Description of problem: SELinux is preventing /usr/bin/who from 'read' accesses on the file /etc/group. ***** Plugin catchall (100. confidence) suggests ************************** If você acredita que o who deva ser permitido acesso de read em group file por default. Then você precisa reportar este como um erro. Você pode gerar um módulo de política local para permitir este acesso. Do permitir este acesso agora executando: # grep who /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:zabbix_agent_t:s0 Target Context system_u:object_r:passwd_file_t:s0 Target Objects /etc/group [ file ] Source who Source Path /usr/bin/who Port <Unknown> Host (removed) Source RPM Packages coreutils-8.21-20.fc20.x86_64 Target RPM Packages setup-2.8.71-2.fc20.noarch Policy RPM selinux-policy-3.12.1-122.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.12.10-300.fc20.x86_64 #1 SMP Thu Feb 6 22:11:48 UTC 2014 x86_64 x86_64 Alert Count 145 First Seen 2014-02-13 23:06:39 BRST Last Seen 2014-02-14 06:56:39 BRST Local ID 2a57c97d-c699-47f9-b00b-3ed6852e4793 Raw Audit Messages type=AVC msg=audit(1392368199.324:963): avc: denied { read } for pid=2324 comm="who" name="group" dev="sda5" ino=65475 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file type=AVC msg=audit(1392368199.324:963): avc: denied { open } for pid=2324 comm="who" path="/etc/group" dev="sda5" ino=65475 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file type=SYSCALL msg=audit(1392368199.324:963): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fcb26259f27 a1=80000 a2=1b6 a3=0 items=0 ppid=2323 pid=2324 auid=4294967295 uid=977 gid=972 euid=977 suid=977 fsuid=977 egid=972 sgid=972 fsgid=972 ses=4294967295 tty=(none) comm=who exe=/usr/bin/who subj=system_u:system_r:zabbix_agent_t:s0 key=(null) Hash: who,zabbix_agent_t,passwd_file_t,file,read Additional info: reporter: libreport-2.1.12 hashmarkername: setroubleshoot kernel: 3.12.10-300.fc20.x86_64 type: libreport
368a3f2bd2c4add7bae8f36891a7d8b125f7ca13 fixes this in git.
back ported.
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
Package selinux-policy-3.12.1-126.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20 then log in and leave karma (feedback).
Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.