Additional info: libreport version: 2.0.13 kernel: 3.6.0-0.rc2.git2.1.fc18.x86_64 description: :SELinux is preventing /usr/sbin/setfiles from 'getattr' accesses on the directory /boot. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that setfiles should be allowed getattr access on the boot directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:firewalld_t:s0 :Target Context system_u:object_r:boot_t:s0 :Target Objects /boot [ dir ] :Source restorecon :Source Path /usr/sbin/setfiles :Port <Unknown> :Host (removed) :Source RPM Packages policycoreutils-2.1.12-5.fc18.x86_64 :Target RPM Packages filesystem-3.1-2.fc18.x86_64 :Policy RPM selinux-policy-3.11.1-18.fc18.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.6.0-0.rc2.git2.1.fc18.x86_64 #1 : SMP Wed Aug 22 11:54:04 UTC 2012 x86_64 x86_64 :Alert Count 2 :First Seen 2012-09-17 20:51:42 GMT :Last Seen 2012-09-17 20:51:42 GMT :Local ID 0f66dcaf-1676-4351-aff7-04c38b4b777f : :Raw Audit Messages :type=AVC msg=audit(1347915102.637:373): avc: denied { getattr } for pid=2127 comm="restorecon" path="/boot" dev="sda1" ino=2 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1347915102.637:373): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f8f46aa639a a1=7fff02b685a0 a2=7fff02b685a0 a3=6c65722c6c656261 items=0 ppid=603 pid=2127 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=restorecon exe=/usr/sbin/setfiles subj=system_u:system_r:firewalld_t:s0 key=(null) : :Hash: restorecon,firewalld_t,boot_t,dir,getattr : :audit2allow : :#============= firewalld_t ============== :allow firewalld_t boot_t:dir getattr; : :audit2allow -R : :#============= firewalld_t ============== :allow firewalld_t boot_t:dir getattr; :
Created attachment 613776 [details] File: type
Created attachment 613777 [details] File: hashmarkername
Why is firewalld executing restorecon?
*** Bug 858046 has been marked as a duplicate of this bug. ***
*** Bug 858047 has been marked as a duplicate of this bug. ***
*** Bug 858049 has been marked as a duplicate of this bug. ***
*** Bug 858050 has been marked as a duplicate of this bug. ***
*** Bug 858051 has been marked as a duplicate of this bug. ***
firewalld is using restorecon, because it is moving a tempfile in the place of /etc/firewalld/firewalld.conf. But it does not do anything in /boot.
Thomas where are is the tempfile being created? Can't we just create it as /etc/firewalld/firewalld.conf.new or something and then rename it? I don't see any reason for this file to be created in /tmp?
It is created in the same directory, not in /tmp. So it should be safe to remove the restorecon call(s).
If it creates the content in /etc/firewalld, then you should not need restorecon, correct. We really do not want any daemons running restorecon, if they need to, it is a bug.
*** Bug 862974 has been marked as a duplicate of this bug. ***
Fixed in GIT: http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=4ae1f97767f2fe82f792a6c7c9f34f71949f3957
I have not seen this latly.