Description of problem:
I installed tomcat and wanted to try setting up multiple tomcat instances. The current tomcat@.service looks for a catalina base under /var/lib/tomcats (not tomcat). I created the directory and tried setting it to tomcat_var_lib_t instead of var_lib_t. Issuing chcon -t tomcat_var_lib_t /var/lib/tomcats generates the error. I could be doing something wrong but I believe this should be allowed.

SELinux is preventing /usr/bin/chcon from 'mac_admin' accesses on the capability2 .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chcon should be allowed mac_admin access on the capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chcon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                 [ capability2 ]
Source                        chcon
Source Path                   /usr/bin/chcon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-18.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2014-01-02 17:07:33 EST
Last Seen                     2014-01-02 17:11:04 EST
Local ID                      387876c8-4399-4e89-8d96-ca053e0ac0ff

Raw Audit Messages
type=AVC msg=audit(1388700664.834:828): avc: denied { mac_admin } for pid=11671 comm="chcon" capability=33 scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2

type=SYSCALL msg=audit(1388700664.834:828): arch=x86_64 syscall=setxattr success=no exit=EINVAL a0=11ca0e0 a1=341581956e a2=11cb610 a3=26 items=0 ppid=2576 pid=11671 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=chcon exe=/usr/bin/chcon subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: chcon,unconfined_t,unconfined_t,capability2,mac_admin

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.5-302.fc20.x86_64
type:           libreport

Potential duplicate: bug 672382
After reading the potential duplicate it appears I was typing something wrong. :)
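
Added example, not part of the original report: a small triage script that pairs the AVC and SYSCALL records from the report by event number and flags the pattern seen here. It relies on general SELinux behaviour that the report does not state: the kernel checks mac_admin when a process tries to set a security context the loaded policy does not recognise, so a mac_admin denial on a setxattr that fails with EINVAL usually points to a mistyped or undefined label rather than to missing policy. The function names are hypothetical.

```python
import re

# The two raw audit records from the report above (event 828), abridged to the
# fields used here. They are in interpreted form, as "ausearch -i" prints them.
AUDIT_LINES = [
    'type=AVC msg=audit(1388700664.834:828): avc: denied { mac_admin } for pid=11671 '
    'comm="chcon" capability=33 '
    'scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2',
    'type=SYSCALL msg=audit(1388700664.834:828): arch=x86_64 syscall=setxattr '
    'success=no exit=EINVAL a0=11ca0e0 a1=341581956e a2=11cb610 a3=26 items=0 '
    'ppid=2576 pid=11671 auid=1000 uid=0 comm=chcon exe=/usr/bin/chcon',
]

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(lines):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        p = PERMS_RE.search(body)
        if p:
            fields['perms'] = p.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events


def invalid_label_attempts(lines):
    """Return events where a label write was rejected as an invalid context."""
    # Assumption (general SELinux behaviour, not from the report): mac_admin
    # denied + *setxattr failing with EINVAL means the context is not in policy.
    hits = []
    for serial, recs in parse_events(lines).items():
        avc, sc = recs.get('AVC', {}), recs.get('SYSCALL', {})
        if ('mac_admin' in avc.get('perms', []) and avc.get('tclass') == 'capability2'
                and sc.get('syscall', '').endswith('setxattr') and sc.get('exit') == 'EINVAL'):
            hits.append({'event': serial, 'comm': avc.get('comm'), 'exe': sc.get('exe')})
    return hits


if __name__ == '__main__':
    print(invalid_label_attempts(AUDIT_LINES))
```

When this pattern matches, check the spelling of the requested type against the loaded policy before generating a local module with audit2allow, since allowing mac_admin would only let the invalid label be written.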