One of my internal tools is a small script to set up the Linux netconsole module. This requires creating the directory /sys/kernel/config/netconsole/target and writing to some things in there. SELinux does not approve.

Jan 7 21:32:15 testbed kernel: [13824.009932] audit: type=1400 audit(1420687935.213:629): avc: denied { search } for pid=26655 comm="mkdir" name="/" dev="configfs" ino=46 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan 7 21:32:15 testbed kernel: [13824.009959] audit: type=1400 audit(1420687935.213:630): avc: denied { write } for pid=26655 comm="mkdir" name="netconsole" dev="configfs" ino=47 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan 7 21:32:15 testbed kernel: [13824.009974] audit: type=1400 audit(1420687935.213:631): avc: denied { add_name } for pid=26655 comm="mkdir" name="target" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan 7 21:32:15 testbed kernel: [13824.010110] audit: type=1400 audit(1420687935.213:632): avc: denied { create } for pid=26655 comm="mkdir" name="target" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:configfs_t tclass=dir permissive=1
Jan 7 21:32:15 testbed kernel: [13824.010718] audit: type=1400 audit(1420687935.214:633): avc: denied { write } for pid=26654 comm="bash" name="dev_name" dev="configfs" ino=5616452 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
Jan 7 21:32:15 testbed kernel: [13824.010745] audit: type=1400 audit(1420687935.214:634): avc: denied { open } for pid=26654 comm="bash" path="/sys/kernel/config/netconsole/target/dev_name" dev="configfs" ino=5616452 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1

Is there reason to keep sysadm_t away from configfs? If not, the problem should be solved by the following:

fs_manage_configfs_dirs(sysadm_t)
fs_manage_configfs_files(sysadm_t)
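An added example (not part of the bug report or the policy tree) that collapses the AVC denials quoted above into the minimal allow rules they request, roughly what audit2allow does, so a policy maintainer can confirm that an interface such as fs_manage_configfs_dirs/fs_manage_configfs_files covers every denied permission before granting anything broader. The sample lines are the report's own denials with the syslog prefix dropped; the regex and grouping are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials from the report above, syslog prefix removed.
AVC_LINES = """\
audit: type=1400 audit(1420687935.213:629): avc: denied { search } for pid=26655 comm="mkdir" name="/" dev="configfs" ino=46 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:630): avc: denied { write } for pid=26655 comm="mkdir" name="netconsole" dev="configfs" ino=47 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:631): avc: denied { add_name } for pid=26655 comm="mkdir" name="target" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:632): avc: denied { create } for pid=26655 comm="mkdir" name="target" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.214:633): avc: denied { write } for pid=26654 comm="bash" name="dev_name" dev="configfs" ino=5616452 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
audit: type=1400 audit(1420687935.214:634): avc: denied { open } for pid=26654 comm="bash" path="/sys/kernel/config/netconsole/target/dev_name" dev="configfs" ino=5616452 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
"""

# Pull the denied permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field (third component) of a user:role:type[:mls] context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Collapse AVC denials into {(source_type, target_type, class): set(perms)}.

    Grouping by type only means the root:object_r:configfs_t and
    system_u:object_r:configfs_t targets in the report land in the same bucket.
    """
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def to_allow_rules(needed):
    """Render the summary as allow rules in policy syntax, one per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(AVC_LINES)):
        print(rule)
```

The two resulting rules (dir: add_name create search write; file: open write) are exactly what the fs_manage_configfs_* interfaces in the report are meant to provide; compare against `sesearch` output on the built policy to confirm nothing remains denied.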
I think that configfs_t probably just needs to be marked as a files_type().
I added in files_mountpoint(configfs_t) which should allow for sysadm_t to manipulate it. Will be in policy release r4
Now in repo, ~arch
r4 is stable