Hi, I've just upgraded to F-18, and I've noticed the following messages in dmesg when running in permissive mode:

[ 87.411333] type=1400 audit(1346591594.833:6): avc: denied { read } for pid=1459 comm="hpfax" name="nsswitch.conf" dev="sdb1" ino=919650 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 87.411423] type=1400 audit(1346591594.833:7): avc: denied { open } for pid=1459 comm="hpfax" path="/etc/nsswitch.conf" dev="sdb1" ino=919650 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 87.411977] type=1400 audit(1346591594.834:8): avc: denied { getattr } for pid=1459 comm="hpfax" path="/etc/nsswitch.conf" dev="sdb1" ino=919650 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Here is the matching audit.log contents from a *different boot*, this time in enforcing mode, so it stops after the first read:

type=AVC msg=audit(1346594180.814:65): avc: denied { read } for pid=1512 comm="hpfax" name="nsswitch.conf" dev="sdb1" ino=919650 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1346594180.814:65): arch=c000003e syscall=2 success=no exit=-13 a0=7f3cec89a3d2 a1=80000 a2=1b6 a3=238 items=0 ppid=1507 pid=1512 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1346594180.815:66): avc: denied { read } for pid=1512 comm="hpfax" name="nsswitch.conf" dev="sdb1" ino=919650 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1346594180.815:66): arch=c000003e syscall=2 success=no exit=-13 a0=7f3cec89a3d2 a1=80000 a2=1b6 a3=238 items=0 ppid=1507 pid=1512 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

Regards,
Hans
The problem is

nsswitch.conf

is mislabeled. Something is wrong on an upgrade.

$ restorecon -R -v /etc/nsswitch.conf

will fix it.

What does

# rpm -qa --scripts |grep nsswitch
(In reply to comment #1)
> The problem is
>
> nsswitch.conf
>
> is mislabeled. Something is wrong on an upgrade.
>
> $ restorecon -R -v /etc/nsswitch.conf
>
> will fix it.

I already did a "fixfiles onboot; reboot" and then checked again before filing any selinux bugs:

[hans@shalem qemu]$ ls -Z /etc/nsswitch.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/nsswitch.conf
[hans@shalem qemu]$ restorecon -R -v /etc/nsswitch.conf
[hans@shalem qemu]$ ls -Z /etc/nsswitch.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/nsswitch.conf
[hans@shalem qemu]$

> What does
>
> # rpm -qa --scripts |grep nsswitch

[hans@shalem qemu]$ rpm -qa --scripts |grep nsswitch
# sed-fu to add myhostname to the hosts line of /etc/nsswitch.conf
if [ -f /etc/nsswitch.conf ] ; then
' /etc/nsswitch.conf
# sed-fu to remove myhostname from the hosts line of /etc/nsswitch.conf
if [ "$1" -eq 0 -a -f /etc/nsswitch.conf ] ; then
' /etc/nsswitch.conf
if ! grep -s -q '^hosts: \+files \+dns *$' /etc/nsswitch.conf;then
cat /etc/nsswitch.conf >/usr/share/lsb/nsswitch.conf.orig
ed -s /etc/nsswitch.conf <<EOF
cat /etc/nsswitch.conf >/usr/share/lsb/nsswitch.conf
if [ -e /usr/share/lsb/nsswitch.conf -a -e /usr/share/lsb/nsswitch.conf.orig ];then
if cmp -s /usr/share/lsb/nsswitch.conf /etc/nsswitch.conf;then
cat /usr/share/lsb/nsswitch.conf.orig >/etc/nsswitch.conf
rm -f /usr/share/lsb/{nsswitch.conf,nsswitch.conf.orig}
# Perl-fu to add mdns4_minimal to the hosts line of /etc/nsswitch.conf
if [ -f /etc/nsswitch.conf ] ; then
' /etc/nsswitch.conf
# sed-fu to remove mdns4_minimal from the hosts line of /etc/nsswitch.conf
if [ "$1" -eq 0 -a -f /etc/nsswitch.conf ] ; then
' /etc/nsswitch.conf
I apologize, this is a valid bug. I read "resolv.conf" instead of "nsswitch.conf". Added a fix. Thanks.
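The triage in this thread has two steps: read the AVC records (the dmesg lines in permissive mode, the AVC/SYSCALL pairs in enforcing mode) to see which source domain, target type, class and permissions are involved, then decide whether the target type is wrong (fix with restorecon) or correct and merely not allowed by policy (a policy bug, as it turned out here). The script below is an added example, not code from the bug report, from hplip or from selinux-policy. It parses both record formats, joins AVC and SYSCALL records by their audit timestamp and serial, decodes the exit value, and classifies each denial against an expected target type that the caller supplies (in practice from `matchpathcon` or `restorecon -n -v`; here the `etc_t` seen in the `ls -Z` output above). The sample lines are copied from the report and embedded as constructed test input.

```python
import errno
import re
from collections import defaultdict

# Constructed test input: one permissive-mode dmesg line and one
# enforcing-mode AVC/SYSCALL pair, copied from the bug report above.
SAMPLE_LINES = [
    '[   87.411333] type=1400 audit(1346591594.833:6): avc:  denied  { read } for  '
    'pid=1459 comm="hpfax" name="nsswitch.conf" dev="sdb1" ino=919650 '
    'scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1346594180.814:65): avc:  denied  { read } for  '
    'pid=1512 comm="hpfax" name="nsswitch.conf" dev="sdb1" ino=919650 '
    'scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1346594180.814:65): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7f3cec89a3d2 a1=80000 a2=1b6 a3=238 items=0 '
    'ppid=1507 pid=1512 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 '
    'egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" '
    'exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)',
]

# audit(<epoch seconds>:<serial>) appears in both dmesg and audit.log records.
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value tokens; values are either "quoted" or a bare non-space run.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'pid=1 comm="x"' style text into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Third field of user:role:type[:mls] is the SELinux type."""
    return ctx.split(':')[2]


def parse_record(line):
    """Parse one dmesg or audit.log line into a dict, or None if not an audit record."""
    m = AUDIT_ID_RE.search(line)
    if not m:
        return None
    rec = {'timestamp': float(m.group(1)), 'serial': int(m.group(2))}
    avc = AVC_RE.search(line[m.end():])
    if avc:
        rec.update(parse_kv(avc.group(3)))
        rec['type'] = 'AVC'
        rec['decision'] = avc.group(1)
        rec['perms'] = sorted(avc.group(2).split())
    else:
        rec.update(parse_kv(line))          # SYSCALL and other record types
        rec['type'] = rec.get('type', 'UNKNOWN')
    return rec


def correlate(lines):
    """Join AVC records with the SYSCALL record sharing their (timestamp, serial)."""
    by_event = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            # Serials restart per boot, so key on the timestamp as well.
            by_event[(rec['timestamp'], rec['serial'])].append(rec)
    events = []
    for (ts, serial), recs in sorted(by_event.items()):
        sysc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for avc in (r for r in recs if r['type'] == 'AVC'):
            exit_code = int(sysc['exit']) if sysc and 'exit' in sysc else None
            events.append({
                'timestamp': ts,
                'serial': serial,
                'source_type': context_type(avc['scontext']),
                'target_type': context_type(avc['tcontext']),
                'tclass': avc['tclass'],
                'perms': avc['perms'],
                'comm': avc.get('comm'),
                'target': avc.get('path') or avc.get('name'),
                'exe': sysc.get('exe') if sysc else None,
                # None when no SYSCALL record accompanies the AVC (dmesg-only lines).
                'enforced': (sysc.get('success') == 'no') if sysc else None,
                'errno': errno.errorcode.get(-exit_code) if exit_code is not None and exit_code < 0 else None,
            })
    return events


def summarize(events):
    """Collapse denials into (source, target, class) -> union of permissions."""
    perms = defaultdict(set)
    for ev in events:
        perms[(ev['source_type'], ev['target_type'], ev['tclass'])].update(ev['perms'])
    return {k: sorted(v) for k, v in perms.items()}


def classify(event, expected_target_type):
    """Mislabel if the file carries a type other than what the policy's file
    contexts say it should (restorecon will fix it); otherwise a policy gap."""
    return 'mislabel' if event['target_type'] != expected_target_type else 'policy gap'


if __name__ == '__main__':
    evs = correlate(SAMPLE_LINES)
    for k, v in summarize(evs).items():
        print('%s -> %s (%s): %s' % (k[0], k[1], k[2], ' '.join(v)))
    for ev in evs:
        print(ev['serial'], ev['comm'], ev['target'], ev['enforced'], ev['errno'],
              classify(ev, 'etc_t'))
```

Feed it `dmesg` output or `/var/log/audit/audit.log`; the summary line shows the single `hplip_t -> etc_t (file)` rule being hit, and `classify` with the type reported by `restorecon -n -v` distinguishes the two cases Dan raised: a label that restorecon would change versus, as here, a correctly labelled file that the policy does not yet allow.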
selinux-policy-3.11.1-16.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-16.fc18
Package selinux-policy-3.11.1-16.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-16.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-16.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-18.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
Package selinux-policy-3.11.1-18.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-18.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-18.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.