SELinux is preventing /usr/bin/systemd-tmpfiles from getattr access on the directory /var/tmp/kdecache-root.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



SELinux is preventing /usr/bin/systemd-tmpfiles from getattr access 
on the directory /var/tmp/kdecache-root.

*****  Plugin catchall_labels (83.8 confidence) suggests  
********************

If you want to allow systemd-tmpfiles to have getattr access on the 
kdecache-root directory
Then you need to change the label on /var/tmp/kdecache-root
Do
# semanage fcontext -a -t FILE_TYPE '/var/tmp/kdecache-root'
where FILE_TYPE is one of the following: security_t, rpm_var_cache_t, 
faillog_t, systemd_tmpfiles_t, var_spool_t, httpd_cache_t, proc_net_t, 
var_log_t, var_lib_t, var_run_t, textrel_shlib_t, user_home_type, 
init_var_run_t, rpm_script_tmp_t, rpm_var_lib_t, file_type, 
winbind_var_run_t, security_t, httpd_sys_rw_content_t, file_context_t, 
etc_t, cert_t, default_t, home_root_t, rpm_log_t, var_t, var_log_t, 
var_run_t, sssd_public_t, abrt_var_run_t, selinux_config_t, 
likewise_var_lib_t, user_home_dir_t, default_context_t, sysctl_crypto_t, 
filesystem_type, device_t, locale_t, var_auth_t, var_lock_t, 
krb5_conf_t, etc_t, file_t, proc_t, man_t, sysfs_t, tmpfs_t, root_t, 
tmp_t, config_home_t, usr_t, var_t, cpu_online_t, lockfile, 
setrans_var_run_t, pidfile, tmpfile, var_lib_t, var_run_t, device_t, 
samba_var_t, sysctl_t, etc_t, abrt_t, bin_t, samba_etc_t, proc_t, 
avahi_var_run_t, lib_t, mnt_t, sysfs_t, nscd_var_run_t, nslcd_var_run_t, 
root_t, smbd_var_run_t, sssd_var_lib_t, tmp_t, usr_t, var_t, 
lost_found_t, net_conf_t, sandbox_file_t, cpu_online_t, 
krb5_host_rcache_t, var_t, var_t, var_run_t, var_run_t, nscd_var_run_t, 
pcscd_var_run_t. 
Then execute: 
restorecon -v '/var/tmp/kdecache-root'


*****  Plugin catchall (17.1 confidence) suggests  
***************************

If you believe that systemd-tmpfiles should be allowed getattr access 
on the kdecache-root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/tmp/kdecache-root [ dir ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Unknown>
Host                          yuxict
Source RPM Packages           systemd-44-17.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     yuxict
Platform                      Linux yuxict 3.4.4-3.fc17.i686 #1 SMP Tue Jun 26
                              21:32:03 UTC 2012 i686 i686
Alert Count                   3
First Seen                    Wed 04 Jul 2012 04:28:34 PM CST
Last Seen                     Wed 04 Jul 2012 04:28:35 PM CST
Local ID                      70ac4e23-d403-4920-b306-692db38f4d6e

Raw Audit Messages
type=AVC msg=audit(1341390515.119:58): avc:  denied  { getattr } 
for  pid=1217 comm="systemd-tmpfile" path="/var/tmp/kdecache-
root" dev="dm-1" ino=262165 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir


type=SYSCALL msg=audit(1341390515.119:58): arch=i386 
syscall=fstatat64 success=no exit=EACCES a0=4 a1=9fef1bb 
a2=bfde6c40 a3=100 items=0 ppid=1 pid=1217 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm=systemd-tmpfile 
exe=/usr/bin/systemd-tmpfiles 
subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,unlabeled_t,dir,getattr

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
_______________________________________________
kde mailing list
kde@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kde
New to KDE4? - get help from http://userbase.kde.org



[Index of Archives]     [KDE Users]     [Fedora General Discussion]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Maintainers]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Triage]     [Coolkey]     [Yum Users]     [Yosemite Forum]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux