F8 updates kill setroubleshootd?

Fri Feb 29 11:09:33 UTC 2008

Paul Howarth wrote:
> Having installed the latest bunch of Fedora 8 updates this morning, 
> which included selinux-policy and setroubleshoot, I'm getting these 
> denials:
> 
> type=AVC msg=audit(1204275163.032:209): avc:  denied  { connectto } for 
>  pid=26345 comm="setroubleshootd" path="/var/run/audispd_events" 
> scontext=unconfined_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:system_r:auditd_t:s0 tclass=unix_stream_socket
> 
> type=AVC msg=audit(1204275171.133:210): avc:  denied  { read } for 
> pid=26379 comm="setroubleshootd" name=".rpmmacros" dev=0:15 ino=6331637 
> scontext=unconfined_u:system_r:setroubleshootd_t:s0 
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
> 
> The first one looks like a policy issue but I can't fathom why 
> setroubleshootd would be trying access ~/.rpmmacros for the second one.

Following a reboot, the socket /var/run/audispd_events changed from 
auditd_t to audisp_var_run_t and there are no more AVCs for this. I 
tried a restorecon before the reboot but that didn't do anything, which 
is strange given that policy does indeed specify context:

# semanage fcontext -l | grep audisp
/sbin/audispd                                      regular file 
system_u:object_r:audisp_exec_t:s0
/sbin/audisp-prelude                               regular file 
system_u:object_r:audisp_prelude_exec_t:s0
/var/run/audispd_events                            socket 
system_u:object_r:audisp_var_run_t:s0

Perhaps that was finger trouble?

Paul.