Description of problem: How did this problem happen? I installed the latest updates with yum and rebooted. The machine in question is a VM running on VMWare Fusion. How can it be reproduced? Unknown. Perhaps by rebooting? SELinux is preventing /usr/bin/vmtoolsd from 'write' accesses on the directory /tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that vmtoolsd should be allowed write access on the tmp directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep vmtoolsd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:vmtools_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects /tmp [ dir ] Source vmtoolsd Source Path /usr/bin/vmtoolsd Port <Unknown> Host (removed) Source RPM Packages open-vm-tools-9.4.0-1.fc20.x86_64 Target RPM Packages filesystem-3.2-19.fc20.x86_64 Policy RPM selinux-policy-3.12.1-119.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.12.8-300.fc20.x86_64 #1 SMP Thu Jan 16 01:07:50 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-01-24 08:49:44 GMT Last Seen 2014-01-24 08:49:44 GMT Local ID f037af3a-1aea-4076-ac12-b3356fbac7ee Raw Audit Messages type=AVC msg=audit(1390553384.445:126): avc: denied { write } for pid=381 comm="vmtoolsd" name="/" dev="tmpfs" ino=13435 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1390553384.445:126): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f5877c48680 a1=1c0 a2=1c a3=7fff8d389c80 items=0 ppid=1 pid=381 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=vmtoolsd exe=/usr/bin/vmtoolsd subj=system_u:system_r:vmtools_t:s0 key=(null) Hash: vmtoolsd,vmtools_t,tmp_t,dir,write Additional info: reporter: libreport-2.1.11 hashmarkername: setroubleshoot kernel: 3.12.8-300.fc20.x86_64 type: libreport
On inspection by using grep avc /var/log/audit/audit.log there are more denials: type=AVC msg=audit(1390553414.405:879): avc: denied { read } for pid=381 comm="vmtoolsd" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1390554727.449:23): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability type=AVC msg=audit(1390554727.450:24): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability type=AVC msg=audit(1390554727.450:25): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability type=AVC msg=audit(1390554727.454:26): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1390554727.457:27): avc: denied { sys_rawio } for pid=380 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability type=AVC msg=audit(1390554727.460:29): avc: denied { execute } for pid=424 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file type=AVC msg=audit(1390554727.467:31): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:32): avc: denied { read } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:33): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:34): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:35): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:36): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:37): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1390554727.467:38): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Scraping all my audit logs using grep "avc: de" audit.log* | sort | uniq -f 13 -c | grep vmtoolsd shows the following: 5 audit.log:type=AVC msg=audit(1390537553.740:27914): avc: denied { getattr } for pid=5619 comm="updatedb" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file 1 audit.log:type=AVC msg=audit(1390553384.398:28): avc: denied { execute } for pid=432 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file 253 audit.log:type=AVC msg=audit(1390553384.444:29): avc: denied { write } for pid=381 comm="vmtoolsd" name="/" dev="tmpfs" ino=13435 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 3 audit.log:type=AVC msg=audit(1390553384.450:282): avc: denied { sys_time } for pid=381 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability 1 audit.log:type=AVC msg=audit(1390553384.455:285): avc: denied { read } for pid=381 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 1 audit.log:type=AVC msg=audit(1390553384.456:286): avc: denied { sys_rawio } for pid=381 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability 253 audit.log:type=AVC msg=audit(1390553384.456:287): avc: denied { write } for pid=381 comm="vmtoolsd" name="/" dev="tmpfs" ino=13435 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 1 audit.log:type=AVC msg=audit(1390553414.399:875): avc: denied { read } for pid=381 comm="vmtoolsd" name="devices" dev="proc" ino=4026532024 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 1 audit.log:type=AVC msg=audit(1390553414.400:876): avc: denied { getattr } for pid=381 comm="vmtoolsd" path="/dev/sda1" dev="devtmpfs" ino=1593 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file 1 audit.log:type=AVC msg=audit(1390553414.401:877): avc: denied { read } for pid=381 comm="vmtoolsd" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file 2 audit.log:type=AVC msg=audit(1390553414.404:878): avc: denied { read } for pid=381 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 3 audit.log:type=AVC msg=audit(1390554727.449:23): avc: denied { sys_time } for pid=380 comm="vmtoolsd" capability=25 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability 1 audit.log:type=AVC msg=audit(1390554727.454:26): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 1 audit.log:type=AVC msg=audit(1390554727.457:27): avc: denied { sys_rawio } for pid=380 comm="vmtoolsd" capability=17 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=capability 1 audit.log:type=AVC msg=audit(1390554727.460:29): avc: denied { execute } for pid=424 comm="vmtoolsd" name="bash" dev="sda2" ino=34071102 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file 253 audit.log:type=AVC msg=audit(1390554727.467:31): avc: denied { write } for pid=380 comm="vmtoolsd" name="/" dev="tmpfs" ino=11892 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 1 audit.log:type=AVC msg=audit(1390554757.452:707): avc: denied { read } for pid=380 comm="vmtoolsd" name="devices" dev="proc" ino=4026532024 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 1 audit.log:type=AVC msg=audit(1390554757.453:708): avc: denied { getattr } for pid=380 comm="vmtoolsd" path="/dev/sda1" dev="devtmpfs" ino=7944 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file 1 audit.log:type=AVC msg=audit(1390554757.454:709): avc: denied { read } for pid=380 comm="vmtoolsd" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file 2 audit.log:type=AVC msg=audit(1390554757.455:710): avc: denied { read } for pid=380 comm="vmtoolsd" name="uptime" dev="proc" ino=4026532029 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
vmtools should be a permissive domain. f00de9355ade76a31c440d38cd87e94c76b59bb6 adds these rules to git.
selinux-policy-3.12.1-121.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-121.fc20
Package selinux-policy-3.12.1-121.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-121.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-121.fc20 then log in and leave karma (feedback).
One AVC remaining after installing selinux-policy{,-targeted}-3.12.1-121.fc20: type=AVC msg=audit(1390968317.814:422): avc: denied { getattr } for pid=617 comm="vmtoolsd" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Package selinux-policy-3.12.1-122.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-122.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-122.fc20 then log in and leave karma (feedback).
Description of problem: Running Fedora in A VM and the VMWare Tools attempted to run on launch of the VM. Additional info: reporter: libreport-2.1.11 hashmarkername: setroubleshoot kernel: 3.12.8-300.fc20.x86_64 type: libreport
Unfortunately selinux-policy-3.12.1-122.fc20.noarch does not solve all the VMware Tools problems. If I make VMware shut down the guest, another round of denials occur: type=AVC msg=audit(1391678717.211:376): avc: denied { execute } for pid=1904 comm="vmtoolsd" name="poweroff-vm-default" dev="sda2" ino=821407 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=AVC msg=audit(1391678717.211:376): avc: denied { execute_no_trans } for pid=1904 comm="vmtoolsd" path="/etc/vmware-tools/poweroff-vm-default" dev="sda2" ino=821407 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=AVC msg=audit(1391678717.347:377): avc: denied { getattr } for pid=1917 comm="which" path="/usr/sbin/ifconfig" dev="sda2" ino=68707287 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file type=AVC msg=audit(1391678717.463:378): avc: denied { execute } for pid=1923 comm="sh" name="systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file type=AVC msg=audit(1391678717.463:378): avc: denied { read open } for pid=1923 comm="sh" path="/usr/bin/systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file type=AVC msg=audit(1391678717.463:378): avc: denied { execute_no_trans } for pid=1923 comm="sh" path="/usr/bin/systemctl" dev="sda2" ino=34494703 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file type=AVC msg=audit(1391678717.465:379): avc: denied { read } for pid=1923 comm="shutdown" name="root" dev="proc" ino=7829 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file type=AVC msg=audit(1391678717.465:379): avc: denied { read } for pid=1923 comm="shutdown" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file type=AVC msg=audit(1391678717.467:380): avc: denied { connectto } for pid=1923 comm="shutdown" path="/run/systemd/private" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=USER_AVC msg=audit(1391678717.526:381): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1391678717.529:382): avc: denied { read } for pid=1923 comm="shutdown" name="utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=AVC msg=audit(1391678717.529:382): avc: denied { open } for pid=1923 comm="shutdown" path="/run/utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=AVC msg=audit(1391678717.530:383): avc: denied { lock } for pid=1923 comm="shutdown" path="/run/utmp" dev="tmpfs" ino=15384 scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
selinux-policy-3.12.1-122.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Reopening. I don't even know why this was closed - I mentioned there are still problems in comment #8...
commit 61bc70fc1f6c167e8ea4366ef7c3564b5d429102 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 18 13:46:08 2014 +0100 Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
Package selinux-policy-3.12.1-126.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20 then log in and leave karma (feedback).
Nearly there - when using the VMware host's features (Shutdown, Restart, Suspend) there are the following: grep avc /var/log/audit/audit.log{,.1} /var/log/audit/audit.log:type=AVC msg=audit(1393149761.497:365): avc: denied { transition } for pid=1376 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log:type=USER_AVC msg=audit(1393149777.972:379): pid=427 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.54 spid=522 tpid=1674 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:vmtools_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' /var/log/audit/audit.log:type=AVC msg=audit(1393149965.016:364): avc: denied { transition } for pid=1383 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1392800649.158:351): avc: denied { transition } for pid=1335 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1392800894.142:396): avc: denied { transition } for pid=2496 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1392800943.770:364): avc: denied { transition } for pid=1381 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1392801389.929:366): avc: denied { transition } for pid=1355 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1393149309.648:366): avc: denied { transition } for pid=1412 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process /var/log/audit/audit.log.1:type=AVC msg=audit(1393149421.738:410): avc: denied { transition } for pid=2338 comm="vmware-user-sui" path="/usr/bin/vmtoolsd" dev="sda2" ino=34738378 scontext=unconfined_u:unconfined_r:vmtools_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:vmtools_t:s0-s0:c0.c1023 tclass=process I guess someone should also do tests on ESXi as it can request different features (time sync, ip addresses etc).
A word of warning: don't use VMware's suspend menu option in selinux enforcing mode until these issues are fixed - it will cause your network connection to become broken.
commit a2f8b4549ef3e89013c5713acae49d5b89959e32 Author: Miroslav Grepl <mgrepl> Date: Mon Feb 24 12:22:06 2014 +0100 Allow vmtools_helper_t to change role to system_r
Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.