+++ This bug was initially created as a clone of Bug #663584 +++

SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mysql_indexes should be allowed unix_read unix_write access on the Unknown sem by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Objects                Unknown [ sem ]
Source                        mysql_indexes
Source Path                   mysql_indexes
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 16 Dec 2010 10:40:05 CET
Last Seen                     Thu 16 Dec 2010 10:45:06 CET
Local ID                      b91c66b9-7afb-4de8-a0ce-f98011fcb75c

Raw Audit Messages
type=AVC msg=audit(1292492706.386:45854): avc: denied { unix_read unix_write } for pid=9317 comm="mysql_tmp_table" key=1667461225 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem

mysql_indexes,services_munin_plugin_t,services_munin_plugin_t,sem,unix_read,unix_write

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { unix_read unix_write };

Sadly, the proposed solution:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does not fix the issue.

--- Additional comment from mrunge on 2010-12-16 05:04:05 EST ---

The solution was proposed from the new setroubleshoot-applet.
grep mysql_indexes /var/log/audit.... is empty.
(The bug is: the setroubleshoot applet suggests a solution which does not fix the issue.)
See if your audit.log has rolled.

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol

Maybe a better solution would be

ausearch -m avc -se mysql_indexes | audit2allow -M mypol
[root@mrungexp ~]# ausearch -m avc -se mysql_indexes | audit2allow -M mypol
<no matches>
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te

Asking myself whether something else is broken right now.

[root@mrungexp ~]# rpm -q audit
audit-2.0.4-4.fc14.x86_64
One more try:

ausearch -m avc -se services_munin_plugin_t | audit2allow -M mypol
[root@mrungexp ~]# ausearch -m avc -se services_munin_plugin_t | audit2allow -m mypol

module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type cupsd_rw_etc_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read create write getattr unix_write };
	class file { read write open };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t cupsd_rw_etc_t:file { read open };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:sem { write unix_read unix_write associate read create };
allow services_munin_plugin_t self:shm create;
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:shm { unix_read write getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t user_tmpfs_t:file { read write };

After applying the resulting policy, it looks like those errors are gone now. Thank you!
I think this can be closed; I'm not sure if this is a local config error or if it can be reproduced on other systems.
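The raw AVC record in the report and the allow rules audit2allow produced from the ausearch output, as an added example that is not part of this bug report or of the audit tools: a small Python parser that pulls scontext, tcontext, tclass and the denied permissions out of AVC records and merges them into allow rules the way audit2allow does (writing self when source and target type match), and that returns an empty list for empty input rather than the broken mypol.te seen when ausearch matched nothing. The SYSCALL record and the second AVC line with a cupsd_rw_etc_t target are constructed to exercise the non-self case.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC line quoted in the report, a SYSCALL record
# that must be ignored, and a constructed AVC line with a non-self target type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292492706.386:45854): avc: denied { unix_read unix_write } for pid=9317 comm="mysql_tmp_table" key=1667461225 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem
type=SYSCALL msg=audit(1292492706.386:45854): arch=c000003e syscall=66 success=no exit=-13
type=AVC msg=audit(1292492710.001:45860): avc: denied { read open } for pid=9320 comm="mysql_indexes" path="/etc/cups/x" scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
"""

# Matches the fields audit2allow needs from one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def allow_rules(text):
    """Merge denials into allow rules as audit2allow would.

    Same source/target type becomes 'self'; permissions for the same
    (source, target, class) triple are unioned. Empty or non-matching input
    yields an empty list instead of an unparseable policy module.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        target = "self" if stype == ttype else ttype
        merged[(stype, target, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

Review each generated rule against what the process actually needs before loading it with semodule; the module only records what was denied, not whether the access should be granted.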
Since this version of Fedora is no longer supported, I am closing this bug. If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.