Description of problem: Command: $ sudo ausearch -c (ostnamed) --raw | audit2allow -M mypol bash: syntax error near unexpected token `(' From following report: $ sealert -l 29306eea-442b-448d-a647-6f1dede9ee78 SELinux is preventing (ostnamed) from mounton access on the directory /home. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /home default label should be home_root_t. Then you can run restorecon. Do # /sbin/restorecon -v /home ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow (ostnamed) to have mounton access on the home directory Then you need to change the label on /home Do # semanage fcontext -a -t FILE_TYPE '/home' where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t, audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t, binfmt_misc_fs_t, boot_t, capifs_t, cgroup_t, cifs_t, container_image_t, debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t, efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t, ifconfig_var_run_t, init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t, mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t, news_spool_t, nfs_t, nfsd_fs_t, openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t, proc_xen_t, pstore_t, public_content_rw_t, public_content_t, ramfs_t, random_seed_t, removable_t, root_t, rpc_pipefs_t, security_t, spufs_t, src_t, svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t, tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_var_lib_t. Then execute: restorecon -v '/home' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that (ostnamed) should be allowed mounton access on the home directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c (ostnamed) --raw | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /home [ dir ] Source (ostnamed) Source Path (ostnamed) Port <Unknown> Host localhost Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-182.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost Platform Linux localhost 4.5.1-300.fc24.x86_64 #1 SMP Tue Apr 12 18:55:06 UTC 2016 x86_64 x86_64 Alert Count 28 First Seen 2016-04-18 20:27:54 CEST Last Seen 2016-04-19 16:14:48 CEST Local ID 29306eea-442b-448d-a647-6f1dede9ee78 Raw Audit Messages type=AVC msg=audit(1461075288.431:423): avc: denied { mounton } for pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 Version-Release number of selected component (if applicable): setroubleshoot-server-3.3.5-3.fc24.x86_64 How reproducible: Always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Thanks for the report! It's fixed upstream https://github.com/fedora-selinux/setroubleshoot/commit/8adf7e62142d83c4a679148f7434cbbdf69049fe and https://github.com/fedora-selinux/setroubleshoot/commit/87600576429ae30f9e220a14c6497f9aa2df3243 and it will be fixed in the next update/release. In the mean time you can try setroubleshoot-plugins-3.3.4-0.fc24.4 from my COPR - https://copr.fedorainfracloud.org/coprs/plautrba
setroubleshoot-plugins-3.3.4-1.fc23 setroubleshoot-3.3.6-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e5a3abe570
setroubleshoot-3.3.6-1.fc24 setroubleshoot-plugins-3.3.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-812271b66f
setroubleshoot-3.3.6-1.fc23, setroubleshoot-plugins-3.3.4-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e5a3abe570
setroubleshoot-3.3.6-1.fc24, setroubleshoot-plugins-3.3.4-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-812271b66f
setroubleshoot-3.3.6-1.fc24, setroubleshoot-plugins-3.3.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
setroubleshoot-3.3.6-1.fc23, setroubleshoot-plugins-3.3.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.