Bug 733086
Summary: | avcs on boot - rtc and /dev/live and systemd-tmpfiles
---|---
Product: | [Fedora] Fedora
Reporter: | Mads Kiilerich <mads>
Component: | libselinux
Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED ERRATA
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified
Priority: | unspecified
Version: | 16
CC: | awilliam, dwalsh, fedora, harald, igor.redhat, johannbg, jonathan, kay, lemenkov, lpoetter, metherid, mgrepl, mschmidt, notting, oliver.henshaw, plautrba, satellitgo, tflink, vedran
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: | AcceptedNTH
Fixed In Version: | libselinux-2.1.5-5.fc16
Doc Type: | Bug Fix
Last Closed: | 2011-09-23 04:01:53 UTC
Bug Blocks: | 713565, 713568

Did you build your own live image?

Yes I did. I don't think there has been made official images from -testing with dracut-013-4 yet - but I'm not up-to-date on that. I'm using livecd-tools-16.3-1.fc16.x86_64. AFAIK the conclusion on bug 728576 was that it should be OK as long as there is no /selinux on the build host. I would however expect the version with dwalsh's fixes to get in now after the alpha has been released. I can try with the rawhide livecd-tools - if you think that makes any difference?

Created attachment 519832: dmesg

I get the same (and other) avcs on a real installed non-live system:
[ 16.402026] type=1400 audit(1314274910.239:3): avc: denied { relabelto } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.406903] type=1400 audit(1314274910.244:4): avc: denied { associate } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 16.419579] type=1400 audit(1314274910.257:5): avc: denied { write } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.478361] type=1400 audit(1314274914.325:6): avc: denied { relabelto } for pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.482800] type=1400 audit(1314274914.329:7): avc: denied { write } for pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 20.489577] type=1400 audit(1314274914.336:8): avc: denied { create } for pid=579 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.518889] type=1400 audit(1314274916.370:9): avc: denied { read } for pid=918 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.522458] type=1400 audit(1314274916.374:10): avc: denied { getattr } for pid=918 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.596964] type=1400 audit(1314274916.448:11): avc: denied { read } for pid=919 comm="lvm" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.599293] type=1400 audit(1314274916.451:12): avc: denied { getattr } for pid=919 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.671811] type=1400 audit(1314274916.523:13): avc: denied { associate } for pid=638 comm="udevd" name="root" dev=devtmpfs ino=10462 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[ 24.917362] type=1400 audit(1314274918.771:14): avc: denied { getattr } for pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
[ 24.917624] multipathd[988]: A sample multipath.conf file is located at
I guess the new dracut requires new policies ... or is buggy ...
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
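
Added example, not part of the original bug report: a small Python triage script that parses AVC denial lines like the ones above, groups them by source type, target type and object class, and lists the objects whose denials involve default_t. The sample input is a few lines taken from the dmesg output in this report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the dmesg output quoted in this report.
SAMPLE = """\
[ 16.402026] type=1400 audit(1314274910.239:3): avc: denied { relabelto } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.406903] type=1400 audit(1314274910.244:4): avc: denied { associate } for pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 20.489577] type=1400 audit(1314274914.336:8): avc: denied { create } for pid=579 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 22.522458] type=1400 audit(1314274916.374:10): avc: denied { getattr } for pid=918 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[ 24.917362] type=1400 audit(1314274918.771:14): avc: denied { getattr } for pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type from user:role:type:level[:categories]."""
    return context.split(":")[2]


def object_name(rec):
    """Prefer the full path when the kernel logged one, else the bare name."""
    return rec.get("path") or rec.get("name") or "?"


def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # non-AVC kernel message
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(object_name(rec))
    return dict(groups)


def default_t_objects(lines):
    """Objects in denials where default_t is the source or target type.

    In this report matchpathcon returned default_t for /dev/rtc, so these
    are the objects to check with matchpathcon / restorecon -n.
    """
    names = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and "default_t" in (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])):
            names.add(object_name(rec))
    return sorted(names)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for (src, tgt, cls), info in sorted(summarize(lines).items()):
        print(f"{src} -> {tgt}:{cls} {{{' '.join(sorted(info['perms']))}}} {sorted(info['objects'])}")
    print("default_t objects:", default_t_objects(lines))
```
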

What does
# matchpathcon /dev/rtc
show on your F16 real installed non-live system?

[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc system_u:object_r:default_t:s0
[root@imac ~]# restorecon /dev/rtc
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc system_u:object_r:default_t:s0
[root@imac ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.10.0-18.fc16.noarch
[root@imac ~]#

I guess it doesn't make sense to repeat matchpathcon without -V, but both before and after and everywhere and with selinux-policy-targeted-3.10.0-21.fc16 it is:
lrwxrwxrwx. root root system_u:object_r:default_t:s0 /dev/rtc -> rtc0
crw-------. root root system_u:object_r:clock_device_t:s0 /dev/rtc0

So this is fixed with -21 correct?

No, it is not my experience that -21 fixes it, but I also didn't look for that. Should -21 fix it? Then I will try again and focus on that.

One piece of the puzzle I might be missing: Is the policy more or less included in the dracut initrd so that I have to rebuild it after updating the policy? Or do the dracut scripts run without SE constraints until the policy is loaded from /etc?

After installation of -21 and relabel and dracut -f I still get:
[ 15.842516] type=1400 audit(1314384836.679:3): avc: denied { relabelto } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 15.847266] type=1400 audit(1314384836.684:4): avc: denied { associate } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 15.849860] type=1400 audit(1314384836.687:5): avc: denied { write } for pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.752414] type=1400 audit(1314384837.591:6): avc: denied { relabelto } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.757783] type=1400 audit(1314384837.597:7): avc: denied { associate } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 16.760762] type=1400 audit(1314384837.600:8): avc: denied { write } for pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.768291] type=1400 audit(1314384837.607:9): avc: denied { create } for pid=603 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 23.345013] type=1400 audit(1314384844.199:10): avc: denied { read } for pid=825 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 23.350214] type=1400 audit(1314384844.204:11): avc: denied { getattr } for pid=825 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.441708] type=1400 audit(1314384845.298:12): avc: denied { read } for pid=885 comm="lvm" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 24.443988] type=1400 audit(1314384845.301:13): avc: denied { getattr } for pid=885 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 27.258082] dbus[998]: avc: netlink poll: error 4

and I get
[root@imac ~]# restorecon -R -v /dev
restorecon reset /dev/dvdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/dvd context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrom context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/root context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/scd0 context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/rtc context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

selinux-policy-targeted-3.10.0-21.fc16.noarch
dracut-013-4.fc16.noarch

Is this a livecd still?

Comment 9 is on a real /dev/sda f16 + updates-testing system (I obviously don't get the "live" errors here, but most of avc's are the same.)

This looks like a bogus labelling and is either caused by dracut or systemd.

In F16 dracut does not do any selinux anymore. Systemd took full control over it.

*** Bug 733512 has been marked as a duplicate of this bug. ***

Same issue is seen with:
systemd-35-1.fc16.i686
dracut-013-8.fc16.noarch
selinux-policy-targeted-3.10.0-25.fc16.noarch
kernel-PAE-3.1.0-0.rc4.git0.1.fc16.i686
on a livecd built with livecd-tools-16.5-1.fc16.

This one does however also show up on a "real" machine:
type=1400 audit(1315568190.150:3): avc: denied { associate } for pid=505 comm="udevd" name="rtc" dev=devtmpfs ino=179 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

Same for me:
[ 56.745901] SELinux: initialized (dev sdh1, type xfs), uses xattr
[ 56.851290] systemd-tmpfiles[959]: Successfully loaded SELinux database in 24ms 299us, size on heap is 469K.
[ 56.878309] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.910704] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.915637] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.919232] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.922765] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.926310] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.929707] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.933037] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.936311] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.939428] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.942619] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.945781] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.961252] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.966561] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.969696] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.972737] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.975672] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 56.978586] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 56.981489] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.984506] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.987397] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.990160] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 56.992969] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

If you run

restorecon -R -v -n /run

Does it show anything?

On a live system:
# restorecon -R -v -n /run
restorecon reset /run/abrt context system_u:object_r:var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/abrt/saved_core_pattern context system_u:object_r:initrc_var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/user/liveuser/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /run/user/liveuser/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
# dmesg|grep audit.*rtc
[ 12.120169] type=1400 audit(1315852826.192:3): avc: denied { associate } for pid=530 comm="udevd" name="rtc" dev=devtmpfs ino=9487 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
# rpm -q dracut systemd selinux-policy-targeted
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64
selinux-policy-targeted-3.10.0-25.fc16.noarch

FWIW I see many issues that indicate problems with the dracut/systemd interfacing and stuff from before the root pivoting causing strange errors later.

On an installed system with the same package versions and enforcing=0 there are (almost) the same avcs and bad fs labels as mentioned in comment 9, but nothing wrong in /run.

The dconf file labels should be fixed in the next policy update. Where is rtc located?

(In reply to comment #17)
> If you run
>
> restorecon -R -v -n /run
>
> Does it show anything?

[root@nostromo ~]# restorecon -R -v -n /run
[root@nostromo ~]#

Unfortunately, nothing was changed. I still see all these messages after reboot (they're gone only if I switch to the permissive mode).

(In reply to comment #20)
> The dconf file labels should be fixed in the next policy update. Where is rtc
> located?

I assume it is /dev/rtc - which comment 9 points out has the wrong label.

(In reply to comment #21)
> (they're gone only if I switch to the permissive mode).

Really? I do see them in permissive mode - I don't think I am able to boot in enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

(In reply to comment #23)
> (In reply to comment #21)
> > (they're gone only if I switch to the permissive mode).
>
> Really? I do see them in permissive mode - I don't think I am able to boot in
> enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

Yes, I was wrong - they still exist in a permissive mode as well. I just updated to the latest selinux-policy-3.10.0-26.fc16.noarch and these issues are still here:

[root@nostromo ~]# dmesg | grep avc
[ 17.456585] type=1400 audit(1315857818.600:4): avc: denied { associate } for pid=445 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.520470] type=1400 audit(1315857818.664:5): avc: denied { associate } for pid=447 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 56.882987] type=1400 audit(1315857858.025:6): avc: denied { associate } for pid=714 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 57.121410] type=1400 audit(1315857858.266:7): avc: denied { associate } for pid=714 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[root@nostromo ~]#

Fixed in libselinux-2.1.5-4.fc16

libselinux-2.1.5-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16

Package libselinux-2.1.5-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16
then log in and leave karma (feedback).

Confirmed. This fixed issues with udevd. Unfortunately the issues with systemd-tmpfiles are still remaining unfixed.

I have filed Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied

Package libselinux-2.1.5-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.fc16
then log in and leave karma (feedback).

Discussed in the 2011-09-16 blocker review meeting. Accepted as NTH for Fedora 16 beta because it will eventually be a final blocker and a fix is ready.

libselinux-2.1.5-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 519674: dmesg

When booting live image with
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
udev-173-1.fc16.x86_64
I get:
[ 16.592255] type=1400 audit(1314206451.269:4): avc: denied { relabelto } for pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[ 16.592355] type=1400 audit(1314206451.270:5): avc: denied { associate } for pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.380126] type=1400 audit(1314206452.058:6): avc: denied { associate } for pid=463 comm="udevd" name="live" dev=devtmpfs ino=6778 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[ 17.382508] udevd[463]: setfilecon /dev/live failed: Permission denied
[ 18.537611] systemd-tmpfiles[748]: Successfully loaded SELinux database in 16ms 966us, size on heap is 464K.
[ 18.590550] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.602486] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.603547] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.610616] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.613431] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.615268] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.616286] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.617392] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.618274] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.619099] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.619919] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.620572] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.621293] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.622276] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.623425] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.631411] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.632045] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[ 18.632578] type=1400 audit(1314206453.311:7): avc: denied { write } for pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 18.632696] systemd-tmpfiles[748]: Failed to create directory /var/cache/man: Permission denied
[ 18.633078] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.634558] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.635318] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.636119] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[ 18.636634] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.642937] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.645264] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.647172] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[ 18.649596] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

I don't know if they are related ... or if the latter should be reported to systemd?