Description of problem:
While yum was updating authconfig-gtk, the following appeared in /var/log/messages:

Jul 31 22:58:04 localhost yum: Updated: authconfig-gtk.i386 5.3.15-1.fc7
Jul 31 22:58:05 localhost setroubleshoot: SELinux is preventing /usr/sbin/sm-notify (rpcd_t) "search" to <Unknown> (sysctl_fs_t). For complete SELinux messages. run sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960
Jul 31 22:58:06 localhost setroubleshoot: SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to <Unknown> (sysctl_fs_t). For complete SELinux messages. run sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960

and this command shows

[root@localhost ~]# sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960

Summary
    SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to <Unknown> (sysctl_fs_t).

Detailed Description
    SELinux denied access requested by /sbin/rpc.statd. It is not expected that this access is required by /sbin/rpc.statd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,

    restorecon -v <Unknown>

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

    Source Context          user_u:system_r:rpcd_t
    Target Context          system_u:object_r:sysctl_fs_t
    Target Objects          None [ dir ]
    Affected RPM Packages   nfs-utils-1.0.12-4.fc7 [application]
    Policy RPM              selinux-policy-2.6.4-29.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               localhost.localdomain
    Platform                Linux localhost.localdomain 2.6.22.1-33.fc7 #1 SMP Mon Jul 23 17:33:07 EDT 2007 i686 i686
    Alert Count             2
    First Seen              Tue Jul 31 22:58:03 2007
    Last Seen               Tue Jul 31 22:58:03 2007
    Local ID                55c0814f-e7f1-4ed4-ba78-93b7b1e36960
    Line Numbers

Raw Audit Messages

    avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3974 scontext=user_u:system_r:rpcd_t:s0 sgid=0 subj=user_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0

[root@localhost ~]#

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-29.fc7
authconfig-gtk-5.3.15-1.fc7

How reproducible:
haven't tried, but presumably always
Actually I think the relevant package is nfs-utils, so I'm changing the name of the bug. Both packages were in the same batch of updates; nfs-utils appeared just before authconfig-gtk.
Fixed in selinux-policy-2.6.4-31
After updating to selinux-policy*2.6.4-30.fc7, I verified that this is fixed by reverting to the original versions of nfs-utils and nfs-utils-lib and updating without the setroubleshoot error. Please close. I would do it but I'm confused regarding the difference between "CURRENTRELEASE" and "ERRATA", so I don't know which to use here. When is it appropriate to use each one?
I've pasted in the text from setroubleshoot browser that popped up tonight in F7. Hope this helps.

Summary
    SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to (sysctl_fs_t).

Detailed Description
    SELinux denied access requested by /sbin/rpc.statd. It is not expected that this access is required by /sbin/rpc.statd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ,

    restorecon -v

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

    Source Context:         system_u:system_r:rpcd_t
    Target Context:         system_u:object_r:sysctl_fs_t
    Target Objects:         None [ dir ]
    Affected RPM Packages:  nfs-utils-1.1.0-1.fc7 [application]
    Policy RPM:             selinux-policy-2.6.4-30.fc7
    Selinux Enabled:        True
    Policy Type:            targeted
    MLS Enabled:            True
    Enforcing Mode:         Enforcing
    Plugin Name:            plugins.catchall_file
    Host Name:              localhost.localdomain
    Platform:               Linux localhost.localdomain 2.6.22.1-41.fc7 #1 SMP Fri Jul 27 18:10:34 EDT 2007 i686 i686
    Alert Count:            1
    First Seen:             Tue 14 Aug 2007 07:07:36 PM PDT
    Last Seen:              Tue 14 Aug 2007 07:07:36 PM PDT
    Local ID:               614e5e67-e156-44d0-9465-7ed0c681624a
    Line Numbers:

Raw Audit Messages:

    avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3070 scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0

Here is the output of rpm -q for the packages...

rpm -q authconfig-gtk
authconfig-gtk-5.3.15-1.fc7
rpm -q selinux-policy
selinux-policy-2.6.4-33.fc7
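
The two alerts quoted in this report differ in the SELinux user of the source context (user_u in the first, system_u in the second) but name the same source type, target type, object class and permission. The following is an added example, not part of the bug report or of setroubleshoot, that parses raw AVC messages and groups them on that tuple; the function names are hypothetical and the sample lines are the report's two messages trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit messages from this report,
# trimmed to the fields used below.
SAMPLE_AVCS = [
    'avc: denied { search } for comm="rpc.statd" exe="/sbin/rpc.statd" pid=3974 '
    'scontext=user_u:system_r:rpcd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:sysctl_fs_t:s0',
    'avc: denied { search } for comm="rpc.statd" exe="/sbin/rpc.statd" pid=3070 '
    'scontext=system_u:system_r:rpcd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:sysctl_fs_t:s0',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus 'perms', or None."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # not enough information to classify the denial
    fields['perms'] = tuple(sorted(m.group(1).split()))
    return fields

def selinux_type(context):
    """Extract the type from user:role:type[:mls-range]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def denial_key(avc):
    """Source type, target type, class and permissions identify the denial."""
    return (selinux_type(avc['scontext']), selinux_type(avc['tcontext']),
            avc['tclass'], avc['perms'])

def group_denials(lines):
    """Group parsed denials by denial_key, skipping lines that do not parse."""
    groups = defaultdict(list)
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            groups[denial_key(avc)].append(avc)
    return dict(groups)

if __name__ == '__main__':
    for key, hits in group_denials(SAMPLE_AVCS).items():
        print(key, 'count=%d' % len(hits), 'pids=%s' % [h['pid'] for h in hits])
```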
I mistakenly said above that the problem was fixed with selinux-policy*2.6.4-30.fc7 when it was actually selinux-policy*2.6.4-33.fc7 (which was released that day). It looks like you still had the old version selinux-policy-2.6.4-30.fc7 installed when you got this error (note that comment #2 says it is fixed in selinux-policy-2.6.4-31), so I still think this can be closed. Mr. Walsh, when closing this, could you also answer my question in comment #3?
I close Fedora bugs with CurrentRelease. Errata is used for RHEL or Security Releases?