Description of problem:
SELinux is preventing restorecon from 'associate' accesses on the filesystem /sys/kernel/debug.

***** Plugin filesystem_associate (99.5 confidence) suggests **************

If you believe restorecon should be allowed to create debug files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that restorecon should be allowed associate access on the debug filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:sysfs_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                /sys/kernel/debug [ filesystem ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.13.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.5-200.fc21.x86_64 #1 SMP Mon Jun 8 16:25:02 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-12 14:21:21 PDT
Last Seen                     2015-06-12 14:21:21 PDT
Local ID                      ec46a89f-1e5b-4e47-81f5-022114ad020d

Raw Audit Messages
type=AVC msg=audit(1434144081.472:202): avc: denied { associate } for pid=4414 comm="restorecon" name="/" dev="debugfs" ino=1 scontext=system_u:object_r:sysfs_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=filesystem permissive=0

Hash: restorecon,sysfs_t,debugfs_t,filesystem,associate

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.5-200.fc21.x86_64
type:           libreport

Potential duplicate: bug 1204049
commit eee97543812d43109750dca687fabc9fbd34e8a1
Author: Dan Walsh <dwalsh>
Date:   Tue Mar 31 12:41:37 2015 -0400

    Set label of /sys/kernel/debug
(In reply to Lukas Vrabec from comment #1)
> commit eee97543812d43109750dca687fabc9fbd34e8a1
> Author: Dan Walsh <dwalsh>
> Date: Tue Mar 31 12:41:37 2015 -0400
>
> Set label of /sys/kernel/debug

Thanks Lukas for backporting this fix.
selinux-policy-3.13.1-105.20.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.20.fc21
No problem Roy.
Package selinux-policy-3.13.1-105.20.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.20.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-12049/selinux-policy-3.13.1-105.20.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.20.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.