I'm getting the following AVC denial:
time->Tue Nov 20 10:01:12 2012
type=SYSCALL msg=audit(1353402072.877:816): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7f09c21aae80 a2=6e a3=20 items=0 ppid=1 pid=2069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353402072.877:816): avc: denied { write } for pid=2069 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=20335 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file
This causes CIM providers not to work at all.
selinux-policy-3.11.1-54.fc18.noarch
tog-pegasus-2.11.1-11.fc18.x86_64

Fixed in selinux-policy-3.11.1-55.fc18
Thank you, -55 fixes the issue, but another problem appears once the previous one disappears:
type=SYSCALL msg=audit(1353684774.859:377): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7f0e5f162eb0 a2=6e a3=20 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353684774.859:377): avc: denied { connectto } for pid=1164 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket
Could you fix that too?

Radek, could you switch to permissive to see if you get more AVC msgs?
Thanks for the tip, I'm also getting the following two AVC messages:
time->Fri Nov 23 15:49:02 2012
type=SYSCALL msg=audit(1353682142.653:2375): arch=c000003e syscall=2 success=yes exit=31 a0=7f0e48014610 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353682142.653:2375): avc: denied { write } for pid=1164 comm="cimprovagt" name="flags" dev="sysfs" ino=11313 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Fri Nov 23 15:49:02 2012
type=SYSCALL msg=audit(1353682142.653:2376): arch=c000003e syscall=1 success=yes exit=6 a0=1f a1=7f0e43fff000 a2=6 a3=22 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353682142.653:2376): avc: denied { net_admin } for pid=1164 comm="cimprovagt" capability=12 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=capability
The first one looks like selinux forbids the provider to write to /sys/class/net/<interface>/flags.

Fixed in selinux-policy-3.11.1-56.fc18
commit fbd5a98f8c9b2f822c3be3efe6bbc07e7d5c01ca
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 26 08:42:02 2012 +0100
    Allow pegasus_t to have net_admin capability
    Allow pegasus_t to write /sys/class/net/<interface>/flags

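Added example (not part of the bug report or of selinux-policy): a small parser that reduces the AVC records quoted in the comments above to one rule per source type, target type and class, in the raw form audit2allow prints. The function names are hypothetical, and the sample input is the type=AVC part of the records from this thread.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this thread (type=AVC part only).
SAMPLE = """\
type=AVC msg=audit(1353402072.877:816): avc: denied { write } for pid=2069 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=20335 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353684774.859:377): avc: denied { connectto } for pid=1164 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1353682142.653:2375): avc: denied { write } for pid=1164 comm="cimprovagt" name="flags" dev="sysfs" ino=11313 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1353682142.653:2376): avc: denied { net_admin } for pid=1164 comm="cimprovagt" capability=12 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """user:role:type:level -> type (only the level part may hold more colons)."""
    return context.split(":")[2]

def fmt(perms):
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"

def summarize(text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL records, time-> headers, separators
        src = selinux_type(rec["scontext"])
        tgt = selinux_type(rec["tcontext"])
        tgt = "self" if tgt == src else tgt  # same domain is written as self
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in rules.items())

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The output is raw material for policy review rather than a finished fix: a rule such as write on sysfs_t:file covers every file carrying that label, not only /sys/class/net/<interface>/flags.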
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.