Description of problem:
I am facing selinux alerts of this kind:
"SELinux is preventing /usr/sbin/ypbind from 'read, write' accesses on the file ypbind.pid."

This behavior leaves users clueless about which file the alert actually is referring to and is not helpful.

Version-Release number of selected component (if applicable):
setroubleshoot-3.0.41-1.fc16.x86_64

How reproducible:
No idea - Produce an alert :-)

Steps to Reproduce:
No idea - The alert doesn't provide sufficient info to be able to provide a reproducer.

Actual results:
c.f. above. The alert is referring to a filename.

Expected results:
SELinux to produce human-understandable alerts.

Additional info:
The corresponding sealert also doesn't contain more info:

# sealert -l 011cc86d-9bb3-4d75-ab56-b1a8803a87fd
SELinux is preventing /usr/sbin/ypbind from 'read, write' accesses on the file ypbind.pid.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ypbind should be allowed read write access on the ypbind.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Sadly this is a kernel issue. Because of performance issues under certain workloads the kernel can not reconstruct the path. If you want to turn on full auditing, you can add a line like

-w /etc/shadow -p w

to /etc/audit/audit.rules

Then next time you boot, the kernel should assemble the full path. I would doubt you would notice the loss in performance, but it is considered too big an impact to turn on in general.
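Added example, not part of the original bug report or its comments: once audit rules are loaded, the records of one event share the `timestamp:serial` id in `msg=audit(...)`, so the bare `name=` in an AVC record can be joined with the CWD and PATH records of the same event. The log lines below, including the path `/var/run/ypbind.pid`, are constructed sample data, and `resolve_denials` is a hypothetical helper name.

```python
import os
import re

# Constructed sample records (not from the bug report): event 410 has only an
# AVC record; event 455 was logged with audit rules loaded, so CWD/PATH exist.
SAMPLE_LOG = """\
type=AVC msg=audit(1325376000.101:410): avc:  denied  { read write } for  pid=901 comm="ypbind" name="ypbind.pid" dev=dm-1 ino=1312 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1325376100.202:455): avc:  denied  { read write } for  pid=950 comm="ypbind" name="ypbind.pid" dev=dm-1 ino=1312 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1325376100.202:455): arch=c000003e syscall=2 success=no exit=-13 pid=950 comm="ypbind" exe="/usr/sbin/ypbind"
type=CWD msg=audit(1325376100.202:455):  cwd="/"
type=PATH msg=audit(1325376100.202:455): item=0 name="var/run/ypbind.pid" inode=1312 dev=fd:01 mode=0100644
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def resolve_denials(log_text):
    """Return (event_id, comm, path) for every AVC record in log_text.

    path is absolute when CWD/PATH records share the AVC's event id;
    otherwise it is only the bare file name the AVC record carries.
    """
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(event_id, {}).setdefault(rtype, []).append(fields)

    results = []
    for event_id, recs in events.items():
        cwd = recs.get("CWD", [{}])[0].get("cwd", "")
        for avc in recs.get("AVC", []):
            # Pick the PATH item whose last component equals the AVC name= value.
            path = next((p["name"] for p in recs.get("PATH", [])
                         if os.path.basename(p.get("name", "")) == avc.get("name")), None)
            if path is not None:
                # PATH name= may be relative to the process cwd, hence the join.
                path = os.path.normpath(os.path.join(cwd, path))
            results.append((event_id, avc.get("comm"), path or avc.get("name")))
    return results

if __name__ == "__main__":
    for row in resolve_denials(SAMPLE_LOG):
        print(row)
```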