Description of problem: SELinux is preventing rhsmcertd-worke from read, write access on the file /var/lib/rpm/Requirename. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /var/lib/rpm/Requirename default label should be rpm_var_lib_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/lib/rpm/Requirename ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow rhsmcertd-worke to have read write access on the Requirename file Then you need to change the label on /var/lib/rpm/Requirename Do # semanage fcontext -a -t FILE_TYPE '/var/lib/rpm/Requirename' where FILE_TYPE is one of the following: afs_cache_t, cert_t, etc_runtime_t, initrc_tmp_t, puppet_tmp_t, rhnsd_conf_t, rhsmcertd_lock_t, rhsmcertd_log_t, rhsmcertd_tmp_t, rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rpm_var_lib_t, system_conf_t, user_cron_spool_t, user_tmp_t, var_lock_t. Then execute: restorecon -v '/var/lib/rpm/Requirename' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that rhsmcertd-worke should be allowed read write access on the Requirename file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke # semodule -X 300 -i my-rhsmcertdworke.pp Additional Information: Source Context system_u:system_r:rhsmcertd_t:s0 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects /var/lib/rpm/Requirename [ file ] Source rhsmcertd-worke Source Path rhsmcertd-worke Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages rpm-4.13.0.1-1.fc24.i686 Policy RPM selinux-policy-3.13.1-191.24.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.9.13-101.fc24.i686+PAE #1 SMP Wed Mar 8 00:13:37 UTC 2017 i686 i686 Alert Count 15 First Seen 2017-03-22 19:19:50 CET Last Seen 2017-03-26 15:06:50 CEST Local ID c6939857-ce89-4280-bbe7-4ccee0b638e1 Raw Audit Messages type=AVC msg=audit(1490533610.674:388): avc: denied { read write } for pid=29510 comm="rhsmcertd-worke" name="Requirename" dev="sda5" ino=6044100 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 Hash: rhsmcertd-worke,rhsmcertd_t,var_lib_t,file,read,write Version-Release number of selected component: selinux-policy-3.13.1-191.24.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.9.13-101.fc24.i686+PAE type: libreport
target context var_lib_t instead of rpm_var_lib_t I would say it is a duplicate of BZ1461313. Workaround is to restore SELinux context after rebuilding rpm db. https://bugzilla.redhat.com/show_bug.cgi?id=1461313#c1
*** This bug has been marked as a duplicate of bug 1461313 ***