SELinux is preventing /usr/bin/chcon from 'mac_admin' accesses on the capability2 Unknown. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that chcon should be allowed mac_admin access on the Unknown capability2 by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep chcon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects Unknown [ capability2 ] Source chcon Source Path /usr/bin/chcon Port <Unknown> Host (removed) Source RPM Packages coreutils-8.5-7.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-20.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 Alert Count 4 First Seen Thu 20 Jan 2011 02:32:25 PM CST Last Seen Thu 20 Jan 2011 02:39:27 PM CST Local ID 098033e6-ee16-42b6-9719-e3e4dd89458c Raw Audit Messages type=AVC msg=audit(1295555967.501:41300): avc: denied { mac_admin } for pid=4672 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 chcon,unconfined_t,unconfined_t,capability2,mac_admin type=SYSCALL msg=audit(1295555967.501:41300): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=25e00e0 a1=362d415995 a2=25e2a30 a3=25 items=0 ppid=4614 pid=4672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=chcon exe=/usr/bin/chcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) chcon,unconfined_t,unconfined_t,capability2,mac_admin #============= unconfined_t ============== allow unconfined_t self:capability2 mac_admin;
Pretty skimpy information - Unknown... I did not open up SELinux to this request. My system did not crash, the sky is not falling, etc. I was sending an email near the moment I was notified of the problem. --- My email was sent.
Did you execute the 'chcon' command? This means you tried to set a context via chcon that the kernel/policy does not know about. For example: chcon -t abc_exec_t /bin/ps
Possible other apps that could cause this would be livecd, rpm/yum, mock?
It might have been caused by me - using chcon with an erroneous argument. I was executing a 'fix' chcon line in response to a suggestion in another bug report. I haven't checked the timing, but this bug may have been caused by that command.
Ok, sadly making a mistake in a chcon will cause this issue. It is usually better to execute semanage fcontext -t abc_exec_t PATH restorecon PATH Then to use chcon.
As I remember, the syntax and content of the chcon command I executed was recommended by a se tool in response to another se problem. If there is a better command syntax, then that better syntax should be incorporated into the se tools for execution by future sysadmins.
If you can grab the output from I would figure setroubleshoot, I would love to look at it?