Description of problem:
Trying to start the riak.service

SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /dev/mqueue.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that df should be allowed getattr access on the mqueue directory by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep df /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_beam_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/mqueue [ dir ]
Source                        df
Source Path                   /usr/bin/df
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-11.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-300.fc19.x86_64 #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-04 00:42:02 EDT
Last Seen                     2013-07-04 00:42:02 EDT
Local ID                      358d9d62-3781-46c9-bb77-a62a917b5d6f

Raw Audit Messages
type=AVC msg=audit(1372912922.128:709): avc:  denied  { getattr } for  pid=4658 comm="df" path="/dev/mqueue" dev="mqueue" ino=1122 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1372912922.128:709): arch=x86_64 syscall=stat success=no exit=EACCES a0=c6f460 a1=7fff65f72450 a2=7fff65f72450 a3=0 items=0 ppid=4656 pid=4658 auid=4294967295 uid=992 gid=991 euid=992 suid=992 fsuid=992 egid=991 sgid=991 fsgid=991 ses=4294967295 tty=(none) comm=df exe=/usr/bin/df subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Hash: df,rabbitmq_beam_t,tmpfs_t,dir,getattr

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.8-300.fc19.x86_64
type:           libreport
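As an added illustration (not code from the report or from the Fedora policy maintainers), the script below reconstructs what the "grep df /var/log/audit/audit.log | audit2allow -M mypol" workaround in the description produces: it parses the raw AVC record quoted above (embedded here as a constructed sample) and renders the minimal .te policy source with its require block and allow rule, so an administrator can read exactly which access a local module would open before loading it.

```python
"""Parse SELinux AVC denial records and render the local policy module
(.te source) that the report's audit2allow workaround would generate."""
import re
from collections import defaultdict

# Constructed sample input: the AVC record quoted in the report above.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1372912922.128:709): avc:  denied  { getattr } for  '
    'pid=4658 comm="df" path="/dev/mqueue" dev="mqueue" ino=1122 '
    'scontext=system_u:system_r:rabbitmq_beam_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir\n'
)

# Permissions inside the braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(log_text):
    """Return (source_type, target_type, tclass, perms) for each AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the matching SYSCALL line)
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        denials.append((stype, ttype, m.group('tclass'),
                        frozenset(m.group('perms').split())))
    return denials


def build_te(module_name, denials):
    """Render a .te module: one allow rule per (source, target, class)."""
    rules, types, classes = defaultdict(set), set(), defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

The local rule this yields is narrower than the upstream fix in the thread, which lets df running as rabbitmq_beam_t getattr on all filesystem directories; once the updated selinux-policy package is installed, a local module like this is no longer needed.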
Looks like rabbitmq_beam_t needs to getattr on all file system dirs?
Hi Mark, I think the problem is that your /usr/bin/df has a bad security context; you might try using: "# restorecon -v /usr/bin/df".
The labeling will be OK.

# ls -Z /usr/bin/df
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/df

which means that if the rabbitmq_beam_t domain executes "df", then it will end up as rabbitmq_beam_t.

# sesearch -A -s rabbitmq_beam_t -t bin_t -c file

Yes, additional rules are needed, as Dan wrote above.
commit 7101471234126c9a382cd68f0b6e22cb3d734d2d
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jul 16 15:32:18 2013 +0200

    Allow /usr/bin/df running as rabbitmq_beam_t to getattr on all fs dirs
selinux-policy-3.12.1-65.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-65.fc19
Package selinux-policy-3.12.1-65.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-65.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13172/selinux-policy-3.12.1-65.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-65.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.