Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Hi,

on boot, I see this AVC:

May  5 14:28:40 venser kernel: [  379.071332] type=1400 audit(1367756920.294:11): avc:  denied  { read } for  pid=515 comm="systemd-logind" name="cpu" dev=tmpfs ino=3309 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file

It seems that systemd tries to access all cgroups in /sys/fs/cgroup/, but there is now a symlink for cpu:

# ls -lZ /sys/fs/cgroup/
total 0
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 blkio
lrwxrwxrwx. 1 root root system_u:object_r:cgroup_t:SystemLow 11 mai  5 14:22 cpu -> cpu,cpuacct
lrwxrwxrwx. 1 root root system_u:object_r:cgroup_t:SystemLow 11 mai  5 14:22 cpuacct -> cpu,cpuacct
drwxr-xr-x. 3 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 cpu,cpuacct
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 cpuset
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 devices
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 freezer
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 net_cls
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 perf_event
drwxr-xr-x. 4 root root system_u:object_r:cgroup_t:SystemLow  0 mai  5 14:22 systemd

So the policy should be extended to also take into account the symlinks:

# sesearch -s systemd_logind_t -A -t cgroup_t
Found 2 semantic av rules:
   allow systemd_logind_t cgroup_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow systemd_logind_t cgroup_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
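The check behind this report, as an added example (not code from the bug report or from selinux-policy-default): parse the AVC denial, parse the `sesearch` output, and confirm that the existing `file` and `dir` rules do not cover the `lnk_file` class, so a `read` on the `cpu` symlink is denied even though reading the directory it points to is allowed. The AVC line and the `sesearch` output are copied from the report above; the helper names (`parse_avc`, `parse_sesearch`, `missing_rule`) are this example's own, and the emitted rule is the raw type-enforcement statement a local module would carry, not the refpolicy interface the maintainers would use.

```python
"""Decide whether an SELinux AVC denial is already covered by the rules that
sesearch shows, and if not emit the allow rule a local module would need.

Added example; not part of the Debian bug report or selinux-policy-default.
"""
import re

# AVC denial copied from the bug report (sample input).
AVC_LINE = (
    'type=1400 audit(1367756920.294:11): avc: denied { read } for pid=515 '
    'comm="systemd-logind" name="cpu" dev=tmpfs ino=3309 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file'
)

# Output of `sesearch -s systemd_logind_t -A -t cgroup_t` copied from the report.
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow systemd_logind_t cgroup_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow systemd_logind_t cgroup_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
"""

# avc: denied { perm perm } ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# allow SRC TGT : CLASS { perm perm } ;   (sesearch may omit the spaces around ':')
ALLOW_RE = re.compile(
    r'allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)\s*\{\s*(?P<perms>[^}]+?)\s*\}'
)


def _type_of(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(':')[2]


def parse_avc(line):
    """Extract source type, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    return {
        'source': _type_of(m.group('scontext')),
        'target': _type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
    }


def parse_sesearch(text):
    """Return {(source, target, class): set(perms)} for every allow rule shown."""
    rules = {}
    for m in ALLOW_RE.finditer(text):
        key = (m.group('src'), m.group('tgt'), m.group('cls'))
        rules.setdefault(key, set()).update(m.group('perms').split())
    return rules


def missing_rule(avc, rules):
    """Return the allow rule needed to cover `avc`, or None if already allowed.

    Object classes are matched exactly: a rule on `file` or `dir` says nothing
    about `lnk_file`, which is exactly why the cpu symlink is denied here.
    """
    key = (avc['source'], avc['target'], avc['tclass'])
    missing = avc['perms'] - rules.get(key, set())
    if not missing:
        return None
    return 'allow %s %s:%s { %s };' % (key[0], key[1], key[2], ' '.join(sorted(missing)))


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    rule = missing_rule(avc, parse_sesearch(SESEARCH_OUTPUT))
    print(rule or 'already allowed')
```

The emitted statement is what `audit2allow -M` would also produce from the same denial; for a quick local fix on the reporter's system it goes into a `.te` file with a `module` header and a `require` block for the two types and the `lnk_file` class, then `checkmodule -M -m`, `semodule_package` and `semodule -i`. Before shipping that, it is worth confirming with `ls -lZ` (as the report does) that the symlinks really are labelled `cgroup_t`, because a rule on the wrong target type would never match.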