Bug 720505 - proftpd and cgroups
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-07-11 20:46 UTC by Paul Howarth
Modified: 2011-12-04 02:33 UTC (History)

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Last Closed: 2011-12-04 02:33:40 UTC

Description Paul Howarth 2011-07-11 20:46:01 UTC
I get various AVCs related to cgroup usage with systemd when logging in 
to proftpd on F-15:

type=AVC msg=audit(1310388446.140:7884): avc:  denied  { read } for 
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file

type=AVC msg=audit(1310388446.140:7884): avc:  denied  { open } for 
pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 
success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443 
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.142:7885): avc:  denied  { getattr } for 
pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 
success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7886): avc:  denied  { write } for 
pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=AVC msg=audit(1310388446.143:7886): avc:  denied  { add_name } for 
  pid=12071 comm="proftpd" name="785" 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { create } for 
pid=12071 comm="proftpd" name="785" 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 
success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7887): avc:  denied  { write } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1310388446.143:7887): avc:  denied  { open } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 
success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443 
pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.143:7888): avc:  denied  { getattr } for 
pid=12071 comm="proftpd" 
path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup 
ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5 
success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7889): avc:  denied  { setattr } for 
pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 
success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1310388446.150:7890): avc:  denied  { setattr } for 
pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 
success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0 
ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" 
subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

/var/log/messages includes:

Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - 
FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - 
Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]: 
pam_systemd(proftpd:session): Failed to lock runtime directory: 
Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]: 
pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1 
(10.9.2.1[10.9.2.1]) - FTP session closed.

audit2allow -R suggests:

fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)

proftpd does appear to work despite these messages, so I'm wondering if 
it would be better to dontaudit these rather than allow them?

Dan (on the fedora selinux list) reckons that proftpd may be trying to set up its own cgroups but I can't see anything in the code relating to that.

I've established that the "Failed to lock runtime directory" message is due to proftpd dropping capabilities but I don't know which one it needs to retain for this to work.
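The AVC records in the description, reduced to the raw permissions they request, rendered either as `allow` or as `dontaudit` rules (the two options the reporter weighs). This is an added example, not part of the original report and not audit2allow's code; the sample lines are copied from the report and unwrapped, and the names `SAMPLE`, `denials` and `rules` are chosen here.

```python
import re
from collections import defaultdict

# Sample input: records from the report above, joined back onto one line each.
SAMPLE = """\
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.142:7885): avc:  denied  { getattr } for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { create } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7887): avc:  denied  { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.150:7890): avc:  denied  { setattr } for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
                 r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")

def setype(context):
    """user:role:type:level -> type (the level may itself contain colons)."""
    return context.split(":")[2]

def denials(log):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for m in AVC.finditer(log):  # SYSCALL and other record types never match
        key = (setype(m["src"]), setype(m["tgt"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return grouped

def rules(log, verb="allow"):
    """Render one policy rule per group; verb is 'allow' or 'dontaudit'."""
    return [f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials(log).items())]

if __name__ == "__main__":
    print("\n".join(rules(SAMPLE) + rules(SAMPLE, "dontaudit")))
```

The three groups line up with the three interfaces audit2allow -R suggested: directory and file management on cgroup_t, and reading init_t process state.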

Comment 1 Daniel Walsh 2011-07-11 22:21:17 UTC
Is this being caused by pam_systemd?

Comment 2 Paul Howarth 2011-07-12 06:45:10 UTC
(In reply to comment #0)
> I've established that the "Failed to lock runtime directory" message is due to
> proftpd dropping capabilities but I don't know which one it needs to retain for
> this to work.

It turns out to be CAP_DAC_OVERRIDE; does this mean that everything using pam_systemd needs to retain (and be permitted to use by SELinux) this capability?

(In reply to comment #1)
> Is this being caused by pam_systemd?

That's my suspicion. I may be able to try it without pam_systemd later today.

Comment 3 Daniel Walsh 2011-07-12 16:53:00 UTC
Well if that is the case, we had better figure out a way to fix this.

Comment 4 Daniel Walsh 2011-07-12 16:53:38 UTC
I think we need a way to set up cgroups that does not require this priv.

Comment 5 Lennart Poettering 2011-07-13 02:05:36 UTC
So, in general PAM hooks really need to be invoked with full privileges, and running them with reduced caps is bound to fail in some cases depending on the PAM modules used.

In pam_systemd in F15 we need CAP_DAC_OVERRIDE. This will change in F16, where most of the smart stuff pam_systemd is responsible for is actually moved out of the PAM module code and into a tiny service of its own. That means CAP_DAC_OVERRIDE will not be necessary anymore then.

Comment 6 Daniel Walsh 2011-07-13 12:46:36 UTC
I think from an SELinux point of view, we need additional labeling for cgroups file system, since I might want to allow a process to modify limit its children processes but not change its own cgroups, or other processes' cgroups.

The other question I have is does proftp or any ftp daemon need pam_systemd?

Comment 7 Paul Howarth 2011-07-13 13:05:14 UTC
proftpd's PAM configuration includes "password-auth" to handle authentication in the system-default way, and this is set up by authconfig and includes pam_systemd by default.

Comment 8 Paul Howarth 2011-07-13 13:17:13 UTC
I tried copying password-auth to password-auth-proftpd and including that instead of password-auth in proftpd's PAM config. I restarted proftpd and tried logging in, and the AVCs were generated as before. I then commented out the one line in password-auth-proftpd that referred to pam_systemd (-session optional      pam_systemd.so), restarted proftpd and tried again, and no AVCs were generated. So the cgroup-related AVCs are definitely coming from pam_systemd running as ftpd_t.
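The test in comment 8, expressed as a check that walks a service's PAM `include`/`substack` chain and reports how a module is pulled in. This is an added example, not from the thread; the file contents in `PAM_D` are constructed stand-ins (the thread only states that proftpd includes password-auth and quotes the pam_systemd line), and `proftpd-fixed` and `chains` are names chosen here.

```python
import re

# Constructed stand-ins for files under /etc/pam.d (assumption, see lead-in).
PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
-session    optional      pam_systemd.so
"""
PAM_D = {
    "proftpd": "#%PAM-1.0\n"
               "auth include password-auth\n"
               "account include password-auth\n"
               "session required pam_loginuid.so\n"
               "session include password-auth\n",
    "password-auth": PASSWORD_AUTH,
    # Comment 8's workaround: a private copy with the pam_systemd line commented out.
    "password-auth-proftpd": PASSWORD_AUTH.replace("-session", "#-session"),
    "proftpd-fixed": "auth include password-auth-proftpd\n"
                     "account include password-auth-proftpd\n"
                     "session include password-auth-proftpd\n",
}

# [-]type  control-or-[bracketed control]  module-or-included-file
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
TYPES = ("auth", "account", "password", "session")

def chains(service, module, files=PAM_D, mtype=None, trail=()):
    """Return [(type, [file, ...])] for every path by which `module` is loaded."""
    if mtype is None:
        return [hit for t in TYPES for hit in chains(service, module, files, t, trail)]
    trail = trail + (service,)
    hits = []
    for raw in files.get(service, "").splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments first
        if not m or m.group(2) != mtype:
            continue  # include only pulls in lines of the same management type
        control, target = m.group(3), m.group(4)
        if control in ("include", "substack"):
            if target not in trail:  # guard against include loops
                hits += chains(target, module, files, mtype, trail)
        elif target.rsplit("/", 1)[-1] == module:
            hits.append((mtype, list(trail)))
    return hits

if __name__ == "__main__":
    print(chains("proftpd", "pam_systemd.so"))
    print(chains("proftpd-fixed", "pam_systemd.so"))
```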

Comment 9 Daniel Walsh 2011-07-13 13:32:07 UTC
The question is, does anything in ftp daemons benefit from using pam_systemd?  Or is this really only useful for login shells?

Adding dac_override for ftpd_t is not that big a deal since it can already setuid.  But the cgroup stuff is another question.

Comment 10 Paul Howarth 2011-07-13 13:42:53 UTC
(In reply to comment #9)
> The question is, does anything in ftp daemons benefit from using pam_systemd? 
> Or is this really only useful for login shells?

Assuming the answer to this is "no" (Lennart will know the answer better than me, for sure), there's then the question of how can an ftp daemon hook into what authconfig has produced without pulling in pam_systemd.

Comment 11 Lennart Poettering 2011-07-14 12:53:48 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > The question is, does anything in ftp daemons benefit from using pam_systemd? 
> > Or is this really only useful for login shells?
> 
> Assuming the answer to this is "no" (Lennart will know the answer better than
> me, for sure), there's then the question of how can an ftp daemon hook into
> what authconfig has produced without pulling in pam_systemd.

Hmm, it's a good question whether pam-systemd should be in the PAM chain for proftpd. It might actually be useful, if people want the ftp users to show up in their own cgroups. Might be good to apply cgroup limits to them. Then again, this probably doesn't matter too much and keeping it out of the chain is OK too.

Comment 12 Paul Howarth 2011-07-14 13:00:39 UTC
Random thought: would there be any harm in having authconfig put pam_systemd in postlogin rather than password-auth?

Comment 13 Paul Howarth 2011-09-28 13:15:19 UTC
Just tried proftpd on F16 alpha + updates + updates-testing and login with user from LDAP via sssd. I needed this local policy:

#============= ftpd_t ==============
systemd_write_inherited_logind_sessions_pipes(ftpd_t)

#============= systemd_logind_t ==============
allow systemd_logind_t ftpd_t:dir search;
allow systemd_logind_t ftpd_t:file { read getattr open };


Don't know if this is related to pam-systemd or not.

Comment 14 Daniel Walsh 2011-09-28 15:16:17 UTC
Miroslav

30467adf1bc421ea2b42a995f45ea550c5dcb90e 

In F16 policy implements the changes to make this work in F15

Comment 15 Paul Howarth 2011-09-28 18:46:51 UTC
Note that Comment #13 was from an F-16 system, not an F-15 one.

Comment 16 Daniel Walsh 2011-09-28 19:27:21 UTC
Ok in that case this will be fixed in 

selinux-policy-3.10.0-35.fc16

Comment 17 Miroslav Grepl 2011-09-29 08:06:00 UTC
Added to f15.

Comment 18 Paul Howarth 2011-11-11 09:47:50 UTC
Still getting these on F15 with selinux-policy-3.9.16-46.fc15:

type=AVC msg=audit(1321004214.811:756818): avc:  denied  { read } for  pid=22369 comm="proftpd" name="cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file

type=AVC msg=audit(1321004214.811:756818): avc:  denied  { open } for  pid=22369 comm="proftpd" name="cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file

type=SYSCALL msg=audit(1321004214.811:756818): arch=c000003e syscall=2 success=yes exit=13 a0=256faf0 a1=80000 a2=1b6 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.813:756819): avc:  denied  { getattr } for  pid=22369 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file

type=SYSCALL msg=audit(1321004214.813:756819): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fff6555fb20 a2=7fff6555fb20 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.813:756820): avc:  denied  { write } for  pid=22369 comm="proftpd" name="paul" dev=cgroup ino=48633 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=AVC msg=audit(1321004214.813:756820): avc:  denied  { add_name } for  pid=22369 comm="proftpd" name="66692" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=AVC msg=audit(1321004214.813:756820): avc:  denied  { create } for  pid=22369 comm="proftpd" name="66692" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=SYSCALL msg=audit(1321004214.813:756820): arch=c000003e syscall=83 success=yes exit=0 a0=256f9f0 a1=1ed a2=0 a3=6c7561702f726573 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.813:756821): avc:  denied  { write } for  pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1321004214.813:756821): avc:  denied  { open } for  pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=SYSCALL msg=audit(1321004214.813:756821): arch=c000003e syscall=2 success=yes exit=14 a0=256fc40 a1=80241 a2=1b6 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.814:756822): avc:  denied  { getattr } for  pid=22369 comm="proftpd" path="/sys/fs/cgroup/systemd/user/paul/66692/tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=SYSCALL msg=audit(1321004214.814:756822): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7fff655602f0 a2=7fff655602f0 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.818:756823): avc:  denied  { setattr } for  pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=SYSCALL msg=audit(1321004214.818:756823): arch=c000003e syscall=90 success=yes exit=0 a0=256fc40 a1=1a4 a2=1f4 a3=7561702f72657375 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1321004214.818:756824): avc:  denied  { setattr } for  pid=22369 comm="proftpd" name="66692" dev=cgroup ino=19396450 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

type=SYSCALL msg=audit(1321004214.818:756824): arch=c000003e syscall=90 success=yes exit=0 a0=256fc10 a1=1ed a2=1f4 a3=7561702f72657375 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)



On F-16 with selinux-policy-3.10.0-55.fc16 I'm getting:

type=AVC msg=audit(1321004707.304:1143): avc:  denied  { search } for  pid=30199 comm="systemd-logind" name="1591" dev=proc ino=14162393 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=dir

type=AVC msg=audit(1321004707.304:1143): avc:  denied  { read } for  pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file

type=AVC msg=audit(1321004707.304:1143): avc:  denied  { open } for  pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file

type=SYSCALL msg=audit(1321004707.304:1143): arch=c000003e syscall=2 success=yes exit=11 a0=15d1430 a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)

type=AVC msg=audit(1321004707.304:1144): avc:  denied  { getattr } for  pid=30199 comm="systemd-logind" path="/proc/1591/sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file

type=SYSCALL msg=audit(1321004707.304:1144): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fffe3b39190 a2=7fffe3b39190 a3=0 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)

None of these appear to prevent proftpd from working as expected.

Comment 19 Fedora Update System 2011-11-16 16:15:35 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 20 Fedora Update System 2011-11-17 23:34:09 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2011-12-04 02:33:40 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

