SELinux is preventing /usr/sbin/callweaver from 'write' accesses on the sock_file /var/run/callweaver/callweaver.ctl.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that callweaver should be allowed write access on the callweaver.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep callweaver /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /var/run/callweaver/callweaver.ctl [ sock_file ]
Source                        callweaver
Source Path                   /usr/sbin/callweaver
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           callweaver-1.2.1-6.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    dim. 01 mai 2011 11:18:37 CEST
Last Seen                     dim. 15 mai 2011 11:25:55 CEST
Local ID                      eac8db36-029e-4736-ae75-cc8948a9dd94

Raw Audit Messages
type=AVC msg=audit(1305451555.315:44): avc: denied { write } for pid=5463 comm="callweaver" name="callweaver.ctl" dev=dm-1 ino=917728 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1305451555.315:44): avc: denied { connectto } for pid=5463 comm="callweaver" path="/var/run/callweaver/callweaver.ctl" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1305451555.315:44): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffc7db0150 a2=6e a3=3b0a997210 items=0 ppid=5462 pid=5463 auid=0 uid=492 gid=489 euid=492 suid=492 fsuid=492 egid=489 sgid=489 fsgid=489 tty=(none) ses=5 comm=callweaver exe=/usr/sbin/callweaver subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: callweaver,logrotate_t,var_run_t,sock_file,write

audit2allow

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t var_run_t:sock_file write;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t var_run_t:sock_file write;
Looks like we need a new policy for callweaver, or to find a proper domain.
Miroslav, I agree, but it would probably not be bad to allow this communication also. I wrote an initial callweaver policy in F16.
(In reply to comment #2)
> Miroslav I agree but it would probably not be a bad allow this communication
> also.
>
Yes, I was thinking also about that. It could prevent other bugs.
Fixed in selinux-policy-3.9.7-42.fc14
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.