[CentOS] SELinux : please explain ...

Wed Aug 1 08:01:07 UTC 2012
Philippe Naudin <philippe.naudin at supagro.inra.fr>

Hello,

This is somehow off-topic, since the problem appears on a modified
CentOS-6.2 (turned into a xen-4.1 host) : I get SELinux errors, and
I'm not able to understand them.

From audit2why :
type=AVC msg=audit(1343724164.898:298772): avc:  denied  { mac_admin } for  pid=12399 comm="restore" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2

... and from audit2allow :
#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;

I don't know what triggers these records in /var/log/audit (everything
seems to work). Running retorecon -rv / doesn't produce any error.

Can someone tell me what is the mac_admin functionnality, and if it 
is safe to allow it ? If I understand correctly what I have found by
googling around, it is not advised.

Thanks,

-- 
Philippe Naudin