~]# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
第三步,执行audit2allow -a检查需要放通的权限
~]# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
原文中提到一个重要的提醒,提到,出现这种情况都算软件没配好,是应该向Redhat提交故障报告的。
第四步,用 audit2allow -a -M 生成一个可以加载的模块
~]# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
~]# ls
mycertwatch.pp mycertwatch.te
DEFAULT vesamenu.c32
PROMPT 0
MENU TITLE Home PXE-Boot Server
label Diskless Debian
MENU LABEL Diskless Debian
KERNEL debian/vmlinuz
append vga=normal initrd=debian/initrd.img ramdisk_size=14332 root=/dev/nfs nfsroot=NFS服务器地址:/PXE/debian rw --
TEXT HELP
Starts the Diskless Debian
ENDTEXT