Po nainštalovaní Fedora 17 a jej používaní dostávam v nepravidelných intervaloch nižšie uvedené upozornenie.
SELinux is preventing /usr/bin/systemd-tmpfiles from getattr access on the directory /var/tmp/kdecache-root.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow systemd-tmpfiles to have getattr access on the kdecache-root directory
Then you need to change the label on /var/tmp/kdecache-root
Do
semanage fcontext -a -t FILE_TYPE ‘/var/tmp/kdecache-root’
where FILE_TYPE is one of the following: root_t, tmp_t, config_home_t, usr_t, var_t, cpu_online_t, lockfile, setrans_var_run_t, pidfile, tmpfile, var_lib_t, var_run_t, device_t, samba_var_t, sysctl_t, etc_t, abrt_t, bin_t, samba_etc_t, proc_t, avahi_var_run_t, lib_t, sysfs_t, mnt_t, nscd_var_run_t, nslcd_var_run_t, root_t, smbd_var_run_t, sssd_var_lib_t, tmp_t, usr_t, var_t, lost_found_t, net_conf_t, sandbox_file_t, cpu_online_t, security_t, rpm_var_cache_t, faillog_t, systemd_tmpfiles_t, var_spool_t, httpd_cache_t, proc_net_t, var_log_t, var_lib_t, var_run_t, textrel_shlib_t, user_home_type, init_var_run_t, rpm_script_tmp_t, rpm_var_lib_t, file_type, winbind_var_run_t, security_t, httpd_sys_rw_content_t, file_context_t, etc_t, cert_t, default_t, home_root_t, rpm_log_t, var_t, var_log_t, var_run_t, sssd_public_t, abrt_var_run_t, selinux_config_t, likewise_var_lib_t, user_home_dir_t, default_context_t, sysctl_crypto_t, filesystem_type, device_t, locale_t, var_auth_t, var_lock_t, krb5_conf_t, etc_t, file_t, proc_t, man_t, sysfs_t, tmpfs_t, var_run_t, var_run_t, nscd_var_run_t, pcscd_var_run_t, krb5_host_rcache_t, var_t, var_t.
Then execute:
restorecon -v ‘/var/tmp/kdecache-root’
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that systemd-tmpfiles should be allowed getattr access on the kdecache-root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_tmpfiles_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /var/tmp/kdecache-root [ dir ]
Source systemd-tmpfile
Source Path /usr/bin/systemd-tmpfiles
Port <Neznáme>
Host localhost.localdomain
Source RPM Packages systemd-44-17.fc17.i686
Target RPM Packages
Policy RPM selinux-policy-3.10.0-142.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.4.6-2.fc17.i686.PAE
#1 SMP Thu Jul 19 21:49:03 UTC 2012 i686 i686
Alert Count 3
First Seen Pi 3. august 2012, 20:02:37 CEST
Last Seen Pi 3. august 2012, 20:02:38 CEST
Local ID e3b1e1b6-c036-4a2b-b982-447f391022f8
Raw Audit Messages
type=AVC msg=audit(1344016958.562:57): avc: denied { getattr } for pid=2540 comm=“systemd-tmpfile” path="/var/tmp/kdecache-root" dev=“sda1” ino=1436197 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1344016958.562:57): arch=i386 syscall=fstatat64 success=no exit=EACCES a0=4 a1=9d86fc3 a2=bf987fd0 a3=100 items=0 ppid=1 pid=2540 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
Hash: systemd-tmpfile,systemd_tmpfiles_t,unlabeled_t,dir,getattr
audit2allowunable to open /sys/fs/selinux/policy: Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
Predtým som dlhodobo používal Kubuntu a predtým niekoľko rokov Mandriva Linux, kde som sa s podobnými upozorneniami nestretával. S nástrojom SELinux sa stretávam prakticky až teraz.
Na wiki fedora.cz som sa dozvedel ako SELinux odstaviť. To by ale asi nebolo to najsprávnejšie riešenie.