libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.2.3-2.fc16.x86_64 reason: SELinux is preventing /usr/sbin/usermod from 'read' accesses on the None /var/spool/mail/speed. time: mar. 07 févr. 2012 23:07:43 CET description: :SELinux is preventing /usr/sbin/usermod from 'read' accesses on the None /var/spool/mail/speed. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that usermod should be allowed read access on the speed <Inconnu> by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep usermod /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 :Target Context system_u:object_r:quota_db_t:s0 :Target Objects /var/spool/mail/speed [ None ] :Source usermod :Source Path /usr/sbin/usermod :Port <Inconnu> :Host (removed) :Source RPM Packages shadow-utils-4.1.4.3-11.fc16.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-75.fc16.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 : 20:08:08 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen mar. 07 févr. 2012 09:38:05 CET :Last Seen mar. 07 févr. 2012 09:38:05 CET :Local ID 520b6bdb-0903-42c5-a9e1-acfba283e628 : :Raw Audit Messages :type=AVC msg=audit(1328603885.977:234): avc: denied { read } for pid=11483 comm="usermod" name="speed" dev=dm-0 ino=525470 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:quota_db_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1328603885.977:234): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4661e0f0 a1=800 a2=0 a3=3b2e135dd0 items=0 ppid=2655 pid=11483 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 ses=4 comm="usermod" exe="/usr/sbin/usermod" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) : : :Hash: usermod,useradd_t,quota_db_t,None,read : :audit2allow : : :audit2allow -R : :
The context is this : # usermod -u 1234 username This changes the UID of username to 1234, and applies a subset of fixes to the filesystem. Among those fixes, it tries to chown the /var/spool/mail/username file, which SELinux denies to `usermod`... where it shouldn't be, as `usermod` is definitely legitimate in this action here.
Stephane could you run restorecon -R -v /var/spool/mail This looks like the content here is mislabeled. Did you turn on quota on the mail system?
The install was one-day fresh (complete reinstall after an SSD crash), the `usermod` was one of my first commands, almost nothing was tweaked before it. [root@mercure ~]# ls -Z /var/spool/mail/ -rw-rw----. joe mail unconfined_u:object_r:mail_spool_t:s0 joe -rw-rw----. rpc mail system_u:object_r:mail_spool_t:s0 rpc -rw-rw----. speed mail system_u:object_r:quota_db_t:s0 speed [root@mercure ~]# restorecon -R -v /var/spool/mail/ restorecon reset /var/spool/mail/speed context system_u:object_r:quota_db_t:s0->system_u:object_r:mail_spool_t:s0 [root@mercure ~]# ls -Z /var/spool/mail/ -rw-rw----. joe mail unconfined_u:object_r:mail_spool_t:s0 joe -rw-rw----. rpc mail system_u:object_r:mail_spool_t:s0 rpc -rw-rw----. speed mail system_u:object_r:mail_spool_t:s0 speed You're right, it was mislabeled, and it was even a quota_db_t ! ... But I don't remember enabling anything related to quota during the install, or even after it. Am I missing something here ?
*** This bug has been marked as a duplicate of bug 785759 ***