# auditctl -w /etc/shadow -p w # ausearch -m avc -ts recent ---- time->Fri Oct 5 13:17:06 2018 type=AVC msg=audit(1538770626.301:842): avc: denied { read } for pid=13444 comm="setroubleshootd" name="Packages" dev="dm-1" ino=24903757 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 SELinux is preventing ModemManager from using the dac_override capability. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that ModemManager should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager # semodule -X 300 -i my-ModemManager.pp Additional Information: Source Context system_u:system_r:modemmanager_t:s0 Target Context system_u:system_r:modemmanager_t:s0 Target Objects Unknown [ capability ] Source ModemManager Source Path ModemManager Port <Unknown> Host rn6.rent-a-nerd.local Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rn6.rent-a-nerd.local Platform Linux rn6.rent-a-nerd.local 4.17.7-200.fc28.x86_64 #1 SMP Tue Jul 17 16:28:31 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-07-27 20:31:03 PDT Last Seen 2018-07-27 20:31:03 PDT Local ID 06f38645-a741-4b61-957c-0f0e7d53c89b Raw Audit Messages type=AVC msg=audit(1532748663.473:974): avc: denied { dac_override } for pid=3138 comm="ModemManager" capability=1 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=capability permissive=0 Hash: ModemManager,modemmanager_t,modemmanager_t,capability,dac_override
commit 50697974eedae63f9cdd469f751e6cca57101385 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Mon Oct 15 10:55:30 2018 +0200 Add dac_override capability to modemmanager_t domain BZ(1636608)
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
selinux-policy-3.14.1-46.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b493044b46
selinux-policy-3.14.1-47.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b493044b46
selinux-policy-3.14.1-47.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.