Description of problem:
webalizer with default configuration tries to getattr("/"), which SELinux denies.
Version-Release number of selected component (if applicable):
webalizer-2.01_10-30.1
Additional info:
avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=259137 scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem tcontext=system_u:object_r:fs_t:s0
Actually / has the label "system_u:object_r:root_t" and yet the AVC says "system_u:object_r:fs_t:s0". So this is not a webalizer bug...
Component: webalizer -> filesystem (?)
*** Bug 222815 has been marked as a duplicate of this bug. ***
I'm seeing this with webalizer and also with dovecot:
SELinux is preventing dovecot-auth (dovecot_auth_t) "getattr" to / (fs_t).
type=AVC msg=audit(1169634718.042:8543): avc: denied { getattr } for pid=23722 comm="dovecot-auth" name="/" dev=dm-2 ino=2 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I tested this more and this only happens to me when the policy package has been updated since reboot. Doesn't seem to affect anything else, only the rootdir. The kernel generates the AVC messages and they contain target context info inconsistent with the file's label, therefore this looks like a kernel bug?
Component: filesystem -> kernel
Things to test:
* Does restarting cron fix it?
* Does reloading the same policy also trigger it?
Hmm.. I actually got it now after reboot as well without reloading the policy at all. And note the tclass=filesystem and not dir. It is affecting setroubleshootd itself (which quits) so people might not notice these AVCs.
type=AVC msg=audit(1169636523.985:80): avc: denied { getattr } for pid=6305 comm="uname" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc: denied { getattr } for pid=6304 comm="sh" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Can't reproduce this any more...
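The AVC records quoted in this thread, parsed field by field and grouped by source type, target type and object class. This is an added example, not part of the original bug report, and the helper names are hypothetical. The class matters when reading these denials: tclass=filesystem names the mounted filesystem object (what statfs(2) queries), which carries its own label separate from the label on the "/" directory inode.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this thread.
SAMPLE_LOG = """\
avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=259137 scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem tcontext=system_u:object_r:fs_t:s0
type=AVC msg=audit(1169634718.042:8543): avc: denied { getattr } for pid=23722 comm="dovecot-auth" name="/" dev=dm-2 ino=2 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.985:80): avc: denied { getattr } for pid=6305 comm="uname" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc: denied { getattr } for pid=6304 comm="sh" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to classify
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log):
    """Map (source type, target type, class, perms) -> set of comm names."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, log.splitlines())):
        key = (rec["source_type"], rec["target_type"], rec["tclass"],
               tuple(sorted(rec["perms"])))
        groups[key].add(rec.get("comm", "?"))
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls, perms), comms in sorted(summarize(SAMPLE_LOG).items()):
        # tclass=filesystem: the check is on the filesystem object, not the "/" inode
        note = "filesystem object" if cls == "filesystem" else "other class"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} [{note}] comm={sorted(comms)}")
```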