OK, through a process of elimination, it appears that the "missing AVC" is
type=AVC msg=audit(1201380657.580:110): avc: denied { sys_tty_config
} for pid=2474 comm="console-kit-dae" capability=26
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=SYSCALL msg=audit(1201380657.580:110): arch=40000003 syscall=54
success=yes exit=0 a0=c a1=5603 a2=bfd48356 a3=c items=0 ppid=1
pid=2474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:system_dbusd_t:s0 key=(null)
or
#============= system_dbusd_t ==============
allow system_dbusd_t self:capability sys_tty_config;
If I haven't confused myself silly, adding this to the AVCs generated
in permissive mode makes sound work. Suspect "shutdown" may need this
too.
tom
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
