Bug 1286994

Summary: the start of roundup service triggers SELinux denials
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.7
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-296.el6
Last Closed: 2017-03-21 09:44:47 UTC
Type: Bug

Description Milos Malik 2015-12-01 10:07:48 UTC
Description of problem:
 * the roundup-server process stays running, but the following accesses seem to be needed

Version-Release number of selected component (if applicable):
roundup-1.4.20-1.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-6.7 machine (active targeted policy)
2. start the roundup service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PATH msg=audit(12/01/2015 04:56:04.179:273) : item=0 name=/etc/httpd/mime.types inode=393268 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:04.179:273) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:04.179:273) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x1b7feb0 a1=0x7fffb2213090 a2=0x7fffb2213090 a3=0x20 items=1 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.179:273) : avc:  denied  { search } for  pid=5466 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=PATH msg=audit(12/01/2015 04:56:04.180:274) : item=0 name=/etc/httpd/conf/mime.types inode=393268 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:04.180:274) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:04.180:274) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x14e79c0 a1=0x7fffb2213090 a2=0x7fffb2213090 a3=0x20 items=1 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.180:274) : avc:  denied  { search } for  pid=5466 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 04:56:04.736:275) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0xffffffff items=0 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.736:275) : avc:  denied  { create } for  pid=5466 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=PATH msg=audit(12/01/2015 04:56:03.738:272) : item=0 name=/proc/meminfo inode=4026532034 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:03.738:272) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:03.738:272) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x3ed495713e a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x2 items=1 ppid=5462 pid=5463 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:03.738:272) : avc:  denied  { read } for  pid=5463 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2015-12-01 10:15:34 UTC
Actual results (permissive mode):
----
type=PATH msg=audit(12/01/2015 05:13:23.473:304) : item=0 name=/proc/meminfo inode=4026532034 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 05:13:23.473:304) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 05:13:23.473:304) : arch=x86_64 syscall=open success=yes exit=3 a0=0x3ed495713e a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x2 items=1 ppid=8091 pid=8092 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.473:304) : avc:  denied  { open } for  pid=8092 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 05:13:23.473:304) : avc:  denied  { read } for  pid=8092 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=SYSCALL msg=audit(12/01/2015 05:13:23.474:305) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffcfa967380 a2=0x7ffcfa967380 a3=0x2 items=0 ppid=8091 pid=8092 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.474:305) : avc:  denied  { getattr } for  pid=8092 comm=roundup-server path=/proc/meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(12/01/2015 05:13:23.684:306) : item=0 name=/etc/httpd/mime.types nametype=UNKNOWN 
type=CWD msg=audit(12/01/2015 05:13:23.684:306) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 05:13:23.684:306) : arch=x86_64 syscall=stat success=no exit=-2(No such file or directory) a0=0x19487a0 a1=0x7ffcfa967d60 a2=0x7ffcfa967d60 a3=0x20 items=1 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.684:306) : avc:  denied  { search } for  pid=8095 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 05:13:23.994:307) : arch=x86_64 syscall=socket success=yes exit=5 a0=netlink a1=SOCK_RAW a2=ip a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.994:307) : avc:  denied  { create } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:308) : saddr=netlink pid:0 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:308) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x5 a1=0x7ffcfa967c70 a2=0xc a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:308) : avc:  denied  { bind } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:309) : saddr=netlink pid:8095 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:309) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x5 a1=0x7ffcfa967c70 a2=0x7ffcfa967c7c a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:309) : avc:  denied  { getattr } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:310) : saddr=netlink pid:0 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:310) : arch=x86_64 syscall=sendto success=yes exit=20 a0=0x5 a1=0x7ffcfa967be0 a2=0x14 a3=0x0 items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:310) : avc:  denied  { nlmsg_read } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----

Comment 2 Milos Malik 2015-12-01 10:28:36 UTC
The roundup service also communicates with SSSD when /etc/nsswitch.conf is configured in a certain way, which triggers other AVCs in enforcing mode:
----
type=PATH msg=audit(12/01/2015 11:23:03.711:814) : item=0 name=/var/lib/sss/mc/passwd inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 11:23:03.711:814) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 11:23:03.711:814) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x289dae0 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc76f920ac a3=0x17 items=1 ppid=1 pid=26655 auid=root uid=root gid=roundup euid=root suid=root fsuid=root egid=roundup sgid=roundup fsgid=roundup tty=(none) ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:23:03.711:814) : avc:  denied  { search } for  pid=26655 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=PATH msg=audit(12/01/2015 11:23:03.711:815) : item=0 name=(null) inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(12/01/2015 11:23:03.711:815) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(12/01/2015 11:23:03.711:815) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffc76f92070 a2=0x6e a3=0x17 items=1 ppid=1 pid=26655 auid=root uid=root gid=roundup euid=root suid=root fsuid=root egid=roundup sgid=roundup fsgid=roundup tty=(none) ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:23:03.711:815) : avc:  denied  { search } for  pid=26655 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----

Comment 3 Milos Malik 2015-12-01 10:33:07 UTC
roundup-server <---> SSSD in permissive mode:
----
type=PATH msg=audit(12/01/2015 11:31:29.741:872) : item=0 name=/var/lib/sss/mc/passwd inode=460 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 11:31:29.741:872) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:872) : arch=x86_64 syscall=open success=yes exit=4 a0=0x1b60020 a1=O_RDONLY|O_CLOEXEC a2=0x7ffe65e4434c a3=0x7ffe65e43ff0 items=1 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { open } for  pid=2838 comm=roundup-server name=passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { read } for  pid=2838 comm=roundup-server name=passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { search } for  pid=2838 comm=roundup-server name=mc dev=vda3 ino=25545 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { search } for  pid=2838 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:873) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffe65e442b0 a2=0x7ffe65e442b0 a3=0x7ffe65e44020 items=0 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:873) : avc:  denied  { getattr } for  pid=2838 comm=roundup-server path=/var/lib/sss/mc/passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=PATH msg=audit(12/01/2015 11:31:29.741:874) : item=0 name=(null) inode=370 dev=fc:03 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(12/01/2015 11:31:29.741:874) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:874) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe65e44310 a2=0x6e a3=0x7ffe65e43fa0 items=1 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:874) : avc:  denied  { connectto } for  pid=2838 comm=roundup-server path=/var/lib/sss/pipes/nss scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(12/01/2015 11:31:29.741:874) : avc:  denied  { write } for  pid=2838 comm=roundup-server name=nss dev=vda3 ino=370 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 
----

Comment 5 Milos Malik 2016-01-12 08:09:51 UTC
The automated TC triggers the following SELinux denial in enforcing mode:
----
time->Mon Jan 11 21:34:31 2016
type=PATH msg=audit(1452544471.927:1315): item=0 name="/var/lib/roundup/trackers/default/config.ini" inode=657163 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1452544471.927:1315):  cwd="/"
type=SYSCALL msg=audit(1452544471.927:1315): arch=40000003 syscall=195 success=no exit=-13 a0=98cbb20 a1=bf8351bc a2=36cff4 a3=98cbb20 items=1 ppid=1 pid=2951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1452544471.927:1315): avc:  denied  { getattr } for  pid=2951 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=dm-0 ino=657163 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----

because file context patterns expect that /var/lib/roundup is a regular file, which is not true:

# semanage fcontext -l | grep roundup_var_lib_t
/var/lib/roundup(/.*)?                             regular file       system_u:object_r:roundup_var_lib_t:s0 
# matchpathcon /var/lib/roundup/
/var/lib/roundup	system_u:object_r:var_lib_t:s0
# find /var/lib/roundup | wc -l
65
#

Comment 6 Lukas Vrabec 2016-10-03 13:55:40 UTC
Milos, 
Could we re-test this issue in permissive mode? 

Thanks.

Comment 7 Milos Malik 2016-10-03 14:13:56 UTC
RHEL-6.8 enforcing mode:
----
time->Mon Oct  3 10:08:25 2016
type=SYSCALL msg=audit(1475503705.806:214): arch=c000003e syscall=2 success=no exit=-13 a0=7f2f97d3729e a1=80000 a2=1b6 a3=2 items=0 ppid=6110 pid=6111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503705.806:214): avc:  denied  { read } for  pid=6111 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:08:25 2016
type=SYSCALL msg=audit(1475503705.918:215): arch=c000003e syscall=4 success=no exit=-13 a0=11c0120 a1=7ffc38a10250 a2=7ffc38a10250 a3=6f632f746c756166 items=0 ppid=1 pid=6114 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503705.918:215): avc:  denied  { getattr } for  pid=6114 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----

RHEL-6.8 permissive mode:
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.161:227): arch=c000003e syscall=2 success=yes exit=3 a0=7fb1d39dc29e a1=80000 a2=1b6 a3=2 items=0 ppid=11520 pid=11521 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.161:227): avc:  denied  { open } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:227): avc:  denied  { read } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.161:228): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffcc13a6640 a2=7ffcc13a6640 a3=2 items=0 ppid=11520 pid=11521 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.161:228): avc:  denied  { getattr } for  pid=11521 comm="roundup-server" path="/proc/meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.272:229): arch=c000003e syscall=4 success=yes exit=0 a0=2c17120 a1=7ffcc13a6ac0 a2=7ffcc13a6ac0 a3=6f632f746c756166 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.272:229): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.276:230): arch=c000003e syscall=2 success=yes exit=4 a0=2a56e20 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.276:230): avc:  denied  { open } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { read } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.301:231): arch=c000003e syscall=4 success=no exit=-2 a0=2cfda20 a1=7ffcc13a7020 a2=7ffcc13a7020 a3=20 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.301:231): avc:  denied  { search } for  pid=11524 comm="roundup-server" name="httpd" dev=vda1 ino=271872 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.505:232): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=3 a2=0 a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.505:232): avc:  denied  { create } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:233): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7ffcc13a6f30 a2=c a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:233): avc:  denied  { bind } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:234): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7ffcc13a6f30 a2=7ffcc13a6f3c a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:234): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:235): arch=c000003e syscall=44 success=yes exit=20 a0=5 a1=7ffcc13a6ea0 a2=14 a3=0 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:235): avc:  denied  { nlmsg_read } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
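
The enforcing and permissive runs in comment 7 can be compared mechanically: in enforcing mode a denied syscall fails at the first refused permission, so the later checks that permissive mode logs never appear. The following is an added example, not part of the bug report or of selinux-policy; the function names are hypothetical and the sample input is the AVC records copied from comment 7.

```python
import re
from collections import defaultdict

# AVC records copied from comment 7 (RHEL-6.8 enforcing run).
ENFORCING = """\
type=AVC msg=audit(1475503705.806:214): avc:  denied  { read } for  pid=6111 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503705.918:215): avc:  denied  { getattr } for  pid=6114 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
"""

# AVC records copied from comment 7 (RHEL-6.8 permissive run).
PERMISSIVE = """\
type=AVC msg=audit(1475503823.161:227): avc:  denied  { open } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:227): avc:  denied  { read } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:228): avc:  denied  { getattr } for  pid=11521 comm="roundup-server" path="/proc/meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.272:229): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { open } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { read } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.301:231): avc:  denied  { search } for  pid=11524 comm="roundup-server" name="httpd" dev=vda1 ino=271872 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1475503823.505:232): avc:  denied  { create } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1475503823.507:233): avc:  denied  { bind } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1475503823.507:234): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1475503823.507:235): avc:  denied  { nlmsg_read } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
"""

# Matches both the raw and the interpreted (ausearch -i) AVC layouts on this page.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log):
    """Group denials as (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["s"]), type_of(m["t"]), m["c"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def hidden_by_enforcing(enforcing_log, permissive_log):
    """Permissions that only the permissive run revealed, per access vector."""
    enf, perm = summarize(enforcing_log), summarize(permissive_log)
    extra = {k: sorted(v - enf.get(k, set())) for k, v in perm.items()}
    return {k: v for k, v in extra.items() if v}


def as_rules(rules):
    """Render the summary in allow-rule form for review (not for blind loading)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(as_rules(summarize(PERMISSIVE))))
    for key, perms in sorted(hidden_by_enforcing(ENFORCING, PERMISSIVE).items()):
        print("only seen in permissive:", key, perms)
```

The `var_lib_t` entry in the output corresponds to the labelling problem described in comment 5, so it points to a file-context correction rather than a new allow rule.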

Comment 15 errata-xmlrpc 2017-03-21 09:44:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html