Description of problem: I update my machine and after the update was finished the sealert notification was there. The problem probably is due to pcscd being (re)started and the new daemon checking if an old daemon is still running: --- 8< --- src/pcscdaemon.c:355 --- /* * test the presence of /var/run/pcscd/pcscd.comm */ rv = stat(PCSCLITE_CSOCK_NAME, &fStatBuf); if (rv == 0) { pid_t pid; /* read the pid file to get the old pid and test if the old pcscd is * still running */ pid = GetDaemonPid(); if (pid != -1) { if (HotPlug) return SendHotplugSignal(); rv = kill(pid, 0); if (0 == rv) --- >8 --- SELinux is preventing /usr/sbin/pcscd from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pcscd should be allowed signull access on processes labeled pcscd_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pcscd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcscd_t:s0 Target Context system_u:system_r:pcscd_t:s0 Target Objects [ process ] Source pcscd Source Path /usr/sbin/pcscd Port <Unknown> Host (removed) Source RPM Packages pcsc-lite-1.8.10-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2014-01-05 15:18:02 CET Last Seen 2014-01-05 15:18:02 CET Local ID fc694798-d818-4169-aae6-914473daff6d Raw Audit Messages type=AVC msg=audit(1388931482.103:6885): avc: denied { signull } for pid=29897 comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process type=SYSCALL msg=audit(1388931482.103:6885): arch=x86_64 syscall=kill success=no exit=EACCES a0=49d a1=0 a2=a a3=7fff16daeef0 items=0 ppid=1 pid=29897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=pcscd exe=/usr/sbin/pcscd subj=system_u:system_r:pcscd_t:s0 key=(null) Hash: pcscd,pcscd_t,pcscd_t,process,signull Additional info: reporter: libreport-2.1.10 hashmarkername: setroubleshoot kernel: 3.12.5-302.fc20.x86_64 type: libreport
commit 89e669ccffa2e5d207fc7840876617186dcb4021 Author: Miroslav Grepl <mgrepl> Date: Mon Jan 6 10:27:47 2014 +0100 Allow pcscd to check if an old daemon is still running
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.