Summary: SELinux is preventing /usr/sbin/iceccd "execute" access on gcc.

Detailed Description:
[iceccd has a permissive type (iceccd_t). This access was not denied.]

SELinux denied access requested by iceccd. It is not expected that this access is required by iceccd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                unconfined_u:system_r:iceccd_t:s0
Target Context                unconfined_u:object_r:iceccd_tmp_t:s0
Target Objects                gcc [ file ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           icecream-0.9.5-5.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 21 Jun 2010 10:41:55 AM CEST
Last Seen                     Tue 22 Jun 2010 07:23:17 AM CEST
Local ID                      00b09842-bee8-4cb8-8e10-c9ce973f7737
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277184197.464:35): avc: denied { execute } for pid=25478 comm="iceccd" name="gcc" dev=tmpfs ino=95799 scontext=unconfined_u:system_r:iceccd_t:s0 tcontext=unconfined_u:object_r:iceccd_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1277184197.464:35): arch=c000003e syscall=21 success=yes exit=128 a0=d2c578 a1=1 a2=0 a3=2d6363672f34365f items=0 ppid=3420 pid=25478 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="iceccd" exe="/usr/sbin/iceccd" subj=unconfined_u:system_r:iceccd_t:s0 key=(null)

Hash String generated from  catchall,iceccd,iceccd_t,iceccd_tmp_t,file,execute
audit2allow suggests:

#============= iceccd_t ==============
allow iceccd_t iceccd_tmp_t:file execute;
After this, the iceccd daemon is dead. A "service icecream restart" will help for a while.
Seems like a strange priv? iceccd is executing gcc that it downloaded to /tmp?
Could you attach your /etc/sysconfig/icecream? I'm curious if you changed ICECREAM_BASEDIR. By default the config file specifies /var/cache/icecream, which is labeled with the type iceccd_cache_t. If you are using a different directory, it would have to be labeled with the same context (for example using "semanage fcontext -a -e /var/cache/icecream /your/alternative/dir").
You are right. My ICECREAM_BASEDIR points to /tmp/icecream. After

# semanage fcontext -a -e /var/cache/icecream /tmp/icecream
# restorecon /tmp/icecream
# ls -Zd /tmp/icecream
drwxr-xr-x. root root system_u:object_r:iceccd_cache_t:s0 /tmp/icecream

iceccd is working now. Many thanks.
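The equivalence-rule fix from the two comments above, as an added example that is not part of this bug report or of the icecream project: a POSIX sh script that reads ICECREAM_BASEDIR from the sysconfig file and, when it differs from the policy's default /var/cache/icecream, prints (with "plan") or runs (with "apply", as root) the semanage equivalence rule and the restorecon that relabel the tree, instead of allowing iceccd_t to execute iceccd_tmp_t files as the audit2allow output proposes. The script name and the plan/apply arguments are my own conventions.

```shell
#!/bin/sh
# icecream-selinux.sh (hypothetical name): added example, not part of the bug
# report or of icecream. Label a non-default ICECREAM_BASEDIR like the policy's
# default /var/cache/icecream instead of adding the "allow iceccd_t
# iceccd_tmp_t:file execute" rule that audit2allow proposes.
#
#   sh icecream-selinux.sh plan  [/etc/sysconfig/icecream]   # print the commands
#   sh icecream-selinux.sh apply [/etc/sysconfig/icecream]   # run them (as root)

# Directory the targeted policy already labels iceccd_cache_t.
DEFAULT_BASEDIR=/var/cache/icecream

# Print the effective ICECREAM_BASEDIR from a sysconfig file ($1): the last
# uncommented assignment wins, surrounding quotes are dropped, and an unset
# variable means the default directory.
icecream_basedir() {
    conf=${1:-/etc/sysconfig/icecream}
    dir=$(sed -n \
        's/^[[:space:]]*ICECREAM_BASEDIR=["'\'']\{0,1\}\([^"'\''[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    printf '%s\n' "${dir:-$DEFAULT_BASEDIR}"
}

# Make $1 carry the same labels as the default cache directory. Mode ($2) is
# "plan" (default), which only prints the commands, or "apply", which runs
# them. Does nothing when the default directory is in use, because the
# policy's own file contexts already cover it.
relabel() {
    dir=$1
    mode=${2:-plan}
    if [ "$mode" = apply ]; then run=; else run=echo; fi
    if [ "$dir" != "$DEFAULT_BASEDIR" ]; then
        # Equivalence rule: paths under $dir are labelled as if they were the
        # same paths under /var/cache/icecream. The rule alone changes no
        # on-disk label; restorecon applies it to the existing tree.
        $run semanage fcontext -a -e "$DEFAULT_BASEDIR" "$dir" &&
            $run restorecon -Rv "$dir"
    fi
}

main() {
    mode=$1
    conf=${2:-/etc/sysconfig/icecream}
    dir=$(icecream_basedir "$conf")
    echo "ICECREAM_BASEDIR=$dir"
    relabel "$dir" "$mode" || { echo "relabel failed" >&2; exit 1; }
    # After apply the directory should show iceccd_cache_t, as in the report.
    if [ "$mode" = apply ]; then
        ls -Zd "$dir"
    fi
}

case ${1:-} in
    plan|apply) main "$@" ;;
esac
```

Run "sh icecream-selinux.sh plan" first to see the two commands it would issue for your configuration. One caveat worth keeping in mind: the AVC in the report shows dev=tmpfs, and a freshly created directory gets its label from the creating process and its parent (the iceccd_tmp_t seen in the denial), not from fcontext rules, so if /tmp is emptied at boot the restorecon step has to be repeated each time the directory is recreated. Keeping the base directory under /var/cache avoids the problem entirely.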