Description of problem:
SELinux is preventing ebtables from 'read' accesses on the file ebtables.lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ebtables should be allowed read access on the ebtables.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ebtables' --raw | audit2allow -M my-ebtables
# semodule -X 300 -i my-ebtables.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:object_r:virt_var_run_t:s0
Target Objects                ebtables.lock [ file ]
Source                        ebtables
Source Path                   ebtables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-43.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.2.9-200.fc30.x86_64 #1 SMP Fri Aug 16 21:37:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-09-02 15:26:45 IST
Last Seen                     2019-09-02 15:26:45 IST
Local ID                      5c3a8f6b-698b-4fef-b008-ab6501b46c58

Raw Audit Messages
type=AVC msg=audit(1567418205.677:591): avc: denied { read } for pid=15392 comm="ebtables" name="ebtables.lock" dev="tmpfs" ino=33635 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=1

Hash: ebtables,firewalld_t,virt_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.9-200.fc30.x86_64
type:           libreport
Hi,

Are you able to reproduce it? Do you know when this happened?

The default label for /var/run/ebtables.lock is iptables_var_run_t. You can run:

# restorecon -v /var/run/ebtables.lock

to fix this issue. However, I would like to know why it was labeled as virt_var_run_t on your system.

Thanks,
Lukas.
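The two suggestions in this thread pull in opposite directions: the setroubleshoot catchall plugin proposes a local policy module via audit2allow, while comment 1 points out that the file is simply mislabelled and restorecon is the right fix. The script below is an added example (not part of the bug report, setroubleshoot, or the selinux-policy project) that triages the denial before any policy is widened: it parses the AVC record from the report, embedded as a constructed sample so it runs offline, compares the target's type with what the loaded policy expects for the path (via matchpathcon -n on a real host, falling back to the iptables_var_run_t value stated in comment 1), and prints the appropriate remedy. The remark that audit2allow would produce an allow rule from firewalld_t to virt_var_run_t is an inference from the denial's source and target contexts, not something the thread states.

```shell
#!/bin/sh
# Added example for this thread, not part of the bug report or of setroubleshoot:
# triage an AVC denial before accepting the catchall plugin's audit2allow advice.
# The AVC record is the one from the report, embedded here as a constructed sample
# so the script runs offline. EXPECTED_TYPE defaults to iptables_var_run_t, the
# policy default comment 1 quotes for /var/run/ebtables.lock; on a real host it is
# read from matchpathcon instead.

AVC='type=AVC msg=audit(1567418205.677:591): avc: denied { read } for pid=15392 comm="ebtables" name="ebtables.lock" dev="tmpfs" ino=33635 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=1'
LOCK=/var/run/ebtables.lock

# avc_field RECORD KEY: value of KEY=... in a space-separated AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm RECORD: the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the loaded policy assigns to PATH; empty when
# matchpathcon (libselinux-utils) is not installed, e.g. off-box.
expected_type() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$1" | cut -d: -f3
    fi
}

# triage RECORD EXPECTED_TYPE: "relabel" when the target's type differs from the
# policy default (a labelling error: fix with restorecon), "policy" when the labels
# are already correct (a real policy gap: report it; a local module is the stopgap).
triage() {
    if [ "$(ctx_type "$(avc_field "$1" tcontext)")" != "$2" ]; then
        echo relabel
    else
        echo policy
    fi
}

EXPECTED_TYPE=$(expected_type "$LOCK")
[ -n "$EXPECTED_TYPE" ] || EXPECTED_TYPE=iptables_var_run_t   # value from comment 1; used offline

echo "denied: $(ctx_type "$(avc_field "$AVC" scontext)") -> $(ctx_type "$(avc_field "$AVC" tcontext)") $(avc_field "$AVC" tclass) { $(avc_perm "$AVC") }"
case $(triage "$AVC" "$EXPECTED_TYPE") in
relabel)
    echo "$LOCK is labelled $(ctx_type "$(avc_field "$AVC" tcontext)"), policy expects $EXPECTED_TYPE:"
    echo "  restorecon -v $LOCK        # or: restorecon -Rv /  for a system-wide relabel"
    echo "  (do not audit2allow this: it would permanently allow firewalld_t to read virt_var_run_t files)"
    ;;
policy)
    echo "labels match the policy default; report the denial and, if needed, stop-gap with:"
    echo "  ausearch -c '$(avc_field "$AVC" comm)' --raw | audit2allow -M my-$(avc_field "$AVC" comm)"
    ;;
esac
```

Run as-is it reports "relabel" for this denial, because virt_var_run_t is not what the policy assigns to /var/run/ebtables.lock. The same check can be made by hand with `ls -Z /var/run/ebtables.lock` against `matchpathcon /var/run/ebtables.lock`, or with `restorecon -nv` to preview the change without applying it; only when the two agree does the denial reflect a genuine policy gap worth reporting.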
(In reply to Lukas Vrabec from comment #1)
> Hi,
>
> Are you able to reproduce it? Do you know when this happened?
>
> Default label for /var/run/ebtables.lock is iptables_var_run_t. You can run:
>
> # restorecon -v /var/run/ebtables.lock
>
> To fix this issue, however I would like to know why it was labeled as
> virt_var_run_t on your system.
>
> Thanks,
> Lukas.

I was trying to install Oracle Database on my Fedora machine, but later I dropped the plan to install it, as my system's RAM does not support it. While trying to install it, I followed some steps for installing Oracle Database on Fedora which I found on the net at https://oracle-base.com/articles/19c/oracle-db-19c-installation-on-fedora-30#download-software, which say to set SELinux to permissive and then revert the SELinux setting to enforcing (which was my default setting before trying to install Oracle Database).
Understood. I need to take a look at Oracle DB, but for now it's not supported on Fedora. For now, please run:

# restorecon -Rv /

to fix the labels on your system.

Thanks,
Lukas.