Description of problem:
Random SELinux alert.

SELinux is preventing certwatch from 'write' accesses on the file /etc/pki/nssdb/cert9.db.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that certwatch should be allowed write access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -X 300 -i my-certwatch.pp

Additional Information:
Source Context                system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cert_t:s0
Target Objects                /etc/pki/nssdb/cert9.db [ file ]
Source                        certwatch
Source Path                   certwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           nss-3.36.0-1.0.fc28.x86_64 nss-3.36.0-1.0.fc28.i686
Policy RPM                    selinux-policy-3.14.1-17.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.16.0-0.rc6.git0.2.fc28.x86_64 #1 SMP Mon Mar 19 17:05:43 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-03-23 10:46:02 CET
Last Seen                     2018-03-28 11:30:01 CEST
Local ID                      7154dbb2-95d6-4675-9b77-ad1559add51e

Raw Audit Messages
type=AVC msg=audit(1522229401.545:4754): avc: denied { write } for pid=16494 comm="certwatch" name="cert9.db" dev="dm-1" ino=2360933 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

Hash: certwatch,certwatch_t,cert_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.1-17.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc6.git0.2.fc28.x86_64
type:           libreport

Potential duplicate: bug 834656

selinux-policy-3.14.1-21.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3
Description of problem:
- The certwatch tool (of crypto-utils) is configured to run daily: /etc/cron.daily/certwatch
- Needs to be able to read certificate files to alert the admin of expired ones.

Version-Release number of selected component:
selinux-policy-3.14.1-20.fc28.noarch

Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.2-300.fc28.x86_64
type:           libreport

selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1148ada2a3
selinux-policy-3.14.1-21.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.