Summary:

SELinux is preventing /sbin/hwclock access to a leaked /var/webmin/miniserv.error file descriptor.

Detailed Description:

[hwclock has a permissive type (hwclock_t). This access was not denied.]

SELinux denied access requested by the hwclock command. It looks like this is either a leaked descriptor or hwclock output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /var/webmin/miniserv.error. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:hwclock_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/webmin/miniserv.error [ file ]
Source                        hwclock
Source Path                   /sbin/hwclock
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.16.2-5.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-73.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux ZlatkoLad-Dator.localdomain 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 athlon
Alert Count                   1
First Seen                    Sat 30 Jan 2010 21.32.11
Last Seen                     Sat 30 Jan 2010 21.32.11
Local ID                      c244cdeb-584a-4cc2-9d30-aff47f8b905b
Line Numbers

Raw Audit Messages

node=ZlatkoLad-Dator.localdomain type=AVC msg=audit(1264883531.885:26252): avc: denied { append } for pid=1365 comm="hwclock" path="/var/webmin/miniserv.error" dev=sdc2 ino=412717 scontext=unconfined_u:system_r:hwclock_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=ZlatkoLad-Dator.localdomain type=SYSCALL msg=audit(1264883531.885:26252): arch=40000003 syscall=11 success=yes exit=0 a0=bfc1b2b4 a1=a125cb4 a2=a018b10 a3=a03bb14 items=0 ppid=1325 pid=1365 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="hwclock" exe="/sbin/hwclock" subj=unconfined_u:system_r:hwclock_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-73.fc12,leaks,hwclock,hwclock_t,var_t,file,append

audit2allow suggests:

#============= hwclock_t ==============
allow hwclock_t var_t:file append;
Miroslav, I guess we should label /var/webmin as var_log_t.

    /var/webmin(/.*)?    gen_context(system_u:object_r:var_log_t,s0)

You can set this label for now by executing

    chcon -t var_log_t -R /var/webmin

Also, could you report a bug to webmin to move their log files to /var/log?
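The AVC record in the report can be parsed mechanically to reproduce the rule audit2allow suggested and to show why relabelling the directory is the narrower fix. This is an added example, not part of the original bug report or of any Fedora tool; the function names and the GENERIC_TYPES list are assumptions made for illustration.

```python
import re

# The AVC record from the report above, embedded so the example runs offline.
AVC = ('node=ZlatkoLad-Dator.localdomain type=AVC msg=audit(1264883531.885:26252): '
       'avc: denied { append } for pid=1365 comm="hwclock" '
       'path="/var/webmin/miniserv.error" dev=sdc2 ino=412717 '
       'scontext=unconfined_u:system_r:hwclock_t:s0 '
       'tcontext=unconfined_u:object_r:var_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: catch-all types that label many unrelated files.
GENERIC_TYPES = {'var_t', 'usr_t', 'etc_t', 'tmp_t'}


def parse_avc(line):
    """Return the fields of one type=AVC audit record, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the level may itself contain colons.
    for key in ('scontext', 'tcontext'):
        _user, _role, se_type, _level = fields[key].split(':', 3)
        fields[key + '_type'] = se_type
    return fields


def allow_rule(f):
    """Build the type-enforcement rule that would permit the recorded access."""
    perms = f['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {f['scontext_type']} {f['tcontext_type']}:{f['tclass']} {perm_str};"


def relabel_candidate(f):
    """True when the target carries a catch-all type, so an allow rule would
    cover every object of that type rather than just the path in the record."""
    return f['tcontext_type'] in GENERIC_TYPES


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(allow_rule(rec))
    if relabel_candidate(rec):
        print(f"prefer a specific label for {rec['path']} over this rule")
```

Type-enforcement rules match on type, not path, so the generated rule would let hwclock_t append to every file labelled var_t; giving /var/webmin its own label keeps the grant scoped to the log directory.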
Fixed in selinux-policy-3.6.32-80.fc12
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.