Bug 1243431

Summary: selinux denials while trying to register to subscription-manager
Product: Red Hat Enterprise Linux 7
Reporter: Shwetha Kallesh <skallesh>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: jhutar, lvrabec, mgrepl, mmalik, pjanda, plautrba, pvrabec, skallesh, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-43.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:40:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1186677
Attachments: selinux denial (flags: none)

Description Shwetha Kallesh 2015-07-15 12:21:25 UTC
Created attachment 1052347
selinux denial

Description of problem:
selinux denials while trying to register to subscription-manager

Version-Release number of selected component (if applicable):

[root@dhcp35-236 ~]# rpm -qa | grep selinux
selinux-policy-3.13.1-29.el7.noarch
selinux-policy-targeted-3.13.1-29.el7.noarch

[root@dhcp35-236 ~]# rpm -qa | grep subscription-manager
subscription-manager-1.15.7-1.git.0.d18b901.el7.x86_64
subscription-manager-gui-1.15.7-1.git.0.d18b901.el7.x86_64
subscription-manager-migration-data-2.0.22-1.git.0.4260892.el7.noarch
subscription-manager-initial-setup-addon-1.15.7-1.git.0.d18b901.el7.x86_64
subscription-manager-migration-1.15.7-1.git.0.d18b901.el7.x86_64
subscription-manager-plugin-container-1.15.7-1.git.0.d18b901.el7.x86_64
subscription-manager-plugin-ostree-1.15.7-1.git.0.d18b901.el7.x86_64

How reproducible:


Steps to Reproduce:
[root@dhcp35-236 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dhcp35-236 ~]# subscription-manager register --force
The system with UUID 13a295be-e65e-4e3b-af14-99febc751489 has been unregistered
Username: qa
Password: 
The system has been registered with ID: cccf5eb8-eba5-4459-a0d9-21afead337bd 
[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.334:2364) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.334:2364) : avc:  denied  { execute } for  pid=3917 comm=rhsmd path=/tmp/ffiS6KcEJ (deleted) dev="dm-0" ino=1320552 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.334:2365) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.334:2365) : avc:  denied  { execute } for  pid=3917 comm=rhsmd path=/var/tmp/ffian6yjS (deleted) dev="dm-0" ino=204472131 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.334:2366) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffcc50e13a0 a1=O_RDWR|O_CREAT|O_EXCL a2=0600 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.334:2366) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.334:2367) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e7 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.334:2367) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.334:2368) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e9 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.334:2368) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="devtmpfs" ino=1025 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2369) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e6 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2369) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2370) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2370) : avc:  denied  { execute } for  pid=3917 comm=rhsmd path=/run/ffiAfrsE9 (deleted) dev="tmpfs" ino=503998 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2371) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e9 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2371) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="configfs" ino=9413 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2372) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de402 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2372) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2373) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2373) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="selinuxfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2374) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e8 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2374) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="debugfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2375) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e7 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2375) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="mqueue" ino=8504 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2376) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2376) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="hugetlbfs" ino=14354 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2377) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2377) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2378) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de402 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2378) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="dm-2" ino=192 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2379) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e8 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2379) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="fusectl" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2380) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e7 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2380) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.335:2381) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e9 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.335:2381) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="devtmpfs" ino=1025 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2382) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e6 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2382) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2383) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2383) : avc:  denied  { execute } for  pid=3917 comm=rhsmd path=/run/ffinUraki (deleted) dev="tmpfs" ino=503999 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2384) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e9 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2384) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="configfs" ino=9413 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2385) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de402 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2385) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2386) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2386) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="selinuxfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2387) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e8 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2387) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="debugfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2388) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e7 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2388) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="mqueue" ino=8504 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2389) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2389) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="hugetlbfs" ino=14354 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2390) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3ea a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2390) : avc:  denied  { dac_override } for  pid=3917 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2391) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de402 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2391) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="dm-2" ino=192 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 17:44:00.336:2392) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffcc50de3e8 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/15/2015 17:44:00.336:2392) : avc:  denied  { write } for  pid=3917 comm=rhsmd name=/ dev="fusectl" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

Actual results:


Expected results:


Additional info:

Comment 2 Shwetha Kallesh 2015-07-20 11:36:02 UTC
I also observe denials while trying to remove subscriptions

Version:
selinux-policy-3.13.1-29.el7.noarch
selinux-policy-targeted-3.13.1-29.el7.noarch
subscription-manager-1.16.0-1.git.5.a9bd533.el7.x86_64


[root@dhcp35-236 ~]# subscription-manager remove --all
1 subscription removed at the server.
1 local certificate has been deleted.
[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.455:4433) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.455:4433) : avc:  denied  { execute } for  pid=3046 comm=rhsmd path=/tmp/ffiBpKjvr (deleted) dev="dm-0" ino=1320543 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.455:4434) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.455:4434) : avc:  denied  { execute } for  pid=3046 comm=rhsmd path=/var/tmp/ffi2KkxMo (deleted) dev="dm-0" ino=204572981 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.455:4435) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffdd28b8de0 a1=O_RDWR|O_CREAT|O_EXCL a2=0600 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.455:4435) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.455:4436) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e27 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.455:4436) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.455:4437) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e29 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.455:4437) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="devtmpfs" ino=1025 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4438) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e26 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4438) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4439) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4439) : avc:  denied  { execute } for  pid=3046 comm=rhsmd path=/run/ffiCBlalj (deleted) dev="tmpfs" ino=517355 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4440) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e29 a1=W_OK a2=0x8 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4440) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="configfs" ino=8627 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4441) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e42 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4441) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4442) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4442) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="selinuxfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4443) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e28 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4443) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="debugfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4444) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e27 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4444) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="mqueue" ino=8504 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4445) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4445) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="hugetlbfs" ino=13351 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4446) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4446) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4447) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e42 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4447) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="dm-2" ino=192 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4448) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e28 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4448) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="fusectl" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4449) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e27 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.456:4449) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4450) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e29 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4450) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="devtmpfs" ino=1025 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4451) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e26 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4451) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="tmpfs" ino=1185 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4452) : arch=x86_64 syscall=mmap success=no exit=-13(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4452) : avc:  denied  { execute } for  pid=3046 comm=rhsmd path=/run/ffiCZGKCg (deleted) dev="tmpfs" ino=517356 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4453) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e29 a1=W_OK a2=0x8 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4453) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="configfs" ino=8627 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4454) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e42 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4454) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4455) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4455) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="selinuxfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4456) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e28 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4456) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="debugfs" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4457) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e27 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4457) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="mqueue" ino=8504 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4458) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4458) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="hugetlbfs" ino=13351 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4459) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e2a a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4459) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4460) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e42 a1=W_OK a2=0x0 a3=0x6 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4460) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="dm-2" ino=192 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.457:4461) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ffdd28b5e28 a1=W_OK a2=0x0 a3=0x0 items=0 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/20/2015 17:03:31.457:4461) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="fusectl" ino=1 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

Comment 3 Miroslav Grepl 2015-08-04 15:40:43 UTC
OK, we need to add additional fixes. Also, most of these AVCs are access checks and should be dontaudited.

Comment 4 Miroslav Grepl 2015-08-07 10:07:35 UTC
Could you also attach AVCs from permissive mode? Thank you.

Comment 5 Petr Janda 2015-08-11 08:40:11 UTC
Hi, I've hit the same problem, so I suppose I can provide the requested AVCs.

[root@ibm-x3550m3-03-g3 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-37.el7.noarch
selinux-policy-3.13.1-37.el7.noarch

[root@ibm-x3550m3-03-g3 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@ibm-x3550m3-03-g3 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>

[root@ibm-x3550m3-03-g3 ~]# subscription-manager register --force
The system with UUID 79dfd830-7a01-427c-9b3c-40b4b83e0b27 has been unregistered
Registering to: subscription.rhn.stage.redhat.com/subscription:443
Username: qa
Password: 
The system has been registered with ID: de5d6117-f663-48ff-a28f-f048c445fa58 

[root@ibm-x3550m3-03-g3 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(08/11/2015 04:34:30.163:364) : arch=x86_64 syscall=mmap success=yes exit=140123170107392 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=2511 pid=2512 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 04:34:30.163:364) : avc:  denied  { execute } for  pid=2512 comm=rhsmd path=/tmp/ffiRstuCn (deleted) dev="dm-0" ino=685 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file

Comment 6 Shwetha Kallesh 2015-08-11 09:34:06 UTC
Attached AVC denials for permissive mode


[root@dhcp35-236 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@dhcp35-236 ~]# getenforce 
Permissive
[root@dhcp35-236 ~]# subscription-manager register 
Registering to: subscription.rhn.redhat.com/subscription:443
Username: qa
Password: 
The system has been registered with ID: 94474bbe-d95b-4f16-bfbe-05b898796130 
[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(08/11/2015 14:54:05.013:9499) : arch=x86_64 syscall=mmap success=yes exit=139695429779456 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18473 pid=18474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:54:05.013:9499) : avc:  denied  { execute } for  pid=18474 comm=rhsmd path=/tmp/ffikje4wK (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 



[root@dhcp35-236 ~]# subscription-manager attach --auto


Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(08/11/2015 14:54:05.013:9499) : arch=x86_64 syscall=mmap success=yes exit=139695429779456 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18473 pid=18474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:54:05.013:9499) : avc:  denied  { execute } for  pid=18474 comm=rhsmd path=/tmp/ffikje4wK (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(08/11/2015 14:55:48.446:9500) : arch=x86_64 syscall=mmap success=yes exit=140031875293184 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18568 pid=18569 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:55:48.446:9500) : avc:  denied  { execute } for  pid=18569 comm=rhsmd path=/tmp/ffidTUXlQ (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 




[root@dhcp35-236 ~]# subscription-manager remove --all
1 subscription removed at the server.
1 local certificate has been deleted.
[root@dhcp35-236 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(08/11/2015 14:54:05.013:9499) : arch=x86_64 syscall=mmap success=yes exit=139695429779456 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18473 pid=18474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:54:05.013:9499) : avc:  denied  { execute } for  pid=18474 comm=rhsmd path=/tmp/ffikje4wK (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(08/11/2015 14:55:48.446:9500) : arch=x86_64 syscall=mmap success=yes exit=140031875293184 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18568 pid=18569 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:55:48.446:9500) : avc:  denied  { execute } for  pid=18569 comm=rhsmd path=/tmp/ffidTUXlQ (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(08/11/2015 14:56:54.334:9501) : arch=x86_64 syscall=mmap success=yes exit=139657261436928 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=18607 pid=18608 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/11/2015 14:56:54.334:9501) : avc:  denied  { execute } for  pid=18608 comm=rhsmd path=/tmp/ffiauydPl (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file

Comment 7 Lukas Vrabec 2015-08-12 13:03:21 UTC
I have a fix for the access check rules, but I would like to ask about these rules:
allow rhsmcertd_t rhsmcertd_tmp_t:file execute;
allow rhsmcertd_t rhsmcertd_var_run_t:file execute;

Why does rhsmcertd_t need to execute some file in /tmp? Is this necessary?
Same question for /var/run/.

Comment 8 Milos Malik 2015-08-14 17:13:12 UTC
Appeared in permissive mode after selinux-policy upgrade (to 3.13.1-42.el7):
----
type=MMAP msg=audit(08/14/2015 19:10:09.653:334) : fd=6 flags=MAP_SHARED 
type=SYSCALL msg=audit(08/14/2015 19:10:09.653:334) : arch=x86_64 syscall=mmap success=yes exit=140617029484544 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=21725 pid=21726 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/14/2015 19:10:09.653:334) : avc:  denied  { execute } for  pid=21726 comm=rhsmd path=/tmp/ffivtz9xs (deleted) dev="vda3" ino=51318331 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file 
----

Comment 9 Milos Malik 2015-08-14 17:22:29 UTC
The following policy module solved the problem on my machines:

# cat mypolicy.te 
module mypolicy 1.0;

require {
	type rhsmcertd_tmp_t;
	type rhsmcertd_t;
	class file { execute getattr open read };
}

allow rhsmcertd_t rhsmcertd_tmp_t:file { getattr open read execute };
#

It seems that the following rules are not needed:
allow rhsmcertd_t configfs_t:dir write;
allow rhsmcertd_t debugfs_t:dir write;
allow rhsmcertd_t device_t:dir write;
allow rhsmcertd_t fusefs_t:dir write;
allow rhsmcertd_t hugetlbfs_t:dir write;
allow rhsmcertd_t nfsd_fs_t:dir write;
allow rhsmcertd_t rhsmcertd_var_run_t:file execute;
allow rhsmcertd_t security_t:dir write;
allow rhsmcertd_t self:capability dac_override;
allow rhsmcertd_t tmpfs_t:dir write;
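
Added example, not part of the original thread or of selinux-policy: a triage script for the split described in Comment 3 and Comment 9, which pairs each AVC with the SYSCALL record of the same audit event and separates `access()` probes (dontaudit candidates) from denials on real operations. The names `SAMPLE`, `triage` and `render` are hypothetical, and the sample is abridged from the `ausearch -i` output quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample: three events abridged from the `ausearch -i` output quoted
# in this bug (SYSCALL records trimmed to the fields the triage reads).
SAMPLE = """\
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4446) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a1=W_OK comm=rhsmd
type=AVC msg=audit(07/20/2015 17:03:31.456:4446) : avc:  denied  { dac_override } for  pid=3046 comm=rhsmd capability=dac_override  scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=capability
----
type=SYSCALL msg=audit(07/20/2015 17:03:31.456:4447) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a1=W_OK comm=rhsmd
type=AVC msg=audit(07/20/2015 17:03:31.456:4447) : avc:  denied  { write } for  pid=3046 comm=rhsmd name=/ dev="dm-2" ino=192 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----
type=SYSCALL msg=audit(08/11/2015 14:54:05.013:9499) : arch=x86_64 syscall=mmap success=yes a2=PROT_READ|PROT_EXEC a3=MAP_SHARED comm=rhsmd
type=AVC msg=audit(08/11/2015 14:54:05.013:9499) : avc:  denied  { execute } for  pid=18474 comm=rhsmd path=/tmp/ffikje4wK (deleted) dev="dm-0" ino=1258811 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_tmp_t:s0 tclass=file
"""

EVENT_ID = re.compile(r"msg=audit\(([^)]*:\d+)\)")   # timestamp:serial ties records together
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SYSCALL = re.compile(r"\bsyscall=(\S+)")
PROBE_SYSCALLS = {"access", "faccessat"}              # permission checks, nothing is performed


def se_type(context):
    """user:role:type:level[:categories] -> type"""
    return context.split(":")[2]


def parse_events(text):
    """Group records by audit event id, independent of record order."""
    events = defaultdict(lambda: {"syscall": None, "avc": []})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue                                  # '----' separators, blank lines
        ev = events[m.group(1)]
        if line.startswith("type=SYSCALL"):
            s = SYSCALL.search(line)
            ev["syscall"] = s.group(1) if s else None
        elif line.startswith("type=AVC"):
            a = AVC.search(line)
            if a:
                ev["avc"].append(a.groups())
    return events


def triage(text):
    """Return (probes, real) as sets of (source, target, class, permission)."""
    probes, real = set(), set()
    for ev in parse_events(text).values():
        bucket = probes if ev["syscall"] in PROBE_SYSCALLS else real
        for perms, scon, tcon, tclass in ev["avc"]:
            src, tgt = se_type(scon), se_type(tcon)
            if tclass.startswith("capability") and src == tgt:
                tgt = "self"                          # policy syntax for own capabilities
            bucket.update((src, tgt, tclass, p) for p in perms.split())
    return probes - real, real                        # a real denial outranks a probe


def render(probes, real):
    out = [f"dontaudit {s} {t}:{c} {p};" for s, t, c, p in sorted(probes)]
    out += [f"# review before allowing: {s} {t}:{c} {p}" for s, t, c, p in sorted(real)]
    return out


if __name__ == "__main__":
    print("\n".join(render(*triage(SAMPLE))))
```

Denials on real operations are only listed for review, since Comment 7 questions whether executing files from /tmp is needed at all.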

Comment 10 Miroslav Grepl 2015-08-17 08:43:42 UTC
Milos,
could you attach AVCs with full auditing for execute and dac_override, if possible? 

Thank you.

Comment 13 Lukas Vrabec 2015-08-18 10:34:05 UTC
Mirek, 
What do you mean by new interface? 
I would say we can add a dontaudit rule on dac_override into this interface:
files_dontaudit_write_all_mountpoints. 

What do you think about this solution? 

Thank you for feedback!

Comment 14 Miroslav Grepl 2015-08-18 10:48:42 UTC
(In reply to Lukas Vrabec from comment #13)
> Mirek, 
> What do you mean by new interface? 
> I would say we can add a dontaudit rule on dac_override into this interface:
> files_dontaudit_write_all_mountpoints. 
> 
> What do you think about this solution? 
> 
> Thank you for feedback!

Yes, I mean this new interface. Or we can add it directly to .te with a comment.

Comment 15 Lukas Vrabec 2015-08-18 10:53:16 UTC
I prefer the rule in the interface.

In this case I'm going to add the fixes to the repo. The fix will be included in the *-43 version of the selinux-policy package.

Comment 16 Lukas Vrabec 2015-08-18 11:46:27 UTC
commit 43e2cfbba0ef23d125daee6c89fcdf3f77ae7107
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 12 14:03:28 2015 +0200

    Add mountpoint dontaudit access check in rhsmcertd policy.
    Resolves: #1243431

commit 055d76f59e9fdafcb4f5a589ba2bdbee684c5240
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 13:05:07 2015 +0200

    Added to files_dontaudit_write_all_mountpoints interface new dontaudit rule, that domain included this interface dontaudit capability dac_override.

Comment 21 Lukas Vrabec 2015-08-19 08:20:23 UTC
commit 055d76f59e9fdafcb4f5a589ba2bdbee684c5240
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 13:05:07 2015 +0200

    Added to files_dontaudit_write_all_mountpoints interface new dontaudit rule, that domain included this interface dontaudit capability dac_override.

commit 43e2cfbba0ef23d125daee6c89fcdf3f77ae7107
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 12 14:03:28 2015 +0200

    Add mountpoint dontaudit access check in rhsmcertd policy.
    Resolves: #1243431

Comment 22 Lukas Vrabec 2015-08-19 08:35:11 UTC
commit c1d4f132a94845ea3c0c35602f960960c6108033
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 19 10:25:07 2015 +0200

    Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. These rules are in hide_broken_sympthons until we find better solution.
    Resolves: #1243431

Comment 24 Lukas Vrabec 2015-08-21 08:41:24 UTC
*** Bug 1255623 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2015-11-19 10:40:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html