https://bugzilla.redhat.com/show_bug.cgi?id=558499

In Fedora 13, we had a rule that said

    dontaudit domain rpm_tmp_t:file { read write };

rpm changed the access on rpm_tmp_t to be { read append }. This caused the following AVC:

node=(removed) type=AVC msg=audit(1264430091.330:28): avc: denied { read append } for pid=2933 comm="rpc.statd" path="/tmp/tmp9IF8MN" dev=dm-0 ino=432 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1264430091.330:28): arch=c000003e syscall=59 success=yes exit=0 a0=28bd8d0 a1=28bdb50 a2=28bc920 a3=7fff07d44c30 items=0 ppid=2932 pid=2933 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

This indicates that rpcd_t did not have read append access. It should have only reported append access, since the read access should have been dontaudited.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
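The post's complaint rests on how an AVC record is supposed to be built: the kernel takes the permissions that were requested but not allowed, removes whatever a matching dontaudit rule covers, and logs only the remainder. The script below is an added example (not part of the post, and not SELinux's own code) that parses the AVC record quoted above and computes what that rule should have left in the log. It assumes rpcd_t carries the `domain` attribute (so the quoted rule applies to it) and that no allow rule grants rpcd_t anything on rpm_tmp_t:file; the policy rules are modelled as plain Python sets.

```python
import re

# AVC record copied from the post (the node= field is dropped).
AVC_LINE = (
    'type=AVC msg=audit(1264430091.330:28): avc: denied { read append } for '
    'pid=2933 comm="rpc.statd" path="/tmp/tmp9IF8MN" dev=dm-0 ino=432 '
    'scontext=unconfined_u:system_r:rpcd_t:s0 '
    'tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file'
)

# The rule quoted in the post, as a set:
#   dontaudit domain rpm_tmp_t:file { read write };
# Assumption: rpcd_t has the 'domain' attribute, so the rule applies to it.
DONTAUDIT_RPM_TMP_FILE = {"read", "write"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract the denied permissions and the source/target types from one
    AVC denial record. Returns None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def audited_perms(denied, dontaudit):
    """Permissions the kernel should write into the AVC record: the denied
    set (requested minus allowed) with the dontaudited permissions removed."""
    return set(denied) - set(dontaudit)


def explain_record(line):
    """Compare what the record logged with what the quoted dontaudit rule
    says should have been logged. Returns (logged, expected)."""
    rec = parse_avc(line)
    if rec is None:
        raise ValueError("not an AVC denial record")
    if (rec["stype"], rec["ttype"], rec["tclass"]) != ("rpcd_t", "rpm_tmp_t", "file"):
        raise ValueError("this example only models rpcd_t -> rpm_tmp_t:file")
    expected = audited_perms(rec["perms"], DONTAUDIT_RPM_TMP_FILE)
    return rec["perms"], expected


if __name__ == "__main__":
    logged, expected = explain_record(AVC_LINE)
    print("logged:  ", sorted(logged))    # ['append', 'read']
    print("expected:", sorted(expected))  # ['append']
```

Run as-is it reproduces the discrepancy the post describes: the record carries both `read` and `append`, while subtracting the dontaudited `{ read write }` leaves only `append`. When triaging AVCs the same subtraction is worth doing by hand before writing a new allow rule, so that a permission already covered by a dontaudit is not granted just because it appeared in the log.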