Description of problem:
This happens right after start of the system

SELinux is preventing /usr/lib/systemd/systemd-journald from 'getattr' accesses on the netlink_audit_socket netlink_audit_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-journald should be allowed getattr access on the netlink_audit_socket netlink_audit_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                netlink_audit_socket [ netlink_audit_socket ]
Source                        systemd-journal
Source Path                   /usr/lib/systemd/systemd-journald
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-218-3.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-101.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.19.0-0.rc3.git2.1.fc22.x86_64 #1 SMP Fri Jan 9 14:34:01 UTC 2015 x86_64 x86_64
Alert Count                   17
First Seen                    2015-01-15 16:49:54 CET
Last Seen                     2015-01-15 16:50:22 CET
Local ID                      ff882b62-84a5-4ae6-b3f8-9546e4dc4a7a

Raw Audit Messages
type=AVC msg=audit(1421337022.690:567): avc: denied { getattr } for pid=738 comm="systemd-journal" path="socket:[11305]" dev="sockfs" ino=11305 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=netlink_audit_socket permissive=1

type=SYSCALL msg=audit(1421337022.690:567): arch=x86_64 syscall=ioctl success=no exit=ENOTSUP a0=6 a1=541b a2=7ffff85be5cc a3=ffffffff items=0 ppid=1 pid=738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)

Hash: systemd-journal,syslogd_t,kernel_t,netlink_audit_socket,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-101.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc3.git2.1.fc22.x86_64
type:           libreport

Description of problem:
Happens on boot of a Rawhide Workstation live image with selinux-policy-3.13.1-107.fc22.

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Proposing as a Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications .
I don't see this any more with the recent selinux-policy-3.13.1-110.fc22.noarch build.
yeah, I didn't either. Call it closed.

Description of problem:
This SELinux warning is appearing every few minutes during usual session.

Version-Release number of selected component:
selinux-policy-3.13.1-110.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-1.fc22.x86_64
type:           libreport

commit fd1640754378a34b38f529d3c37f599170e17957
Author: Dan Walsh <dwalsh>
Date:   Sat Feb 7 18:44:46 2015 +0100

    Allow syslogd/journal to read netlink audit socket

Patch included in this build.
http://koji.fedoraproject.org/koji/buildinfo?buildID=610267