Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-128.fc17.noarch

How reproducible:
systemctl start ddclient.service

SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ddclient_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          sameer.laptop
Source RPM Packages           bash-4.2.29-1.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     sameer.laptop
Platform                      Linux sameer.laptop 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 15 Jun 2012 06:46:10 PM IDT
Last Seen                     Fri 15 Jun 2012 06:46:10 PM IDT
Local ID                      ae4d4e24-ed1b-4a0b-987f-87ef163fe320

Raw Audit Messages
type=AVC msg=audit(1339775170.822:728): avc: denied { read } for pid=12982 comm="sh" name="passwd" dev="sda1" ino=60955 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=AVC msg=audit(1339775170.822:728): avc: denied { open } for pid=12982 comm="sh" name="passwd" dev="sda1" ino=60955 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1339775170.822:728): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7ff4f29d46ca a1=80000 a2=1b6 a3=238 items=0 ppid=12981 pid=12982 auid=4294967295 uid=992 gid=988 euid=992 suid=992 fsuid=992 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:ddclient_t:s0 key=(null)

Hash: sh,ddclient_t,passwd_file_t,file,read

audit2allow

#============= ddclient_t ==============
allow ddclient_t passwd_file_t:file { read open };

audit2allow -R

#============= ddclient_t ==============
allow ddclient_t passwd_file_t:file { read open };

Fixed in selinux-policy-3.10.0-131.fc17