Description of problem: Run a script which did various 'cobbler distro add' and 'cobbler profile add' SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory cpu. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that python2.7 should be allowed read access on the cpu directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cobblerd_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects cpu [ dir ] Source cobblerd Source Path /usr/bin/python2.7 Port <Unknown> Host (removed) Source RPM Packages python-2.7.5-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-54.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.9.6-301.fc19.x86_64 #1 SMP Mon Jun 17 14:26:26 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-07-01 13:16:09 EDT Last Seen 2013-07-01 13:16:09 EDT Local ID 5a0873fd-9c9c-4788-840a-59a280a839c7 Raw Audit Messages type=AVC msg=audit(1372698969.855:8943): avc: denied { read } for pid=29133 comm="cobblerd" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir type=SYSCALL msg=audit(1372698969.855:8943): arch=x86_64 syscall=openat success=yes exit=EIO a0=ffffffffffffff9c a1=3cdc37b9fc a2=90800 a3=0 items=0 ppid=1 pid=29133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=cobblerd exe=/usr/bin/python2.7 subj=system_u:system_r:cobblerd_t:s0 key=(null) Hash: cobblerd,cobblerd_t,sysfs_t,dir,read Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.9.6-301.fc19.x86_64 type: libreport
#============= cobblerd_t ============== #!!!! This avc is allowed in the current policy allow cobblerd_t sysfs_t:dir read; Please update to the latest policy.