Description of problem: SELinux has blocked asterisk from accessing a file. SELinux troubleshooter information below. This is a fresh installation of asterisk - no configuration or customisation has been performed as yet. Only thing I've done since installation was "service asterisk start". Version-Release number of selected component (if applicable): selinux-policy-3.10.0-84.fc16.noarch asterisk-1.8.11.0-1.fc16.i686 asterisk-ooh323-1.8.11.0-1.fc16.i686 How reproducible: Always. Deny message in audit.log is approx 1 second after asterisk service start message. type=SERVICE_START msg=audit(1336121106.636:84): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="asterisk" exe="/bin/systemd" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1336121107.677:85): avc: denied { read } for pid=3016 comm="asterisk" name="unix" dev="proc" ino=4026532001 context=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file Steps to Reproduce: 1. Install asterisk RPM via yum 2. service asterisk start 3. check audit.log or SELinux troubleshooter Actual results: SELinux is preventing asterisk from read access on the file unix. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that asterisk should be allowed read access on the unix file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep asterisk /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:asterisk_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects unix [ file ] Source asterisk Source Path asterisk Port <Unknown> Host opti.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.10.0-84.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name opti.localdomain Platform Linux opti.localdomain 3.3.2-6.fc16.i686 #1 SMP Sat Apr 21 13:23:12 UTC 2012 i686 i686 Alert Count 1 First Seen Fri 04 May 2012 09:45:07 AM BST Last Seen Fri 04 May 2012 09:45:07 AM BST Local ID c9815f10-65bf-48f6-92c9-291e9db88f5f Raw Audit Messages type=AVC msg=audit(1336121107.677:85): avc: denied { read } for pid=3016 comm="asterisk" name="unix" dev="proc" ino=4026532001 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file Hash: asterisk,asterisk_t,proc_net_t,file,read audit2allow #============= asterisk_t ============== allow asterisk_t proc_net_t:file read; audit2allow -R #============= asterisk_t ============== allow asterisk_t proc_net_t:file read; Expected results: Additional info:
Fixed in selinux-policy-3.10.0-90.fc16.noarch
selinux-policy-3.10.0-90.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-90.fc16
Package selinux-policy-3.10.0-90.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-90.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10203/selinux-policy-3.10.0-90.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-90.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.