<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This looks like the file_context file does not match the policy that
is loaded into the kernel.<br>
<br>
Execute:<br>
<br>
# semodule -B<br>
Which should recompile and load the policy.<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/25/2014 06:40 AM, Shintaro
Fujiwara wrote:<br>
</div>
<blockquote
cite="mid:CAPhFHN-+fmBkP_Wyge0xkPBATQ9nJYyc2vQRoOnBeYTm-xG2uQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I updated fedora20 now and got SELinux alert.<br>
</div>
What's wrong?<br>
<div>
<div>
<div>
<div><br>
SELinux is preventing /usr/sbin/setfiles from mac_admin
access on the capability2 .<br>
<br>
***** Plugin catchall (100. confidence) suggests
**************************<br>
<br>
# grep restorecon /var/log/audit/audit.log | audit2allow
-M mypol<br>
# semodule -i mypol.pp<br>
<br>
Additional Information:<br>
Source Context
unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023<br>
Target Context
unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023<br>
Target Objects [ capability2 ]<br>
Source restorecon<br>
Source Path /usr/sbin/setfiles<br>
Port &lt;Unknown&gt;<br>
Host localhost.localdomain<br>
Source RPM Packages
policycoreutils-2.2.5-3.fc20.x86_64<br>
Target RPM Packages <br>
Policy RPM
selinux-policy-3.12.1-158.fc20.noarch selinux-<br>
policy-3.12.1-166.fc20.noarch<br>
Selinux Enabled True<br>
Policy Type targeted<br>
Enforcing Mode Enforcing<br>
Host Name localhost.localdomain<br>
Platform Linux
localhost.localdomain 3.14.4-200.fc20.x86_64<br>
#1 SMP Tue May 13 13:51:08
UTC 2014 x86_64 x86_64<br>
Alert Count 3<br>
First Seen 2014-02-20 00:11:29 JST<br>
Last Seen 2014-05-25 19:36:13 JST<br>
Local ID
0a51e340-8e41-42fb-8c41-4c3d3d7fee6f<br>
<br>
Raw Audit Messages<br>
type=AVC msg=audit(1401014173.443:796): avc: denied {
mac_admin } for pid=13598 comm="restorecon"
capability=33
scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
tclass=capability2<br>
<br>
<br>
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64
syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820
a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002
pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon
exe=/usr/sbin/setfiles
subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
key=(null)<br>
<br>
Hash:
restorecon,setfiles_t,setfiles_t,capability2,mac_admin<br>
<br clear="all">
<br>
-- <br>
<div dir="ltr">
<div>A page for helping heavy metal and hard rock take root in Japan<br>
<a moz-do-not-send="true"
href="http://heavymetalhardrock.no-ip.info/"
target="_blank">http://heavymetalhardrock.no-ip.info/</a><br>
<br>
Free software that makes the secure OS SELinux easier to use around the world<br>
<a moz-do-not-send="true"
href="http://sourceforge.net/projects/segatex/"
target="_blank">http://sourceforge.net/projects/segatex/</a><br>
</div>
<div><br>
CMS (free software using PHP and PostgreSQL)<br>
</div>
<a moz-do-not-send="true"
href="http://sourceforge.net/projects/webon/"
target="_blank">http://sourceforge.net/projects/webon/</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
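<br>
Added example (not part of either message): a small triage script that pairs the AVC and SYSCALL records of one audit event and flags the pattern quoted above, a mac_admin denial on capability2 during a setxattr-family call that failed with EINVAL, which is what the kernel logs when a process tries to set a label the loaded policy does not define. It assumes interpreted records (syscall and errno shown as names, as in the message); the function names and the third sample line are constructed for illustration.<br>

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the message, joined onto single
# lines, plus one unrelated (constructed) denial that must not be flagged.
SAMPLE = """\
type=AVC msg=audit(1401014173.443:796): avc: denied { mac_admin } for pid=13598 comm="restorecon" capability=33 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820 a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002 pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1401014200.001:801): avc: denied { read } for pid=14001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
XATTR_CALLS = {"setxattr", "lsetxattr", "fsetxattr"}


def parse(line):
    """Return (record type, event key, fields), or None for a non-audit line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    perms = PERMS.search(body)
    if rtype == "AVC" and perms:
        fields["perms"] = perms.group(1).split()
    return rtype, (stamp, serial), fields


def stale_label_events(text):
    """Events where mac_admin was denied during a setxattr that failed EINVAL."""
    events = defaultdict(dict)  # records sharing timestamp:serial are one event
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            rtype, key, fields = rec
            events[key][rtype] = fields
    hits = []
    for (stamp, serial), recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if (avc and sc and "mac_admin" in avc.get("perms", [])
                and avc.get("tclass") == "capability2"
                and sc.get("syscall") in XATTR_CALLS
                and sc.get("exit") in ("EINVAL", "-22")):
            hits.append({"serial": int(serial), "comm": avc.get("comm"),
                         "exe": sc.get("exe"), "domain": avc["scontext"].split(":")[2]})
    return hits
```

A hit means the labelling tool and the loaded policy disagree about which contexts exist, so the fix is to bring the two back in sync rather than to allow mac_admin with a local module.<br>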
<br>
</body>
</html>