Description of problem:
SELinux is preventing /usr/sbin/semodule from 'search' accesses on the directory /var/log/audit.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that semodule should be allowed search access on the audit directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep semodule /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:semanage_t:s0-s0:c0.c1023
Target Context                system_u:object_r:auditd_log_t:s0
Target Objects                /var/log/audit [ dir ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.1.13-59.fc18.x86_64
Target RPM Packages           audit-2.3.1-2.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-98.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.11-200.fc18.x86_64 #1 SMP Mon Jul 22 21:04:50 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-24 08:46:20 PDT
Last Seen                     2013-07-24 08:46:20 PDT
Local ID                      d10d7e4c-7db1-4013-a8f6-7bea16831c24

Raw Audit Messages
type=AVC msg=audit(1374680780.506:362): avc:  denied  { search } for  pid=11009 comm="semodule" name="audit" dev="dm-0" ino=923408 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

type=SYSCALL msg=audit(1374680780.506:362): arch=x86_64 syscall=open success=no exit=EACCES a0=7fea4e3ae050 a1=0 a2=0 a3=38 items=0 ppid=10796 pid=11009 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm=semodule exe=/usr/sbin/semodule subj=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null)

Hash: semodule,semanage_t,auditd_log_t,dir,search

audit2allow

#============= semanage_t ==============
allow semanage_t auditd_log_t:dir search;

audit2allow -R

require {
	type semanage_t;
}

#============= semanage_t ==============
logging_read_audit_log(semanage_t)

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.11-200.fc18.x86_64
type:           libreport
Did you run semodule while sitting in the /var/log/audit directory?
(In reply to Daniel Walsh from comment #1)
> Did you run semodule while sitting in the /var/log/audit directory?
I don't remember. Does it make a difference which directory I run semodule from?
In theory no, but when you run an app in any directory the first thing the app tries to do is getattr of the Current Working Directory. If the app you are executing does a transition, SELinux could generate an AVC saying the confined app is not allowed to getattr on the directory.
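As an added illustration (not part of the bug report, and not the code of audit2allow or setroubleshoot), the following Python parses the raw AVC record above into its fields, derives the same type-enforcement rule that the report's audit2allow run produced, and applies a simple heuristic for the situation Daniel Walsh describes: a denial on a directory for only getattr or search, which is what a confined process hitting its inherited current working directory would generate. The heuristic, the function names and the sample record embedded in the block are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample: the AVC record from this report, reduced to the fields
# that matter for a type-enforcement rule.
SAMPLE_AVC = (
    'type=AVC msg=audit(1374680780.506:362): avc:  denied  { search } for  '
    'pid=11009 comm="semodule" name="audit" dev="dm-0" ino=923408 '
    'scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir'
)

# The denied permission set sits in braces after "denied".
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
# Every other field is key=value, with values optionally double-quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: a dir denial limited to these perms is what an inherited
# CWD typically produces right after a domain transition.
_CWD_PERMS = {"getattr", "search"}


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC denial record into a dict of fields plus a 'perms' list."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields: Dict[str, object] = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rule(avc: Dict[str, object]) -> str:
    """Build the TE allow rule audit2allow would emit for this single denial."""
    perms: List[str] = list(avc["perms"])
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        type_of(str(avc["scontext"])),
        type_of(str(avc["tcontext"])),
        avc["tclass"],
        perm_text,
    )


def looks_like_cwd_denial(avc: Dict[str, object]) -> bool:
    """True when the denial matches the inherited-CWD pattern (assumed heuristic)."""
    return avc.get("tclass") == "dir" and set(avc["perms"]) <= _CWD_PERMS


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec))
    if looks_like_cwd_denial(rec):
        print("dir-only getattr/search denial: check the CWD the process was started from "
              "before writing a local policy module")
```

Running the block on the embedded record prints the same `allow semanage_t auditd_log_t:dir search;` rule shown in the report; the heuristic message is a reminder to confirm the working directory (as asked in comment #1) before treating the denial as a policy gap.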