Description of problem: restart centos container SELinux is preventing dmesg from 'syslog_read' accesses on the system labeled kernel_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dmesg should be allowed syslog_read access on system labeled kernel_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dmesg' --raw | audit2allow -M my-dmesg # semodule -X 300 -i my-dmesg.pp Additional Information: Source Context system_u:system_r:container_t:s0:c509,c634 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source dmesg Source Path dmesg Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-51.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32 UTC 2019 x86_64 x86_64 Alert Count 3 First Seen 2019-03-16 09:08:59 CST Last Seen 2019-03-17 21:35:37 CST Local ID 6bb27e16-30e8-4f58-9e98-b2bfa82ce2ed Raw Audit Messages type=AVC msg=audit(1552829737.432:2566): avc: denied { syslog_read } for pid=6038 comm="dmesg" scontext=system_u:system_r:container_t:s0:c509,c634 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 Hash: dmesg,container_t,kernel_t,system,syslog_read Version-Release number of selected component: selinux-policy-3.14.2-51.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.14-200.fc29.x86_64 type: libreport Potential duplicate: bug 1401770
Hi, Thank you for reporting the issue. This bugzilla seems to be a duplicate of bz 1401770, so closing as a duplicate. Please read the comments in there and feel free to reopen this bz if your issue turns out to be different. *** This bug has been marked as a duplicate of bug 1401770 ***