Where does Fedora 16 log boot-time SELinux denial messages? Under Fedora 14 and previous (for sure) and under Fedora 15 (I think), messages were logged via syslog and appeared in /var/log/messages until auditd started. However, this is apparently not happening with Fedora 16 -- how can I get these denial messages?

Details:

I have a Fedora 16 server install (no X Windows and with network.service replacing NetworkManager.service, but otherwise nearly an out-of-the-box installation), and everything works OK until I do "setsebool -P secure_mode_insmod=on" and reboot. At that point -- not unexpectedly -- a number of kernel modules fail to load. For example, from /var/log/messages:

Nov 26 03:35:32 f16dev1 nfs-lock.preconfig[897]: FATAL: Error inserting lockd (/lib/modules/3.1.2-1.fc16.x86_64/kernel/fs/lockd/lockd.ko): Operation not permitted

Network interfaces such as eth0 also fail to come up. However, there are no SELinux denial messages logged to /var/log/messages, to any other file in /var/log, or to /var/log/audit/audit.log.

Setting secure_mode_insmod=off and rebooting results in the system coming back up with all services started and no error messages. So I'm sure there should be some SELinux denials when I boot with secure_mode_insmod=off that I'm not seeing.

I've searched the web and read the auditd and systemd man and web pages without finding a solution. Any idea how to get the SELinux denial messages that get generated before auditd is started?

-- Mark Montague mark@catseye.org