Installed F8 on new PC. After applying all updates got this:

Summary:

SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (hald_var_lib_t).

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this access is required by nm-system-setti and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./PolicyKit,

restorecon -v './PolicyKit'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:object_r:hald_var_lib_t:s0
Target Objects                ./PolicyKit [ dir ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          vanilla.icecream
Source RPM Packages           NetworkManager-0.7.0-0.11.svn4022.4.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-117.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vanilla.icecream
Platform                      Linux vanilla.icecream 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:32:58 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 18 Oct 2008 01:18:59 PM CDT
Last Seen                     Sat 18 Oct 2008 01:18:59 PM CDT
Local ID                      7a53da62-9a75-419e-b42f-a4a7c63a7b68
Line Numbers

Raw Audit Messages

host=vanilla.icecream type=AVC msg=audit(1224353939.928:16): avc: denied { read } for pid=3039 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=4882503 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir

host=vanilla.icecream type=SYSCALL msg=audit(1224353939.928:16): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=13f08e a2=306 a3=8431b60 items=0 ppid=3038 pid=3039 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
Fixed in selinux-policy-3.0.8-119.fc8
I seem to be getting this in 8-121 as well.

[root@mps1530 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.0.8-121.fc8
selinux-policy-devel-3.0.8-121.fc8
selinux-policy-3.0.8-121.fc8

---------------------------------

From se troubleshooting browser:

host=mps1530.rubackedup.com type=AVC msg=audit(1225971828.77:7): avc: denied { read } for pid=2722 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=11108485 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_run_t:s0 tclass=dir

host=mps1530.rubackedup.com type=SYSCALL msg=audit(1225971828.77:7): arch=40000003 syscall=292 success=yes exit=4 a0=6 a1=68b0a1 a2=306 a3=9dae6d8 items=0 ppid=2721 pid=2722 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

---------------------------------

ls -Z /var/lib/ shows the following

drwxrwxr-x polkituser polkituser system_u:object_r:polkit_var_lib_t:s0 PolicyKit
Could you check selinux-policy-3.0.8-123.fc8?
Sorry, but I no longer have that PC. I can't check anything regarding this bug.
Ok, thanks. Maybe David can check.
Having a little trouble identifying the repo where 123 is located. Perhaps someone can help me locate the policy RPMs?
Should be in updates-testing.
Added selinux-policy-3.0.8-123.fc8 and selinux-policy-targeted 3.0.8-123.fc8. sealert no longer shows the denial after reboot. Thanks.