SELinux is preventing /usr/sbin/getsebool from 'read' accesses on the directory booleans. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that getsebool should be allowed read access on the booleans directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/sbin/getsebool /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:security_t:s0 Target Objects booleans [ dir ] Source getsebool Source Path /usr/sbin/getsebool Port <Unknown> Host (removed) Source RPM Packages libselinux-utils-2.0.96-6.fc14.1 Target RPM Packages Policy RPM selinux-policy-3.9.7-19.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Mon 10 Jan 2011 12:32:03 PM CST Last Seen Mon 10 Jan 2011 12:32:03 PM CST Local ID 80a8438a-5d20-46ad-ac1a-f78e798fcbb1 Raw Audit Messages type=AVC msg=audit(1294684323.157:186): avc: denied { read } for pid=8498 comm="getsebool" name="booleans" dev=selinuxfs ino=19 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir getsebool,cobblerd_t,security_t,dir,read type=SYSCALL msg=audit(1294684323.157:186): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff36fdba90 a1=90800 a2=3c13c13c70 a3=1 items=0 ppid=8366 pid=8498 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=getsebool exe=/usr/sbin/getsebool subj=unconfined_u:system_r:cobblerd_t:s0 key=(null) getsebool,cobblerd_t,security_t,dir,read #============= cobblerd_t ============== allow cobblerd_t security_t:dir read;
cobbler should not do that.
I think this is duplicate of bug 617573. The reproducer is a 'cobbler check' command with selinux enabled. *** This bug has been marked as a duplicate of bug 617573 ***