Description of problem: 1. I am using irssi with libnotify , I am following http://code.google.com/p/irssi-libnotify/wiki/MainPage as reference document. 2. currently after setting up the configuration, selinux denies irssi to send messages as irssi seems to execute /bin/bash. Is there a sane way to make this work ? SELinux is preventing /usr/bin/irssi from 'execute' accesses on the file /usr/bin/bash. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that irssi should be allowed execute access on the bash file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep irssi /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:irc_t:s0-s0:c0.c1023 Target Context system_u:object_r:shell_exec_t:s0 Target Objects /usr/bin/bash [ file ] Source irssi Source Path /usr/bin/irssi Port <Unknown> Host (removed) Source RPM Packages irssi-0.8.16-0.1.rc1.fc20.x86_64 Target RPM Packages bash-4.2.45-4.fc20.x86_64 Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64 Alert Count 8 First Seen 2013-12-30 10:15:49 IST Last Seen 2013-12-30 10:18:51 IST Local ID 16c79ee9-4835-4d2b-8ffa-0dabb7c3a785 Raw Audit Messages type=AVC msg=audit(1388378931.563:546): avc: denied { execute } for pid=2622 comm="irssi" name="bash" dev="dm-2" ino=782799 scontext=staff_u:staff_r:irc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file type=SYSCALL msg=audit(1388378931.563:546): arch=x86_64 syscall=execve success=no exit=EACCES a0=35bd367091 a1=7fff8edbfaf0 a2=7fff8edc31f8 a3=8 items=0 ppid=2367 pid=2622 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 ses=1 tty=pts1 comm=irssi exe=/usr/bin/irssi subj=staff_u:staff_r:irc_t:s0-s0:c0.c1023 key=(null) Hash: irssi,irc_t,shell_exec_t,file,execute Additional info: reporter: libreport-2.1.10 hashmarkername: setroubleshoot kernel: 3.12.5-302.fc20.x86_64 type: libreport
0013c7e0cfb8a4ba42f4219554adcf394030a081 allows this in git. If you execute # grep irssi /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp It should allow this access.
back ported.
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.