Bug 564328 - SELinux is preventing hwclock (hwclock_t) "append" to /var/webmin/miniserv.error (var_t).
Summary: SELinux is preventing hwclock (hwclock_t) "append" to /var/webmin/miniserv.er...
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:590367a7bb2...
Depends On:
Blocks:
 
Reported: 2010-02-12 12:45 UTC by Jochen Brinkmann
Modified: 2010-02-12 14:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-12 14:50:44 UTC
Type: ---
Embargoed:



Description Jochen Brinkmann 2010-02-12 12:45:25 UTC
Summary:

SELinux is preventing hwclock (hwclock_t) "append" to /var/webmin/miniserv.error
(var_t).

Detailed Description:

[hwclock has a permissive type (hwclock_t). This access was not denied.]

SELinux denied access requested by hwclock. It is not expected that this access
is required by hwclock and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/webmin/miniserv.error,

restorecon -v '/var/webmin/miniserv.error'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:hwclock_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/webmin/miniserv.error [ file ]
Source                        hwclock
Source Path                   /sbin/hwclock
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.14.1-3.2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-55.fc10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP
                              Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Wed 22 Apr 2009 08:37:27 CEST
Last Seen                     Wed 22 Apr 2009 08:40:00 CEST
Local ID                      08aa8239-0fb5-43b1-8206-25823969fe60
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1240382400.781:26): avc:  denied  { append } for  pid=4584 comm="hwclock" path="/var/webmin/miniserv.error" dev=dm-0 ino=20472074 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1240382400.781:26): arch=c000003e syscall=59 success=yes exit=0 a0=7fff60e64435 a1=1ea3768 a2=1932f80 a3=8101010101010100 items=0 ppid=4579 pid=4584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hwclock" exe="/sbin/hwclock" subj=system_u:system_r:hwclock_t:s0 key=(null)



Hash String generated from  selinux-policy-3.5.13-55.fc10,catchall_file,hwclock,hwclock_t,var_t,file,append
audit2allow suggests:

#============= hwclock_t ==============
allow hwclock_t var_t:file append;

Comment 1 Daniel Walsh 2010-02-12 14:50:44 UTC

*** This bug has been marked as a duplicate of bug 538428 ***

