Bug 1387311

Summary: SELinux is preventing systemd-update- from 'setattr' accesses on the file /etc/.updated.
Product: Fedora
Reporter: Paul W. Frields <stickster>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 25
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:3ce3ca45be25187f33e3312027214bf2ef13a2a1644eb4e8b13d56d2dd18ff45;VARIANT_ID=workstation;
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-07 21:32:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Paul W. Frields 2016-10-20 15:23:58 UTC
Description of problem:
No specific action taken; saw this shortly after system restart.
SELinux is preventing systemd-update- from 'setattr' accesses on the file /etc/.updated.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/etc/.updated default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/.updated

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow systemd-update- to have setattr access on the .updated file
Then you need to change the label on /etc/.updated
Do
# semanage fcontext -a -t FILE_TYPE '/etc/.updated'
where FILE_TYPE is one of the following: NetworkManager_unit_file_t, abrt_unit_file_t, accountsd_unit_file_t, alsa_lock_t, alsa_unit_file_t, amanda_unit_file_t, antivirus_unit_file_t, apcupsd_lock_t, apcupsd_unit_file_t, apmd_lock_t, apmd_unit_file_t, arpwatch_unit_file_t, auditd_etc_t, auditd_unit_file_t, automount_lock_t, automount_unit_file_t, avahi_unit_file_t, bcfg2_unit_file_t, bluetooth_lock_t, bluetooth_unit_file_t, boinc_unit_file_t, brltty_unit_file_t, bumblebee_unit_file_t, cache_home_t, cgroup_t, chronyd_unit_file_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_scheduler_unit_file_t, cinder_volume_unit_file_t, cloud_init_unit_file_t, cluster_unit_file_t, cockpit_unit_file_t, collectd_unit_file_t, colord_unit_file_t, condor_unit_file_t, condor_var_lock_t, config_home_t, conman_unit_file_t, consolekit_log_t, consolekit_unit_file_t, couchdb_unit_file_t, cpuplug_lock_t, crond_unit_file_t, cupsd_lock_t, cupsd_unit_file_t, data_home_t, dbus_home_t, denyhosts_var_lock_t, device_t, dhcp_state_t, dhcpd_unit_file_t, dirsrv_var_lock_t, dirsrvadmin_lock_t, dirsrvadmin_unit_file_t, dnsmasq_unit_file_t, dnssec_trigger_unit_file_t, docker_lock_t, docker_unit_file_t, drbd_lock_t, etc_aliases_t, etc_runtime_t, fenced_lock_t, firewalld_unit_file_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmiseld_unit_file_t, ftpd_lock_t, ftpd_unit_file_t, fwupd_unit_file_t, gconf_home_t, gear_unit_file_t, getty_lock_t, getty_unit_file_t, gkeyringd_gnome_home_t, glance_api_unit_file_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, gnome_home_t, gssproxy_unit_file_t, gstreamer_home_t, haproxy_unit_file_t, hostapd_unit_file_t, hsqldb_unit_file_t, httpd_lock_t, httpd_unit_file_t, hwloc_dhwd_unit_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, icc_data_home_t, init_tmp_t, init_var_lib_t, init_var_run_t, initrc_state_t, initrc_var_run_t, innd_unit_file_t, iodined_unit_file_t, ipa_dnskey_unit_file_t, ipa_ods_exporter_unit_file_t, 
ipa_otpd_unit_file_t, ipmievd_lock_t, ipmievd_unit_file_t, ipsec_mgmt_lock_t, ipsec_mgmt_unit_file_t, ipsec_var_run_t, iptables_lock_t, iptables_unit_file_t, iscsi_lock_t, iscsi_unit_file_t, jetty_unit_file_t, kdump_lock_t, kdump_unit_file_t, keepalived_unit_file_t, keystone_unit_file_t, kmscon_unit_file_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_lock_t, ksmtuned_unit_file_t, ktalkd_unit_file_t, likewise_pstore_lock_t, local_login_lock_t, locale_t, lockdev_lock_t, logrotate_lock_t, logwatch_lock_t, lsmd_unit_file_t, lttng_sessiond_unit_file_t, lvm_lock_t, lvm_unit_file_t, machineid_t, mailman_lock_t, mandb_lock_t, mdadm_unit_file_t, mip6d_unit_file_t, modemmanager_unit_file_t, mongod_unit_file_t, motion_unit_file_t, mrtg_lock_t, mysqld_unit_file_t, named_conf_t, named_unit_file_t, netlabel_mgmt_unit_file_t, neutron_unit_file_t, nfsd_unit_file_t, ninfod_unit_file_t, nis_unit_file_t, nova_unit_file_t, nscd_unit_file_t, ntpd_unit_file_t, numad_unit_file_t, nut_unit_file_t, oddjob_unit_file_t, opendnssec_unit_file_t, opensm_unit_file_t, openvswitch_unit_file_t, openwsman_unit_file_t, pdns_unit_file_t, pesign_unit_file_t, phc2sys_unit_file_t, pkcs11proxyd_unit_file_t, pkcs_slotd_lock_t, pki_ra_lock_t, pki_tomcat_lock_t, pki_tomcat_unit_file_t, pki_tps_lock_t, polipo_unit_file_t, postgresql_lock_t, postgresql_unit_file_t, power_unit_file_t, pppd_lock_t, pppd_unit_file_t, print_spool_t, prosody_unit_file_t, ptp4l_unit_file_t, rabbitmq_unit_file_t, rabbitmq_var_lock_t, radiusd_unit_file_t, random_seed_t, rasdaemon_unit_file_t, rdisc_unit_file_t, redis_unit_file_t, rhev_agentd_unit_file_t, rhnsd_unit_file_t, rhsmcertd_lock_t, ricci_modstorage_lock_t, rkt_unit_file_t, rngd_unit_file_t, rolekit_unit_file_t, rpcd_unit_file_t, rtas_errd_unit_file_t, rtas_errd_var_lock_t, samba_unit_file_t, sanlk_resetd_unit_file_t, sanlock_unit_file_t, sbd_unit_file_t, semanage_read_lock_t, semanage_trans_lock_t, sensord_unit_file_t, shorewall_lock_t, slapd_lock_t, slapd_unit_file_t, 
speech-dispatcher_unit_file_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sslh_unit_file_t, sssd_unit_file_t, svnserve_unit_file_t, swift_lock_t, swift_unit_file_t, sysctl_fs_t, sysctl_t, syslogd_unit_file_t, system_cronjob_lock_t, systemd_gpt_generator_unit_file_t, systemd_home_t, systemd_hwdb_unit_file_t, systemd_logind_var_run_t, systemd_machined_unit_file_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_passwd_var_run_t, systemd_resolved_unit_file_t, systemd_rfkill_unit_file_t, systemd_runtime_unit_file_t, systemd_timedated_unit_file_t, systemd_unit_file_t, systemd_vconsole_unit_file_t, targetd_unit_file_t, timemaster_unit_file_t, tmpfs_t, tomcat_unit_file_t, tor_unit_file_t, udev_rules_t, usbmuxd_unit_file_t, uucpd_lock_t, var_lib_nfs_t, var_lib_t, var_lock_t, virt_lock_t, virtd_unit_file_t, virtlogd_unit_file_t, vmtools_unit_file_t, xdm_lock_t, ypbind_unit_file_t, zebra_unit_file_t, zoneminder_unit_file_t.
Then execute:
restorecon -v '/etc/.updated'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that systemd-update- should be allowed setattr access on the .updated file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-update-' --raw | audit2allow -M my-systemdupdate
# semodule -X 300 -i my-systemdupdate.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/.updated [ file ]
Source                        systemd-update-
Source Path                   systemd-update-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-220.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.2-300.fc25.x86_64 #1 SMP Mon Oct 17 23:07:43 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-20 11:19:55 EDT
Last Seen                     2016-10-20 11:19:55 EDT
Local ID                      3f9e6e98-eedd-4358-8cf1-430cf73b6f2b

Raw Audit Messages
type=AVC msg=audit(1476976795.915:85): avc:  denied  { setattr } for  pid=960 comm="systemd-update-" name=".updated" dev="dm-0" ino=786809 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: systemd-update-,init_t,etc_t,file,setattr

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.2-300.fc25.x86_64
type:           libreport
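The report above offers three fixes with very different blast radius: a relabel (restorecon), a manual fcontext change, or an audit2allow module that would grant init_t setattr on every etc_t file. The following Python is an added example, not part of this bug report or of setroubleshoot: it parses the raw AVC record, compares the target's current type against the expected default label the restorecon plugin names (etc_runtime_t), and classifies the denial as a mislabel (fix with restorecon) rather than a policy gap. The EXPECTED_TYPE table is a hypothetical stand-in for the real file_contexts lookup (matchpathcon); the sample AVC line is a constructed copy of the one in the report.

```python
import re

# Constructed copy of the AVC record from the report, kept inline so this runs offline.
AVC_LINE = (
    'type=AVC msg=audit(1476976795.915:85): avc:  denied  { setattr } for  pid=960 '
    'comm="systemd-update-" name=".updated" dev="dm-0" ino=786809 '
    'scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 '
    'tclass=file permissive=0'
)

# Hypothetical stand-in for the file_contexts database (matchpathcon). The one entry
# here is taken from the restorecon plugin suggestion in the report.
EXPECTED_TYPE = {"/etc/.updated": "etc_runtime_t"}

# "avc:  denied  { setattr } for  key=value ..." ; perms may be a space-separated set.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either double-quoted (comm, name, dev) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one raw AVC audit record into its fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "permissive": fields.get("permissive") == "1",
    }
    for key in ("pid", "comm", "name", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def triage(rec, path):
    """Decide whether a denial is a labeling problem or a genuine policy gap.

    A mismatch between the target's current type and its expected default means
    the file is mislabeled: restorecon is the right fix, and an audit2allow module
    would instead widen the source domain's access to the wrong type.
    """
    actual = context_type(rec["tcontext"])
    expected = EXPECTED_TYPE.get(path)
    if expected is not None and actual != expected:
        return "mislabel", f"restorecon -v '{path}'"
    return "policy", "report against selinux-policy; do not ship an audit2allow module blindly"


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(record)
    print(triage(record, "/etc/.updated"))
```

Run on the record from this report, the script classifies the denial as a mislabel (current type etc_t, expected etc_runtime_t) and recommends the relabel, which is also what the maintainer's closing comment asks for.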

Comment 1 Lukas Vrabec 2016-11-07 21:32:12 UTC
Please run the following command to fix your issue:

# restorecon -Rv /