This has appeared the past two mornings. The initial triggering event was probably the last kernel update:
Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64
**********************************
SELinux is preventing /usr/bin/df from getattr access on the directory /sys/kernel/config.
***** Plugin restorecon (99.5 confidence) suggests *************************
If you want to fix the label. /sys/kernel/config default label should be sysfs_t. Then you can run restorecon. Do # /sbin/restorecon -v /sys/kernel/config
***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that df should be allowed getattr access on the config directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep df /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:logwatch_t:s0-s0:c0.c1023 Target Context system_u:object_r:configfs_t:s0 Target Objects /sys/kernel/config [ dir ] Source df Source Path /usr/bin/df Port <Unknown> Host sds-desk-2.sterndata.local Source RPM Packages coreutils-8.15-9.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name sds-desk-2.sterndata.local Platform Linux sds-desk-2.sterndata.local 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2012-12-18 03:33:03 CST Last Seen 2012-12-18 03:33:03 CST Local ID 9f9df328-2e36-4b38-8e5b-ec1ee816c1e1
Raw Audit Messages type=AVC msg=audit(1355823183.154:493): avc: denied { getattr } for pid=31684 comm="df" path="/sys/kernel/config" dev="configfs" ino=9139 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1355823183.154:493): arch=x86_64 syscall=stat success=yes exit=0 a0=1078340 a1=7ffff0c48b90 a2=7ffff0c48b90 a3=3eb5b2f360 items=0 ppid=31683 pid=31684 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=54 comm=df exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
Hash: df,logwatch_t,configfs_t,dir,getattr
audit2allow
#============= logwatch_t ============== allow logwatch_t configfs_t:dir getattr;
audit2allow -R
#============= logwatch_t ============== allow logwatch_t configfs_t:dir getattr;
Am 18.12.2012 16:03, schrieb Steven Stern:
This has appeared the past two mornings. The initial triggering event was probably the last kernel update:
Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64
SELinux is preventing /usr/bin/df from getattr access on the directory /sys/kernel/config.
***** Plugin restorecon (99.5 confidence) suggests *************************...
Hi Steven,
I opened a bugzilla for this two or three days ago, and Miroslav Grepl already fixed it, in selinux-policy-3.11.1-66.fc18.noarch
Klaus
On 12/19/2012 10:11 AM, Klaus Lichtenwalder wrote:
Am 18.12.2012 16:03, schrieb Steven Stern:
This has appeared the past two mornings. The initial triggering event was probably the last kernel update:
Dec 16 08:59:09 Installed: kernel-3.6.10-2.fc17.x86_64
SELinux is preventing /usr/bin/df from getattr access on the directory /sys/kernel/config.
***** Plugin restorecon (99.5 confidence) suggests *************************...
Hi Steven,
I opened a bugzilla for this two or three days ago, and Miroslav Grepl already fixed it, in selinux-policy-3.11.1-66.fc18.noarch
Klaus
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
It will be also in the latest F17 policy build.
selinux@lists.fedoraproject.org
-
Klaus Lichtenwalder -
Miroslav Grepl -
SternData