I get repeated SELinux alerts, as many as 20 a day, always in multiples of 4, sometimes 100s a day.
I troubleshoot the alert and, as advised, do:
ausearch -c 'admin' --raw | audit2allow -M my-admin
semodule -X 300 -i my-admin.pp
However, I have learned not to expect much from this because the affected files/folders are under /proc
and therefore transitory.
ausearch -c 'admin' --raw | tail -4
type=AVC msg=audit(1747062997.287:1829): avc: denied { search } for pid=10235 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747063007.319:1830): avc: denied { read } for pid=10235 comm="admin" name="comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747063007.319:1831): avc: denied { open } for pid=10235 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747063007.319:1832): avc: denied { getattr } for pid=10235 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
This problem has persisted for many months, through several OS upgrades (F40, F41, F42), and program updates.
I have web searched for all related key words and attempted many “adjustments” and “tidy ups”, all to no avail.
The nearest I came to something relevant was
I have clearly not understood the root cause of the problem and I do not understand what the system log means.
/var/log/messages
May 12 15:22:17 vericalm audit[10235]: AVC avc: denied { search } for pid=10235 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
May 12 15:22:19 vericalm setroubleshootd[14399]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
May 12 15:22:19 vericalm setroubleshootd[14399]: libsepol.context_from_record: could not create context structure
May 12 15:22:19 vericalm setroubleshootd[14399]: libsepol.context_from_string: could not create context structure
May 12 15:22:19 vericalm setroubleshootd[14399]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
May 12 15:22:19 vericalm setroubleshoot[14399]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
May 12 15:22:19 vericalm setroubleshoot[14399]: Traceback (most recent call last):
May 12 15:22:19 vericalm setroubleshoot[14399]: File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
May 12 15:22:19 vericalm setroubleshoot[14399]: avcs.append(AVC(audit_event, record))
May 12 15:22:19 vericalm setroubleshoot[14399]: ~~~^^^^^^^^^^^^^^^^^^^^^
May 12 15:22:19 vericalm setroubleshoot[14399]: File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
May 12 15:22:19 vericalm setroubleshoot[14399]: self.derive_avc_info_from_audit_event(avc_record)
May 12 15:22:19 vericalm setroubleshoot[14399]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
May 12 15:22:19 vericalm setroubleshoot[14399]: File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
May 12 15:22:19 vericalm setroubleshoot[14399]: raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
May 12 15:22:19 vericalm setroubleshoot[14399]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747059737.265:964): avc: denied { search } for pid=10235 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
May 12 15:22:19 vericalm setroubleshoot[14399]:
May 12 15:22:19 vericalm setroubleshoot[14399]: **** Invalid AVC: bad target context ****
May 12 15:22:19 vericalm setroubleshoot[14399]: During handling of the above exception, another exception occurred:
May 12 15:22:19 vericalm setroubleshoot[14399]: Traceback (most recent call last):
May 12 15:22:19 vericalm setroubleshoot[14399]: File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
May 12 15:22:19 vericalm setroubleshoot[14399]: syslog.syslog(syslog.LOG_ERR, "%s" % e)
May 12 15:22:19 vericalm setroubleshoot[14399]: ^^^^^^
May 12 15:22:19 vericalm setroubleshoot[14399]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value
My SELinux level is permissive. I am running several machines on F42, but the only machine affected is the
one which serves a public facing web site (LAMP) with a Nextcloud server. Everything is latest stable version.
I cannot think of a change that may have introduced the problem,
and I cannot even ascertain when the problem first started because of multiple much more severe problems.
This is a live system which is subject to a host of real world issues:
- Thousands of attempted hacks per day.
- Power outages (a handful per year).
- Hardware component failures (all recoverable because of redundancy).
- Corrupt databases and similar (again all recoverable).
- System administrator user error (yes, I’m the culprit, e.g. accidentally deleting a critical s/w component).
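
An added example, not part of the original post: a small Python parser for the AVC record format shown above. It groups denials by command, source type, target type and device, so the four quoted records collapse into one access pattern with its set of class:permission pairs. The function names are chosen for this example, and the sample input is the four records quoted in the post.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the post, verbatim.
SAMPLE = """\
type=AVC msg=audit(1747062997.287:1829): avc: denied { search } for pid=10235 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747063007.319:1830): avc: denied { read } for pid=10235 comm="admin" name="comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747063007.319:1831): avc: denied { open } for pid=10235 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747063007.319:1832): avc: denied { getattr } for pid=10235 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def setype(context):
    """Extract the type from user:role:type:level (the MLS level may contain ':')."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Group denials by (comm, source type, target type, device)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "blocked": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or not rec.keys() >= {"scontext", "tcontext", "tclass"}:
            continue  # not an AVC denial, or a truncated record
        key = (rec.get("comm"), setype(rec["scontext"]), setype(rec["tcontext"]), rec.get("dev"))
        g = groups[key]
        g["count"] += 1
        g["perms"].update(f'{rec["tclass"]}:{p}' for p in rec["perms"])
        # permissive=1 means the access was logged but allowed
        g["blocked"] |= rec.get("permissive") != "1"
    return {k: {**g, "perms": sorted(g["perms"])} for k, g in groups.items()}


if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, g)
```

The same functions accept the `/var/log/messages` form of the record, since the pattern only anchors on the `avc: denied { ... } for` portion of the line.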