SELinux is preventing /bin/systemd-tmpfiles from 'read' accesses on the file unix.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-18-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.15-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-0.rc5.git7.1.fc15.x86_64 #1 SMP Tue Feb 22 06:02:13 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 23 Feb 2011 02:04:24 PM CET
Last Seen                     Wed 23 Feb 2011 02:04:24 PM CET
Local ID                      797e656b-4307-4be2-8051-0a96dc883f28

Raw Audit Messages
type=AVC msg=audit(1298466264.1:124): avc: denied { read } for pid=2654 comm="systemd-tmpfile" name="unix" dev=proc ino=4026531981 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1298466264.1:124): avc: denied { open } for pid=2654 comm="systemd-tmpfile" name="unix" dev=proc ino=4026531981 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1298466264.1:124): arch=x86_64 syscall=open success=yes exit=EIO a0=4077a0 a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=2654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,proc_net_t,file,read

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t proc_net_t:file { read open };

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t proc_net_t:file { read open };
*** Bug 679712 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.9.15-3.fc15
That has not been pushed as an update, and there are several newer builds since then. Am I correct in assuming you want -2 to finish testing first, and then you'll push the latest release after that?
I will probably replace the -2 release with a newer release on Monday. You can test it with a build from koji for now: http://koji.fedoraproject.org/koji/buildinfo?buildID=231903
selinux-policy-3.9.16-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-1.fc15
selinux-policy-3.9.16-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
The problem still persists even after the system was updated to selinux-policy-3.9.16-1.fc15.noarch selinux-policy-targeted-3.9.16-1.fc15.noarch
You mean

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t proc_net_t:file { read open };

I get

# sesearch -A -s systemd_tmpfiles_t -t proc_net_t -c file -p read
Found 1 semantic av rules:
   allow systemd_tmpfiles_t proc_net_t : file { ioctl read getattr lock open } ;

Does yum reinstall selinux-policy-targeted complain?
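The two steps this thread turns on, deriving an allow rule from the raw AVC messages (what audit2allow does in the reporter's first message) and then checking that rule against what the loaded policy already grants (what the sesearch call in the last comment does), can be reproduced offline. The following Python script is an added example and is not part of the bug report, of audit2allow or of sesearch. Its sample input is the three audit lines quoted in the report; the policy rule set is constructed from the sesearch output in the last comment, and the narrower rule used in the stale-policy check is a constructed assumption.

```python
"""Triage SELinux AVC denials: derive the allow rule audit2allow would emit
and compare it with rules the loaded policy already grants (sesearch output).
Added example; sample input below is constructed from the bug report."""
import re
from collections import OrderedDict

# Constructed sample: the AVC and SYSCALL lines quoted in the report.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1298466264.1:124): avc: denied { read } for pid=2654 comm="systemd-tmpfile" name="unix" dev=proc ino=4026531981 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1298466264.1:124): avc: denied { open } for pid=2654 comm="systemd-tmpfile" name="unix" dev=proc ino=4026531981 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1298466264.1:124): arch=x86_64 syscall=open success=yes exit=EIO a0=4077a0 a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=2654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)',
]

# The rule sesearch printed in the thread for the updated policy (3.9.16-1).
UPDATED_POLICY = ['allow systemd_tmpfiles_t proc_net_t : file { ioctl read getattr lock open } ;']

# Only AVC records carry a denial; SYSCALL records in the same event are skipped.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Accepts both 'tgt:cls' (audit2allow style) and 'tgt : cls' (sesearch style).
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*;'
)


def _type_of(context):
    """user:role:type:level -> type, the component that appears in the rule."""
    return context.split(':')[2]


def parse_avc_denials(lines):
    """Return [(source_type, target_type, tclass, [perms]), ...] for each AVC denial."""
    denials = []
    for line in lines:
        m = AVC_RE.match(line.strip())
        if m:
            denials.append((_type_of(m['scontext']), _type_of(m['tcontext']),
                            m['tclass'], m['perms'].split()))
    return denials


def derive_allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = OrderedDict()
    for src, tgt, cls, perms in denials:
        bucket = merged.setdefault((src, tgt, cls), OrderedDict())
        for p in perms:
            bucket[p] = None  # ordered set: keeps first-seen order (read before open)
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(bucket))
            for (src, tgt, cls), bucket in merged.items()]


def parse_policy_rules(lines):
    """Parse 'allow src tgt : cls { perms } ;' lines as printed by sesearch -A."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            rules.setdefault((m['src'], m['tgt'], m['cls']), set()).update(m['perms'].split())
    return rules


def uncovered_permissions(denials, policy_lines):
    """Permissions each denial asked for that the given policy does not grant.

    An empty result means the policy already allows the access, so a fresh
    denial points at a policy that was not actually installed or reloaded
    (the question raised in the last comment), not at a missing rule."""
    policy = parse_policy_rules(policy_lines)
    missing = {}
    for src, tgt, cls, perms in denials:
        gap = set(perms) - policy.get((src, tgt, cls), set())
        if gap:
            missing.setdefault('%s %s:%s' % (src, tgt, cls), set()).update(gap)
    return missing


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT)
    for rule in derive_allow_rules(found):
        print(rule)
    print('not yet granted by updated policy:',
          uncovered_permissions(found, UPDATED_POLICY) or 'nothing')
```

Run against the report's lines it prints the same `allow systemd_tmpfiles_t proc_net_t:file { read open };` that audit2allow produced, and against the sesearch rule from the updated policy it reports nothing uncovered, which is why the remaining denial in this thread was treated as an installation problem rather than a policy gap. Before loading any locally generated module with semodule, read the derived rule and confirm the target type is the one the program legitimately needs; audit2allow only transcribes what was denied.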