Description of problem:
sudo yum -y install bbswitch bumblebee
grep bumblebeed /var/log/audit/audit.log | audit2allow -M bumblebee
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i bumblebee.pp

[root@boris weekleyj]# semodule -i bumblebee.pp
libsepol.print_missing_requirements: bumblebee's global requirements were not met: type/attribute bumblebee_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

It's repeatable.

SELinux is preventing bumblebeed from 'search' accesses on the directory /var/lib/sss/mc.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bumblebeed should be allowed search access on the mc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bumblebeed /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bumblebee_t:s0
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc [ dir ]
Source                        bumblebeed
Source Path                   bumblebeed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           sssd-common-1.12.1-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-86.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.17.1-300.fc21.x86_64 #1 SMP Wed Oct 15 20:53:21 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 18:13:37 CDT
Last Seen                     2014-10-21 18:13:37 CDT
Local ID                      e50d301e-79a4-49f7-8dcb-bb8316e5196d

Raw Audit Messages
type=AVC msg=audit(1413933217.317:1280): avc: denied { search } for pid=5045 comm="bumblebeed" name="mc" dev="sda4" ino=130629 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1

Hash: bumblebeed,bumblebee_t,sssd_public_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-86.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-300.fc21.x86_64
type:           libreport
Does anyone know why bumblebee needs this search?
bumblebee has auth_read_passwd(bumblebee_t) and is looking for /var/lib/sss/mc/{group|passwd} on sssd systems.
commit c94799594ec00950fda591713e681222e9c87cd1
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 14 14:13:05 2014 +0100

    Allow bumblebee to use nsswitch. BZ(1155339)
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21
selinux-policy-3.13.1-99.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
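
Added example, not part of the original report and not setroubleshoot's or the policy project's code: a small triage script that reduces AVC denial records to the five fields shown on the report's Hash line and notes whether any record was actually blocked (permissive=0), which is worth checking before piping a log into audit2allow. The function names are hypothetical, and the second and third sample records are constructed.

```python
import re
from collections import Counter

# Sample input: record 1 is the denial quoted in this report; records 2 and 3
# are constructed for the example (a repeat denial and an unrelated record).
SAMPLE_LOG = '''\
type=AVC msg=audit(1413933217.317:1280): avc: denied { search } for pid=5045 comm="bumblebeed" name="mc" dev="sda4" ino=130629 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1413933300.100:1301): avc: denied { search } for pid=5102 comm="bumblebeed" name="mc" dev="sda4" ino=130629 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1413933300.100:1301): arch=c000003e syscall=2 success=yes exit=3
'''

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial record, or None for any other line."""
    match = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    fields["perms"] = match.group(1).split()
    return fields


def signature(rec, perm):
    """comm, source type, target type, class, permission (the Hash line's fields)."""
    source_type = rec["scontext"].split(":")[2]  # user:role:type:level
    target_type = rec["tcontext"].split(":")[2]
    return ",".join([rec["comm"], source_type, target_type, rec["tclass"], perm])


def summarize(log_text):
    """Map signature -> (count, blocked); blocked only if a record says permissive=0."""
    counts, blocked = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            sig = signature(rec, perm)
            counts[sig] += 1
            blocked[sig] = blocked.get(sig, False) or rec.get("permissive") == "0"
    return {sig: (count, blocked[sig]) for sig, count in counts.items()}


if __name__ == "__main__":
    for sig, (count, was_blocked) in summarize(SAMPLE_LOG).items():
        print(f"{count}x {sig} blocked={was_blocked}")
```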