Red Hat Bugzilla – Attachment 685017 Details for Bug 896624: Invalid selinux policy for openlmi-account package
Output from sealert -a audit.log > audit.log.sealert.version2.txt
audit.log.sealert.version2.txt (text/plain), 83.72 KB, created by Roman Rakus on 2013-01-22 10:21:56 UTC
>found 31 alerts in audit.log >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from read access on the file meminfo. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that bash should be allowed read access on the meminfo file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:proc_t:s0 >Target Objects meminfo [ file ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages bash-4.2.42-1.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 5c9c929e-9e0a-4e77-8b2b-567fa0bde4e9 > >Raw Audit Messages >type=AVC msg=audit(1358843929.82:5930): avc: denied { read } for pid=4422 comm="cmpiLMI_Account" name="meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file > > >type=AVC msg=audit(1358843929.82:5930): avc: denied { open } for pid=4422 comm="cmpiLMI_Account" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.82:5930): arch=x86_64 syscall=open success=yes exit=ESRCH a0=392ab7823b a1=80000 a2=1b6 a3=238 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cmpiLMI_Account exe=/usr/bin/bash subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cmpiLMI_Account,pegasus_openlmi_account_t,proc_t,file,read > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t proc_t:file { read open }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t proc_t:file { read open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from getattr access on the directory /var/lib/Pegasus/cache/trace. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that bash should be allowed getattr access on the trace directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_data_t:s0 >Target Objects /var/lib/Pegasus/cache/trace [ dir ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages bash-4.2.42-1.fc18.x86_64 >Target RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID d92913b7-dfa2-4343-b9d7-2306c1ac20a3 > >Raw Audit Messages >type=AVC msg=audit(1358843929.89:5932): avc: denied { getattr } for pid=4422 comm="cmpiLMI_Account" 
path="/var/lib/Pegasus/cache/trace" dev="vda3" ino=170687 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_data_t:s0 tclass=dir > > >type=SYSCALL msg=audit(1358843929.89:5932): arch=x86_64 syscall=stat success=yes exit=0 a0=17bcef0 a1=7ffff1b3beb0 a2=7ffff1b3beb0 a3=0 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cmpiLMI_Account exe=/usr/bin/bash subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cmpiLMI_Account,pegasus_openlmi_account_t,pegasus_data_t,dir,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:dir getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:dir getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from getattr access on the file /proc/meminfo. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that bash should be allowed getattr access on the meminfo file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:proc_t:s0 >Target Objects /proc/meminfo [ file ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages bash-4.2.42-1.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 029fa987-37ec-4a05-b3fb-83f23d1f30ea > >Raw Audit Messages >type=AVC msg=audit(1358843929.89:5931): avc: denied { getattr } for pid=4422 comm="cmpiLMI_Account" path="/proc/meminfo" dev="proc" ino=4026532026 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.89:5931): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7ffff1b39df0 a2=7ffff1b39df0 a3=0 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cmpiLMI_Account exe=/usr/bin/bash subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cmpiLMI_Account,pegasus_openlmi_account_t,proc_t,file,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t proc_t:file getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t proc_t:file getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from read access on the file passwd. > >***** Plugin catchall (100. 
confidence) suggests *************************** > >If you believe that bash should be allowed read access on the passwd file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:passwd_file_t:s0 >Target Objects passwd [ file ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:52 CET >Local ID 309be271-0149-4543-a639-8c00be2ae0d4 > >Raw Audit Messages >type=AVC msg=audit(1358843932.492:5989): avc: denied { read } for pid=4427 comm="cimprovagt" name="passwd" dev="vda3" ino=48314 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=AVC msg=audit(1358843932.492:5989): avc: denied { open } for pid=4427 comm="cimprovagt" path="/etc/passwd" dev="vda3" ino=48314 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843932.492:5989): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f04bc016210 a1=0 a2=7f04c571bdb0 a3=c items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: 
cmpiLMI_Account,pegasus_openlmi_account_t,passwd_file_t,file,read > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file { read open }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file { read open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from getattr access on the file /etc/passwd. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that bash should be allowed getattr access on the passwd file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:passwd_file_t:s0 >Target Objects /etc/passwd [ file ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages setup-2.8.57-1.fc18.noarch >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:52 CET >Local ID c3777fbc-571e-4952-89fc-6b9c4d3cf01f > >Raw Audit Messages >type=AVC msg=audit(1358843932.499:5991): avc: denied { getattr } for pid=4427 comm="cimprovagt" path="/etc/passwd" dev="vda3" ino=48314 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843932.499:5991): arch=x86_64 
syscall=fstat success=yes exit=0 a0=a a1=7f04c571bbf0 a2=7f04c571bbf0 a3=238 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cmpiLMI_Account,pegasus_openlmi_account_t,passwd_file_t,file,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/bin/bash from write access on the file account.log. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that bash should be allowed write access on the account.log file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cmpiLMI_Account /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_tmp_t:s0 >Target Objects account.log [ file ] >Source cmpiLMI_Account >Source Path /usr/bin/bash >Port <Unknown> >Host <Unknown> >Source RPM Packages bash-4.2.42-1.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID dc8306bf-312c-4b25-b754-42b0e086af2d > >Raw Audit Messages >type=AVC msg=audit(1358843929.94:5935): avc: denied { write } for pid=4422 comm="cmpiLMI_Account" name="account.log" dev="tmpfs" ino=137198 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_tmp_t:s0 tclass=file > > >type=AVC msg=audit(1358843929.94:5935): avc: denied { open } for pid=4422 comm="cmpiLMI_Account" path="/tmp/account.log" dev="tmpfs" ino=137198 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_tmp_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.94:5935): arch=x86_64 syscall=open success=yes exit=ESRCH a0=17c2910 a1=241 a2=1b6 a3=0 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cmpiLMI_Account exe=/usr/bin/bash subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cmpiLMI_Account,pegasus_openlmi_account_t,pegasus_tmp_t,file,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_tmp_t:file { write open }; > >audit2allow -R > >#============= 
pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_tmp_t:file { write open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from execute access on the file /usr/libexec/pegasus/cimprovagt. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed execute access on the cimprovagt file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:bin_t:s0 >Target Objects /usr/libexec/pegasus/cimprovagt [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 0aaec446-889d-4ea6-8b2b-960427e2fa7b > >Raw Audit Messages >type=AVC msg=audit(1358843929.94:5936): avc: denied { execute } for pid=4425 comm="cmpiLMI_Account" name="cimprovagt" dev="vda3" ino=9010 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file > > >type=AVC msg=audit(1358843929.94:5936): avc: denied { execute_no_trans } for pid=4425 comm="cmpiLMI_Account" path="/usr/libexec/pegasus/cimprovagt" dev="vda3" ino=9010 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 
tcontext=system_u:object_r:bin_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.94:5936): arch=x86_64 syscall=execve success=yes exit=0 a0=17c2c20 a1=17c0e00 a2=17c34f0 a3=38 items=0 ppid=4422 pid=4425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,bin_t,file,execute > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t bin_t:file { execute execute_no_trans }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t bin_t:file { execute execute_no_trans }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from using the setgid capability. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should have the setgid capability by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ capability ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 6ae68316-9c8f-4978-90d2-bcc503005642 > >Raw Audit Messages >type=AVC msg=audit(1358843929.104:5937): avc: denied { setgid } for pid=4425 comm="cimprovagt" capability=6 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=capability > > >type=SYSCALL msg=audit(1358843929.104:5937): arch=x86_64 syscall=setgid success=yes exit=0 a0=0 a1=0 a2=3 a3=7fff227a8e90 items=0 ppid=4422 pid=4425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,capability,setgid > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability setgid; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability setgid; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from using the setuid 
capability. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should have the setuid capability by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ capability ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID f340a7a3-23bd-4d50-be8d-ad1c1f47c7e7 > >Raw Audit Messages >type=AVC msg=audit(1358843929.105:5938): avc: denied { setuid } for pid=4425 comm="cimprovagt" capability=7 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=capability > > >type=SYSCALL msg=audit(1358843929.105:5938): arch=x86_64 syscall=setuid success=yes exit=0 a0=0 a1=0 a2=1 a3=7fff227a8e90 items=0 ppid=4422 pid=4425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,capability,setuid > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability setuid; > >audit2allow -R > 
>#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability setuid; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from write access on the directory /var/lib/Pegasus/cache/trace. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed write access on the trace directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_data_t:s0 >Target Objects /var/lib/Pegasus/cache/trace [ dir ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 569b220c-fea0-4a9d-81b6-276d91ebd06d > >Raw Audit Messages >type=AVC msg=audit(1358843929.119:5939): avc: denied { write } for pid=4426 comm="cimprovagt" name="trace" dev="vda3" ino=170687 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_data_t:s0 tclass=dir > > >type=SYSCALL msg=audit(1358843929.119:5939): arch=x86_64 syscall=access success=yes exit=0 a0=7f04c65b21c0 a1=2 a2=7f04c2afe768 a3=7fff74f13e00 items=0 ppid=1 pid=4426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_data_t,dir,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:dir write; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:dir write; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from getattr access on the file /etc/resolv.conf. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed getattr access on the resolv.conf file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:net_conf_t:s0 >Target Objects /etc/resolv.conf [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 00b86462-646c-4d06-acd7-91e8aaa2d701 > >Raw Audit Messages >type=AVC msg=audit(1358843929.206:5941): avc: denied { getattr } for pid=4427 comm="cimprovagt" path="/etc/resolv.conf" dev="vda3" ino=8290 
scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.206:5941): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7f04c5719680 a2=7f04c5719680 a3=0 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,net_conf_t,file,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t net_conf_t:file getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t net_conf_t:file getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from read access on the file /etc/resolv.conf. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed read access on the resolv.conf file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:net_conf_t:s0 >Target Objects /etc/resolv.conf [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 6069e9d9-99ee-4220-a53f-5254180c0e73 > >Raw Audit Messages >type=AVC msg=audit(1358843929.206:5940): avc: denied { read } for pid=4427 comm="cimprovagt" name="resolv.conf" dev="vda3" ino=8290 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file > > >type=AVC msg=audit(1358843929.206:5940): avc: denied { open } for pid=4427 comm="cimprovagt" path="/etc/resolv.conf" dev="vda3" ino=8290 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.206:5940): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f04c28c55ad a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,net_conf_t,file,read > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t net_conf_t:file { read open }; > >audit2allow -R > >#============= 
pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t net_conf_t:file { read open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from create access on the udp_socket . > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed create access on the udp_socket by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ udp_socket ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 4d3d721c-0866-4def-898f-884887ac87a9 > >Raw Audit Messages >type=AVC msg=audit(1358843929.206:5942): avc: denied { create } for pid=4427 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=udp_socket > > >type=SYSCALL msg=audit(1358843929.206:5942): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=802 a2=0 a3=7f04c5719680 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt 
subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,udp_socket,create > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket create; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket create; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from getattr access on the udp_socket udp_socket. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed getattr access on the udp_socket udp_socket by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects udp_socket [ udp_socket ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 21da68f3-90fb-463c-b396-9be26366c00d > >Raw Audit Messages >type=AVC msg=audit(1358843929.207:5944): avc: denied { getattr } for pid=4427 comm="cimprovagt" path="socket:[183104]" dev="sockfs" ino=183104 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 
tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=udp_socket > > >type=SYSCALL msg=audit(1358843929.207:5944): arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=541b a2=7f04c5719a20 a3=7f04c5719680 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,udp_socket,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from connect access on the udp_socket . > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed connect access on the udp_socket by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ udp_socket ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 3feafbe6-9b4f-4744-9407-97bbdf11cfe5 > >Raw Audit Messages >type=AVC msg=audit(1358843929.207:5943): avc: denied { connect } for pid=4427 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=udp_socket > > >type=SYSCALL msg=audit(1358843929.207:5943): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7f04bc009260 a2=10 a3=7f04c5719680 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,udp_socket,connect > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket connect; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:udp_socket connect; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from getattr access 
on the file /etc/shadow. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed getattr access on the shadow file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:shadow_t:s0 >Target Objects /etc/shadow [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages setup-2.8.57-1.fc18.noarch >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 4c983169-9aad-4e30-963e-9d7994f18765 > >Raw Audit Messages >type=AVC msg=audit(1358843929.238:5945): avc: denied { getattr } for pid=4427 comm="cimprovagt" path="/etc/shadow" dev="vda3" ino=1233 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.238:5945): arch=x86_64 syscall=stat success=yes exit=0 a0=7f04bc0154e0 a1=7f04c571be40 a2=7f04c571be40 a3=c items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,shadow_t,file,getattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t 
shadow_t:file getattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file getattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from lock access on the file /etc/passwd. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed lock access on the passwd file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:passwd_file_t:s0 >Target Objects /etc/passwd [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages setup-2.8.57-1.fc18.noarch >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:52 CET >Local ID 38d4e201-f0fb-4240-b10e-b001afe3d6fa > >Raw Audit Messages >type=AVC msg=audit(1358843932.499:5990): avc: denied { lock } for pid=4427 comm="cimprovagt" path="/etc/passwd" dev="vda3" ino=48314 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843932.499:5990): arch=x86_64 syscall=fcntl success=yes exit=0 a0=a a1=6 a2=7f04bc016008 a3=28 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,passwd_file_t,file,lock > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file lock; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file lock; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from lock access on the file /etc/shadow. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed lock access on the shadow file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:shadow_t:s0 >Target Objects /etc/shadow [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages setup-2.8.57-1.fc18.noarch >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID e8855645-a57b-455c-b401-6a96dc77c5e8 > >Raw Audit Messages >type=AVC msg=audit(1358843929.239:5948): avc: denied { lock } for pid=4427 comm="cimprovagt" path="/etc/shadow" dev="vda3" ino=1233 
scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.239:5948): arch=x86_64 syscall=fcntl success=yes exit=0 a0=3 a1=6 a2=7f04bc0166b8 a3=28 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,shadow_t,file,lock > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file lock; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file lock; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from using the dac_override capability. > >***** Plugin dac_override (91.4 confidence) suggests *********************** > >If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system >Then turn on full auditing to get path information about the offending file and generate the error again. >Do > >Turn on full auditing ># auditctl -w /etc/shadow -p w >Try to recreate AVC. Then execute ># ausearch -m avc -ts recent >If you see PATH record check ownership/permissions on file, and fix it, >otherwise report as a bugzilla. > >***** Plugin catchall (9.59 confidence) suggests *************************** > >If you believe that cimprovagt should have the dac_override capability by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ capability ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:54 CET >Local ID e1beeb14-2e31-46b4-b38b-d014e442dde6 > >Raw Audit Messages >type=AVC msg=audit(1358843934.282:6020): avc: denied { dac_override } for pid=4427 comm="cimprovagt" capability=1 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=capability > > >type=SYSCALL msg=audit(1358843934.282:6020): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f04bc037230 a1=0 a2=7f04c571c220 a3=d items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,capability,dac_override > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability dac_override; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:capability dac_override; > > >-------------------------------------------------------------------------------- > >SELinux is preventing 
/usr/libexec/pegasus/cimprovagt from read access on the file /var/log/wtmp. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed read access on the wtmp file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:wtmp_t:s0 >Target Objects /var/log/wtmp [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages initscripts-9.42.1-1.fc18.x86_64 >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:49 CET >Last Seen 2013-01-22 09:38:49 CET >Local ID 06825837-6d87-436e-9328-9ed7f698c3ed > >Raw Audit Messages >type=AVC msg=audit(1358843929.242:5949): avc: denied { read } for pid=4427 comm="cimprovagt" name="wtmp" dev="vda3" ino=146104 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file > > >type=AVC msg=audit(1358843929.242:5949): avc: denied { open } for pid=4427 comm="cimprovagt" path="/var/log/wtmp" dev="vda3" ino=146104 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843929.242:5949): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f04bc08a240 a1=80000 a2=7f04bc08a240 a3=7f04c571bd30 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,wtmp_t,file,read > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t wtmp_t:file { read open }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t wtmp_t:file { read open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from search access on the directory tog-pegasus. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed search access on the tog-pegasus directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_var_run_t:s0 >Target Objects tog-pegasus [ dir ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:50 CET >Local ID 71b5690f-2f47-46a9-af5f-5faf851f2861 > >Raw Audit Messages >type=AVC msg=audit(1358843930.787:5957): avc: denied { search } for pid=4427 comm="cimprovagt" name="tog-pegasus" dev="tmpfs" ino=12793 
scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=dir > > >type=AVC msg=audit(1358843930.787:5957): avc: denied { write } for pid=4427 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=183040 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file > > >type=AVC msg=audit(1358843930.787:5957): avc: denied { connectto } for pid=4427 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket > > >type=SYSCALL msg=audit(1358843930.787:5957): arch=x86_64 syscall=connect success=yes exit=0 a0=5 a1=7f04c571b390 a2=6e a3=7f04c571ab10 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_var_run_t,dir,search > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_t:unix_stream_socket connectto; >allow pegasus_openlmi_account_t pegasus_var_run_t:dir search; >allow pegasus_openlmi_account_t pegasus_var_run_t:sock_file write; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_t:unix_stream_socket connectto; >allow pegasus_openlmi_account_t pegasus_var_run_t:dir search; >allow pegasus_openlmi_account_t pegasus_var_run_t:sock_file write; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from read access on the file cimclient_root_1_792. > >***** Plugin catchall (100. 
confidence) suggests *************************** > >If you believe that cimprovagt should be allowed read access on the cimclient_root_1_792 file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_data_t:s0 >Target Objects cimclient_root_1_792 [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:50 CET >Local ID 822f96b7-9d05-46cc-a408-a2d2dbd8489b > >Raw Audit Messages >type=AVC msg=audit(1358843930.795:5958): avc: denied { read } for pid=4427 comm="cimprovagt" name="cimclient_root_1_792" dev="vda3" ino=163600 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_data_t:s0 tclass=file > > >type=AVC msg=audit(1358843930.795:5958): avc: denied { open } for pid=4427 comm="cimprovagt" path="/var/lib/Pegasus/cache/localauth/cimclient_root_1_792" dev="vda3" ino=163600 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_data_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843930.795:5958): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f04bc067c60 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt 
subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_data_t,file,read > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:file { read open }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_data_t:file { read open }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from using the setfscreate access on a process. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed setfscreate access on processes labeled pegasus_openlmi_account_t by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Objects [ process ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:53 CET >Local ID 28dbcf35-04a3-4bbf-8f3a-43d9df27e2c2 > >Raw Audit Messages >type=AVC msg=audit(1358843933.776:6011): avc: denied { setfscreate } for pid=4427 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 
tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=process > > >type=SYSCALL msg=audit(1358843933.776:6011): arch=x86_64 syscall=write success=yes exit=EDEADLOCK a0=a a1=7f04bc037ce0 a2=23 a3=6165726373662f72 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_openlmi_account_t,process,setfscreate > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:process setfscreate; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t self:process setfscreate; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from write access on the file /etc/passwd-. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed write access on the passwd- file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:passwd_file_t:s0 >Target Objects /etc/passwd- [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:52 CET >Local ID 0ded2ec3-dc80-4ad6-961f-10a913713b15 > >Raw Audit Messages >type=AVC msg=audit(1358843932.716:5994): avc: denied { write } for pid=4427 comm="cimprovagt" name="passwd-" dev="vda3" ino=22906 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843932.716:5994): arch=x86_64 syscall=open success=yes exit=ENOMEM a0=7f04bc014cf0 a1=41 a2=81a4 a3=d items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,passwd_file_t,file,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file write; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file write; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from setattr access on the file 
/etc/passwd-. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed setattr access on the passwd- file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:passwd_file_t:s0 >Target Objects /etc/passwd- [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 2 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:52 CET >Local ID c449b5e2-12c6-4343-9d90-e1a9d7b95c8e > >Raw Audit Messages >type=AVC msg=audit(1358843932.720:5995): avc: denied { setattr } for pid=4427 comm="cimprovagt" name="passwd-" dev="vda3" ino=22906 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843932.720:5995): arch=x86_64 syscall=fchown success=yes exit=0 a0=c a1=0 a2=0 a3=28 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,passwd_file_t,file,setattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file setattr; > >audit2allow -R > 
>#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t passwd_file_t:file setattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from write access on the file /etc/gshadow-. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed write access on the gshadow- file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:shadow_t:s0 >Target Objects /etc/gshadow- [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:50 CET >Local ID 2277823c-4879-464f-8f9c-770fa3d6134e > >Raw Audit Messages >type=AVC msg=audit(1358843930.907:5962): avc: denied { write } for pid=4427 comm="cimprovagt" name="gshadow-" dev="vda3" ino=50 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file > > >type=SYSCALL msg=audit(1358843930.907:5962): arch=x86_64 syscall=open success=yes exit=ENOMEM a0=7f04bc0230d0 a1=41 a2=8000 a3=e items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt 
subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,shadow_t,file,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file write; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file write; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from setattr access on the file /etc/gshadow-. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed setattr access on the gshadow- file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:shadow_t:s0 >Target Objects /etc/gshadow- [ file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:50 CET >Last Seen 2013-01-22 09:38:50 CET >Local ID bb30a8fd-288c-49c5-9a0e-da58610e8e2f > >Raw Audit Messages >type=AVC msg=audit(1358843930.908:5963): avc: denied { setattr } for pid=4427 comm="cimprovagt" name="gshadow-" dev="vda3" ino=50 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file > > >type=SYSCALL 
msg=audit(1358843930.908:5963): arch=x86_64 syscall=fchown success=yes exit=0 a0=c a1=0 a2=0 a3=28 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,shadow_t,file,setattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file setattr; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t shadow_t:file setattr; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from write access on the directory /home. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed write access on the home directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:home_root_t:s0 >Target Objects /home [ dir ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages filesystem-3.1-2.fc18.x86_64 >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:51 CET >Last Seen 2013-01-22 09:38:51 CET >Local ID 703a46e6-cc9f-43d6-98d8-5e5d46ffb0d0 > >Raw Audit Messages >type=AVC msg=audit(1358843931.19:5964): avc: denied { write } for pid=4427 comm="cimprovagt" name="home" dev="vda3" ino=129321 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir > > >type=AVC msg=audit(1358843931.19:5964): avc: denied { add_name } for pid=4427 comm="cimprovagt" name="account_test_user" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir > > >type=AVC msg=audit(1358843931.19:5964): avc: denied { create } for pid=4427 comm="cimprovagt" name="account_test_user" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir > > >type=SYSCALL msg=audit(1358843931.19:5964): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7f04bc030550 a1=1c0 a2=0 a3=7f04c571b6d0 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: 
cimprovagt,pegasus_openlmi_account_t,home_root_t,dir,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t home_root_t:dir { write create add_name }; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t home_root_t:dir { write create add_name }; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from setattr access on the directory account_test_user. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that cimprovagt should be allowed setattr access on the account_test_user directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:home_root_t:s0 >Target Objects account_test_user [ dir ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:51 CET >Last Seen 2013-01-22 09:38:51 CET >Local ID 60e0b910-b284-4f5c-ac96-c4d38d643522 > >Raw Audit Messages >type=AVC msg=audit(1358843931.20:5965): avc: denied { setattr } for pid=4427 comm="cimprovagt" name="account_test_user" dev="vda3" ino=210108 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir > > >type=AVC 
msg=audit(1358843931.20:5965): avc: denied { chown } for pid=4427 comm="cimprovagt" capability=0 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_openlmi_account_t:s0 tclass=capability > > >type=SYSCALL msg=audit(1358843931.20:5965): arch=x86_64 syscall=chown success=yes exit=0 a0=7f04bc030550 a1=3ed a2=3e9 a3=7f04c571b6d0 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,home_root_t,dir,setattr > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t home_root_t:dir setattr; >allow pegasus_openlmi_account_t self:capability chown; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t home_root_t:dir setattr; >allow pegasus_openlmi_account_t self:capability chown; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/sbin/userdel from rmdir access on the directory account_test_user. > >***** Plugin catchall (100. confidence) suggests *************************** > >If you believe that userdel should be allowed rmdir access on the account_test_user directory by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. 
>Do >allow this access for now by executing: ># grep userdel /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 >Target Context system_u:object_r:home_root_t:s0 >Target Objects account_test_user [ dir ] >Source userdel >Source Path /usr/sbin/userdel >Port <Unknown> >Host <Unknown> >Source RPM Packages shadow-utils-4.1.5.1-1.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:51 CET >Last Seen 2013-01-22 09:38:51 CET >Local ID ea137ec4-b6fc-4a37-92e2-864ec5874a30 > >Raw Audit Messages >type=AVC msg=audit(1358843931.103:5969): avc: denied { rmdir } for pid=4515 comm="userdel" name="account_test_user" dev="vda3" ino=210108 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir > > >type=SYSCALL msg=audit(1358843931.103:5969): arch=x86_64 syscall=rmdir success=yes exit=0 a0=7fd1ce0805e0 a1=0 a2=6700 a3=8028 items=0 ppid=4417 pid=4515 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=20 comm=userdel exe=/usr/sbin/userdel subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) > >Hash: userdel,useradd_t,home_root_t,dir,rmdir > >audit2allow > >#============= useradd_t ============== >allow useradd_t home_root_t:dir rmdir; > >audit2allow -R > >#============= useradd_t ============== >allow useradd_t home_root_t:dir rmdir; > > >-------------------------------------------------------------------------------- > >SELinux is preventing /usr/libexec/pegasus/cimprovagt from write access on the sock_file cimxml.socket. > >***** Plugin catchall (100. 
confidence) suggests *************************** > >If you believe that cimprovagt should be allowed write access on the cimxml.socket sock_file by default. >Then you should report this as a bug. >You can generate a local policy module to allow this access. >Do >allow this access for now by executing: ># grep cimprovagt /var/log/audit/audit.log | audit2allow -M mypol ># semodule -i mypol.pp > > >Additional Information: >Source Context system_u:system_r:pegasus_openlmi_account_t:s0 >Target Context system_u:object_r:pegasus_var_run_t:s0 >Target Objects cimxml.socket [ sock_file ] >Source cimprovagt >Source Path /usr/libexec/pegasus/cimprovagt >Port <Unknown> >Host <Unknown> >Source RPM Packages tog-pegasus-2.12.0-4.fc18.x86_64 >Target RPM Packages >Policy RPM selinux-policy-3.11.1-67.fc18.noarch >Selinux Enabled True >Policy Type targeted >Enforcing Mode Permissive >Host Name f18 >Platform Linux f18 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 > 14:12:51 UTC 2012 x86_64 x86_64 >Alert Count 1 >First Seen 2013-01-22 09:38:55 CET >Last Seen 2013-01-22 09:38:55 CET >Local ID 523982c1-8ca8-4196-85f9-2347f9236ed1 > >Raw Audit Messages >type=AVC msg=audit(1358843935.543:6038): avc: denied { write } for pid=4427 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=183040 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file > > >type=AVC msg=audit(1358843935.543:6038): avc: denied { connectto } for pid=4427 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket > > >type=SYSCALL msg=audit(1358843935.543:6038): arch=x86_64 syscall=connect success=yes exit=0 a0=d a1=7f04c571b710 a2=6e a3=20 items=0 ppid=1 pid=4427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt 
subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null) > >Hash: cimprovagt,pegasus_openlmi_account_t,pegasus_var_run_t,sock_file,write > >audit2allow > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_t:unix_stream_socket connectto; >allow pegasus_openlmi_account_t pegasus_var_run_t:sock_file write; > >audit2allow -R > >#============= pegasus_openlmi_account_t ============== >allow pegasus_openlmi_account_t pegasus_t:unix_stream_socket connectto; >allow pegasus_openlmi_account_t pegasus_var_run_t:sock_file write; > >