Running targeted/enforcing, latest rawhide.

Rebooting after today's updates (including .1261 and selinux-policy-targeted-1.23.12-4), graphical logins fail.

Looks like search access to /proc/PROCESS-ID directories is failing. (Also show an early hotplug attempt at writing to sysfs_t).

I worked around this by doing an 'ALT-CTL-F2', and logging in on the text console, and doing a 'setenforce 0'. Reverting to graphical via 'ALT-CTL-F7' now allows login.

/var/log messages show a very large number of avcs, including many that look like:

Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated /etc/resolv.conf

and

Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=4 dev=proc ino=262146 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
<<<<SNIP many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2111 dev=proc ino=138346498 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2476 dev=proc ino=162267138 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2575 dev=proc ino=168755202 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
<<<<SNIP many, many.... >>>>

etc. etc.

Is this a policy change, or did something else change? Or, did I just botch it again?

thanks,
tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
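
Added example, not part of the original post: a small Python triage script that collapses a flood of AVC denials like the one quoted above into distinct (source type, device, class, permission) groups with the target types each one hit. The function names `parse_avc` and `summarize` are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Lines copied from the post above (syslog format, kernel "audit(...): avc:" records).
SAMPLE_LOG = """\
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; the fields used below never contain spaces.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        return {
            "perms": tuple(m.group("perms").split()),
            # A context is user:role:type[:level]; the type is the third part.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "dev": fields.get("dev", "?"),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Group denials by (source type, dev, class, perms); count and collect target types."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["dev"], rec["tclass"], rec["perms"])]
            g["count"] += 1
            g["targets"].add(rec["target"])
    return {k: {"count": v["count"], "targets": sorted(v["targets"])} for k, v in groups.items()}

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(info["count"], *key[:3], "{" + " ".join(key[3]) + "}", "->", ", ".join(info["targets"]))
```

On the sample, the denials reduce to two patterns: `init_t` searching `proc` directories labelled with several process domains, and `hotplug_t` writing to `sysfs_t` directories.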