Description of problem:
The arpwatch daemon can't start on F17 because of selinux denials:

type=AVC msg=audit(1331635217.527:10713): avc: denied { create } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1331635217.527:10713): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=7fff0fc58ad0 items=0 ppid=1 pid=22103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1331635217.528:10714): avc: denied { write } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1331635217.528:10714): arch=c000003e syscall=44 success=yes exit=28 a0=3 a1=7fff0fc58610 a2=1c a3=0 items=0 ppid=1 pid=22103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1331635217.529:10715): avc: denied { read } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1331635217.529:10715): arch=c000003e syscall=45 success=yes exit=36 a0=3 a1=7fff0fc58610 a2=400 a3=0 items=0 ppid=1 pid=22103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=SERVICE_START msg=audit(1331635217.535:10716): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="arpwatch" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=ANOM_PROMISCUOUS msg=audit(1331635217.540:10717): dev=eth0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1331635217.540:10717): arch=c000003e syscall=54 success=yes exit=0 a0=0 a1=107 a2=1 a3=7fff0fc58d80 items=0 ppid=1 pid=22104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1331635217.554:10718): avc: denied { sys_ptrace } for pid=20221 comm="cgrulesengd" capability=19 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:system_r:cgred_t:s0 tclass=capability
type=SYSCALL msg=audit(1331635217.554:10718): arch=c000003e syscall=89 success=yes exit=18 a0=7fffd7bcccf0 a1=7fffd7bcdcf0 a2=1000 a3=7f728d62da1b items=0 ppid=1 pid=20221 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe="/usr/sbin/cgrulesengd" subj=system_u:system_r:cgred_t:s0 key=(null)

Version-Release number of selected component (if applicable):
# getenforce; cat /etc/redhat-release; rpm -q selinux-policy systemd arpwatch
Permissive
Fedora release 17 (Beefy Miracle)
selinux-policy-3.10.0-97.fc17.noarch
systemd-43-2.fc17.x86_64
arpwatch-2.1a15-19.fc17.x86_64

How reproducible:
Always

Steps to Reproduce:
Start the service
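As an added example (not part of the bug report or the Fedora policy), a small Python parser that turns AVC records like the ones above into a per-domain summary of denied permissions and the allow rules a local policy module built from that log would contain. The sample records are copied from this report with their trailing SYSCALL fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: the arpwatch AVC records from the report above, plus the
# unrelated cgred_t denial that appears in the same excerpt (trailing fields trimmed).
AUDIT_SAMPLE = """\
type=AVC msg=audit(1331635217.527:10713): avc: denied { create } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1331635217.527:10713): arch=c000003e syscall=41 success=yes exit=3 comm="arpwatch" exe="/usr/sbin/arpwatch"
type=AVC msg=audit(1331635217.528:10714): avc: denied { write } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=AVC msg=audit(1331635217.529:10715): avc: denied { read } for pid=22103 comm="arpwatch" scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=AVC msg=audit(1331635217.554:10718): avc: denied { sys_ptrace } for pid=20221 comm="cgrulesengd" capability=19 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:system_r:cgred_t:s0 tclass=capability
"""

def parse_avc(line):
    """Return (source_domain, target_type, target_class, permissions) for an AVC
    denial record, or None for any other record type (SYSCALL, SERVICE_START, ...)."""
    m = re.search(r'avc: +denied +\{([^}]*)\}', line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type[:range]; field 2 is the type (the domain).
    sdomain = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return sdomain, ttype, fields['tclass'], set(m.group(1).split())

def summarize_denials(audit_text, domain=None):
    """Group denied permissions by (source domain, target type, target class).
    With `domain` set, only denials raised by that domain are kept, so the
    unrelated cgred_t sys_ptrace denial stays out of arpwatch's report."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        sdomain, ttype, tclass, perms = parsed
        if domain is None or sdomain == domain:
            summary[(sdomain, ttype, tclass)] |= perms
    return dict(summary)

def to_allow_rules(audit_text, domain):
    """Render one domain's denials as allow rules in SELinux policy syntax (the
    shape a local module built from the log would have). Each rule widens what the
    domain may do, so compare it with the upstream policy fix before loading it."""
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(summarize_denials(audit_text, domain).items()):
        target = 'self' if ttype == sdomain else ttype
        rules.append(f"allow {sdomain} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

For this report, `to_allow_rules(AUDIT_SAMPLE, 'arpwatch_t')` yields the single rule `allow arpwatch_t self:netlink_socket { create read write };`, which matches the netlink_socket access the policy update later granted.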
Fixed in selinux-policy-3.10.0-100.fc17
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).
Verified using:
# getenforce; cat /etc/redhat-release; rpm -q selinux-policy systemd arpwatch
Enforcing
Fedora release 17 (Beefy Miracle)
selinux-policy-3.10.0-104.fc17.noarch
systemd-44-1.fc17.x86_64
arpwatch-2.1a15-19.fc17.x86_64

Thanks for the fix!
Could you update the karma, please? Thank you.
Karma increased.
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.