Bug 564328

Summary: SELinux is preventing hwclock (hwclock_t) "append" to /var/webmin/miniserv.error (var_t).
Product: [Fedora] Fedora
Reporter: Jochen Brinkmann <brinkj>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:590367a7bb269d8889bb2e118f3179546f94976a43794f1f7b92de0cef3b0cf8
Doc Type: Bug Fix
Last Closed: 2010-02-12 14:50:44 UTC

Description Jochen Brinkmann 2010-02-12 12:45:25 UTC
Summary:

SELinux is preventing hwclock (hwclock_t) "append" to /var/webmin/miniserv.error
(var_t).

Detailed Description:

[hwclock has a permissive type (hwclock_t). This access was not denied.]

SELinux denied access requested by hwclock. It is not expected that this access
is required by hwclock and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/webmin/miniserv.error,

restorecon -v '/var/webmin/miniserv.error'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:hwclock_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/webmin/miniserv.error [ file ]
Source                        hwclock
Source Path                   /sbin/hwclock
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.14.1-3.2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-55.fc10
SELinux Enabled               True
Policy Version                targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP
                              Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Wed 22 Apr 2009 08:37:27 CEST
Last Seen                     Wed 22 Apr 2009 08:40:00 CEST
Local ID                      08aa8239-0fb5-43b1-8206-25823969fe60
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1240382400.781:26): avc:  denied  { append } for  pid=4584 comm="hwclock" path="/var/webmin/miniserv.error" dev=dm-0 ino=20472074 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1240382400.781:26): arch=c000003e syscall=59 success=yes exit=0 a0=7fff60e64435 a1=1ea3768 a2=1932f80 a3=8101010101010100 items=0 ppid=4579 pid=4584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hwclock" exe="/sbin/hwclock" subj=system_u:system_r:hwclock_t:s0 key=(null)



Hash String generated from  selinux-policy-3.5.13-55.fc10,catchall_file,hwclock,hwclock_t,var_t,file,append
audit2allow suggests:

#============= hwclock_t ==============
allow hwclock_t var_t:file append;

Comment 1 Daniel Walsh 2010-02-12 14:50:44 UTC

*** This bug has been marked as a duplicate of bug 538428 ***