On Sat, Mar 8, 2025 at 4:52 PM Darvond <xanthinzarda@xxxxxxxxx> wrote:
>
> time->Sat Mar 8 16:43:30 2025
> type=AVC msg=audit(1741470210.428:2587): avc: denied { dac_override
> } for pid=248048 comm="touch" capability=1
> scontext=system_u:system_r:setroubleshoot_fixit_t:s0
> tcontext=system_u:system_r:setroubleshoot_fixit_t:s0 tclass=capability
> permissive=0
>
> Context: SeTroubleshoot says possible fault in system labeling. Offers
> a button to fix, Authenticate for fix, errors out with blank error and
> trigger audit/alert.
>
> Will manually invoke fixfiles and see what happens.
The denial indicates that setroubleshoot is trying to write to a
directory/file to which it lacks DAC permissions.
You could workaround it via a local policy module via audit2allow but
it would be better to have it write to a directory/file it owns or fix
the DAC permissions of the directory/file in question.
These kinds of errors should really go to the Fedora selinux list
and/or bugzilla rather than to this list, which is for upstream
selinux development.
