Description of problem: occered when some appication crashed SELinux is preventing (coredump) from 'mounton' accesses on the directory /var/lib/systemd/coredump. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (coredump) should be allowed mounton access on the coredump directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(coredump)' --raw | audit2allow -M my-coredump # semodule -X 300 -i my-coredump.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:init_var_lib_t:s0 Target Objects /var/lib/systemd/coredump [ dir ] Source (coredump) Source Path (coredump) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages systemd-234-1.fc27.x86_64 Policy RPM selinux-policy-3.13.1-263.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.13.0-0.rc0.git6.1.fc27.x86_64 #1 SMP Wed Jul 12 14:25:45 UTC 2017 x86_64 x86_64 Alert Count 3 First Seen 2017-07-16 13:12:56 +05 Last Seen 2017-07-16 13:51:51 +05 Local ID 1f309cac-088d-42c7-8778-b14fdc1e9fbe Raw Audit Messages type=AVC msg=audit(1500195111.268:520): avc: denied { mounton } for pid=28647 comm="(coredump)" path="/var/lib/systemd/coredump" dev="sda1" ino=3540695 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1 Hash: (coredump),init_t,init_var_lib_t,dir,mounton Version-Release number of selected component: selinux-policy-3.13.1-263.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.13.0-0.rc0.git6.1.fc27.x86_64 type: libreport
Description of problem: One of processes crashed. Version-Release number of selected component: selinux-policy-3.13.1-264.fc27.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.10-300.fc26.x86_64 type: libreport
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
It is allowed in current stable f27 sh$ sesearch -ds -s init_t -t init_var_lib_t -c dir --allow allow init_t file_type:dir { getattr open search }; allow init_t init_var_lib_t:dir { add_name create getattr ioctl link lock mounton open read remove_name rename reparent rmdir search setattr unlink write }; sh$ rpm -q selinux-policy selinux-policy-3.13.1-278.fc27.noarch