After a recent 'yum upgrade', I got:

Summary:

SELinux is preventing cyrus-master (cyrus_t) "write" usr_t.

Detailed Description:

SELinux denied access requested by cyrus-master. It is not expected that this access is required by cyrus-master and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/snmp/mibs [ dir ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          blackpad.lan.raisama.net
Source RPM Packages           cyrus-imapd-2.3.16-2.fc11
Target RPM Packages           net-snmp-libs-5.4.2.1-13.fc11
Policy RPM                    selinux-policy-3.6.12-93.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     blackpad.lan.raisama.net
Platform                      Linux blackpad.lan.raisama.net 2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24 16:41:17 UTC 2009 i686 i686
Alert Count                   8
First Seen                    Sun 12 Jul 2009 07:21:27 PM BRT
Last Seen                     Wed 03 Feb 2010 08:39:11 AM BRST
Local ID                      18b0f93a-8b3e-49cb-9906-f7abea9bcab3
Line Numbers

Raw Audit Messages

node=blackpad.lan.raisama.net type=AVC msg=audit(1265193551.557:4196): avc: denied { write } for pid=4082 comm="cyrus-master" name="mibs" dev=dm-3 ino=116615 scontext=unconfined_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=blackpad.lan.raisama.net type=SYSCALL msg=audit(1265193551.557:4196): arch=40000003 syscall=5 success=no exit=-13 a0=bfef0f70 a1=8241 a2=1b6 a3=5c78ff items=0 ppid=4081 pid=4082 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=unconfined_u:system_r:cyrus_t:s0 key=(null)
cyrus-imapd shouldn't be writing to /usr/share, anyway, so moving the bug from selinux-policy to cyrus-imapd.
(In reply to comment #1)
> cyrus-imapd shouldn't be writing to /usr/share, anyway,

and, of course, cyrus-imapd is not writing there ;)

> so moving the bug from
> selinux-policy to cyrus-imapd.

still wrong component

net-snmp-libs owns /usr/share/snmp/mibs and this library is creating some index file during initialization when it's missing, cyrus-imapd can't control this anyway, this bug already exists somewhere... for example bug #523249, I can't find fedora version now, but I guess net-snmp owner will find it faster :)
AFAIK there is no Fedora bug for this, you are the first reporter. Congratulations!

Net-snmp-libs does not provide .index file in its rpm and cyrus-imapd (by linking libnetsnmp*) tries to create one -> SELinux error. The error does not have any impact on cyrus or net-snmp functionality, net-snmp libraries can live without write access to the .index.

As a workaround, you can try the following commands:

touch /usr/share/snmp/mibs/.index
restorecon -R -v /usr/share/snmp/mibs/.index
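Added example, not part of the original bug thread: a small Python triage script that pairs the AVC record from the report with its SYSCALL record and decodes the open() arguments, so the denial can be read as a file-creation attempt in the directory rather than a bare "write". The flag table holds the i386 open(2) values and applies only to arch=40000003; the function names are illustrative.

```python
import errno
import re

# Records copied from the report in this thread (node= prefix and the
# SYSCALL fields after a3 left out).
AVC = ('type=AVC msg=audit(1265193551.557:4196): avc: denied { write } for '
       'pid=4082 comm="cyrus-master" name="mibs" dev=dm-3 ino=116615 '
       'scontext=unconfined_u:system_r:cyrus_t:s0 '
       'tcontext=system_u:object_r:usr_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1265193551.557:4196): arch=40000003 '
           'syscall=5 success=no exit=-13 a0=bfef0f70 a1=8241 a2=1b6 a3=5c78ff')

# i386 open(2) flag bits; only valid for arch=40000003 (AUDIT_ARCH_I386).
I386_OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC",
                   0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}
ACCESS_MODES = ["O_RDONLY", "O_WRONLY", "O_RDWR", "invalid-access-mode"]

def event_id(record):
    """timestamp:serial that ties an AVC record to its SYSCALL record."""
    return re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)

def fields(record):
    """key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def parse_avc(record):
    """Denied permissions, object class and the type part of both contexts."""
    f = fields(record)
    perms = re.search(r"denied\s+\{([^}]*)\}", record).group(1).split()
    return {"perms": perms, "tclass": f["tclass"], "name": f["name"],
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2]}

def decode_open(f):
    """Decode an i386 open() SYSCALL record; None for anything else."""
    if f.get("arch") != "40000003" or f.get("syscall") != "5":
        return None
    flags = int(f["a1"], 16)
    names = [ACCESS_MODES[flags & 3]]
    names += [n for bit, n in I386_OPEN_FLAGS.items() if flags & bit]
    return {"call": "open", "flags": names, "mode": oct(int(f["a2"], 16)),
            "errno": errno.errorcode[-int(f["exit"])]}

if __name__ == "__main__":
    assert event_id(AVC) == event_id(SYSCALL)  # same audit event
    print(parse_avc(AVC))
    print(decode_open(fields(SYSCALL)))
```

The decoded call is open() with O_WRONLY|O_CREAT|O_TRUNC and mode 0666 failing with EACCES, which matches the explanation above that the library tries to create its index file in /usr/share/snmp/mibs.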
Should be assigned, and the .index file should be provided and should be moved to some place like /var/lib/snmp out of /usr/share
The .index file is in /var/lib/net-snmp in net-snmp-5.5 in Rawhide, I'd like to avoid rebasing stuff in F11-12.
(and .index will be provided in /usr/share/snmp/mibs in updated F11-12 packages)
Great.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
oops, forgot to release this update... Feel free to poke me earlier next time :)
net-snmp-5.4.2.1-14.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/net-snmp-5.4.2.1-14.fc11
net-snmp-5.4.2.1-14.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update net-snmp'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/net-snmp-5.4.2.1-14.fc11
net-snmp-5.4.2.1-14.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.