Bug 1027285
Summary: | SELinux AVC denials for pki | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | ksiddiqu, mgregg, mkosek, mmalik, mniranja, nkinder, nsoman, sgoveas |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-104.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-13 09:32:34 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
This is a weird issue. Basically this directory is created by Java in the post install so we are not able to control the labeling. I guess there is no way to tell Java to create this directory in a different location, right?

The directory is created while installing java-1.7.0-openjdk and its dependencies rhino, jline, and java-1.7.0-openjdk-headless, not sure if location of its creation can be controlled.

```
[root@hp-z600-01 ~]# ll /tmp/ -Z
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

[root@hp-z600-01 ~]# yum install java-1.7.0-openjdk -y
======================================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================================
Installing:
java-1.7.0-openjdk x86_64 1:1.7.0.45-2.4.3.4.el7 brew70 205 k
Installing for dependencies:
java-1.7.0-openjdk-headless x86_64 1:1.7.0.45-2.4.3.4.el7 brew70 25 M
jline noarch 1.0-7.el7 beaker-Server 70 k
rhino noarch 1.7R4-3.el7 beaker-Server 1.0 M
Transaction Summary
======================================================================================================================================================

[root@hp-z600-01 ~]# ll /tmp/ -Z
drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx
```

This seems to be a general JDK issue, see for example https://bugzilla.redhat.com/show_bug.cgi?id=917843#c6. Also adding Nathan to know about this one.

We can add filename transition rule for this. I mean for hsperfdata_root. We just need to select the correct label which is probably user_tmp_t.

```
allow pki_tomcat_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow pki_tomcat_t user_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
```

Could you guys test it with this label?

```
# chcon -R -t user_tmp_t /tmp/hsperfdata_root
```

```
commit 0290b27e98dd229bf05f94233ac08924b2b52d6a
Author: Dan Walsh <dwalsh>
Date: Fri Nov 15 13:33:18 2013 -0500

Label hsperfdata_root as tmp_t
```

This still seems to be an issue as of

```
/sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR:
time->Fri Dec 13 14:00:23 2013
type=SYSCALL msg=audit(1386961223.120:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1b44008590 a2=90800 a3=0 items=0 ppid=1 pid=14474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961223.120:125): avc: denied { read } for pid=14474 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:142): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f7168008160 a2=90800 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:142): avc: denied { read } for pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:143): arch=c000003e syscall=2 success=no exit=-13 a0=7f7168008180 a1=242 a2=180 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:143): avc: denied { write } for pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.141:147): arch=c000003e syscall=2 success=no exit=-13 a0=7f48bc0085b0 a1=242 a2=180 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.141:147): avc: denied { write } for pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.140:146): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f48bc008590 a2=90800 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.140:146): avc: denied { read } for pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
```

I will try a run again with "chcon -R -t user_tmp_t /tmp/hsperfdata_root"

I confirmed that running the following before ipa-install is a work-around for this BZ:

```
mkdir /tmp/hsperfdata_root
chcon -R -t user_tmp_t /tmp/hsperfdata_root
```

As of ipa-server-3.3.3-6.el7.x86_64 I no longer need to utilize the work-around.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.

Description of problem:
AVC denials found during IPA installation

Version-Release number of selected component (if applicable):

```
[root@hp-z600-01 ~]# rpm -q ipa-server
ipa-server-3.3.2-1.el7.x86_64
[root@hp-z600-01 ~]# rpm -q selinux-policy
selinux-policy-3.12.1-95.el7.noarch
```

How reproducible: always

Steps to Reproduce:

```
[root@hp-z600-01 ~]# ll -Z /tmp
>>drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-D9dn29
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-HbzcnF
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-hCeAVu
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log

[root@hp-z600-01 ~]# ipa-server-install -U -r testrelm.com -p Secret123 -a Secret123 --setup-dns --forwarder 10.16.36.29
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
... .. . . <truncated>

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39
```

Actual results:

```
[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39
----
time->Wed Nov 6 07:17:53 2013
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov 6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:282): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f6ea0015e70 a2=90800 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:282): avc: denied { read } for pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:283): arch=c000003e syscall=2 success=no exit=-13 a0=7f6ea0015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:283): avc: denied { write } for pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:286): arch=c000003e syscall=2 success=no exit=-13 a0=7f62180159e0 a1=242 a2=180 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:286): avc: denied { write } for pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.860:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fcaf4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.860:288): avc: denied { read } for pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:285): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f62180159c0 a2=90800 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:285): avc: denied { read } for pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.861:289): arch=c000003e syscall=2 success=no exit=-13 a0=7fcaf4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.861:289): avc: denied { write } for pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:292): arch=c000003e syscall=2 success=no exit=-13 a0=7f77480159e0 a1=242 a2=180 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:292): avc: denied { write } for pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:294): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1ac4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:294): avc: denied { read } for pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f1ac4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:295): avc: denied { write } for pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:291): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f77480159c0 a2=90800 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:291): avc: denied { read } for pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.795:304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f89c00159c0 a2=90800 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.795:304): avc: denied { read } for pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.796:305): arch=c000003e syscall=2 success=no exit=-13 a0=7f89c00159e0 a1=242 a2=180 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.796:305): avc: denied { write } for pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:308): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f5274015e70 a2=90800 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:308): avc: denied { read } for pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:309): arch=c000003e syscall=2 success=no exit=-13 a0=7f5274015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:309): avc: denied { write } for pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov 6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:319): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov 6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:320): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

Expected results: No AVC denials found

Additional info:
* No avc denials were found after changing context

```
# cd /tmp
# chcon -t tmp_t hsperf*
```