Description of problem:
I have a cron that mails this file and selinux is disabled on this system. Why is this still being denied?

SELinux is preventing /usr/bin/mailx from 'ioctl' accesses on the file /home/tbecker/rsync_backup.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mailx should be allowed ioctl access on the rsync_backup.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/tbecker/rsync_backup.log [ file ]
Source                        mail
Source Path                   /usr/bin/mailx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mailx-12.5-10.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-27 09:55:20 MST
Last Seen                     2013-12-27 09:55:20 MST
Local ID                      97342c42-8b9b-47ac-802d-16c4d2c4d9a9

Raw Audit Messages
type=AVC msg=audit(1388163320.29:614): avc: denied { ioctl } for pid=4767 comm="mail" path="/home/tbecker/rsync_backup.log" dev="dm-1" ino=3670331 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1388163320.29:614): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=5401 a2=7ffff8f210e0 a3=8 items=0 ppid=3711 pid=4767 auid=0 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: mail,system_mail_t,user_home_t,file,ioctl

Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-302.fc20.x86_64
type: libreport
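An added example, not part of the original report or of setroubleshoot: a small Python parser that pairs the AVC and SYSCALL records quoted above and condenses them to the tuple the report lists under "Hash", plus the syscall result. The function names are hypothetical, and the "blocked" test is an assumed heuristic (an enforced denial normally fails the call with EACCES); here the call ended with ENOTTY, which fits the report's "Enforcing Mode Permissive".

```python
import re

# Raw audit records copied from the report above; both belong to event 614.
RAW = [
    'type=AVC msg=audit(1388163320.29:614): avc: denied { ioctl } for pid=4767 comm="mail" path="/home/tbecker/rsync_backup.log" dev="dm-1" ino=3670331 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1388163320.29:614): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=5401 a2=7ffff8f210e0 a3=8 items=0 ppid=3711 pid=4767 auid=0 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS = re.compile(r'\{([^}]*)\}')           # the { perm ... } list of an AVC


def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"type": m.group(1), "event_id": int(m.group(3))}
    rest = line[m.end():]
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(rest))
    perms = PERMS.search(rest)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def summarize(lines):
    """Pair the AVC with the SYSCALL record of the same event and condense it."""
    recs = [parse_record(l) for l in lines]
    avc = next(r for r in recs if r["type"] == "AVC")
    sc = next((r for r in recs if r["type"] == "SYSCALL"
               and r["event_id"] == avc["event_id"]), {})
    src = avc["scontext"].split(":")[2]   # user:role:type:level -> type
    tgt = avc["tcontext"].split(":")[2]
    return {
        "key": ",".join([avc["comm"], src, tgt, avc["tclass"]] + avc["perms"]),
        "path": avc.get("path"),
        "syscall_exit": sc.get("exit"),
        # Heuristic (assumption): an enforced denial fails the call with EACCES.
        "blocked": sc.get("success") == "no" and sc.get("exit") in ("EACCES", "-13"),
    }


if __name__ == "__main__":
    print(summarize(RAW))
```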
Are you booting with "enforcing=0" or with the SELINUX line in /etc/selinux/config set to SELINUX=disabled?
SELINUX=disabled

Here's my /etc/selinux/conf file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Tim, This is likely a problem with the libselinux package. Boot with "selinux=0" so that the kernel does not load any of the SELinux infrastructure if you really want to disable SELinux entirely.
fixed in libselinux-2.2.1-6.fc20
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.