Bug 703437 - SELinux is preventing /bin/find from 'read' accesses on the directory /.
Summary: SELinux is preventing /bin/find from 'read' accesses on the directory /.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:23e14c81fad...
Duplicates: 703434
Depends On:
Blocks:
Reported: 2011-05-10 10:47 UTC by Hicham HAOUARI
Modified: 2011-07-12 05:17 UTC (History)

Fixed In Version: selinux-policy-3.9.7-42.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-12 05:17:09 UTC
Type: ---
Embargoed:



Description Hicham HAOUARI 2011-05-10 10:47:05 UTC
SELinux is preventing /bin/find from 'read' accesses on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow find to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: device_t, locale_t, etc_t, proc_t, sysctl_crypto_t, prelink_cron_system_t, abrt_t, lib_t, root_t, usr_t, var_lib_t, device_t, etc_t, rpm_var_cache_t, textrel_shlib_t, rpm_var_lib_t, var_run_t, prelink_log_t, prelink_var_lib_t, bin_t, lib_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that find should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep find /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        find
Source Path                   /bin/find
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           findutils-4.5.9-2.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-35.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 04 Apr 2011 01:15:50 PM WEST
Last Seen                     Mon 04 Apr 2011 01:19:31 PM WEST
Local ID                      ae19421e-2be5-4b64-9775-9a0eb83762ae

Raw Audit Messages
type=AVC msg=audit(1301919571.937:33): avc:  denied  { read } for  pid=2090 comm="find" name="/" dev=sda1 ino=2 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1301919571.937:33): arch=i386 syscall=open success=no exit=EACCES a0=806d1eb a1=8000 a2=0 a3=b items=0 ppid=2082 pid=2090 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=find exe=/bin/find subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: find,prelink_cron_system_t,mnt_t,dir,read

audit2allow

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t mnt_t:dir read;

audit2allow -R

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t mnt_t:dir read;

Comment 1 Miroslav Grepl 2011-05-11 08:16:54 UTC
what is your output of

# ls -dZ /

Comment 2 Miroslav Grepl 2011-05-11 08:17:17 UTC
*** Bug 703434 has been marked as a duplicate of this bug. ***

Comment 3 Hicham HAOUARI 2011-05-14 00:10:05 UTC
dr-xr-xr-x. root root system_u:object_r:root_t:s0      /

Comment 4 Miroslav Grepl 2011-05-16 20:11:24 UTC
Does it happen again?

Comment 5 Daniel Walsh 2011-05-17 08:04:25 UTC
This is probably a file system mounted under /mnt or /media that is causing this.  The kernel reports "/" for the top inode of any file system, not just the / for the root file system.  Most likely this can be ignored.  Miroslav, we can probably just allow it.

Comment 6 Hicham HAOUARI 2011-05-17 08:50:42 UTC
(In reply to comment #4)
> Does it happen again?

Yes, it happens all the time (since some F-14 update that I am not sure of). I don't have this issue on F-15.

Comment 7 Miroslav Grepl 2011-05-17 09:44:19 UTC
(In reply to comment #5)
> This is probably a file system mounted under /mnt or /media  That is causing
> this.  The kernel reports "/" for the top Inode of any file system, not just
> the / for the root file system.  Most likely this can be ignored.  Miroslav we
> can probably just allow it.

Yes, it looks so.

Comment 8 Miroslav Grepl 2011-05-27 10:05:07 UTC
Fixed in selinux-policy-3.9.7-42.fc14

Comment 9 Fedora Update System 2011-05-27 15:46:04 UTC
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14

Comment 10 Fedora Update System 2011-05-27 20:28:01 UTC
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).

Comment 11 Daniel Walsh 2011-07-11 18:14:09 UTC
*** Bug 703434 has been marked as a duplicate of this bug. ***

Comment 12 Daniel Walsh 2011-07-11 18:15:28 UTC
Hicham could you attach the AVC that you are now seeing?

Comment 13 Hicham HAOUARI 2011-07-11 20:19:14 UTC
SELinux is preventing /usr/sbin/logrotate from read access on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow logrotate to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: sysctl_kernel_t, sysctl_crypto_t,
mailman_log_t, logrotate_t, abrt_t, lib_t, root_t, varnishlog_log_t, usr_t,
var_lock_t, device_t, bin_t, cert_t, etc_t, tmp_t, usr_t, user_home_dir_t,
logrotate_var_lib_t, textrel_shlib_t, device_t, devpts_t, locale_t,
logrotate_tmp_t, etc_t, logfile, pidfile, proc_t, named_cache_t,
httpd_config_t, acct_data_t, var_run_t, security_t, munin_etc_t, var_spool_t,
mysqld_etc_t, var_lib_t, domain, abrt_var_cache_t, var_log_t, net_conf_t,
inotifyfs_t, nscd_var_run_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           logrotate-3.7.9-2.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.35.13-92.fc14.i686 #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686
Alert Count                   4
First Seen                    Wed 22 Jun 2011 03:20:02 PM WEST
Last Seen                     Fri 08 Jul 2011 08:17:02 PM WEST
Local ID                      10d08932-839c-4598-a0be-e04ea2eea2a4

Raw Audit Messages
type=AVC msg=audit(1310152622.164:43): avc:  denied  { read } for  pid=3471 comm="logrotate" name="/" dev=sda1 ino=2 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1310152622.164:43): arch=i386 syscall=open success=no exit=EACCES a0=8052ea2 a1=8000 a2=0 a3=a items=0 ppid=3469 pid=3471 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,mnt_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;
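
The two raw AVC records in this report (comment 0 and comment 13) are the same denial seen from two domains, and the triage step in comments 3 and 5 is a label comparison: `ls -dZ /` shows `root_t`, while the denied object carries `mnt_t`, so the `name="/"` in the AVC is the top inode of a mounted file system rather than the real root. The following script is an added example, not code from this bug or from the selinux-policy project. It parses AVC lines of the shape shown above (the two sample records are copied from the report), prints the same `allow` rule that `audit2allow` shows, flags the mount-point-root case using the label from `ls -dZ /`, and renders the `dontaudit` counterpart that comment 14 reaches for via the `files_dontaudit_list_mnt()` interface. The bare `dontaudit` rule is my own rendering of that choice, not the interface's exact expansion; the `triage` labels are names I chose.

```python
"""Parse SELinux AVC denial records and triage the '/' mount-point case.

Added example; the AVC_SAMPLES below are the two records from this report.
"""
import re

AVC_SAMPLES = [
    'type=AVC msg=audit(1301919571.937:33): avc:  denied  { read } for  pid=2090 '
    'comm="find" name="/" dev=sda1 ino=2 '
    'scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'type=AVC msg=audit(1310152622.164:43): avc:  denied  { read } for  pid=3471 '
    'comm="logrotate" name="/" dev=sda1 ino=2 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a denied AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'perms': m.group('perms').split(), **fields}
    # A context is user:role:type[:range]; the type is what policy rules name.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def _perm_set(perms):
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(rec):
    """The rule audit2allow prints for this denial (grants the access)."""
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {_perm_set(rec['perms'])};"


def dontaudit_rule(rec):
    """Raw-policy rendering of the 'silence it' choice: access stays denied, log stays quiet."""
    return f"dontaudit {rec['stype']} {rec['ttype']}:{rec['tclass']} {_perm_set(rec['perms'])};"


def triage(rec, root_label):
    """root_label is the type shown by `ls -dZ /` (root_t on the reporter's box).

    The kernel reports name="/" for the top inode of any mounted file system, so a
    "/" whose label differs from the real root's label is some other mount's root.
    """
    if rec.get('name') == '/' and rec.get('tclass') == 'dir':
        return 'real-root' if rec['ttype'] == root_label else 'mount-point-root'
    return 'other'


def rules_for(lines, root_label='root_t'):
    """Deduplicated (triage, allow rule, dontaudit rule) triples, like audit2allow's grouping."""
    seen = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'], tuple(rec['perms']))
        seen.setdefault(key, (triage(rec, root_label), allow_rule(rec), dontaudit_rule(rec)))
    return sorted(seen.values())


if __name__ == '__main__':
    for verdict, allow, dontaudit in rules_for(AVC_SAMPLES):
        print(f'{verdict:18} {allow}   |   {dontaudit}')
```

Run against the two records from this report it prints `mount-point-root` for both, with `allow prelink_cron_system_t mnt_t:dir read;` and `allow logrotate_t mnt_t:dir read;` as the `allow` text, matching the `audit2allow` output in the report.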

Comment 14 Daniel Walsh 2011-07-11 22:19:10 UTC
Miroslav add
files_dontaudit_list_mnt(logrotate_t)

Comment 15 Fedora Update System 2011-07-12 05:15:29 UTC
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
