Bug 1186780
| Summary: | selinux prevents audit to halt the system | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Patrik Kis <pkis> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Fixed In Version: | selinux-policy-3.13.1-42.el7 | Doc Type: | Bug Fix |
| Last Closed: | 2015-11-19 10:25:41 UTC | Type: | Bug |
Hi,
Could you attach also AVCs generated in permissive mode?

Thank you!

(In reply to Lukas Vrabec from comment #2)
> Hi,
> Could you attach also AVCs generated in permissive mode?
>
> Thank you!

There are no AVCs in permissive mode; not sure why (tried twice). Maybe because the system is halted and the audit daemon cannot catch them, but that's only my theory.

commit aae25e2ed5962ba3d2e3920522eebdb3c86954d6
Author: Lukas Vrabec <lvrabec>
Date: Mon Jul 13 18:24:25 2015 +0200
Allow audisp-remote searching devpts.
I've tested this again with selinux-policy-3.13.1-32.el7, but new AVC denials appeared. The test passed when all these policies were added:
allow audisp_remote_t user_devpts_t:chr_file { write open ioctl };
allow audisp_remote_t power_unit_file_t:service start;
Hi,
Please add AVCs.

Sorry, I don't have them filtered; here goes what is in audit.log:
# ausearch -m avc -m user_avc -i
----
type=USER_AVC msg=audit(07/13/2015 12:44:57.938:48) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:37:37.104:115) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/13/2015 14:37:37.107:116) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f53a752c8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f53a752c8c0 a3=0x5 items=0 ppid=32414 pid=32476 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/13/2015 14:37:37.107:116) : avc: denied { search } for pid=32476 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/13/2015 14:37:37.107:117) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f53a752c8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f53a752c8c0 a3=0x5 items=0 ppid=32414 pid=32476 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/13/2015 14:37:37.107:117) : avc: denied { search } for pid=32476 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
----
type=USER_AVC msg=audit(07/13/2015 14:47:04.424:126) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:47:04.424:127) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:47:04.556:133) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:51:21.296:34) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:57:18.981:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/13/2015 14:57:19.075:103) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 14:41:00.434:366) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 14:45:07.762:399) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 14:45:07.763:400) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f2cf42ef8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f2cf42ef8c0 a3=0x5 items=0 ppid=4169 pid=4194 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:45:07.763:400) : avc: denied { write } for pid=4194 comm=systemctl name=0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 14:45:07.763:401) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f2cf42ef8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f2cf42ef8c0 a3=0x5 items=0 ppid=4169 pid=4194 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:45:07.763:401) : avc: denied { write } for pid=4194 comm=systemctl name=1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 14:48:24.624:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 14:48:24.625:403) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ff9bdfe88c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7ff9bdfe88c0 a3=0x5 items=0 ppid=4169 pid=4196 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:48:24.625:403) : avc: denied { write } for pid=4196 comm=systemctl name=0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 14:48:24.626:404) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ff9bdfe88c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7ff9bdfe88c0 a3=0x5 items=0 ppid=4169 pid=4196 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:48:24.626:404) : avc: denied { write } for pid=4196 comm=systemctl name=1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 14:58:37.347:425) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 14:58:37.349:426) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7eff8a9408c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7eff8a9408c0 a3=0x5 items=0 ppid=4347 pid=4377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:58:37.349:426) : avc: denied { open } for pid=4377 comm=systemctl path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 14:58:37.349:427) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7eff8a9408c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7eff8a9408c0 a3=0x5 items=0 ppid=4347 pid=4377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 14:58:37.349:427) : avc: denied { open } for pid=4377 comm=systemctl path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 15:05:29.510:448) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 15:05:29.511:449) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8ae221b8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f8ae221b8c0 a3=0x5 items=0 ppid=4471 pid=4493 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:05:29.511:449) : avc: denied { write } for pid=4493 comm=systemctl name=0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 15:05:29.512:450) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8ae221b8c0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f8ae221b8c0 a3=0x5 items=0 ppid=4471 pid=4493 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:05:29.512:450) : avc: denied { write } for pid=4493 comm=systemctl name=1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 15:29:16.334:463) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 15:29:16.334:464) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 15:29:16.338:465) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=TCGETS a2=0x7fffc8dc9860 a3=0x5 items=0 ppid=4555 pid=4588 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:29:16.338:465) : avc: denied { ioctl } for pid=4588 comm=systemctl path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 15:29:16.338:466) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=TCGETS a2=0x7fffc8dc9860 a3=0x5 items=0 ppid=4555 pid=4588 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:29:16.338:466) : avc: denied { ioctl } for pid=4588 comm=systemctl path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 15:37:06.476:480) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=8) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 15:37:06.476:481) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=9) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 15:37:06.477:482) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/14/2015 15:37:06.480:483) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=TCGETS a2=0x7fff3165ca70 a3=0x5 items=0 ppid=4620 pid=4655 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:37:06.480:483) : avc: denied { ioctl } for pid=4655 comm=systemctl path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(07/14/2015 15:37:06.480:484) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=TCGETS a2=0x7fff3165ca70 a3=0x5 items=0 ppid=4620 pid=4655 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(07/14/2015 15:37:06.480:484) : avc: denied { ioctl } for pid=4655 comm=systemctl path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=USER_AVC msg=audit(07/14/2015 15:45:01.100:495) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=10) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 15:45:01.100:496) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=11) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 15:45:01.101:497) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 16:01:01.339:512) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=12) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 16:01:01.339:513) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=13) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 16:01:18.087:523) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(07/14/2015 16:10:32.227:112) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
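An added example, not part of the bug report or of the selinux-policy project: a small Python parser that turns denial records like those in the ausearch output above into candidate allow rules, merging permissions per source type, target type and class and keeping the audit serials as evidence. The function names and the abbreviated SAMPLE records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: records abbreviated from the ausearch output above
# (fields that do not affect rule generation were dropped).
SAMPLE = """\
type=AVC msg=audit(07/13/2015 14:37:37.107:116) : avc: denied { search } for pid=32476 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
type=USER_AVC msg=audit(07/14/2015 14:41:00.434:366) : pid=1 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd'
type=USER_AVC msg=audit(07/14/2015 14:45:07.762:399) : pid=1 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd'
type=SYSCALL msg=audit(07/14/2015 14:45:07.763:400) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) comm=systemctl subj=system_u:system_r:audisp_remote_t:s0
type=AVC msg=audit(07/14/2015 14:45:07.763:400) : avc: denied { write } for pid=4194 comm=systemctl name=0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(07/14/2015 14:58:37.349:426) : avc: denied { open } for pid=4377 comm=systemctl path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(07/14/2015 15:29:16.338:465) : avc: denied { ioctl } for pid=4588 comm=systemctl path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=USER_AVC msg=audit(07/14/2015 16:01:18.087:523) : pid=1 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/poweroff.target scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd'
"""

# Matches both kernel AVC records and USER_AVC records emitted by systemd.
DENIAL = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)
# Audit serial number: the digits after the last ':' inside msg=audit(...).
SERIAL = re.compile(r"msg=audit\([^)]*:(\d+)\)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Group denied permissions and audit serials by (source, target, class)."""
    grouped = defaultdict(lambda: {"perms": set(), "events": []})
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m is None:  # SYSCALL records, policyload/setenforce notices
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key]["perms"].update(m["perms"].split())
        grouped[key]["events"].append(int(SERIAL.search(line).group(1)))
    return dict(grouped)


def candidate_rules(grouped):
    """Render one allow rule per (source, target, class), permissions merged."""
    rules = []
    for (src, tgt, cls), info in sorted(grouped.items()):
        perms = sorted(info["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(collect_denials(SAMPLE)):
        print(rule)
```

Each output line is a candidate for policy review, traceable to its audit serials through `collect_denials`, not a rule to load as-is.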
commit a0d0259d30d5d3a5728af35badd260872ae42419
Author: Lukas Vrabec <lvrabec>
Date: Tue Jul 28 16:28:13 2015 +0200
Allow audisp_remote_t to read/write user domain pty.
Resolves: #1186780
commit 12c42c6a7805fcd0f192918eafe3bf201dbfd36a
Author: Lukas Vrabec <lvrabec>
Date: Tue Jul 28 16:25:20 2015 +0200
Allow audisp_remote_t to start power unit files domain to allow halt system.
Resolves: #1186780
During the functional testing the following AVC denial appeared on the client machines while halting the system. This AVC, however, did not prevent correct halting, it just appeared.
Could you please check it and fix it or suggest a fix in other component if the problem is there?
----
type=SYSCALL msg=audit(08/12/2015 10:11:15.520:1865) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f703b348375 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=0 ppid=7888 pid=7914 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(08/12/2015 10:11:15.520:1865) : avc: denied { read } for pid=7914 comm=systemctl name=cmdline dev="proc" ino=4026532021 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
commit 78dafee9a0226c3b5c2b3c0b764b36b6231a3810
Author: Lukas Vrabec <lvrabec>
Date: Wed Aug 12 11:10:54 2015 +0200
Allow audisp client to read system state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:
The audit daemon has a feature to configure an action when audit messages cannot be sent to the remote log server. One of these actions is system halt, which used to work on RHEL-6, but on RHEL-7 SELinux prevents halting the system. In permissive mode the system is halted.

/var/log/messages:
Jan 28 15:14:22 rhel70.pkis.net audisp-remote[4027]: read from 192.168.100.61 failed
Jan 28 15:16:30 rhel70.pkis.net audisp-remote[4027]: Error connecting to 192.168.100.61: Connection timed out
Jan 28 15:16:31 rhel70.pkis.net audisp-remote[4027]: remote logging halting system due to network failure
Jan 28 15:16:31 rhel70.pkis.net systemd[1]: SELinux policy denies access.

AVC denials:
----
type=SYSCALL msg=audit(01/28/2015 15:16:31.352:445) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f1999b468e0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f1999b468e0 a3=0x5 items=0 ppid=4027 pid=4073 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(01/28/2015 15:16:31.352:445) : avc: denied { search } for pid=4073 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
----
type=SYSCALL msg=audit(01/28/2015 15:16:31.352:446) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f1999b468e0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f1999b468e0 a3=0x5 items=0 ppid=4027 pid=4073 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(01/28/2015 15:16:31.352:446) : avc: denied { search } for pid=4073 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
----
type=SYSCALL msg=audit(01/28/2015 15:16:31.352:447) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f1999b468e0 a1=O_WRONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC a2=0x7f1999b468e0 a3=0x5 items=0 ppid=4027 pid=4073 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(01/28/2015 15:16:31.352:447) : avc: denied { search } for pid=4073 comm=systemctl name=/ dev="devpts" ino=1 scontext=system_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-22.el7

How reproducible:
always

Steps to Reproduce:
Two machines are needed; install the audispd-plugins package there.

SERVER:
In /etc/audit/auditd.conf add:
tcp_listen_port = 60
# service auditd restart

CLIENT:
In /etc/audisp/plugins.d/au-remote.conf edit:
active = yes
In /etc/audisp/audisp-remote.conf edit:
remote_server = <server_IP>
network_failure_action = halt
# service auditd restart
# auditctl -m TEST

SERVER:
Check that the "TEST" message appeared in the audit log of the server.
Block the server:
# iptables -A INPUT -m tcp -p tcp --source <client_IP> -j DROP

CLIENT:
# auditctl -m TEST
Wait a few minutes; monitor /var/log/messages.