Summary: SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt. Detailed Description: [abrtd has a permissive type (abrt_t). This access was not denied.] SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:abrt_etc_t:s0 Target Objects /etc/abrt [ dir ] Source abrtd Source Path /usr/sbin/abrtd (deleted) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages abrt-1.0.2-1.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 3 First Seen الخميس 24 كانون الأول 2009 20:55:05 Last Seen الخميس 24 كانون الأول 2009 20:55:05 Local ID 7ff468f8-b2ac-4496-a0c3-ce37b349b398 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1261684505.50:24581): avc: denied { write } for pid=1527 comm="abrtd" name="abrt" dev=dm-0 ino=23447 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1261684505.50:24581): avc: denied { add_name } for pid=1527 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1261684505.50:24581): avc: denied { create } for pid=1527 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1261684505.50:24581): arch=40000003 syscall=5 success=yes exit=9 a0=2a80c9 a1=8241 a2=1b6 a3=3172629 items=0 ppid=1 pid=1527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-63.fc12,catchall,abrtd,abrt_t,abrt_etc_t,dir,write audit2allow suggests: audit2allow is not installed.
*** Bug 551782 has been marked as a duplicate of this bug. ***
Many users are going to see this AVC when updating from 1.0.0 because I pushed a new version to stable yesterday.
*** Bug 553237 has been marked as a duplicate of this bug. ***
*** Bug 550574 has been marked as a duplicate of this bug. ***
*** Bug 553823 has been marked as a duplicate of this bug. ***
I am seeing this same problem after today's F-12 update. I have seen no SElinux warnings before this. Linux box6 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
*** This bug has been marked as a duplicate of bug 546152 ***
My system was up to date on 29/01/10 and today after the 30/01/10 update i have seen the same bug. That happened after the restart (after update)
Same behavior here. After an update - I don‘t know when anymore - after log-in I get the SELinux-Message with another message about wine-prestarter wants to do "an unsafe memory operation". Actually I've removed all wine (incl. the directories in my home-directory) and the same bug appears after restarting my system. New labeling didn‘t help.
(In reply to comment #2) > Many users are going to see this AVC when updating from 1.0.0 because I pushed > a new version to stable yesterday. Then what should we do?
(In reply to comment #12) > (In reply to comment #2) > > Many users are going to see this AVC when updating from 1.0.0 because I pushed > > a new version to stable yesterday. > > Then what should we do? Hi jul, this bug as been closed as a duplicate, you should refer to bug 546152.