The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing rtkit-daemon "getcap" access.

Detailed Description:

SELinux denied access requested by rtkit-daemon. It is not expected that this access is required by rtkit-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        rtkit-daemon
Source Path                   rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686.PAE #1 SMP Wed Sep 16 15:53:47 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Thu 17 Sep 2009 09:17:00 AM PDT
Last Seen                     Thu 17 Sep 2009 09:17:00 AM PDT
Local ID                      f26b17a2-12dc-4e49-a31c-b656f0e80b58
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1253204220.126:47): avc: denied { getcap } for pid=1519 comm="rtkit-daemon" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process

audit2allow suggests:

#============= initrc_t ==============
allow initrc_t self:process getcap;
You seem to be having a labeling problem on the rtkit-daemon

restorecon -R -v /usr/libexec
*** Bug 524027 has been marked as a duplicate of this bug. ***
*** Bug 524028 has been marked as a duplicate of this bug. ***
*** Bug 524029 has been marked as a duplicate of this bug. ***
*** Bug 524030 has been marked as a duplicate of this bug. ***
I've had a few selinux reports closed as not a bug. My naive understanding of selinux errors is that they are always bugs unless a user has done something bad to screw up labelling. As far as I know, I've done no such things. I installed f12 alpha and updated it periodically. The only things I've done as root have been to copy a few individual files (ldap.conf, auto.master) from my f11 partition, yum installs, yum updates, and restarting autofs. I am running as a normal local user that was created from scratch after the alpha install, so I don't have any f11 user configuration baggage hanging around.

If you want me to stop filing reports, let me know. I usually disable selinux when the official release comes out anyway... in the meantime, I'm just trying to be a good citizen.
Right but if the labeling gets messed up, probably due to rawhide failures, there is nothing I can do to fix the labeling.

In this case did you check the labeling on this file?

During rawhide, selinux got broken by dracut and some labeling got messed up. This could have been the problem.

Also if you are going to report the bugs, and you find a bunch that look the same, please do not keep pushing the report the bug button. I know this is difficult, but sometimes I get hundreds of bugs all to do with the same labeling issue.
(In reply to comment #7)
> Right but if the labeling gets messed up, probably due to rawhide failures,
> there is nothing I can do to fix the labeling.
>
> In this case did you check the labeling on this file?
>

Honestly, I'm not up to speed on selinux and labeling. I was just told to report all errors I see by somebody on the test mailing list, so I have been.

If something like dracut can screw up labelling, it seems that there should be a mechanism for a future yum update to fix it. I guess the danger is that automated fixing of labels will mask real security problems? But I'm not sure that's any different from what I do now which is to blindly run commands to fix labels when bugzilla tells me to.

I'll try to fix my labelling and filter out similar looking reports... I had assumed that sealert was smart enough to add to an existing report when there was only one small change between reports.
Well we are working on it. dracut/selinux lots of bugs happen in Rawhide and some never get cleaned up without user intervention. That is what makes Rawhide fun. :^)

fixfiles restore and reboot should clean everything up.

yum -y upgrade tomorrow, because today's selinux-policy is broken.
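
Added example, not part of the original bug thread and not setroubleshoot's own code: one way to collapse near-identical AVC denials into a single entry before filing, and to flag entries whose source type is initrc_t as "check the file label first". The sample log lines are constructed (the first mirrors the denial above), and the initrc_t check is a heuristic assumed here: a daemon that stays in initrc_t never made a domain transition, which usually points at the executable's label rather than at missing policy.

```python
import re
from collections import defaultdict

# Constructed sample: the first line mirrors the denial in this report,
# the remaining lines are invented for illustration.
SAMPLE = """\
type=AVC msg=audit(1253204220.126:47): avc:  denied  { getcap } for  pid=1519 comm="rtkit-daemon" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1253204220.130:48): avc:  denied  { setcap } for  pid=1519 comm="rtkit-daemon" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1253207820.511:63): avc:  denied  { getcap } for  pid=1602 comm="rtkit-daemon" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1253207900.002:71): avc:  denied  { read } for  pid=1710 comm="httpd" name="index.html" dev=sda3 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1253207900.002:71): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def setype(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def group_denials(text):
    """Group denials by (comm, source type, target type, class).

    pid, timestamp and the individual permission are ignored, so denials
    that differ by "one small change" end up in the same entry.
    """
    groups = defaultdict(lambda: {"count": 0, "perms": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the SYSCALL record)
        key = (m["comm"], setype(m["scon"]), setype(m["tcon"]), m["tclass"])
        groups[key]["count"] += 1
        groups[key]["perms"].update(m["perms"].split())
    return dict(groups)

def likely_mislabeled(key):
    """Heuristic (assumption of this example): the process is still in
    initrc_t, so verify the executable's label before touching policy."""
    return key[1] == "initrc_t"

if __name__ == "__main__":
    for key, info in group_denials(SAMPLE).items():
        hint = "check file label first" if likely_mislabeled(key) else "review policy"
        print(key, info["count"], sorted(info["perms"]), "->", hint)
```

To run it on a real system, pass the contents of the audit log (typically /var/log/audit/audit.log) to group_denials() instead of SAMPLE.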