when trying to run pkcon install finch I've got this AVC denial report: Souhrn: SELinux is preventing polkit-resolve- (staff_t) "setuid" staff_t. Podrobný popis: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Povolení přístupu: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Další informace: Kontext zdroje staff_u:staff_r:staff_t:SystemLow-SystemHigh Kontext cíle staff_u:staff_r:staff_t:SystemLow-SystemHigh Objekty cíle None [ capability ] Zdroj polkit-resolve- Cesta zdroje /usr/libexec/polkit-resolve-exe-helper Port <Neznámé> Počítač viklef RPM balíčky zdroje PolicyKit-0.9-3.fc10 RPM balíčky cíle RPM politiky selinux-policy-3.5.13-20.fc10 Selinux povolen True Typ politiky targeted MLS povoleno True Vynucovací režim Enforcing Název zásuvného modulu catchall Název počítače viklef Platforma Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686 Počet upozornění 1 Poprvé viděno Út 25. listopad 2008, 23:23:40 CET Naposledy viděno Út 25. listopad 2008, 23:23:40 CET Místní ID 2c9f0150-62bd-4341-bbfd-ec299c8b9924 Čísla řádků Původní zprávy auditu node=viklef type=AVC msg=audit(1227651820.894:134): avc: denied { setuid } for pid=27398 comm="polkit-resolve-" capability=7 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability node=viklef type=SYSCALL msg=audit(1227651820.894:134): arch=40000003 syscall=213 success=yes exit=0 a0=0 a1=a a2=0 a3=bfe0c8b0 items=0 ppid=27393 pid=27398 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Actually, this prevents PackageKit from working -- isn't able to upgrade.
audit2allow suggests: module staffuSetuidCapability 1.0; require { type staff_t; class capability setuid; } #============= staff_t ============== allow staff_t self:capability setuid; will try. Isn't it too much though?
Tried the module described in the previous comment, but it didn't help -- gpk-update-icon still claims that I don't have necessary rights to proceed, and gpk-update-viewer doesn't do anything when it should actualize system.
You should not be allowed to run PackageKit if you are staff_u. You are a limited privledged admin on a system administrated by someone else.
Oh, cool. OK, no problem -- will eradicate PK.