid=1558 exe=/sbin/microcode_ctl name=microcode dev=hda2 ino=2689367 scontext=system_u:system_r:cpucontrol_t tcontext=system_u:object_r:device_t tclass=lnk_file
Aug 21 13:31:15 fedora kernel: microcode: No new microdata for cpu 0
'ls -lZ /dev/cpu/0/microcode' yields:
lrwxrwxrwx root root system_u:object_r:device_t /dev/cpu/0/microcode -> ../../microcode
Does this link need to be labeled cpu_device_t, or
does 'allow cpucontrol_t device_t:lnk_file { read };' need
to be added to cpucontrol.te, or .... ?tom
[I sort of remember this being fixed a while back .....]
