Description of problem:
I am running vpnc with custom scripts. This results in SELinux warnings. setroubleshoot also says:

If you believe that vpnc should be allowed getattr access on the vpnc-fifo.conf fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

If I execute these commands I get a warning:
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-130.fc17.noarch

How reproducible:
always

Steps to Reproduce:
1. Do something to trigger a warning. For example: vpnc ./vpnc.conf where vpnc.conf is in the user's home directory
2. Click setroubleshoot, click details, copy these lines, and execute:
3. grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
4. semodule -i mypol.pp

Actual results:
A warning is displayed:
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************

Expected results:
No warning should occur.
Note that SELinux itself recommends this course of action, and the user is not given any hint whether it's good or bad to downgrade a policy.

Additional info:

I believe you see different AVC msgs and this is a reason why you get a new AVC. If you switch to permissive mode or execute

# semanage permissive -a vpnc_t

then you can collect all AVC msgs

# grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
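
The effect described in the comment above, as an added Python example that is not part of the bug report and is not audit2allow's own code: it merges AVC denials for one domain into allow rules, so a log with only the first denial can be compared with one collected while the domain is permissive. The sample records are constructed; the target type `user_home_t` and the extra `read`/`open` denials are assumptions, and the merge is a simplification of what audit2allow derives.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug report). The target type
# user_home_t and the read/open denials are assumptions for illustration.
ENFORCING_LOG = '''\
type=AVC msg=audit(1340000000.101:201): avc:  denied  { getattr } for  pid=2101 comm="vpnc" path="/home/user/vpnc-fifo.conf" dev="dm-1" ino=1311 scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file
'''
# With the domain permissive, later accesses are logged instead of blocked.
PERMISSIVE_LOG = ENFORCING_LOG + '''\
type=AVC msg=audit(1340000100.202:305): avc:  denied  { read open } for  pid=2188 comm="vpnc" path="/home/user/vpnc-fifo.conf" dev="dm-1" ino=1311 scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file
type=AVC msg=audit(1340000100.209:306): avc:  denied  { read } for  pid=2188 comm="vpnc" name="vpnc.conf" dev="dm-1" ino=1312 scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1340000100.209:306): arch=c000003e syscall=2 success=yes exit=3 comm="vpnc"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]


def allow_rules(log_text, domain='vpnc_t'):
    """Merge AVC denials for one source domain into allow-rule strings."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith('type=AVC') or not m:
            continue  # skip SYSCALL and other non-AVC records
        src = selinux_type(m['scon'])
        if src != domain:
            continue
        key = (src, selinux_type(m['tcon']), m['tclass'])
        merged[key].update(m['perms'].split())
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in merged.items())


if __name__ == '__main__':
    print('\n'.join(allow_rules(ENFORCING_LOG)))
    print('\n'.join(allow_rules(PERMISSIVE_LOG)))
```

Reviewing the merged rules before loading a module shows exactly which extra permissions the domain would receive.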