Bug 1259519
| Field | Value |
|---|---|
| Summary | SELinux alerts for audispd |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.8 |
| Status | CLOSED WORKSFORME |
| Severity | low |
| Priority | unspecified |
| Reporter | agilley |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| CC | agilley, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-11-11 16:16:19 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
agilley
2015-09-02 20:59:08 UTC
Created attachment 1069596 [details]
audispd AVD denial
Created attachment 1069597 [details]
end of var/log/messages file that contains more information

audispd tries to communicate with a process running as initrc_t. Is auditd running as initrc_t?

# ps -efZ | grep initrc_t

auditd does not appear to be running as initrc_t.

Created attachment 1073393 [details]
ps output

Based on the latest attachment, there are 2 syslog daemons running (syslog-ng and rsyslogd). syslog daemons usually listen on the /dev/log socket. I suspect that one of them is not running in the correct SELinux domain. Could you paste here the output of the following commands?

# fuser /dev/log
# ps -efZ | grep syslog

The customer has created a SELinux policy module to fix this. I have the full sosreport but I am not sure if having him run those commands to get that information will be helpful at this point.

If it will still be beneficial I will get that information.

(In reply to agilley from comment #8)
> The customer has created a SELinux policy module to fix this. I have the
> full sosreport but I am not sure if having him run those commands to get
> that information will be helpful at this point.
>
> If it will still be beneficial I will get that information.

Without that we are not able to identify which service is running with the initrc_t SELinux domain. We will reopen it if we get the requested info. Thank you.
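
The cross-check this thread asks for, as an added example that is not part of the bug report or its attachments: take the target domain from an AVC denial and list the processes running in that domain. The AVC record, the process table (in `ps -eZ` layout rather than the `ps -efZ` used above) and the function names are constructed for illustration; which daemon lands in initrc_t here is an assumption, since the bug never established it.

```shell
#!/bin/sh
# Constructed sample AVC record (not taken from the bug's attachments).
SAMPLE_AVC='type=AVC msg=audit(1441227548.123:456): avc:  denied  { sendto } for  pid=1203 comm="audispd" path="/dev/log" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket'

# Constructed sample process table in `ps -eZ` layout: LABEL PID TTY TIME CMD
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:auditd_t:s0     1201 ?        00:00:00 auditd
system_u:system_r:audisp_t:s0     1203 ?        00:00:00 audispd
system_u:system_r:syslogd_t:s0    1250 ?        00:00:00 rsyslogd
system_u:system_r:initrc_t:s0     1302 ?        00:00:00 syslog-ng'

# Print the SELinux type (third colon-separated field) of the AVC's tcontext.
avc_target_type() {
    printf '%s\n' "$1" |
        sed -n 's/.* tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# Print "PID CMD" for every process in table $2 whose domain equals $1.
procs_in_domain() {
    printf '%s\n' "$2" |
        awk -v t="$1" 'NR > 1 { split($1, c, ":"); if (c[3] == t) print $2, $NF }'
}

# Cross-reference: which processes run in the domain the denial was against?
triage() {
    procs_in_domain "$(avc_target_type "$1")" "$2"
}

triage "$SAMPLE_AVC" "$SAMPLE_PS"
```

On a live host, pass one AVC line from the audit log as the first argument and `"$(ps -eZ)"` as the second; `fuser /dev/log` then confirms whether the listed PID is the one holding the socket.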