Description of problem: 1: Edited mcelog.service & mcelog.setup to include --logfile=/var/log/mcelog as an option. 2: reloaded systemd --daemon reload. 3: systemctl restart mcelog SELinux is preventing /usr/sbin/mcelog from 'write' accesses on the sock_file mcelog-client. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mcelog should be allowed write access on the mcelog-client sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mcelog /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mcelog_t:s0 Target Context unconfined_u:object_r:var_run_t:s0 Target Objects mcelog-client [ sock_file ] Source mcelog Source Path /usr/sbin/mcelog Port <Unknown> Host (removed) Source RPM Packages mcelog-1.0-0.6.6e4e2a00.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-97.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-06-06 12:08:00 IST Last Seen 2013-06-06 12:08:00 IST Local ID f34b67b0-dc53-4675-8df5-6c26d156344e Raw Audit Messages type=AVC msg=audit(1370516880.740:787): avc: denied { write } for pid=8415 comm="mcelog" name="mcelog-client" dev="tmpfs" ino=1560272 scontext=system_u:system_r:mcelog_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=SYSCALL msg=audit(1370516880.740:787): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7fff01fa5760 a2=6e a3=8 items=0 ppid=1 pid=8415 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mcelog exe=/usr/sbin/mcelog subj=system_u:system_r:mcelog_t:s0 key=(null) Hash: mcelog,mcelog_t,var_run_t,sock_file,write audit2allow #============= mcelog_t ============== allow mcelog_t var_run_t:sock_file write; audit2allow -R require { type mcelog_t; type var_run_t; class sock_file write; } #============= mcelog_t ============== allow mcelog_t var_run_t:sock_file write; Additional info: reporter: libreport-2.1.4.24.g872f hashmarkername: setroubleshoot kernel: 3.9.4-200.fc18.x86_64 type: libreport
*** Bug 971366 has been marked as a duplicate of this bug. ***
Does # restorecon -R -v /var/run/mcelog* fix the problem?
(In reply to Miroslav Grepl from comment #2) > Does > > # restorecon -R -v /var/run/mcelog* > > fix the problem? No, and the grep mcelog /var/log/audit/audit.log | audit2allow -M my_mcelog causes the service to fail and creates avc for mcelog.pid
Created attachment 757647 [details] sealert -a All the mcelog things since I added --logfile=/var/log/mcelog to mcelog.service
So if you execute # restorecon -R -v /var/log/mcelog* /var/run/mcelog* you are able to get these AVC msgs again?
(In reply to Miroslav Grepl from comment #5) > So if you execute > > # restorecon -R -v /var/log/mcelog* /var/run/mcelog* > > you are able to get these AVC msgs again? Have run this, no avc messages, and no homegrown policy have entries in /var/log/mcelog (which was what was required) But mcelog.service times out. So am happy with this workaround, even if service broke. systemctl status mcelog.service mcelog.service - Machine Check Exception Logging Daemon Loaded: loaded (/usr/lib/systemd/system/mcelog.service; enabled) Active: failed (Result: timeout) since Fri 2013-06-14 12:29:26 IST; 1min 2s ago Process: 2036 ExecStartPre=/etc/mcelog/mcelog.setup (code=killed, signal=TERM) Jun 14 12:27:56 torrent.frankly3d.home systemd[1]: Starting Machine Check Exception Logging Daemon... Jun 14 12:29:26 torrent.frankly3d.home systemd[1]: mcelog.service operation timed out. Terminating. Jun 14 12:29:26 torrent.frankly3d.home systemd[1]: Failed to start Machine Check Exception Logging Daemon. Jun 14 12:29:26 torrent.frankly3d.home systemd[1]: Unit mcelog.service entered failed state. cat /usr/lib/systemd/system/mcelog.service [Unit] Description=Machine Check Exception Logging Daemon After=syslog.target # FIXME - due to upstream kernel bug always start the mcelog process # twice using the following ExecStartPre hack. This needs fixing. # There is a bug filed against systemd for the ExecStartPre bit # since it is not possible to specify that the ExecStarPre bit # is allowed and expected to fail without aborting the daemon. [Service] ExecStartPre=/etc/mcelog/mcelog.setup ExecStart=/usr/sbin/mcelog --daemon --foreground --filter --logfile=/var/log/mcelog StandardOutput=syslog [Install] WantedBy=multi-user.target