Summary: SELinux is preventing /usr/sbin/certmonger "dac_override" access . Detailed Description: SELinux denied access requested by certmonger. It is not expected that this access is required by certmonger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:certmonger_t:s0 Target Context unconfined_u:system_r:certmonger_t:s0 Target Objects None [ capability ] Source certmonger Source Path /usr/sbin/certmonger Port <Unknown> Host lenovo.home Source RPM Packages certmonger-0.32-0.2010113022gitc2be99c.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-74.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name lenovo.home Platform Linux lenovo.home 2.6.34.7-63.fc13.i686 #1 SMP Fri Dec 3 12:35:44 UTC 2010 i686 i686 Alert Count 576 First Seen Fri 10 Dec 2010 01:11:49 PM EST Last Seen Fri 10 Dec 2010 01:26:29 PM EST Local ID 24b2284b-7cdb-4ace-b19a-ef90d4669dea Line Numbers Raw Audit Messages node=lenovo.home type=AVC msg=audit(1292005589.876:64809): avc: denied { dac_override } for pid=16173 comm="certmonger" capability=1 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:system_r:certmonger_t:s0 tclass=capability node=lenovo.home type=AVC msg=audit(1292005589.876:64809): avc: denied { dac_read_search } for pid=16173 comm="certmonger" capability=2 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:system_r:certmonger_t:s0 tclass=capability node=lenovo.home type=SYSCALL msg=audit(1292005589.876:64809): arch=40000003 syscall=5 success=no exit=-13 a0=9966620 a1=242 a2=180 a3=99666b0 items=0 ppid=14128 pid=16173 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
The issue is found during IPA installation.
Miroslav, Add them. Since certmonger can be setup to watch random certificate files, that can be owned by different uids, this is going to be needed.
Fixed in selinux-policy-3.9.7-17.fc14
selinux-policy-3.9.7-18.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-18.fc14
selinux-policy-3.9.7-18.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-18.fc14
Please build for F13 too.
Fixed in selinux-policy-3.7.19-77.fc13.
selinux-policy-3.7.19-77.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13
selinux-policy-3.9.7-18.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.