Bug 1305467

Summary: Unexpected audit message
Product: Red Hat Enterprise Linux 7
Reporter: Marius Vollmer <mvollmer>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: bcourt, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-25 14:12:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Marius Vollmer 2016-02-08 10:40:50 UTC
Description of problem:

Running the Cockpit integration tests triggers these messages occasionally:

type=1400 audit(1454848791.816:4): avc: denied { append } for pid=1833 comm="rhsmcertd-worke" name="rhsm.log" dev="vda3" ino=25411401 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=1400 audit(1454848792.184:5): avc: denied { append } for pid=1835 comm="rhsmcertd-worke" name="rhsm.log" dev="vda3" ino=25411401 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Version-Release number of selected component (if applicable):

subscription-manager-1.15.9-15.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch

Comment 2 Marius Vollmer 2016-02-08 10:51:47 UTC
I initially reported that this happens on RHEL Atomic, but it actually happens on non-atomic RHEL.  Sorry for the confusion.

Comment 3 Barnaby Court 2016-02-11 20:26:10 UTC
If this is not a selinux policy fix, please re-route back to subscription-manager with instructions on what we need to fix. Thanks

Comment 4 Milos Malik 2016-02-11 21:37:25 UTC
The rhsm.log file is mislabeled. The following command should fix it:

# restorecon -v /path/to/rhsm.log

Was SELinux enabled when the file was created?
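
Added example, not part of the bug thread and not code from selinux-policy or subscription-manager: a small Python triage of AVC denial records that separates the case diagnosed in comment 4 (target type unlabeled_t, so a labeling problem) from denials where both sides carry real types (a policy question, as asked in comment 3). The second sample record and the names parse_avc, triage and triage_log are constructed for illustration.

```python
import re

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is copied from the description; the second is constructed
# for contrast (same file, but carrying the label shown in comment 5).
SAMPLE = "\n".join([
    'type=1400 audit(1454848791.816:4): avc: denied { append } for pid=1833 '
    'comm="rhsmcertd-worke" name="rhsm.log" dev="vda3" ino=25411401 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=1400 audit(1454848999.000:9): avc: denied { unlink } for pid=1900 '
    'comm="example" name="rhsm.log" dev="vda3" ino=25411401 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=unconfined_u:object_r:rhsmcertd_log_t:s0 tclass=file',
])

def parse_avc(line):
    """Return a dict of fields from one AVC denial record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; the type is the third field.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def triage(rec):
    """'relabel' when the target is unlabeled_t (check ls -Z, run restorecon)."""
    if rec["ttype"] == "unlabeled_t":
        return "relabel"
    return "policy"  # both sides have real types: review policy or the program

def triage_log(text):
    """Return (comm, name, perms, verdict) for every AVC denial in text."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [(r.get("comm"), r.get("name"), r["perms"], triage(r)) for r in recs if r]

if __name__ == "__main__":
    for row in triage_log(SAMPLE):
        print(row)
```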

Comment 5 Marius Vollmer 2016-02-12 13:50:47 UTC
(In reply to Milos Malik from comment #4)

> Was SELinux enabled when the file was created?

I think so.

# ls -Z /var/log/rhsm/rhsm.log 
-rw-r--r--. root root unconfined_u:object_r:rhsmcertd_log_t:s0 /var/log/rhsm/rhsm.log

I don't know when it is created.  I don't have a reliable way to reproduce this error, unfortunately.  It happens very rarely.

After removing the file I wasn't able to provoke its recreation via "systemctl restart rhsmcertd", for example.