Re: yum/bootloader avcs?

Tom London wrote:

Running strict, latest Rawhide.

I happened to do today's updates in permissive
mode, and got the following avcs:

Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
ino=1130588 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { read } for pid=3865 exe=/usr/bin/id name=config dev=hda2
ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config
dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file


The first two of these (ref to /root/.bashrc, I believe) are not new, but
I don't remember seeing the others.


tom



The others are there only because you are running in permissive mode.
Basically there is a dontaudit in the policy on searches of /etc/selinux/config, but since you
are in permissive mode it allows you to continue and read the selinux files; this would not happen in
strict mode. So these are false error messages :^(
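
An added example, not part of the original thread: a small parser for the AVC records quoted above that tolerates the e-mail's line wrapping and merges the denials by source type, target type and object class, which makes it easy to see which domain/type pairs a batch of permissive-mode messages involves. The function names `parse_avcs` and `summarize` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Denials copied from the message above, kept with the e-mail's line wrapping.
SAMPLE = """\
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
ino=1130588 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { read } for pid=3865 exe=/usr/bin/id name=config dev=hda2
ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config
dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)",
    re.DOTALL,  # let the key=value section span wrapped lines
)

def parse_avcs(text):
    """Yield one dict per denial; tolerates records wrapped over several lines."""
    for m in AVC_RE.finditer(text):
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        yield {
            "perms": m.group("perms").split(),
            "exe": fields.get("exe"),
            "object": fields.get("path") or fields.get("name"),
            "source_type": m.group("scontext").split(":")[2],  # user:role:type
            "target_type": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        }

def summarize(text):
    """Merge denials into (source_type, target_type, class) -> sorted permissions."""
    merged = defaultdict(set)
    for rec in parse_avcs(text):
        merged[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```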


