Description of problem:
SELinux is preventing restorecon from 'associate' accesses on the filesystem /sys/kernel/debug.

***** Plugin filesystem_associate (99.5 confidence) suggests **************

If you believe restorecon should be allowed to create debug files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that restorecon should be allowed associate access on the debug filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:sysfs_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                /sys/kernel/debug [ filesystem ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-116.fc22.noarch selinux-policy-3.13.1-118.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.0.0-0.rc4.git0.1.fc22.i686+PAE #1 SMP Mon Mar 16 14:55:09 UTC 2015 i686 i686
Alert Count                   1
First Seen                    2015-03-20 14:02:15 YEKT
Last Seen                     2015-03-20 14:02:15 YEKT
Local ID                      df22a5ae-4b4e-4f20-94b9-4d1ed127ce78

Raw Audit Messages
type=AVC msg=audit(1426842135.368:619): avc: denied { associate } for pid=5729 comm="restorecon" name="/" dev="debugfs" ino=1 scontext=system_u:object_r:sysfs_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=filesystem permissive=1

Hash: restorecon,sysfs_t,debugfs_t,filesystem,associate

Version-Release number of selected component:
selinux-policy-3.13.1-116.fc22.noarch
selinux-policy-3.13.1-118.fc22.noarch
Additional info:
reporter:       libreport-2.4.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc4.git0.1.fc22.i686+PAE
type:           libreport
Description of problem:
It happened when running "restorecon -FRv /" on a fully updated and running F22 system.

Version-Release number of selected component:
selinux-policy-3.13.1-119.fc22.noarch

Additional info:
reporter:       libreport-2.5.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc5.git1.3.fc22.x86_64
type:           libreport
2763e4b01c90c6f70b13c7afa9b95d2bca3a62d5 fixes this in git. This AVC is safe to ignore.
commit 4898ca2bf1e1c8861c65b9912096f8d90df6b97f
Author: Dan Walsh <dwalsh>
Date:   Tue Mar 31 12:41:37 2015 -0400

    Set label of /sys/kernel/debug
selinux-policy-3.13.1-126.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-126.fc22
Package selinux-policy-3.13.1-126.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-126.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-8101/selinux-policy-3.13.1-126.fc22
then log in and leave karma (feedback).
selinux-policy-3.13.1-126.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.