Bug 539949 - SELinux is preventing /usr/bin/python "write" access on tuned.
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: tuned
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Assignee: Phil Knirsch
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:78ea80cbcc0...
Duplicates: 533669
Reported: 2009-11-21 18:12 UTC by Martin Kopun
Modified: 2015-03-05 01:20 UTC
Last Closed: 2010-01-28 09:15:57 UTC

Description Martin Kopun 2009-11-21 18:12:36 UTC
Souhrn:

SELinux is preventing /usr/bin/python "write" access on tuned.

Podrobný popis:

[tuned has a permissive type (tuned_t). This access was not denied.]

SELinux denied access requested by tuned. It is not expected that this access is
required by tuned and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                unconfined_u:system_r:tuned_t:s0
Kontext cíle                 system_u:object_r:usr_t:s0
Objekty cíle                 tuned [ dir ]
Zdroj                         tuned
Cesta zdroje                  /usr/bin/python
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          python-2.6.2-2.fc12
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.32-46.fc12
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux (removed) 2.6.31.6-134.fc12.x86_64 #1 SMP Mon
                              Nov 16 20:38:45 EST 2009 x86_64 x86_64
Počet upozornění           4
Poprvé viděno               So 21. listopad 2009, 19:08:34 CET
Naposledy viděno             So 21. listopad 2009, 19:08:34 CET
Místní ID                   affd2f3b-4c13-4198-b7ec-18747720c4fd
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1258826914.669:9288): avc:  denied  { write } for  pid=30641 comm="tuned" name="tuned" dev=dm-3 ino=648571 scontext=unconfined_u:system_r:tuned_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1258826914.669:9288): avc:  denied  { add_name } for  pid=30641 comm="tuned" name="tuned.pyc" scontext=unconfined_u:system_r:tuned_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1258826914.669:9288): avc:  denied  { create } for  pid=30641 comm="tuned" name="tuned.pyc" scontext=unconfined_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1258826914.669:9288): avc:  denied  { write } for  pid=30641 comm="tuned" name="tuned.pyc" dev=dm-3 ino=649240 scontext=unconfined_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258826914.669:9288): arch=c000003e syscall=2 success=yes exit=4 a0=7fff7d71c6a0 a1=2c1 a2=81a4 a3=7fd924444c50 items=0 ppid=30640 pid=30641 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="tuned" exe="/usr/bin/python" subj=unconfined_u:system_r:tuned_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-46.fc12,catchall,tuned,tuned_t,usr_t,dir,write
audit2allow suggests:

#============= tuned_t ==============
allow tuned_t usr_t:dir { write add_name };
allow tuned_t usr_t:file { write create };
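
How the audit2allow suggestion above follows from the raw audit records, as an added example (not part of the original report and not audit2allow's own code): it parses the AVC records from the report, aggregates them into allow rules, and lists denied targets that are Python bytecode files. Function names are hypothetical, and permissions are sorted, so their order inside the braces differs from audit2allow's output without changing the rule.

```python
import re
from collections import defaultdict

# Audit records from the report (node= prefix dropped, SYSCALL record shortened).
SAMPLE_LOG = """\
type=AVC msg=audit(1258826914.669:9288): avc:  denied  { write } for  pid=30641 comm="tuned" name="tuned" dev=dm-3 ino=648571 scontext=unconfined_u:system_r:tuned_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1258826914.669:9288): avc:  denied  { add_name } for  pid=30641 comm="tuned" name="tuned.pyc" scontext=unconfined_u:system_r:tuned_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1258826914.669:9288): avc:  denied  { create } for  pid=30641 comm="tuned" name="tuned.pyc" scontext=unconfined_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1258826914.669:9288): avc:  denied  { write } for  pid=30641 comm="tuned" name="tuned.pyc" dev=dm-3 ino=649240 scontext=unconfined_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1258826914.669:9288): arch=c000003e syscall=2 success=yes exit=4 comm="tuned" exe="/usr/bin/python"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record
    return {
        "perms": m.group(1).split(),
        "source": fields["scontext"].split(":")[2],  # user:role:type:level
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),  # absent for some object classes
    }

def allow_rules(log_text):
    """Aggregate denials into allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def bytecode_targets(log_text):
    """Names of denied objects that are Python bytecode caches (.pyc/.pyo)."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return sorted({r["name"] for r in recs if r["name"] and r["name"].endswith((".pyc", ".pyo"))})

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
    print("bytecode writes:", bytecode_targets(SAMPLE_LOG))
```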

Comment 1 Daniel Walsh 2009-11-23 14:49:13 UTC
Tuned needs to ship the pyc and pyo files.

Martin, if you go in and run

#python /usr/share/tuned/tuned.py

This should create the pyc file and eliminate the AVC from being reported.

Comment 2 Martin Kopun 2009-11-23 15:08:50 UTC
I have no more SELinux denials after running this command, thank you.

Comment 3 Petr Lautrbach 2009-11-25 13:13:03 UTC
*** Bug 533669 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2009-11-26 12:22:23 UTC
tuned-0.2.5-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/tuned-0.2.5-2.fc12

Comment 6 Fedora Update System 2009-11-27 22:01:11 UTC
tuned-0.2.5-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update tuned'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12297
