SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from 'write' accesses on the file /var/lib/abl/users.db.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that polkit-agent-helper-1 should be allowed write access on the users.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/libexec/polkit-1/polkit-agent-helper-1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_auth_t:s0
Target Objects                /var/lib/abl/users.db [ file ]
Source                        polkit-agent-he
Source Path                   /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           polkit-0.98-5.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.10-10.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-0.rc5.git2.1.fc15.x86_64 #1 SMP Thu Dec 9 19:08:58 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    sam. 11 déc. 2010 10:49:06 CET
Last Seen                     sam. 11 déc. 2010 10:52:24 CET
Local ID                      c6fcd9b1-55aa-4a40-80e2-a22704f88be3

Raw Audit Messages
type=AVC msg=audit(1292061144.865:1300): avc: denied { write } for pid=12352 comm="polkit-agent-he" name="users.db" dev=dm-1 ino=41581 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=file

polkit-agent-he,policykit_auth_t,var_auth_t,file,write
type=SYSCALL msg=audit(1292061144.865:1300): arch=x86_64 syscall=open success=no exit=EACCES a0=127a650 a1=2 a2=0 a3=16 items=0 ppid=1942 pid=12352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

polkit-agent-he,policykit_auth_t,var_auth_t,file,write

#============= policykit_auth_t ==============
allow policykit_auth_t var_auth_t:file write;
Does it work with

# grep -r policykit_auth_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Probably should be allowed.
Yes, added to selinux-policy-3.9.10-11.fc15.