Summary:

SELinux is preventing setsebool "sys_admin" access.

Detailed Description:

SELinux denied access requested by setsebool. It is not expected that this access is required by setsebool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        setsebool
Source Path                   setsebool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 11 May 2010 04:40:52 PM EDT
Last Seen                     Tue 11 May 2010 04:40:52 PM EDT
Local ID                      fd67518b-e8b0-449d-82c1-b405a701bd60
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1273610452.674:24): avc: denied { sys_admin } for pid=2447 comm="setsebool" capability=21 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tclass=capability

Hash String generated from catchall,setsebool,setsebool_t,setsebool_t,capability,sys_admin

audit2allow suggests:

#============= setsebool_t ==============
allow setsebool_t self:capability sys_admin;
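An added helper, not part of this report or of Fedora's setroubleshoot/audit2allow tooling, that parses a raw AVC line like the one above, derives the same allow rule audit2allow suggests, and checks that the numeric capability= field agrees with the denied permission. The sample line is constructed from the report; the function names are assumptions and the capability-number table is a small subset of linux/capability.h.

```shell
#!/usr/bin/env bash
# Constructed sample: the raw AVC line from the report above, on one line.
AVC_LINE='node=(removed) type=AVC msg=audit(1273610452.674:24): avc: denied { sys_admin } for pid=2447 comm="setsebool" capability=21 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tclass=capability'

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | sed 's/"//g'
}

# avc_perms LINE: the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | xargs
}

# context_type CONTEXT: the type (third colon-separated field) of an SELinux context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# cap_name NUMBER: name for a few capability numbers (subset of linux/capability.h)
cap_name() {
    case "$1" in
        1) echo dac_override ;;  7) echo setuid ;;      12) echo net_admin ;;
        13) echo net_raw ;;      19) echo sys_ptrace ;; 21) echo sys_admin ;;
        *) echo unknown ;;
    esac
}

# avc_to_rule LINE: the allow rule audit2allow would derive from the denial
avc_to_rule() {
    local stype ttype tclass perms
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    # a denial against the domain's own context is written as "self"
    [ "$stype" = "$ttype" ] && ttype=self
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_cap_consistent LINE: "yes" if the numeric capability= field names the same
# capability as the denied permission, otherwise "no"
avc_cap_consistent() {
    [ "$(cap_name "$(avc_field "$1" capability)")" = "$(avc_perms "$1")" ] && echo yes || echo no
}

avc_to_rule "$AVC_LINE"
```

Feed it the lines from `ausearch -m avc -ts recent` one at a time to see which domain, class and permission each denial involves before deciding whether a local policy module is warranted.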
What were you doing when this happened?
The system had started up after being suspended.
I have no idea why this access would be requested by setsebool. Any idea where the setsebool command is being called? Are you running nis/ypbind?
If it can be reproduced, enable syscall audit first and reproduce it.
stori,

You can do this by executing

# auditctl -w /etc/shadow -p w

Put the machine to sleep and then wake it up. If the AVC happens again, gather all of the avc data and paste it in here.

ausearch -m avc -ts recent

Will collect recent avc messages.
I followed Daniel's instructions. I did the following:

1. Typed 'auditctl -w /etc/shadow -p w' as root
2. Closed the lid to the laptop
3. Waited until it was fully asleep, then I opened the lid
4. Typed 'ausearch -m avc -ts recent' but no matches were reported.

So I cannot reproduce this at least for now. Sorry.