Description of problem: SELinux is preventing /usr/bin/rm from 'remove_name' accesses on the directory man-db.lock. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that rm should be allowed remove_name access on the man-db.lock directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep rm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mandb_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_run_t:s0 Target Objects man-db.lock [ dir ] Source rm Source Path /usr/bin/rm Port <Unknown> Host (removed) Source RPM Packages coreutils-8.21-8.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-24.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.9.0-rc4-fafadora+ #4 SMP Sun Mar 24 08:50:50 CET 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-03-31 15:27:15 CEST Last Seen 2013-03-31 15:27:15 CEST Local ID f6510403-4c22-4cde-8117-f3dfd51563af Raw Audit Messages type=AVC msg=audit(1364736435.25:213): avc: denied { remove_name } for pid=21610 comm="rm" name="man-db.lock" dev="tmpfs" ino=344855 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=AVC msg=audit(1364736435.25:213): avc: denied { unlink } for pid=21610 comm="rm" name="man-db.lock" dev="tmpfs" ino=344855 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1364736435.25:213): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=ffffffffffffff9c a1=10c20f0 a2=0 a3=100 items=0 ppid=20636 pid=21610 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=rm exe=/usr/bin/rm subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null) Hash: rm,mandb_t,var_run_t,dir,remove_name audit2allow #============= mandb_t ============== allow mandb_t var_run_t:dir remove_name; allow mandb_t var_run_t:file unlink; audit2allow -R require { type mandb_t; type var_run_t; class file unlink; } #============= mandb_t ============== allow mandb_t var_run_t:file unlink; files_rw_pid_dirs(mandb_t) Additional info: hashmarkername: setroubleshoot kernel: 3.9.0-rc4-fafadora+ type: libreport
Fixed in selinux-policy-3.12.1-25.fc19.noarch
*** Bug 947002 has been marked as a duplicate of this bug. ***
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
Package selinux-policy-3.12.1-28.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.