SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file cimv2.21.0-interop.mof.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow systemd-tmpfiles to have unlink access on the cimv2.21.0-interop.mof file
Then you need to change the label on cimv2.21.0-interop.mof
Do
# semanage fcontext -a -t FILE_TYPE 'cimv2.21.0-interop.mof'
where FILE_TYPE is one of the following: man_t, tmp_t, var_auth_t, file_t, lockfile, pidfile, tmpfile, sandbox_file_t, user_home_t, faillog_t, rpm_var_lib_t, etc_runtime_t.
Then execute:
restorecon -v 'cimv2.21.0-interop.mof'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed unlink access on the cimv2.21.0-interop.mof file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                cimv2.21.0-interop.mof [ file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-26-8.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686 #1 SMP Fri Jul 29 18:54:39 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 01 Aug 2011 10:09:22 PM CDT
Last Seen                     Fri 12 Aug 2011 09:09:49 AM CDT
Local ID                      bc1885a6-cf10-4e13-886e-ad181dfd0c23

Raw Audit Messages
type=AVC msg=audit(1313158189.670:87): avc: denied { unlink } for pid=2261 comm="systemd-tmpfile" name="cimv2.21.0-interop.mof" dev=dm-2 ino=331736 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1313158189.670:87): arch=i386 syscall=unlinkat success=yes exit=0 a0=6 a1=9d6a7db a2=0 a3=bfe263b0 items=0 ppid=1 pid=2261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,usr_t,file,unlink

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;

Any idea where cimv2.21.0-interop.mof was located?
Sorry, I was not using this system for about a week so did not get a chance to figure out the answer to your question until now. The full path to the file is: /usr/share/libvirt-cim/cimv2.21.0-interop_mof. This file is part of the libvirt-cim.i686 package. I have no idea why this is happening or an opinion as to whether it should or should not have access to do what it is trying to do.
Did you move a copy of this file to /tmp?
Miroslav, we are allowing this in F16 now.
Fixed in selinux-policy-3.9.16-39.fc15
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.