SELinux is preventing accounts-daemon from read access on the directory /var/log

bitlord bitlord0xff at gmail.com
Fri Jun 14 15:20:36 UTC 2013 

On Fri, 2013-06-14 at 18:15 +0300, Cristian Sava wrote:
> On any F19 x64 Gnome we get:
> 
> SELinux is preventing accounts-daemon from read access on the
> directory /var/log.
> 
> *****  Plugin catchall (100. confidence) suggests
> ***************************
> 
> If you believe that accounts-daemon should be allowed read access on the
> log directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:accountsd_t:s0
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                /var/log [ dir ]
> Source                        accounts-daemon
> Source Path                   accounts-daemon
> Port                          <Unknown>
> Host                          s198.central.ucv.ro
> Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
> Target RPM Packages           filesystem-3.2-10.fc19.x86_64
> Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     s198.central.ucv.ro
> Platform                      Linux s198.central.ucv.ro
> 3.9.5-301.fc19.x86_64 #1
>                               SMP Tue Jun 11 19:39:38 UTC 2013 x86_64
> x86_64
> Alert Count                   9303
> First Seen                    2013-06-14 07:41:29 EEST
> Last Seen                     2013-06-14 18:10:33 EEST
> Local ID                      0f10e959-1983-410a-80b4-9eb06538e467
> 
> Raw Audit Messages
> type=AVC msg=audit(1371222633.229:4335): avc:  denied  { read } for
> pid=432 comm="accounts-daemon" name="log" dev="dm-1" ino=1179686
> scontext=system_u:system_r:accountsd_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> 
> 
> type=SYSCALL msg=audit(1371222633.229:4335): arch=x86_64
> syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7f00d27c5d10
> a2=1002fce a3=0 items=0 ppid=1 pid=432 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none)
> comm=accounts-daemon exe=/usr/libexec/accounts-daemon
> subj=system_u:system_r:accountsd_t:s0 key=(null)
> 
> Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
> 
> Cristian Sava
> 
> 

It is probably this, "fixed"
bug report
https://bugzilla.redhat.com/show_bug.cgi?id=974200
updated selinux-policy
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

More information about the test mailing list