Hello to all the list. I need your help to understand what's wrong here. I tried to convert my laptop to a SELinux profile (targeted) several times, following the documentation step by step. Now, the last time I tried, I'm using the 2.20120725-r3 policies from the hardened-dev overlay, but I found the same problems with every version of the policies I tried. The system is mainly amd64 (not ~amd64). The problems I find are:

1) It seems like some parts of the hardware can't be detected in enforcing mode: PulseAudio can't see the sound card, PowerDevil can't see power statistics, newly attached USB drives are ignored. Obviously selinux-consolekit, selinux-policykit and selinux-dbus are installed.

2) I use partition encryption (with cryptsetup), and if booting in enforcing mode it complains about a temporary file that is already there, but then it goes straight on.

3) Logging in as root with su or kdesu (in an X environment) takes too long: if the password I write is OK, it takes even some minutes to give me the root shell.
Thank you in advance for your help.

This is my emerge --info:

Portage 2.1.11.9 (default/linux/amd64/10.0/selinux, gcc-4.5.3, glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname: Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Sun, 19 Aug 2012 12:45:01 +0000
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/cmake: 2.8.8-r3
dev-util/pkgconfig: 0.27
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.3-r2
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo mozilla hardened-dev lcd-filtering
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/mozilla /var/lib/layman/hardened-development /var/lib/layman/lcd-filtering"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac aac+ acl acpi alsa amd64 audit auto-hinter berkdb bzip2 cairo cdda cdio cdr cli consolekit corefonts cracklib crypt cups custom-cflags custom-optimization cxx dbus dirac dri dts dvd encode exif extras faac fam flac fortran g3dvl gdbm gif gles2 gpm gudev hwdb iconv jit jpeg kde keymap lcdfilter lcms libnotify lzma mad mmx mng modules mp3 mpeg mudflap multilib multimedia ncurses nls nptl ogg open_perms opengl openmp pam pcre pdf phonon pic png policykit pppd pulseaudio python qt3support qt4 readline schroedinger sdl selinux session sse sse2 sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads thumbnail tiff truetype type1 udev unicode usb v4l vorbis wavpack x264 xa xft xml xv xvid xvmc zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="it"
PHP_TARGETS="php5-3"
PYTHON_TARGETS="python3_2 python2_7"
RUBY_TARGETS="ruby18 ruby19"
USERLAND="GNU"
VIDEO_CARDS="radeon"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

This is my avc.log of the last boot-up:

Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400 audit(1345538717.847:3): avc: denied { search } for pid=1452 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400 audit(1345538718.587:4): avc: denied { read } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400 audit(1345538718.587:6): avc: denied { open } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588579] type=1400 audit(1345538718.587:7): avc: denied { open } for pid=1452 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588621] type=1400 audit(1345538718.587:8): avc: denied { getattr } for pid=1450 comm="alsactl" name="/" dev="tmpfs" ino=2980 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588625] type=1400 audit(1345538718.587:9): avc: denied { getattr } for pid=1452 comm="alsactl" name="/" dev="tmpfs" ino=2980 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400 audit(1345538718.587:10): avc: denied { write } for pid=1452 comm="alsactl" name="shm" dev="tmpfs" ino=2984 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400 audit(1345538718.587:11): avc: denied { add_name } for pid=1452 comm="alsactl" name="pulse-shm-1979112542" scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400 audit(1345531540.026:21): avc: denied { module_request } for pid=1524 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 21 08:45:49 dell-studio kernel: [ 38.142682] type=1400 audit(1345531549.287:22): avc: denied { setrlimit } for pid=1983 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 21 08:45:49 dell-studio kernel: [ 38.743819] type=1400 audit(1345531549.888:23): avc: denied { getattr } for pid=2013 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743833] type=1400 audit(1345531549.888:24): avc: denied { search } for pid=2013 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743845] type=1400 audit(1345531549.888:25): avc: denied { write } for pid=2013 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743854] type=1400 audit(1345531549.888:26): avc: denied { add_name } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743875] type=1400 audit(1345531549.888:27): avc: denied { create } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:49 dell-studio kernel: [ 38.743939] type=1400 audit(1345531549.888:28): avc: denied { remove_name } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743948] type=1400 audit(1345531549.888:29): avc: denied { rename } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400 audit(1345531550.145:30): avc: denied { read } for pid=2089 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775964] type=1400 audit(1345531555.920:51): avc: denied { read } for pid=2912 comm="sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775974] type=1400 audit(1345531555.920:52): avc: denied { open } for pid=2912 comm="sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775991] type=1400 audit(1345531555.920:53): avc: denied { getattr } for pid=2912 comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400 audit(1345531556.120:54): avc: denied { read write } for pid=2956 comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:45:56 dell-studio kernel: [ 45.229495] type=1400 audit(1345531556.374:55): avc: denied { use } for pid=3088 comm="mount" path="/dev/null" dev="tmpfs" ino=2982 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
Aug 21 08:45:56 dell-studio kernel: [ 45.229516] type=1400 audit(1345531556.374:56): avc: denied { read write } for pid=3088 comm="mount" path="socket:[5638]" dev="sockfs" ino=5638 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:46:05 dell-studio kernel: [ 54.833228] type=1400 audit(1345531565.978:57): avc: denied { read } for pid=2013 comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 21 08:46:06 dell-studio kernel: [ 54.866726] type=1400 audit(1345531566.011:58): avc: denied { create } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866889] type=1400 audit(1345531566.011:59): avc: denied { remove_name } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.866898] type=1400 audit(1345531566.011:60): avc: denied { rename } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866907] type=1400 audit(1345531566.011:61): avc: denied { unlink } for pid=2013 comm="console-kit-dae" name="database" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.939435] type=1400 audit(1345531566.084:62): avc: denied { read } for pid=3111 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3056 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.939920] type=1400 audit(1345531566.084:63): avc: denied { getattr } for pid=3111 comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.939945] type=1400 audit(1345531566.084:64): avc: denied { setattr } for pid=3111 comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940052] type=1400 audit(1345531566.085:65): avc: denied { getattr } for pid=3111 comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400 audit(1345531566.085:66): avc: denied { setattr } for pid=3111 comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400 audit(1345531571.262:74): avc: denied { execute } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400 audit(1345531571.262:75): avc: denied { read open } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400 audit(1345531571.262:76): avc: denied { execute_no_trans } for pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400 audit(1345531571.329:77): avc: denied { write } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.184195] type=1400 audit(1345531571.329:78): avc: denied { open } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223810] type=1400 audit(1345531571.368:79): avc: denied { read } for pid=3188 comm="upowerd" name="sh" dev="sda5" ino=1706629 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223838] type=1400 audit(1345531571.368:80): avc: denied { execute } for pid=3188 comm="upowerd" name="bash" dev="sda5" ino=1700702 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.223848] type=1400 audit(1345531571.368:81): avc: denied { read open } for pid=3188 comm="upowerd" name="bash" dev="sda5" ino=1700702 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225529] type=1400 audit(1345531571.370:82): avc: denied { ioctl } for pid=3188 comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" ino=815434 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225555] type=1400 audit(1345531571.370:83): avc: denied { getattr } for pid=3188 comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" ino=815434 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.194471] type=1400 audit(1345531576.339:148): avc: denied { write } for pid=3260 comm="mount" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:home_root_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449862] type=1400 audit(1345531576.594:149): avc: denied { search } for pid=3268 comm="laptop-mode" name="vm" dev="proc" ino=5312 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400 audit(1345531576.594:150): avc: denied { write } for pid=3268 comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.450458] type=1400 audit(1345531576.595:151): avc: denied { read } for pid=3269 comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451314] type=1400 audit(1345531576.596:152): avc: denied { open } for pid=3271 comm="cat" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451327] type=1400 audit(1345531576.596:153): avc: denied { getattr } for pid=3271 comm="cat" path="/proc/sys/vm/laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.460034] type=1400 audit(1345531576.604:154): avc: denied { execute } for pid=3277 comm="readahead" name="blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462069] type=1400 audit(1345531576.607:155): avc: denied { read open } for pid=3280 comm="readahead" name="blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462103] type=1400 audit(1345531576.607:156): avc: denied { execute_no_trans } for pid=3280 comm="readahead" path="/sbin/blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.494153] type=1400 audit(1345531576.639:157): avc: denied { getattr } for pid=3287 comm="which" path="/sbin/iwconfig" dev="sda5" ino=416869 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:ifconfig_exec_t tclass=file
Aug 21 08:46:24 dell-studio kernel: [ 73.269671] type=1400 audit(1345531584.414:159): avc: denied { search } for pid=1983 comm="dbus-daemon" name="console" dev="tmpfs" ino=6011 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 21 08:46:26 dell-studio kernel: [ 75.002090] type=1400 audit(1345531586.147:160): avc: denied { read } for pid=3238 comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:26 dell-studio kernel: [ 75.002101] type=1400 audit(1345531586.147:161): avc: denied { open } for pid=3238 comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400 audit(1345531608.230:162): avc: denied { execstack } for pid=3659 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 21 08:50:01 dell-studio kernel: [ 290.083336] type=1400 audit(1345531801.079:163): avc: denied { execute } for pid=4630 comm="sh" name="run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083888] type=1400 audit(1345531801.079:164): avc: denied { read open } for pid=4631 comm="sh" name="run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400 audit(1345531801.079:165): avc: denied { execute_no_trans } for pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110392] type=1400 audit(1345531801.106:166): avc: denied { ioctl } for pid=4631 comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110414] type=1400 audit(1345531801.106:167): avc: denied { getattr } for pid=4631 comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.161144] type=1400 audit(1345531801.157:168): avc: denied { create } for pid=4633 comm="ln" name="lock" scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.168642] type=1400 audit(1345531801.164:169): avc: denied { getattr } for pid=4631 comm="run-crons" path="/var/spool/cron/lastrun/lock" dev="sda7" ino=12547 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.170178] type=1400 audit(1345531801.166:170): avc: denied { read } for pid=4634 comm="find" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:50:01 dell-studio kernel: [ 290.180507] type=1400 audit(1345531801.176:171): avc: denied { getattr } for pid=4634 comm="find" path="/var/spool/cron/lastrun/.keep_sys-process_cronbase-0" dev="sda7" ino=45164 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:50:09 dell-studio kernel: [ 298.361777] type=1400 audit(1345531809.356:173): avc: denied { unlink } for pid=4704 comm="rm" name="lock" dev="sda7" ino=12547 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file

This is my /etc/fstab (I found that the /selinux mountpoint is no longer needed):

/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/sda5 / ext4 noatime 0 1
/dev/mapper/swap none swap sw 0 0
/dev/sda7 /var jfs defaults,rootcontext=system_u:object_r:var_t 0 1
/dev/mapper/home /home ext4 noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

Lastly, this is my sestatus -v:

Password:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 26

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:rc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
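As an added triage aid (not part of the original post or of any Gentoo tool), the script below parses AVC denials in the dmesg/syslog form quoted above, groups them by source domain, target type and object class, and flags groups whose target is a catch-all label such as default_t or file_t, which normally points at missing file labels (a relabel) rather than at a policy gap. The sample input is a constructed subset of the post's own avc.log; the UNLABELED_TYPES heuristic and the function names are my own.

```python
"""Group SELinux AVC denials (type=1400 ... avc: denied { perms } for ...) for triage."""
import re
from collections import defaultdict

# Constructed sample: a handful of denial lines in the same format as the post's avc.log.
SAMPLE_LOG = """\
Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400 audit(1345538717.847:3): avc: denied { search } for pid=1452 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400 audit(1345538718.587:4): avc: denied { read } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400 audit(1345538718.587:6): avc: denied { open } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400 audit(1345531571.262:75): avc: denied { read open } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400 audit(1345531550.145:30): avc: denied { read } for pid=2089 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400 audit(1345531608.230:162): avc: denied { execstack } for pid=3659 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my own): these target types mean the object carries no real label,
# so the first thing to check is file labelling (restorecon / rlpkg), not new allow rules.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),          # e.g. ["read", "open"]
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name") or fields.get("kmod", "?"),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
    }


def summarize(log_text):
    """Group denials by (source domain, target type, object class).

    Each group carries the union of denied permissions, the commands that hit it and
    the objects involved: the unit one reasons about when choosing between a relabel,
    a boolean and a local policy module."""
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "objects": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["sdomain"], d["ttype"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["comm"].add(d["comm"])
        g["objects"].add(d["object"])
    return dict(groups)


def relabel_candidates(groups):
    """Return the group keys whose target type is a catch-all label (check labels first)."""
    return sorted(k for k in groups if k[1] in UNLABELED_TYPES)


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for (sdom, ttype, tclass), g in sorted(groups.items()):
        flag = "  <- check labels (restorecon)" if ttype in UNLABELED_TYPES else ""
        print(f"{sdom} -> {ttype} ({tclass}): {' '.join(sorted(g['perms']))} "
              f"[{', '.join(sorted(g['comm']))}] {sorted(g['objects'])}{flag}")
```

Feed it `dmesg` or the avc.log directly (`python3 avc_triage.py < avc.log` after swapping SAMPLE_LOG for `sys.stdin.read()`); the grouped view makes it much easier to see which denials share one root cause.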
