libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.5.1-1.fc17.x86_64
time:           Sat 18 Aug 2012 03:11:34 PM CEST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'rmdir' accesses on the directory include.
:
:***** Plugin catchall_labels (83.8 confidence) suggests ********************
:
:If you want to allow tmpwatch to have rmdir access on the include directory
:Then you need to change the label on include
:Do
:# semanage fcontext -a -t FILE_TYPE 'include'
:where FILE_TYPE is one of the following: print_spool_t, amavis_spool_t, file_t, man_t, tmpfile, sandbox_file_t, kismet_log_t, rpm_var_cache_t, httpd_cache_t, user_home_type, httpd_sys_rw_content_t.
:Then execute:
:restorecon -v 'include'
:
:
:***** Plugin catchall (17.1 confidence) suggests ***************************
:
:If you believe that tmpwatch should be allowed rmdir access on the include directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:usr_t:s0
:Target Objects                include [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-2.fc17.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-145.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.1-1.fc17.x86_64 #1 SMP Thu Aug
:                              9 17:50:43 UTC 2012 x86_64 x86_64
:Alert Count                   57
:First Seen                    2012-08-04 07:25:04 CEST
:Last Seen                     2012-08-18 03:09:39 CEST
:Local ID                      be1f3d77-50e6-4898-812a-fb1eca2f1206
:
:Raw Audit Messages
:type=AVC msg=audit(1345252179.374:707): avc: denied { rmdir } for pid=18330 comm="tmpwatch" name="include" dev="dm-1" ino=407857 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1345252179.374:707): arch=x86_64 syscall=rmdir success=no exit=EACCES a0=1553a83 a1=404848 a2=1553240 a3=31e0daf778 items=0 ppid=18328 pid=18330 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=40 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,usr_t,dir,rmdir
:
:audit2allow
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t usr_t:dir rmdir;
:
:audit2allow -R
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t usr_t:dir rmdir;
:
It looks like you moved the include dir to the /tmp directory? If yes, you need to execute

# chcon -Rt user_tmp_t /tmp/include
I have a clean Fedora installation without any specific modifications of my own. I found these "include" directories:

file:///tmp/vbox.0/include/
file:///usr/include/
file:///usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/
file:///usr/lib/kbd/keymaps/include/
file:///usr/lib/kbd/keymaps/mac/include/
file:///usr/lib/kbd/keymaps/i386/include/
file:///usr/lib/python2.7/site-packages/django/contrib/admin/templates/admin/includes/
file:///usr/share/selinux/devel/include/
file:///usr/share/doc/xen-licenses-4.1.2/tools/include/
file:///usr/share/doc/xen-licenses-4.1.2/xen/include/
file:///usr/share/doc/xen-licenses-4.1.2/dist/install/usr/include/
file:///usr/share/doc/python-paste-1.7.5.1/include/
file:///usr/share/virtualbox/src/vboxhost/vboxnetadp/include/
file:///usr/share/virtualbox/src/vboxhost/vboxnetflt/include/
file:///usr/share/virtualbox/src/vboxhost/vboxdrv/include/
file:///usr/share/virtualbox/src/vboxhost/vboxpci/include/
file:///usr/local/include/
file:///usr/src/kernels/3.5.2-1.fc17.x86_64/include/
file:///usr/src/kernels/3.5.2-1.fc17.x86_64/arch/cris/include/
file:///usr/src/kernels/3.5.2-1.fc17.x86_64/arch/x86/include/
file:///usr/src/kernels/3.5.1-1.fc17.x86_64/include/
file:///usr/src/kernels/3.5.1-1.fc17.x86_64/arch/cris/include/
file:///usr/src/kernels/3.5.1-1.fc17.x86_64/arch/x86/include/
file:///usr/src/kernels/3.5.0-2.fc17.x86_64/include/
file:///usr/src/kernels/3.5.0-2.fc17.x86_64/arch/cris/include/
file:///usr/src/kernels/3.5.0-2.fc17.x86_64/arch/x86/include/
Ok, what does # ls -lZ /tmp/vbox.0
# ls -lZ /tmp/vbox.0
drwxr-xr-x. root root system_u:object_r:usr_t:s0 common
drwxr-xr-x. root root system_u:object_r:usr_t:s0 include
drwxr-xr-x. root root system_u:object_r:usr_t:s0 linux
drwxr-xr-x. root root system_u:object_r:usr_t:s0 math
drwxr-xr-x. root root system_u:object_r:usr_t:s0 r0drv
Ok, just to be sure could you give your output of

# ls -dZ /tmp/

and then execute

# chcon -R -t user_tmp_t /tmp/vbox.0

which should fix it.
# ls -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/

&

# chcon -R -t user_tmp_t /tmp/vbox.0
done