Description of problem: Upgrade from clean installed F18 to F19 Rawhide. SELinux is preventing /usr/lib/systemd/systemd-udevd from 'write' accesses on the directory watch. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-udevd should be allowed write access on the watch directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-udevd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:udev_t:s0-s0:c0.c1023 Target Context system_u:object_r:sound_device_t:s0 Target Objects watch [ dir ] Source systemd-udevd Source Path /usr/lib/systemd/systemd-udevd Port <Unknown> Host (removed) Source RPM Packages systemd-195-15.fc18.x86_64 systemd-197-2.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-66.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.6.10-4.fc18.x86_64 #1 SMP Tue Dec 11 18:01:27 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2013-01-24 15:07:31 CET Last Seen 2013-01-24 15:07:31 CET Local ID a00a2815-cd70-4f5c-a380-ace5d428560f Raw Audit Messages type=AVC msg=audit(1359036451.123:338): avc: denied { write } for pid=3069 comm="systemd-udevd" name="watch" dev="tmpfs" ino=37767 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir type=AVC msg=audit(1359036451.123:338): avc: denied { add_name } for pid=3069 comm="systemd-udevd" name="1" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir type=SYSCALL msg=audit(1359036451.123:338): arch=x86_64 syscall=symlink success=yes exit=0 a0=7f41d3df8b90 a1=7fff4d64c860 a2=7f41d2c97770 a3=7 items=0 ppid=1 pid=3069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-udevd exe=/usr/lib/systemd/systemd-udevd subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) Hash: systemd-udevd,udev_t,sound_device_t,dir,write audit2allow #============= udev_t ============== #!!!! The source type 'udev_t' can write to a 'dir' of the following types: # etc_mail_t, sysctl_type, xend_var_log_t, net_conf_t, mqueue_spool_t, postgresql_db_t, data_home_t, filesystem_type, cache_home_t, nx_server_var_lib_t, var_spool_t, var_log_t, init_var_run_t, modules_object_t, virt_var_run_t, device_t, var_lib_t, var_run_t, etc_t, httpd_sys_content_t, systemd_passwd_var_run_t, home_root_t, admin_home_t, httpd_user_script_exec_t, httpd_user_content_t, udev_rules_t, semanage_store_t, krb5kdc_conf_t, krb5_host_rcache_t, virt_home_t, user_home_dir_t, unlabeled_t, hugetlbfs_t, proc_type, mail_spool_t, file_type, device_t, devpts_t, etc_t, config_home_t, bin_t, boot_t, root_t, tmp_t, usr_t, var_t, user_tmp_t, cupsd_etc_t, postfix_etc_t, udev_var_run_t, var_run_t allow udev_t sound_device_t:dir { write add_name }; audit2allow -R #============= udev_t ============== #!!!! The source type 'udev_t' can write to a 'dir' of the following types: # etc_mail_t, sysctl_type, xend_var_log_t, net_conf_t, mqueue_spool_t, postgresql_db_t, data_home_t, filesystem_type, cache_home_t, nx_server_var_lib_t, var_spool_t, var_log_t, init_var_run_t, modules_object_t, virt_var_run_t, device_t, var_lib_t, var_run_t, etc_t, httpd_sys_content_t, systemd_passwd_var_run_t, home_root_t, admin_home_t, httpd_user_script_exec_t, httpd_user_content_t, udev_rules_t, semanage_store_t, krb5kdc_conf_t, krb5_host_rcache_t, virt_home_t, user_home_dir_t, unlabeled_t, hugetlbfs_t, proc_type, mail_spool_t, file_type, device_t, devpts_t, etc_t, config_home_t, bin_t, boot_t, root_t, tmp_t, usr_t, var_t, user_tmp_t, cupsd_etc_t, postfix_etc_t, udev_var_run_t, var_run_t allow udev_t sound_device_t:dir { write add_name }; Additional info: hashmarkername: setroubleshoot kernel: 3.6.10-4.fc18.x86_64 type: libreport
Fixed in libselinux-2.1.12-18.fc19.x86_64
*** Bug 903679 has been marked as a duplicate of this bug. ***
*** Bug 903678 has been marked as a duplicate of this bug. ***
*** Bug 903677 has been marked as a duplicate of this bug. ***
*** Bug 903681 has been marked as a duplicate of this bug. ***
*** Bug 903680 has been marked as a duplicate of this bug. ***