Description of problem: I think this occured when it attempted to rotate the chrony daemon's log files. SELinux is preventing /usr/bin/bash from 'getattr' accesses on the filesystem /tmp. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that bash should be allowed getattr access on the tmp filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep chrony-helper /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmpfs_t:s0 Target Objects /tmp [ filesystem ] Source chrony-helper Source Path /usr/bin/bash Port <Unknown> Host (removed) Source RPM Packages bash-4.2.42-3.fc18.i686 Target RPM Packages filesystem-3.1-2.fc18.i686 Policy RPM selinux-policy-3.11.1-79.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.7.9-201.fc18.i686.PAE #1 SMP Mon Feb 18 21:21:43 UTC 2013 i686 i686 Alert Count 1 First Seen 2013-02-24 03:28:01 PST Last Seen 2013-02-24 03:28:01 PST Local ID 8125cb35-caa4-4ed3-b5f8-7069c0b102dc Raw Audit Messages type=AVC msg=audit(1361705281.402:701): avc: denied { getattr } for pid=6626 comm="chrony-helper" name="/" dev="tmpfs" ino=10286 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem type=SYSCALL msg=audit(1361705281.402:701): arch=i386 syscall=statfs success=no exit=EACCES a0=810377e a1=bfdc16a0 a2=4c3ef000 a3=810377e items=0 ppid=6620 pid=6626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=51 tty=(none) comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Hash: chrony-helper,logrotate_t,tmpfs_t,filesystem,getattr audit2allow #============= logrotate_t ============== allow logrotate_t tmpfs_t:filesystem getattr; audit2allow -R #============= logrotate_t ============== allow logrotate_t tmpfs_t:filesystem getattr; Additional info: hashmarkername: setroubleshoot kernel: 3.7.9-201.fc18.i686.PAE type: libreport
Have you been ever running in permissive mode? And are you able to get this again?
Miroslav, this is a recent Fedora 18 installation, and I have never changed the SELinux mode. I've got two other systems that I've recently installed Fedora 18 on, but they have not yet reached the point of needing to rotate their chronyd log files. I'll keep an eye out to see what happens the next time it rotates the log files, and I'll clear this report's "needinfo" flag at that point. I see that I had reported this problem before on Fedora 16 (RHBZ 797578), but in that case, I had modified the file system assignment of /tmp; this time, I haven't made any change. Also, I don't seem to have ever had this problem on Fedora 17. Link to prior bug: https://bugzilla.redhat.com/show_bug.cgi?id=797578
I think you should just add fs_getattr_all_fs(logrotate_t) 4bb325d5d3c0b7b4bd2e81d9f6a2625f6e65e8a6 in rawhide fixes this.
Backported. commit df0ebac32e68edb1ad20f771a4f135aa44c0c513 Author: Dan Walsh <dwalsh> Date: Tue Feb 26 16:18:43 2013 -0500 Allow logrotote to getattr on all file sytems
selinux-policy-3.11.1-82.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-82.fc18
Package selinux-policy-3.11.1-82.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-82.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-3309/selinux-policy-3.11.1-82.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-82.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.