Bug 1439179

Summary: AVC denials noticed during ipa-upgrade.
Product: Red Hat Enterprise Linux 7
Reporter: Nikhil Dehadrai <ndehadra>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.4
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2017-04-11 07:43:56 UTC
Type: Bug

Description Nikhil Dehadrai 2017-04-05 11:37:27 UTC
Description of problem:
AVC denials noticed during ipa-upgrade.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up IPA server for IPA-upgrade test suite execution.
2. Initiate automation for IPA-upgrade test suite.

Actual results:
AVC denials are observed on IPA master / IPA replica during test execution.

-------------------
Info: Searching AVC errors produced since 1491375348.26 (Wed Apr  5 02:55:48 2017)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 04/05/2017 02:55:48 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.oP3GAH 2>&1'
----
time->Wed Apr  5 02:55:50 2017
type=PATH msg=audit(1491375350.035:918): item=0 name="/var/lib/ipa/gssproxy/http.keytab" inode=68629445 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375350.035:918):  cwd="/"
type=SYSCALL msg=audit(1491375350.035:918): arch=c000003e syscall=2 success=yes exit=12 a0=7fc9500025b0 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=13183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1491375350.035:918): avc:  denied  { open } for  pid=13183 comm="gssproxy" path="/var/lib/ipa/gssproxy/http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1491375350.035:918): avc:  denied  { read } for  pid=13183 comm="gssproxy" name="http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
----
time->Wed Apr  5 02:55:50 2017
type=SYSCALL msg=audit(1491375350.036:919): arch=c000003e syscall=72 success=yes exit=0 a0=c a1=7 a2=7fc957059a90 a3=1 items=0 ppid=1 pid=13183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1491375350.036:919): avc:  denied  { lock } for  pid=13183 comm="gssproxy" path="/var/lib/ipa/gssproxy/http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
----
time->Wed Apr  5 02:55:50 2017
type=PATH msg=audit(1491375350.071:920): item=1 name="/var/run/ipa/ccaches/admin" inode=197775 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1491375350.071:920): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375350.071:920):  cwd="/"
type=SYSCALL msg=audit(1491375350.071:920): arch=c000003e syscall=2 success=yes exit=24 a0=7fc651d90140 a1=800c2 a2=180 a3=7e items=2 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375350.071:920): avc:  denied  { read write open } for  pid=15965 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375350.071:920): avc:  denied  { create } for  pid=15965 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375350.071:920): avc:  denied  { add_name } for  pid=15965 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
type=AVC msg=audit(1491375350.071:920): avc:  denied  { write } for  pid=15965 comm="httpd" name="ccaches" dev="tmpfs" ino=166912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:55:50 2017
type=PATH msg=audit(1491375350.071:921): item=0 name=(null) inode=197775 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(1491375350.071:921): arch=c000003e syscall=91 success=yes exit=0 a0=18 a1=180 a2=1 a3=7e items=1 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375350.071:921): avc:  denied  { setattr } for  pid=15965 comm="httpd" name="admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:55:50 2017
type=SYSCALL msg=audit(1491375350.071:922): arch=c000003e syscall=72 success=yes exit=0 a0=18 a1=7 a2=7ffd6ae13430 a3=7e items=0 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375350.071:922): avc:  denied  { lock } for  pid=15965 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:55:50 2017
type=PATH msg=audit(1491375350.071:923): item=0 name="/var/run/ipa/ccaches/admin" inode=197775 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375350.071:923):  cwd="/"
type=SYSCALL msg=audit(1491375350.071:923): arch=c000003e syscall=2 success=yes exit=24 a0=7fc651d90140 a1=80402 a2=180 a3=9 items=1 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375350.071:923): avc:  denied  { append } for  pid=15965 comm="httpd" name="admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:55:50 2017
type=PATH msg=audit(1491375350.098:924): item=1 name="/var/run/ipa/ccaches/admin" inode=197775 dev=00:12 mode=0100660 ouid=48 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1491375350.098:924): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375350.098:924):  cwd="/var/lib"
type=SYSCALL msg=audit(1491375350.098:924): arch=c000003e syscall=87 success=yes exit=0 a0=7fc62c01d7e0 a1=0 a2=0 a3=7e items=2 ppid=15954 pid=16282 auid=4294967295 uid=387 gid=386 euid=387 suid=387 fsuid=387 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375350.098:924): avc:  denied  { unlink } for  pid=16282 comm="httpd" name="admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375350.098:924): avc:  denied  { remove_name } for  pid=16282 comm="httpd" name="admin" dev="tmpfs" ino=197775 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:55:59 2017
type=PATH msg=audit(1491375359.008:929): item=0 name="/var/run/ipa/ccaches/admin" inode=197840 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375359.008:929):  cwd="/"
type=SYSCALL msg=audit(1491375359.008:929): arch=c000003e syscall=90 success=no exit=-1 a0=7fc652629028 a1=1b0 a2=1b1 a3=7fc642700672 items=1 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375359.008:929): avc:  denied  { setattr } for  pid=15964 comm="httpd" name="admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:55:59 2017
type=PATH msg=audit(1491375359.011:930): item=0 name="/var/run/ipa/ccaches/admin" inode=197840 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375359.011:930):  cwd="/var/lib"
type=SYSCALL msg=audit(1491375359.011:930): arch=c000003e syscall=2 success=yes exit=23 a0=7fc62c023490 a1=80000 a2=180 a3=5345542e4d4c4552 items=1 ppid=15954 pid=16282 auid=4294967295 uid=387 gid=386 euid=387 suid=387 fsuid=387 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375359.011:930): avc:  denied  { open } for  pid=16282 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375359.011:930): avc:  denied  { read } for  pid=16282 comm="httpd" name="admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:55:59 2017
type=SYSCALL msg=audit(1491375359.011:931): arch=c000003e syscall=72 success=yes exit=0 a0=17 a1=7 a2=7fc631395bd0 a3=5345542e4d4c4552 items=0 ppid=15954 pid=16282 auid=4294967295 uid=387 gid=386 euid=387 suid=387 fsuid=387 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375359.011:931): avc:  denied  { lock } for  pid=16282 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:11 2017
type=PATH msg=audit(1491375371.864:940): item=0 name="/var/lib/ipa/gssproxy/http.keytab" inode=68629445 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375371.864:940):  cwd="/"
type=SYSCALL msg=audit(1491375371.864:940): arch=c000003e syscall=2 success=yes exit=15 a0=7fc95007bbe0 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=13183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1491375371.864:940): avc:  denied  { open } for  pid=13183 comm="gssproxy" path="/var/lib/ipa/gssproxy/http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1491375371.864:940): avc:  denied  { read } for  pid=13183 comm="gssproxy" name="http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
----
time->Wed Apr  5 02:56:11 2017
type=SYSCALL msg=audit(1491375371.864:941): arch=c000003e syscall=72 success=yes exit=0 a0=f a1=7 a2=7fc957059c90 a3=1 items=0 ppid=1 pid=13183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1491375371.864:941): avc:  denied  { lock } for  pid=13183 comm="gssproxy" path="/var/lib/ipa/gssproxy/http.keytab" dev="dm-0" ino=68629445 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
----
time->Wed Apr  5 02:56:11 2017
type=PATH msg=audit(1491375371.866:942): item=1 name="/var/run/ipa/ccaches/admin" inode=197840 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1491375371.866:942): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375371.866:942):  cwd="/"
type=SYSCALL msg=audit(1491375371.866:942): arch=c000003e syscall=87 success=yes exit=0 a0=7fc6524eef90 a1=0 a2=0 a3=23000 items=2 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375371.866:942): avc:  denied  { unlink } for  pid=15964 comm="httpd" name="admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375371.866:942): avc:  denied  { remove_name } for  pid=15964 comm="httpd" name="admin" dev="tmpfs" ino=197840 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
type=AVC msg=audit(1491375371.866:942): avc:  denied  { write } for  pid=15964 comm="httpd" name="ccaches" dev="tmpfs" ino=166912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:56:11 2017
type=PATH msg=audit(1491375371.866:943): item=1 name="/var/run/ipa/ccaches/admin" inode=200724 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1491375371.866:943): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375371.866:943):  cwd="/"
type=SYSCALL msg=audit(1491375371.866:943): arch=c000003e syscall=2 success=yes exit=25 a0=7fc6524eef90 a1=800c2 a2=180 a3=23000 items=2 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375371.866:943): avc:  denied  { write } for  pid=15964 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=200724 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375371.866:943): avc:  denied  { create } for  pid=15964 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375371.866:943): avc:  denied  { add_name } for  pid=15964 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:56:11 2017
type=PATH msg=audit(1491375371.866:944): item=0 name="/var/run/ipa/ccaches/admin" inode=200724 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375371.866:944):  cwd="/"
type=SYSCALL msg=audit(1491375371.866:944): arch=c000003e syscall=2 success=yes exit=25 a0=7fc6524eef90 a1=80402 a2=180 a3=9 items=1 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375371.866:944): avc:  denied  { append } for  pid=15964 comm="httpd" name="admin" dev="tmpfs" ino=200724 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:12 2017
type=PATH msg=audit(1491375372.038:945): item=1 name="/var/run/ipa/ccaches/admin" inode=200760 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1491375372.038:945): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375372.038:945):  cwd="/"
type=SYSCALL msg=audit(1491375372.038:945): arch=c000003e syscall=87 success=yes exit=0 a0=7fc65258c3c0 a1=0 a2=0 a3=7e items=2 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375372.038:945): avc:  denied  { remove_name } for  pid=15964 comm="httpd" name="admin" dev="tmpfs" ino=200760 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
type=AVC msg=audit(1491375372.038:945): avc:  denied  { write } for  pid=15964 comm="httpd" name="ccaches" dev="tmpfs" ino=166912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:56:12 2017
type=PATH msg=audit(1491375372.039:946): item=1 name="/var/run/ipa/ccaches/admin" inode=200777 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1491375372.039:946): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375372.039:946):  cwd="/"
type=SYSCALL msg=audit(1491375372.039:946): arch=c000003e syscall=2 success=yes exit=24 a0=7fc65258c3c0 a1=800c2 a2=180 a3=7e items=2 ppid=15954 pid=15964 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375372.039:946): avc:  denied  { add_name } for  pid=15964 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
----
time->Wed Apr  5 02:56:13 2017
type=PATH msg=audit(1491375373.048:947): item=0 name="/var/run/ipa/ccaches/admin" inode=200790 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375373.048:947):  cwd="/"
type=SYSCALL msg=audit(1491375373.048:947): arch=c000003e syscall=90 success=no exit=-1 a0=7fc652653f20 a1=1b0 a2=1b1 a3=7fc642700672 items=1 ppid=15954 pid=15966 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375373.048:947): avc:  denied  { setattr } for  pid=15966 comm="httpd" name="admin" dev="tmpfs" ino=200790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:13 2017
type=PATH msg=audit(1491375373.051:948): item=0 name="/var/run/ipa/ccaches/admin" inode=200790 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375373.051:948):  cwd="/var/lib"
type=SYSCALL msg=audit(1491375373.051:948): arch=c000003e syscall=2 success=yes exit=23 a0=7fc62c01fca0 a1=80000 a2=180 a3=5345542e4d4c4552 items=1 ppid=15954 pid=16282 auid=4294967295 uid=387 gid=386 euid=387 suid=387 fsuid=387 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375373.051:948): avc:  denied  { open } for  pid=16282 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=200790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375373.051:948): avc:  denied  { read } for  pid=16282 comm="httpd" name="admin" dev="tmpfs" ino=200790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:13 2017
type=SYSCALL msg=audit(1491375373.051:949): arch=c000003e syscall=72 success=yes exit=0 a0=17 a1=7 a2=7fc631395bd0 a3=5345542e4d4c4552 items=0 ppid=15954 pid=16282 auid=4294967295 uid=387 gid=386 euid=387 suid=387 fsuid=387 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375373.051:949): avc:  denied  { lock } for  pid=16282 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=200790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:16 2017
type=PATH msg=audit(1491375376.238:951): item=1 name="/var/run/ipa/ccaches/admin" inode=201235 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1491375376.238:951): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375376.238:951):  cwd="/"
type=SYSCALL msg=audit(1491375376.238:951): arch=c000003e syscall=2 success=yes exit=25 a0=7fc6524f0600 a1=800c2 a2=180 a3=7e items=2 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375376.238:951): avc:  denied  { write } for  pid=15965 comm="httpd" path="/run/ipa/ccaches/admin" dev="tmpfs" ino=201235 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375376.238:951): avc:  denied  { create } for  pid=15965 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:16 2017
type=PATH msg=audit(1491375376.238:952): item=0 name="/var/run/ipa/ccaches/admin" inode=201235 dev=00:12 mode=0100600 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(1491375376.238:952):  cwd="/"
type=SYSCALL msg=audit(1491375376.238:952): arch=c000003e syscall=2 success=yes exit=25 a0=7fc6524f0600 a1=80402 a2=180 a3=9 items=1 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375376.238:952): avc:  denied  { append } for  pid=15965 comm="httpd" name="admin" dev="tmpfs" ino=201235 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
----
time->Wed Apr  5 02:56:16 2017
type=PATH msg=audit(1491375376.237:950): item=1 name="/var/run/ipa/ccaches/admin" inode=200790 dev=00:12 mode=0100600 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1491375376.237:950): item=0 name="/var/run/ipa/ccaches/" inode=166912 dev=00:12 mode=040770 ouid=387 ogid=386 rdev=00:00 obj=system_u:object_r:ipa_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1491375376.237:950):  cwd="/"
type=SYSCALL msg=audit(1491375376.237:950): arch=c000003e syscall=87 success=yes exit=0 a0=7fc6524f0600 a1=0 a2=0 a3=7e items=2 ppid=15954 pid=15965 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1491375376.237:950): avc:  denied  { unlink } for  pid=15965 comm="httpd" name="admin" dev="tmpfs" ino=200790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.oP3GAH | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.jhwo0N 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-102.el7_3.16.noarch


Expected results:
No AVC denials should be observed for IPA-upgrade process.
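
A triage aid for the log above, added here as an example (it is not part of the original report or of any Red Hat tooling): it collapses the AVC records into one entry per source type, target type and object class, and pairs each denial with the SYSCALL record of the same event to show whether the access still succeeded, which is what the permissive mode reported by sestatus would produce. The function names are hypothetical, the sample records are abridged from this report, and the success= pairing is a heuristic used because these AVC records carry no permissive= field.

```python
import re
from collections import defaultdict

# Records abridged from the ausearch output in this report; fields the
# parser does not use have been dropped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1491375350.035:918): syscall=2 success=yes exit=12 comm="gssproxy" subj=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(1491375350.035:918): avc:  denied  { open } for  pid=13183 comm="gssproxy" path="/var/lib/ipa/gssproxy/http.keytab" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1491375350.035:918): avc:  denied  { read } for  pid=13183 comm="gssproxy" name="http.keytab" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1491375350.071:920): syscall=2 success=yes exit=24 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1491375350.071:920): avc:  denied  { read write open } for  pid=15965 comm="httpd" path="/run/ipa/ccaches/admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
type=AVC msg=audit(1491375350.071:920): avc:  denied  { add_name } for  pid=15965 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1491375359.008:929): syscall=90 success=no exit=-1 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1491375359.008:929): avc:  denied  { setattr } for  pid=15964 comm="httpd" name="admin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*\bsuccess=(?P<ok>yes|no)\b"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": f.get("comm"),
        "source": selinux_type(f["scontext"]),
        "target": selinux_type(f["tcontext"]),
        "tclass": f["tclass"],
    }


def summarize(log):
    """Collapse denials into one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "events": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["target"], rec["tclass"])]
            g["perms"] |= rec["perms"]
            g["comms"].add(rec["comm"])
            g["events"].add(rec["serial"])
    return dict(groups)


def unenforced_events(log):
    """Serials of events where a denial was logged but the syscall succeeded."""
    succeeded, denied = {}, set()
    for line in log.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            succeeded[int(m.group("serial"))] = m.group("ok") == "yes"
        rec = parse_avc(line)
        if rec:
            denied.add(rec["serial"])
    return sorted(s for s in denied if succeeded.get(s))


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"comm={','.join(sorted(g['comms']))} events={len(g['events'])}")
    print("syscall succeeded despite denial:", unenforced_events(SAMPLE_LOG))
```

Run over the full ausearch output in this report, every denial falls into the same three groups: gssproxy_t on httpd_config_t files, and httpd_t on ipa_var_run_t files and directories.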

Comment 4 Lukas Vrabec 2017-04-11 07:43:56 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***