Description of problem: - first install system-config-kdump: $ sudo yum install -y system-config-kdump run the program: $ sudo system-config-kdump enable kdump configure kdump, set filtering settings with following activated: - zero pages - free pages the level should be 17. Now try to apply the ruleset for kdump. SELinux is preventing /usr/bin/systemctl from 'search' accesses on the directory log. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemctl should be allowed search access on the log directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 Target Context system_u:object_r:syslogd_var_run_t:s0 Target Objects log [ dir ] Source systemctl Source Path /usr/bin/systemctl Port <Unknown> Host (removed) Source RPM Packages systemd-197-1.fc18.2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-86.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.8.4-202.fc18.x86_64 #1 SMP Thu Mar 21 17:02:20 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-03-25 20:29:16 CET Last Seen 2013-03-25 20:29:16 CET Local ID 55bb0361-29c6-4325-8278-74de4932c91b Raw Audit Messages type=AVC msg=audit(1364239756.128:905): avc: denied { search } for pid=9141 comm="systemctl" name="log" dev="tmpfs" ino=9288 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1364239756.128:905): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff02140110 a2=90800 a3=0 items=0 ppid=669 pid=9141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) Hash: systemctl,kdumpgui_t,syslogd_var_run_t,dir,search audit2allow #============= kdumpgui_t ============== allow kdumpgui_t syslogd_var_run_t:dir search; audit2allow -R require { type kdumpgui_t; } #============= kdumpgui_t ============== logging_stream_connect_syslog(kdumpgui_t) Additional info: hashmarkername: setroubleshoot kernel: 3.8.4-202.fc18.x86_64 type: libreport
This is allowed in F19 policy.
Fixed in selinux-policy-3.11.1-88.fc18.noarch
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18
Package selinux-policy-3.11.1-90.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.