Description of problem:
This is one of a cascade of related reports presented each morning after I open my laptop.

SELinux is preventing certwatch from 'write' accesses on the directory /sys/kernel/debug.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that certwatch should be allowed write access on the debug directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -X 300 -i my-certwatch.pp

Additional Information:
Source Context                system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                /sys/kernel/debug [ dir ]
Source                        certwatch
Source Path                   certwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.4-300.fc29.x86_64 #1 SMP Fri Nov 23 13:03:11 UTC 2018 x86_64 x86_64
Alert Count                   128
First Seen                    2018-11-26 08:56:37 AEST
Last Seen                     2018-12-03 10:08:38 AEST
Local ID                      3703b338-be53-439e-a2c5-fc65097f2131

Raw Audit Messages
type=AVC msg=audit(1543795718.634:10527): avc: denied { write } for pid=22300 comm="certwatch" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

Hash: certwatch,certwatch_t,debugfs_t,dir,write

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.4-300.fc29.x86_64
type:           libreport
*** Bug 1655356 has been marked as a duplicate of this bug. ***
*** Bug 1655355 has been marked as a duplicate of this bug. ***
*** Bug 1655353 has been marked as a duplicate of this bug. ***
*** Bug 1655351 has been marked as a duplicate of this bug. ***
*** Bug 1655354 has been marked as a duplicate of this bug. ***
*** Bug 1653090 has been marked as a duplicate of this bug. ***
*** Bug 1655348 has been marked as a duplicate of this bug. ***
*** Bug 1646899 has been marked as a duplicate of this bug. ***
*** Bug 1655346 has been marked as a duplicate of this bug. ***
commit 879f70d91144905fff16a378c12ea7c4b0dad720 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 16:06:39 2018 +0100

    Dontaudit certwatch_t domain to write to all mountpoints BZ(1655357)
Created attachment 1513931
All 12 alerts I get every single morning

Attached list of all alerts I am getting every day
*** Bug 1658823 has been marked as a duplicate of this bug. ***
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.