Description of problem: Showed during F20 TC5 installation (Live Desktop). SELinux is preventing /usr/lib/systemd/systemd-hostnamed from using the 'dac_override' capabilities. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that systemd-hostnamed should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_hostnamed_t:s0 Target Context system_u:system_r:systemd_hostnamed_t:s0 Target Objects [ capability ] Source systemd-hostnam Source Path /usr/lib/systemd/systemd-hostnamed Port <Unknown> Host (removed) Source RPM Packages systemd-208-8.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.11.10-300.fc20.x86_64 #1 SMP Fri Nov 29 19:16:48 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-12-11 07:40:17 EST Last Seen 2013-12-11 07:40:17 EST Local ID 962dcd06-3967-4a59-844c-f04261eac0f5 Raw Audit Messages type=AVC msg=audit(1386765617.130:531): avc: denied { dac_override } for pid=16712 comm="systemd-hostnam" capability=1 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability type=SYSCALL msg=audit(1386765617.130:531): arch=x86_64 syscall=open success=yes exit=EIO a0=7f0d8b2b4d20 a1=800c2 a2=180 a3=1 items=0 ppid=1 pid=16712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) Hash: systemd-hostnam,systemd_hostnamed_t,systemd_hostnamed_t,capability,dac_override Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.10-300.fc20.x86_64 type: libreport Potential duplicate: bug 1003178
Description of problem: This appeared at the end of the installation on F20 TC5 Live x86_64 with http://vpodzime.fedorapeople.org/f20_blockers_updates.img used. Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.10-300.fc20.x86_64 type: libreport
This might violate "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. " unless it happens only when (certain) updates.img is used (and not without it).
This usually means some file has the wrong ownership on it. If you can turn on full auditing and recreate the problem. We could diagnose this better. If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. Of course it probably will only happen once.
This does not happen with F20 RC1. It was probably caused by the updates.img. Removing blocker proposal.