Description of problem:
Run yum update after a week. Receive notification without really doing anything. No custom configs. Chrony has been running since Aug03 (last boot). Updates did not include chrony but did update selinux-policy, among other 100 packages:

 selinux-policy            noarch  3.13.1-128.10.fc22  updates  417 k
 selinux-policy-devel      noarch  3.13.1-128.10.fc22  updates  3.3 M
 selinux-policy-targeted   noarch  3.13.1-128.10.fc22  updates  4.0 M

SELinux is preventing /usr/bin/cat from 'getattr' accesses on the file /run/chrony-helper/added_servers.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cat should be allowed getattr access on the added_servers file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cat /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/chrony-helper/added_servers [ file ]
Source                        cat
Source Path                   /usr/bin/cat
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.23-10.fc22.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.1.3-200.fc22.i686+PAE #1 SMP Wed Jul 22 20:09:43 UTC 2015 i686 i686
Alert Count                   15
First Seen                    2015-07-31 02:18:44 EEST
Last Seen                     2015-08-22 11:16:40 EEST
Local ID                      af989861-24a8-4c92-9f0e-dbb6c15f4ad6

Raw Audit Messages
type=AVC msg=audit(1440231400.161:1126): avc: denied { getattr } for pid=20468 comm="cat" path="/run/chrony-helper/added_servers" dev="tmpfs" ino=20774 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1440231400.161:1126): arch=i386 syscall=fstat64 success=yes exit=0 a0=3 a1=bfb73b2c a2=b76fa000 a3=3 items=0 ppid=20466 pid=20468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cat exe=/usr/bin/cat subj=system_u:system_r:dhcpc_t:s0 key=(null)

Hash: cat,dhcpc_t,var_run_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-200.fc22.i686+PAE
type:           libreport
commit 85dbf965f1001b836249240fffbde332012bc776
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 11:17:52 2015 +0200

    Allow dhcpc_t domain transition to chronyd_t
selinux-policy-3.13.1-128.13.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.