SELinux is preventing /bin/systemd-notify from 'search' accesses on the directory /sys. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-notify should be allowed search access on the sys directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-notify /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_notify_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects /sys [ dir ] Source systemd-notify Source Path /bin/systemd-notify Port <Unknown> Host (removed) Source RPM Packages systemd-28-1.fc16 Target RPM Packages filesystem-2.4.42-1.fc16 Policy RPM selinux-policy-3.9.16-24.fc16 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.39-1.fc16.x86_64 #1 SMP Sat May 21 02:34:01 UTC 2011 x86_64 x86_64 Alert Count 3 First Seen Fri 27 May 2011 08:05:02 PM CEST Last Seen Sat 28 May 2011 08:57:12 PM CEST Local ID a04ed3a3-db3e-4fa3-8257-a4e23e8f07a6 Raw Audit Messages type=AVC msg=audit(1306609032.322:49): avc: denied { search } for pid=1567 comm="systemd-notify" name="/" dev=sysfs ino=1 scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir type=SYSCALL msg=audit(1306609032.322:49): arch=x86_64 syscall=statfs success=no exit=EACCES a0=7f299eed1510 a1=7fff1f6978d0 a2=1000 a3=7fff1f697660 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-notify exe=/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) Hash: systemd-notify,systemd_notify_t,sysfs_t,dir,search audit2allow #============= systemd_notify_t ============== allow systemd_notify_t sysfs_t:dir search; audit2allow -R #============= systemd_notify_t ============== allow systemd_notify_t sysfs_t:dir search;
systemd-notify --boot stat() /sys/fs/group/systemd in order to determine whether systemd is running: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=90438146289f1e2bc07a7b01c014ccbeb9ba4ab5
Fixed in selinux-policy-3.9.16-27.fc15
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
Package selinux-policy-3.9.16-29.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15 then log in and leave karma (feedback).
Package selinux-policy-3.9.16-30.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.