Early during the boot process, around the time that we start udev, we also have dmesg write out information. In this process, dmesg tries to read/write /dev/console which by that time is still labeled device_t (as the /dev structure is devtmpfs). This results in denials from SELinux. Later, when udev has started and relabeled all files, dmesg succeeds in this.

Reproducible: Always
Will be dontaudit'ed in r11
AVC denials shown:
"""
[ 3.247401] type=1400 audit(1338194354.246:5): avc: denied { read write } for pid=997 comm="dmesg" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[ 3.260807] type=1400 audit(1338194354.259:6): avc: denied { read write } for pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[ 3.268971] type=1400 audit(1338194354.267:7): avc: denied { read write } for pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[ 3.273404] type=1400 audit(1338194354.272:8): avc: denied { read write } for pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
"""
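An added example, not part of the original report or of the policy's tooling: a small triage script that parses AVC lines like the ones above and counts denials whose target is a device node on devtmpfs still carrying the generic device_t label, which is the early-boot pattern this report describes. The function names, the inclusion of blk_file alongside chr_file, and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two denials from this report, plus one
# made-up unrelated denial so the filter has something to reject.
SAMPLE = """\
[ 3.247401] type=1400 audit(1338194354.246:5): avc: denied { read write } for pid=997 comm="dmesg" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[ 3.260807] type=1400 audit(1338194354.259:6): avc: denied { read write } for pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[ 9.100000] type=1400 audit(1338194360.000:9): avc: denied { read } for pid=1200 comm="example" name="data" dev="sda1" ino=42 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec

def type_of(context):
    """Extract the type field from a user:role:type[:mls] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def is_generic_devtmpfs_node(rec):
    """True when the target is a device node on devtmpfs labeled device_t."""
    return (rec.get("dev") == "devtmpfs"
            and type_of(rec.get("tcontext", "")) == "device_t"
            and rec.get("tclass") in ("chr_file", "blk_file"))  # blk_file: assumption

def summarize(log_text):
    """Count matching denials per (source type, comm, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_generic_devtmpfs_node(rec):
            key = (type_of(rec["scontext"]), rec["comm"], rec["tclass"], rec["perms"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

Collapsing repeats by source type and permission set shows that all of the dmesg denials reduce to a single access pattern, which is the granularity at which a dontaudit rule would be written.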
In hardened-dev overlay, rev 11
In main tree, ~arch'ed
Stabilized