Odd Selinux Complaints On New, Fully Updated CentOS 7

Home » CentOS » Odd Selinux Complaints On New, Fully Updated CentOS 7
CentOS No Comments

Just installed 7.2, and I’m seeing this – is this a bug in the policy?

SELinux is preventing systemd-readahe from add_name access on the directory .readahead.new.

***** Plugin catchall_labels (83.8 confidence) suggests

If you want to allow systemd-readahe to have add_name access on the
.readahead.new directory Then you need to change the label on .readahead.new Do
# semanage fcontext -a -t FILE_TYPE ‘.readahead.new’
where FILE_TYPE is one of the following: device_t, init_var_run_t, readahead_var_lib_t, readahead_var_run_t, root_t, var_run_t. Then execute:
restorecon -v ‘.readahead.new’

***** Plugin catchall (17.1 confidence) suggests

If you believe that systemd-readahe should be allowed add_name access on the .readahead.new directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep systemd-readahe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:readahead_t:s0
Target Context system_u:object_r:mnt_t:s0
Target Objects .readahead.new [ dir ]
Source systemd-readahe Source Path systemd-readahe Port
Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name
Platform Linux 3.10.0-327.10.1.el7.x86_64
#1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64
Alert Count 4
First Seen 2016-02-29 10:06:27 EST
Last Seen 2016-02-29 16:50:22 EST
Local ID 0ba32e6a-e502-45be-a2dc-cda4c380a2bb

Raw Audit Messages type=AVC msg=audit(1456782622.230:435): avc: denied { add_name } for pidA0 comm=”systemd-readahe” name=”.readahead.new”
tcontext=system_u:object_r:mnt_t:s0 tclass=dir