Summary: SELinux is preventing /sbin/setfiles from creating a file with a context of cgroup_t on a filesystem. Detailed Description: SELinux is preventing restorecon from creating a file with a context of cgroup_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination. Allowing Access: Use a command like "cp -P" to preserve all permissions except SELinux context. Additional Information: Source Context system_u:object_r:cgroup_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects cgroup [ filesystem ] Source restorecon Source Path /sbin/setfiles Port <Unknown> Host (removed) Source RPM Packages policycoreutils-2.0.83-9.fc15 Target RPM Packages libcgroup-0.36.2-2.fc15 Policy RPM selinux-policy-3.8.8-20.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name filesystem_associate Host Name (removed) Platform Linux (removed) 2.6.36-0.9.rc2.git3.fc15.x86_64 #1 SMP Wed Aug 25 01:08:58 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Sat 28 Aug 2010 10:18:51 PM CDT Last Seen Sat 28 Aug 2010 10:18:51 PM CDT Local ID a167600c-0d2a-40ad-b8f8-ee33ae60ce2e Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1283051931.586:41): avc: denied { associate } for pid=3085 comm="restorecon" name="cgroup" dev=sysfs ino=3 scontext=system_u:object_r:cgroup_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem node=(removed) type=SYSCALL msg=audit(1283051931.586:41): arch=c000003e syscall=189 success=no exit=-13 a0=7f769e2e2010 a1=7f769c264dc9 a2=7f769e296650 a3=1e items=0 ppid=3053 pid=3085 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) Hash String generated from filesystem_associate,restorecon,cgroup_t,sysfs_t,filesystem,associate audit2allow suggests: #============= cgroup_t ============== allow cgroup_t sysfs_t:filesystem associate;
Fixed in selinux-policy-3.9.0-2.fc14
selinux-policy-3.9.0-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.