Description of problem:
I can reproduce the AVC with this command: `sudo systemctl restart nut-driver`. The service status is error, and AVCs are in the audit.log. If I use `sudo semanage permissive -a nut_upsdrvctl_t` and restart the service, the service runs without any error.

Then `sudo ausearch -m AVC -ts recent --raw` displays:

type=AVC msg=audit(1473778244.378:1172): avc: denied { read } for pid=38507 comm="usbhid-ups" name="c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778244.378:1173): avc: denied { open } for pid=38507 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778244.378:1174): avc: denied { getattr } for pid=38507 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778281.961:1197): avc: denied { read } for pid=38556 comm="usbhid-ups" name="c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778281.961:1198): avc: denied { open } for pid=38556 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778281.961:1199): avc: denied { getattr } for pid=38556 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

SELinux is preventing usbhid-ups from 'read' accesses on the file +usb:2-0:1.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that usbhid-ups should be allowed read access on the +usb:2-0:1.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'usbhid-ups' --raw | audit2allow -M my-usbhidups
# semodule -X 300 -i my-usbhidups.pp

Additional Information:
Source Context                system_u:system_r:nut_upsdrvctl_t:s0
Target Context                system_u:object_r:udev_var_run_t:s0
Target Objects                +usb:2-0:1.0 [ file ]
Source                        usbhid-ups
Source Path                   usbhid-ups
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.14.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64
Alert Count                   160
First Seen                    2016-09-13 10:28:21 CEST
Last Seen                     2016-09-13 14:22:39 CEST
Local ID                      3e0a8294-09c2-4dd7-8da0-f38dffb19e86

Raw Audit Messages
type=AVC msg=audit(1473769359.640:1079): avc: denied { read } for pid=34936 comm="usbhid-ups" name="+usb:2-0:1.0" dev="tmpfs" ino=18387 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

Hash: usbhid-ups,nut_upsdrvctl_t,udev_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Potential duplicate: bug 1299429
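
An added example (not part of the original report or of selinux-policy): a small Python parser that groups the AVC records quoted above by source type, target type and class. It shows that the enforcing-mode record covers only `read`, while the permissive run also logged `open` and `getattr`. Function names are hypothetical; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Four AVC records copied from the report: three from the permissive run
# (permissive=1) and the enforcing one from the setroubleshoot section.
SAMPLE = """\
type=AVC msg=audit(1473778244.378:1172): avc: denied { read } for pid=38507 comm="usbhid-ups" name="c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778244.378:1173): avc: denied { open } for pid=38507 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473778244.378:1174): avc: denied { getattr } for pid=38507 comm="usbhid-ups" path="/run/udev/data/c189:9" dev="tmpfs" ino=5229898 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1473769359.640:1079): avc: denied { read } for pid=34936 comm="usbhid-ups" name="+usb:2-0:1.0" dev="tmpfs" ino=18387 scontext=system_u:system_r:nut_upsdrvctl_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<mode>[01]))?"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "enforced": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        perms = m["perms"].split()
        rules[key]["perms"].update(perms)
        if m["mode"] == "0":  # permissive=0: the access was actually blocked
            rules[key]["enforced"].update(perms)
    return rules


def as_allow_rules(rules):
    """Render each group as the allow rule a local module would need."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(rules.items())]


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for rule in as_allow_rules(summary):
        print(rule)
    for key, v in summary.items():
        print(key, "seen only in permissive mode:", sorted(v["perms"] - v["enforced"]))
```
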
*** Bug 1299429 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.