SELinux is preventing /usr/libexec/telepathy-idle from 'read' accesses on the chr_file urandom. ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to enable reading of urandom for all domains. Then you must tell SELinux about this by enabling the 'global_ssp' boolean. Do setsebool -P global_ssp 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that telepathy-idle should be allowed read access on the urandom chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/libexec/telepathy-idle /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:telepathy_idle_t:s0-s0:c 0.c1023 Target Context system_u:object_r:urandom_device_t:s0 Target Objects urandom [ chr_file ] Source telepathy-idle Source Path /usr/libexec/telepathy-idle Port <Inconnu> Host (removed) Source RPM Packages telepathy-idle-0.1.7-2.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.11-2.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.37-0.rc6.git0.1.fc15.x86_64 #1 SMP Thu Dec 16 15:48:53 UTC 2010 x86_64 x86_64 Alert Count 6 First Seen dim. 19 déc. 2010 13:36:55 CET Last Seen dim. 19 déc. 2010 13:38:22 CET Local ID bdd5fe31-a6ca-4598-9356-6f2723e07c46 Raw Audit Messages type=AVC msg=audit(1292762302.871:159): avc: denied { read } for pid=2553 comm="telepathy-idle" name="urandom" dev=devtmpfs ino=5348 scontext=unconfined_u:unconfined_r:telepathy_idle_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file telepathy-idle,telepathy_idle_t,urandom_device_t,chr_file,read type=AVC msg=audit(1292762302.871:159): avc: denied { open } for pid=2553 comm="telepathy-idle" name="urandom" dev=devtmpfs ino=5348 scontext=unconfined_u:unconfined_r:telepathy_idle_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file telepathy-idle,telepathy_idle_t,urandom_device_t,chr_file,read type=SYSCALL msg=audit(1292762302.871:159): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3e645376aa a1=900 a2=7fff3bb1e540 a3=18 items=0 ppid=1 pid=2553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-idle exe=/usr/libexec/telepathy-idle subj=unconfined_u:unconfined_r:telepathy_idle_t:s0-s0:c0.c1023 key=(null) telepathy-idle,telepathy_idle_t,urandom_device_t,chr_file,read #============= telepathy_idle_t ============== #!!!! This avc can be allowed using the boolean 'global_ssp' allow telepathy_idle_t urandom_device_t:chr_file { read open };
*** Bug 664231 has been marked as a duplicate of this bug. ***
*** Bug 664232 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.9.11-3.fc15