SELinux is preventing /usr/sbin/setfiles from mac_admin access on the capability2 .
***** Plugin catchall (100. confidence) suggests **************************
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Objects [ capability2 ]
Source restorecon
Source Path /usr/sbin/setfiles
Port <Unknown>
Host localhost.localdomain
Source RPM Packages policycoreutils-2.2.5-3.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-158.fc20.noarch selinux-policy-3.12.1-166.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64
Alert Count 3
First Seen 2014-02-20 00:11:29 JST
Last Seen 2014-05-25 19:36:13 JST
Local ID 0a51e340-8e41-42fb-8c41-4c3d3d7fee6f
Raw Audit Messages
type=AVC msg=audit(1401014173.443:796): avc: denied { mac_admin } for pid=13598 comm="restorecon" capability=33 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820 a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002 pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin
--