Description of problem: radicale gives selinux problems on start Version-Release number of selected component (if applicable): 0.10-1, grabbed from f22 and rebuilt against f21 (Also seems to happen with stock current 0.9-2) How reproducible: every time on restart Steps to Reproduce: 1. systemctl restart radicale.service 2. see errors in systemctl status -l radicale.service 3. Actual results: output of status is: Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep radicale /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep radicale /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep radicale /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /run/radicale/radicale.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python2.7 should be allowed getattr access on the radicale.pid file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep radicale /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Expected results: no such messages Additional info: suggested fix from grep radicale /var/log/audit/audit.log | audit2allow -M mypol is this policy: module mypol 1.0; require { type radicale_t; type var_run_t; class dir { write remove_name add_name }; class file { write create unlink open getattr }; } #============= radicale_t ============== allow radicale_t var_run_t:dir { write remove_name add_name }; allow radicale_t var_run_t:file { write create unlink open getattr }; I'm not an SELinux expert, but the selinux code in radicale-0.10-1 seems to not mention /var/run
radicale-0.10-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/radicale-0.10-2.fc21
radicale-0.10-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/radicale-0.10-2.fc20
Package radicale-0.10-2.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing radicale-0.10-2.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-2480/radicale-0.10-2.fc21 then log in and leave karma (feedback).
radicale-0.10-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
radicale-0.10-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.