Description of problem:
SELinux is preventing /usr/bin/pkla-check-authorization from using the 'rlimitinh' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pkla-check-authorization should be allowed rlimitinh access on processes labeled policykit_auth_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pkla-check-auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:policykit_t:s0
Target Context                system_u:system_r:policykit_auth_t:s0
Target Objects                 [ process ]
Source                        pkla-check-auth
Source Path                   /usr/bin/pkla-check-authorization
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-pkla-compat-0.1-3.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-192.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.6-203.fc20.x86_64 #1 SMP Sat Oct 25 12:44:32 UTC 2014 x86_64 x86_64
Alert Count                   326
First Seen                    2014-10-31 04:21:07 PDT
Last Seen                     2014-10-31 04:40:01 PDT
Local ID                      ac849723-27bd-4560-b212-b880111a3763

Raw Audit Messages
type=AVC msg=audit(1414755601.604:4372): avc: denied { rlimitinh } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0

type=AVC msg=audit(1414755601.604:4372): avc: denied { siginh } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0

type=AVC msg=audit(1414755601.604:4372): avc: denied { noatsecure } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1414755601.604:4372): arch=x86_64 syscall=execve success=yes exit=0 a0=7fc8e6ed1cb0 a1=7fc8e6f4b550 a2=7fff3692f4f0 a3=7fff3692e150 items=0 ppid=1649 pid=10849 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm=pkla-check-auth exe=/usr/bin/pkla-check-authorization subj=system_u:system_r:policykit_auth_t:s0 key=(null)

Hash: pkla-check-auth,policykit_t,policykit_auth_t,process,rlimitinh

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.6-203.fc20.x86_64
type:           libreport

Potential duplicate: bug 984456
Basically you need to run

# semodule -B

which will turn "dontaudit" rules back on.
Yes. Did you need to turn dontaudit rules off?
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
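Added example (not part of the bug report or of any project's code): a small Python parser that groups raw AVC records like the ones above by audit event and flags events made up only of rlimitinh, siginh and noatsecure denials on tclass=process, the pattern the comments attribute to disabled dontaudit rules. Treating those three permissions as the noise set is an assumption taken from this report; the third sample line and its example_t types are constructed.

```python
import re
from collections import defaultdict

# Permissions denied in this report; assumed here to be the ones normally
# silenced by dontaudit rules when one domain executes into another.
NOISE_PERMS = {"rlimitinh", "siginh", "noatsecure"}

# Matches one raw AVC denial line ('.' never crosses a newline).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: event 4372 mirrors the report, event 4400 is invented.
SAMPLE = """\
type=AVC msg=audit(1414755601.604:4372): avc: denied { rlimitinh } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
type=AVC msg=audit(1414755601.604:4372): avc: denied { siginh } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
type=AVC msg=audit(1414755601.604:4372): avc: denied { noatsecure } for pid=10849 comm="pkla-check-auth" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
type=AVC msg=audit(1414755700.100:4400): avc: denied { read } for pid=11000 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
"""


def classify(log_text):
    """Group AVC denials by audit event id and label each event.

    Returns {event_id: "dontaudit-noise" | "review"}. An event is noise only
    if every denial in it is on tclass=process and asks for nothing outside
    NOISE_PERMS; any other denial in the same event forces "review".
    """
    events = defaultdict(list)
    for m in AVC_RE.finditer(log_text):
        events[m["event"]].append((set(m["perms"].split()), m["tclass"]))

    verdicts = {}
    for event, denials in events.items():
        noise = all(tclass == "process" and perms <= NOISE_PERMS
                    for perms, tclass in denials)
        verdicts[event] = "dontaudit-noise" if noise else "review"
    return verdicts


if __name__ == "__main__":
    for event, verdict in classify(SAMPLE).items():
        print(event, verdict)
```

Events labelled dontaudit-noise are the case the comment above answers with `semodule -B` rather than a local `audit2allow` module; anything labelled review still needs to be read on its own merits.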