I updated fedora20 now and got SELinux alert.
What's wrong?SELinux is preventing /usr/sbin/setfiles from mac_admin access on the capability2 .
***** Plugin catchall (100. confidence) suggests **************************
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Objects [ capability2 ]
Source restorecon
Source Path /usr/sbin/setfiles
Port <Unknown>
Host localhost.localdomain
Source RPM Packages policycoreutils-2.2.5-3.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-158.fc20.noarch selinux-
policy-3.12.1-166.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.14.4-200.fc20.x86_64
#1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64
Alert Count 3
First Seen 2014-02-20 00:11:29 JST
Last Seen 2014-05-25 19:36:13 JST
Local ID 0a51e340-8e41-42fb-8c41-4c3d3d7fee6f
Raw Audit Messages
type=AVC msg=audit(1401014173.443:796): avc: denied { mac_admin } for pid=13598 comm="restorecon" capability=33 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820 a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002 pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin
--
日本にヘヴィメタル・ハードロックを根付かせるページ
http://heavymetalhardrock.no-ip.info/
世界中でセキュアOSのSELinuxを使いやすくするフリーソフト
http://sourceforge.net/projects/segatex/
http://heavymetalhardrock.no-ip.info/
世界中でセキュアOSのSELinuxを使いやすくするフリーソフト
http://sourceforge.net/projects/segatex/
CMS(PHPとPostgreSQLを使ったフリーソフト)
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux