SELinux is preventing /bin/systemd-notify from 'create' accesses on the fichier done. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-notify should be allowed create access on the done file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-notify /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_notify_t:s0 Target Context system_u:object_r:device_t:s0 Target Objects done [ file ] Source systemd-notify Source Path /bin/systemd-notify Port <Inconnu> Host (removed) Source RPM Packages systemd-20-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-1.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-0.rc8.git0.1.fc15.x86_64 #1 SMP Tue Mar 8 08:22:15 UTC 2011 x86_64 x86_64 Alert Count 12 First Seen dim. 13 mars 2011 23:14:30 CET Last Seen mer. 16 mars 2011 00:49:08 CET Local ID 50d74493-1bb2-4851-a224-d28448399b5c Raw Audit Messages type=AVC msg=audit(1300232948.110:55): avc: denied { create } for pid=1340 comm="systemd-notify" name="done" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file type=AVC msg=audit(1300232948.110:55): avc: denied { write open } for pid=1340 comm="systemd-notify" name="done" dev=devtmpfs ino=18239 scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file type=SYSCALL msg=audit(1300232948.110:55): arch=x86_64 syscall=open success=yes exit=ESRCH a0=40506d a1=80141 a2=1b6 a3=3161083250 items=0 ppid=1 pid=1340 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-notify exe=/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) Hash: systemd-notify,systemd_notify_t,device_t,file,create audit2allow #============= systemd_notify_t ============== #!!!! The source type 'systemd_notify_t' can write to a 'file' of the following type: # readahead_var_run_t allow systemd_notify_t device_t:file { write create open }; audit2allow -R #============= systemd_notify_t ============== #!!!! The source type 'systemd_notify_t' can write to a 'file' of the following type: # readahead_var_run_t allow systemd_notify_t device_t:file { write create open };
Also seen on the kde-x86_64-20110315.01 nightly, along with some other denials: Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not ify from write access on the directory .systemd. For complete SELinux messages. run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not ify from write access on the directory .systemd. For complete SELinux messages. run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not ify from write access on the directory .systemd. For complete SELinux messages. run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb Mar 20 17:21:10 localhost setroubleshoot: SELinux is preventing /bin/systemd-not ify from create access on the file done. For complete SELinux messages. run seal ert -l c3df1656-2728-4ef2-addd-9acc9b416eff Mar 20 17:21:10 localhost setroubleshoot: SELinux is preventing /bin/systemd-not ify from create access on the file done. For complete SELinux messages. run seal ert -l c3df1656-2728-4ef2-addd-9acc9b416eff systemd-20-1.fc15.x86_64 selinux-policy-3.9.16-1.fc15.noarch
Fixed in selinux-policy-3.9.16-6.fc15
selinux-policy-3.9.16-6.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-6.fc15
selinux-policy-3.9.16-6.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.