The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing icecc-scheduler (icecc_scheduler_t) "read write" var_log_t.

Detailed Description:

SELinux denied access requested by icecc-scheduler. It is not expected that this access is required by icecc-scheduler and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:icecc_scheduler_t:SystemLow
Target Context                system_u:object_r:var_log_t:SystemLow
Target Objects                icecc-scheduler [ file ]
Source                        icecc-scheduler
Source Path                   /usr/sbin/icecc-scheduler
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           icecream-0.9.4-1.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20 17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Mon 20 Apr 2009 16:52:35 IST
Last Seen                     Tue 26 May 2009 17:06:33 IST
Local ID                      25adf24e-1a76-4f25-b57a-db5c45908c51
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1243353993.668:31590): avc: denied { read write } for pid=3349 comm="icecc-scheduler" name="icecc-scheduler" dev=dm-0 ino=29622511 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1243353993.668:31590): arch=c000003e syscall=21 success=no exit=-13 a0=1f18615 a1=6 a2=0 a3=8 items=0 ppid=3312 pid=3349 auid=4294967295 uid=493 gid=487 euid=493 suid=493 fsuid=493 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="icecc-scheduler" exe="/usr/sbin/icecc-scheduler" subj=system_u:system_r:icecc_scheduler_t:s0 key=(null)

audit2allow suggests:

#============= icecc_scheduler_t ==============
allow icecc_scheduler_t var_log_t:file { read write };

Since this policy is not in the base selinux-policy package, it must be shipping with the package. I have a feeling this is a mislabeled directory.
Yes, icecream ships its policy in the package. I need to resend the patch to the refpolicy mailing list to have it merged. This is a real bug in my policy, not just a mislabelling. I'll fix it.
icecream-0.9.4-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/icecream-0.9.4-3.fc11
icecream-0.9.4-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update icecream'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8665
icecream-0.9.4-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update icecream'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8665
icecream-0.9.4-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.