Description of problem: Same problem as 1478602, just a different file and process. The shell is inheriting the "executable stack" flag from brcupsconfpt1, thus causing this issue. SELinux is preventing sh from 'execute' accesses on the file /usr/lib/locale/locale-archive. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed execute access on the locale-archive file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:locale_t:s0 Target Objects /usr/lib/locale/locale-archive [ file ] Source sh Source Path sh Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages glibc-all-langpacks-2.25-12.fc26.i686 Policy RPM selinux-policy-3.13.1-260.14.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.13.12-200.fc26.i686+PAE #1 SMP Wed Nov 8 17:09:43 UTC 2017 i686 i686 Alert Count 1 First Seen 2017-11-17 08:08:16 CET Last Seen 2017-11-17 08:08:16 CET Local ID 249ecfb9-c311-40b7-9e70-7c9e55628763 Raw Audit Messages type=AVC msg=audit(1510902496.863:215): avc: denied { execute } for pid=1354 comm="sh" path="/usr/lib/locale/locale-archive" dev="sda2" ino=1445621 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:locale_t:s0 tclass=file permissive=1 Hash: sh,cupsd_t,locale_t,file,execute Version-Release number of selected component: selinux-policy-3.13.1-260.14.fc26.noarch Additional info: component: selinux-policy reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.13.12-200.fc26.i686+PAE type: libreport Potential duplicate: bug 1346108
Current selinus version: selinux-policy.noarch 3.13.1-260.14.fc26 selinux-policy-targeted.noarch 3.13.1-260.14.fc26
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.