Description of problem:
certwatch is run daily from cron.
SELinux is preventing certwatch from 'write' accesses on the directory /sys/fs/fuse/connections.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that certwatch should be allowed write access on the connections directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -X 300 -i my-certwatch.pp

Additional Information:
Source Context                system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /sys/fs/fuse/connections [ dir ]
Source                        certwatch
Source Path                   certwatch
Port                          <Άγνωστο>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-06 03:42:01 EET
Last Seen                     2018-11-06 03:42:01 EET
Local ID                      fe9f4373-c25c-4b53-aefb-381dd5019e18

Raw Audit Messages
type=AVC msg=audit(1541468521.770:4249): avc: denied { write } for pid=15862 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0

Hash: certwatch,certwatch_t,fusefs_t,dir,write

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Same problem here. After upgrading to Fedora 29 (from 28) certwatch is giving many selinux errors.

I have:
crypto-utils-2.5-4.fc29.x86_64
selinux-policy-targeted-3.14.2-42.fc29.noarch
policycoreutils-2.8-8.fc29.x86_64
kernel-headers-4.18.17-300.fc29.x86_64

# runcon -t certwatch_t -u system_u -r system_r /etc/cron.daily/certwatch
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed

[root@nonoise share]# ausearch -m avc -ts recent
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:455): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=21539 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:456): avc: denied { write } for pid=7033 comm="certwatch" name="tmp" dev="dm-1" ino=1179708 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:457): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:458): avc: denied { dac_override } for pid=7033 comm="certwatch" capability=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:459): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:460): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:461): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17425 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:462): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="configfs" ino=16592 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:463): avc: denied { dac_override } for pid=7033 comm="certwatch" capability=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:464): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:465): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="hugetlbfs" ino=2371 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:466): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:467): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="mqueue" ino=13145 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:468): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=21539 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:469): avc: denied { dac_override } for pid=7033 comm="certwatch" capability=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:470): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="dm-3" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:471): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="dm-4" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.188:472): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="dm-6" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.189:473): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.189:474): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.189:475): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----
time->Fri Nov 9 12:47:59 2018
type=AVC msg=audit(1541792879.189:476): avc: denied { write } for pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
and many more

Cheers
T.
In permissive mode, certwatch will generate additional AVCs related to temporary files and mmap.

AVC avc: denied { write } for pid=10988 comm="certwatch" name="/" dev="tmpfs" ino=19732 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc: denied { add_name } for pid=10988 comm="certwatch" name="ffi5HJkIb" scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc: denied { create } for pid=10988 comm="certwatch" name="ffi5HJkIb" scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc: denied { write } for pid=10988 comm="certwatch" path="/tmp/ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc: denied { remove_name } for pid=10988 comm="certwatch" name="ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc: denied { unlink } for pid=10988 comm="certwatch" name="ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc: denied { map } for pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc: denied { execute } for pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
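An added triage helper (example code written for this page, not from the thread, setroubleshoot or audit2allow): it parses the raw AVC records quoted in the comments above, hex-decodes the path= value that audit emits for a name containing a space (the deleted /tmp/ffi... file from the permissive-mode list), groups denials by source type, target type, class and permission, and marks the permissions a policy reviewer would look at individually rather than grant to a cron job through a blanket allow. The sample records are copied from this thread; the RISKY set is this example's own choice.

```python
import re
from collections import Counter

# Four AVC records copied from the comments above (constructed excerpt).
SAMPLE_AVCS = """\
type=AVC msg=audit(1541468521.770:4249): avc: denied { write } for pid=15862 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1541792879.188:458): avc: denied { dac_override } for pid=7033 comm="certwatch" capability=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
avc: denied { map } for pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
avc: denied { execute } for pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# Fields audit hex-encodes (unquoted) when the value has spaces or control chars.
HEX_FIELDS = {"name", "path", "comm", "exe", "proctitle"}
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# This example's own list: permissions to review one by one, not bulk-allow.
RISKY = {"execute", "map", "dac_override", "execmem"}

def decode_audit_value(key, raw):
    """Strip quotes, or hex-decode an unquoted value of a hex-capable field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC lines."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = decode_audit_value(key, raw)
    rec["stype"] = rec["scontext"].split(":")[2]  # e.g. certwatch_t
    rec["ttype"] = rec["tcontext"].split(":")[2]  # e.g. fusefs_t
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission);
    also return the tuples whose permission is in RISKY for manual review."""
    counts, review = Counter(), set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            if perm in RISKY:
                review.add(key)
    return counts, review
```

Feed it the output of `ausearch -m avc --raw` to see which denials are repeats of the same tuple and which ones (the execute/map on tmp_t here) deserve a look at the program rather than a local policy module.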
Description of problem:
This is one of a cascade of related reports presented each morning after I open my laptop.

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.4-300.fc29.x86_64
type:           libreport
*** This bug has been marked as a duplicate of bug 1655357 ***