[DSE-User] semodule missing permissions to /etc/selinux/default/modules/active
Éric Deschamps
erdesc at free.fr
Wed Oct 2 14:53:25 UTC 2013
Hello,
Trying to load a new policy with semodule, I get this error:
# semodule -i /usr/share/selinux/shorewall-plus.pp
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/default/modules/active to
/etc/selinux/default/modules/previous. (Permission denied).
semodule: Failed!
Here is an excerpt of audit2why explanation:
# grep semodule /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1380724705.027:9561): avc: denied { getattr } for
pid=6007 comm="semodule" name="/" dev="sysfs" ino=1
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to
allow this access.
type=AVC msg=audit(1380724710.867:9562): avc: denied { rename } for
pid=6007 comm="semodule" name="active" dev="sda1" ino=134215
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to
allow this access.
Does this problem look normal to you? Is it a bug in basic policies or
did I miss something?
Regards,
Éric