Bug 1525488
| Summary: | AVC denials seen during install of ipa-server | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sudhir Menon <sumenon> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.5 | CC: | adam.winberg, dpal, ksiddiqu, lmiksik, lslebodn, lvrabec, mgrepl, mmalik, ndehadra, nsoman, plautrba, ppicka, pvoborni, spoore, ssekidde, vashirov, yoyang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-25 10:02:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Also seeing AVC denials with quickinstall job for IPA-server and Replica installation.
SELINUX-VERSION:
selinux-policy-3.13.1-183.el7.noarch
-------------------------------------------------
Info: Searching AVC errors produced since 1513330736.59 (Fri Dec 15 15:08:56 2017)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/15/2017 15:08:56 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.f9mHyK 2>&1'
----
time->Fri Dec 15 15:09:46 2017
type=USER_AVC msg=audit(1513330786.107:63): pid=621 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:09:46 2017
type=USER_AVC msg=audit(1513330786.959:65): pid=621 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:17:14 2017
type=USER_AVC msg=audit(1513331234.470:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:17:14 2017
type=USER_AVC msg=audit(1513331234.470:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:26:17 2017
type=USER_AVC msg=audit(1513331777.939:254): pid=621 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=4) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:26:19 2017
type=USER_AVC msg=audit(1513331779.046:256): pid=621 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=5) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:26:19 2017
type=USER_AVC msg=audit(1513331779.166:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:26:19 2017
type=USER_AVC msg=audit(1513331779.166:258): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Dec 15 15:26:20 2017
type=PROCTITLE msg=audit(1513331780.103:260): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331780.103:260): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=25823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331780.103:260): avc: denied { block_suspend } for pid=25823 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:26:20 2017
type=PROCTITLE msg=audit(1513331780.102:259): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331780.102:259): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=25823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331780.102:259): avc: denied { block_suspend } for pid=25823 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:26:20 2017
type=PROCTITLE msg=audit(1513331780.105:261): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331780.105:261): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=25823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331780.105:261): avc: denied { block_suspend } for pid=25823 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:26:20 2017
type=PROCTITLE msg=audit(1513331780.105:262): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331780.105:262): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=25823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331780.105:262): avc: denied { block_suspend } for pid=25823 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:28:24 2017
type=PROCTITLE msg=audit(1513331904.682:281): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331904.682:281): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=27217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331904.682:281): avc: denied { block_suspend } for pid=27217 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:28:24 2017
type=PROCTITLE msg=audit(1513331904.682:282): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331904.682:282): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=27217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331904.682:282): avc: denied { block_suspend } for pid=27217 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:28:24 2017
type=PROCTITLE msg=audit(1513331904.683:283): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331904.683:283): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=27217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331904.683:283): avc: denied { block_suspend } for pid=27217 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:28:24 2017
type=PROCTITLE msg=audit(1513331904.683:284): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331904.683:284): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=27217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331904.683:284): avc: denied { block_suspend } for pid=27217 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:29:12 2017
type=PROCTITLE msg=audit(1513331952.104:326): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331952.104:326): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=28131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331952.104:326): avc: denied { block_suspend } for pid=28131 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:29:12 2017
type=PROCTITLE msg=audit(1513331952.104:327): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331952.104:327): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=28131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331952.104:327): avc: denied { block_suspend } for pid=28131 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:29:12 2017
type=PROCTITLE msg=audit(1513331952.105:328): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331952.105:328): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=28131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331952.105:328): avc: denied { block_suspend } for pid=28131 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Fri Dec 15 15:29:12 2017
type=PROCTITLE msg=audit(1513331952.105:329): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1513331952.105:329): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=28131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1513331952.105:329): avc: denied { block_suspend } for pid=28131 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.f9mHyK | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.KkGiCj 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-183.el7.noarch
A can see similar AVC also in different process
time->Mon Dec 18 18:47:50 2017
type=PROCTITLE msg=audit(1513640870.785:335): proctitle="/usr/sbin/rpc.gssd"
type=SYSCALL msg=audit(1513640870.785:335): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=3 a3=0 items=0 ppid=1 pid=2482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1513640870.785:335): avc: denied { block_suspend } for pid=2482 comm="rpc.gssd" capability=36 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2
*** Bug 1526954 has been marked as a duplicate of this bug. *** Selinux-Policy version: selinux-policy-3.13.1-183.el7.noarch IPA-Server-Version: 4.5.4.7 Noticed similar AVC's while executing test suite for Web_App_Authentication This should be dontaudited. *** Bug 1529845 has been marked as a duplicate of this bug. *** AVC denials seen during IPA-nis-integration suite on NIS Client.
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/03/2018 16:48:15 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.K6dEGi 2>&1'
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.158:713): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.158:713): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd7bea6e48 a1=0 a2=7ffd7bea6e67 a3=0 items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.158:713): avc: denied { search } for pid=619 comm="systemd-logind" name="yp" dev="dm-0" ino=33612106 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:714): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:714): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7ffd7bea6e20 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:714): avc: denied { name_connect } for pid=619 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:715): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:715): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7ffd7bea6ba0 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:715): avc: denied { name_bind } for pid=619 comm="systemd-logind" src=805 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:716): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:716): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7ffd7bea6e20 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:716): avc: denied { name_connect } for pid=619 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:717): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:717): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7ffd7bea6e90 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:717): avc: denied { name_connect } for pid=619 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:718): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:718): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7ffd7bea6c10 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:718): avc: denied { name_bind } for pid=619 comm="systemd-logind" src=806 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Wed Jan 3 16:48:16 2018
type=PROCTITLE msg=audit(1514978296.159:719): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1514978296.159:719): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7ffd7bea6e90 a2=10 a3=a items=0 ppid=1 pid=619 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1514978296.159:719): avc: denied { name_connect } for pid=619 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
(In reply to Sudhir Menon from comment #14) > AVC denials seen during IPA-nis-integration suite on NIS Client. > > Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC > -m SELINUX_ERR -ts 01/03/2018 16:48:15 < /dev/null > >/mnt/testarea/tmp.rhts-db-submit-result.K6dEGi 2>&1' > ---- > time->Wed Jan 3 16:48:16 2018 > type=PROCTITLE msg=audit(1514978296.159:714): > proctitle="/usr/lib/systemd/systemd-logind" > type=SYSCALL msg=audit(1514978296.159:714): arch=c000003e syscall=42 > success=no exit=-13 a0=11 a1=7ffd7bea6e20 a2=10 a3=a items=0 ppid=1 pid=619 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=(none) ses=4294967295 comm="systemd-logind" > exe="/usr/lib/systemd/systemd-logind" > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > type=AVC msg=audit(1514978296.159:714): avc: denied { name_connect } for > pid=619 comm="systemd-logind" dest=111 > scontext=system_u:system_r:systemd_logind_t:s0 > tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket > ---- > time->Wed Jan 3 16:48:16 2018 > type=PROCTITLE msg=audit(1514978296.159:715): > proctitle="/usr/lib/systemd/systemd-logind" > type=SYSCALL msg=audit(1514978296.159:715): arch=c000003e syscall=49 > success=no exit=-13 a0=11 a1=7ffd7bea6ba0 a2=10 a3=a items=0 ppid=1 pid=619 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=(none) ses=4294967295 comm="systemd-logind" > exe="/usr/lib/systemd/systemd-logind" > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > type=AVC msg=audit(1514978296.159:715): avc: denied { name_bind } for > pid=619 comm="systemd-logind" src=805 > scontext=system_u:system_r:systemd_logind_t:s0 > tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket AVC should be gone after setting SELinux boolean nis_enabled AVC denial seen during winsync testsuite with selinux-policy-3.13.1-184.el7.noarch
Info: Searching AVC errors produced since 1515657614.79 (Thu Jan 11 03:00:14 2018)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/11/2018 03:00:14 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.2fNQ57 2>&1'
----
time->Thu Jan 11 03:00:26 2018
type=PROCTITLE msg=audit(1515657626.455:409): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D53594E43324B31362D54455354002D69002F7661722F72756E2F6469727372762F736C6170642D53594E43324B31362D544553542E706964
type=PATH msg=audit(1515657626.455:409): item=2 name="/tmp/openldap-tlsmc-slapd-SYNC2K16-TEST--BA2EF6F5D62A641862B40D282E785234CD99C7A9F8B4C11D190A8F0D9C4D7F24/cacerts/c53eabf4.0" objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1515657626.455:409): item=1 name="/tmp/openldap-tlsmc-slapd-SYNC2K16-TEST--BA2EF6F5D62A641862B40D282E785234CD99C7A9F8B4C11D190A8F0D9C4D7F24/cacerts/" inode=30118 dev=fd:00 mode=040700 ouid=389 ogid=389 rdev=00:00 obj=system_u:object_r:dirsrv_tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1515657626.455:409): item=0 name="cert0.pem" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1515657626.455:409): cwd="/var/log/dirsrv/slapd-SYNC2K16-TEST"
type=SYSCALL msg=audit(1515657626.455:409): arch=c000003e syscall=88 success=no exit=-13 a0=55ba9ad8ddd2 a1=55ba9adcb2c0 a2=0 a3=7f555d27c2d9 items=3 ppid=1 pid=14192 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1515657626.455:409): avc: denied { create } for pid=14192 comm="ns-slapd" name="c53eabf4.0" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=lnk_file
(In reply to Lukas Slebodnik from comment #16) > (In reply to Sudhir Menon from comment #14) > > AVC denials seen during IPA-nis-integration suite on NIS Client. > > > > Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC > > -m SELINUX_ERR -ts 01/03/2018 16:48:15 < /dev/null > > >/mnt/testarea/tmp.rhts-db-submit-result.K6dEGi 2>&1' > > ---- > > time->Wed Jan 3 16:48:16 2018 > > type=PROCTITLE msg=audit(1514978296.159:714): > > proctitle="/usr/lib/systemd/systemd-logind" > > type=SYSCALL msg=audit(1514978296.159:714): arch=c000003e syscall=42 > > success=no exit=-13 a0=11 a1=7ffd7bea6e20 a2=10 a3=a items=0 ppid=1 pid=619 > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > tty=(none) ses=4294967295 comm="systemd-logind" > > exe="/usr/lib/systemd/systemd-logind" > > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > > type=AVC msg=audit(1514978296.159:714): avc: denied { name_connect } for > > pid=619 comm="systemd-logind" dest=111 > > scontext=system_u:system_r:systemd_logind_t:s0 > > tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket > > ---- > > time->Wed Jan 3 16:48:16 2018 > > type=PROCTITLE msg=audit(1514978296.159:715): > > proctitle="/usr/lib/systemd/systemd-logind" > > type=SYSCALL msg=audit(1514978296.159:715): arch=c000003e syscall=49 > > success=no exit=-13 a0=11 a1=7ffd7bea6ba0 a2=10 a3=a items=0 ppid=1 pid=619 > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > tty=(none) ses=4294967295 comm="systemd-logind" > > exe="/usr/lib/systemd/systemd-logind" > > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > > type=AVC msg=audit(1514978296.159:715): avc: denied { name_bind } for > > pid=619 comm="systemd-logind" src=805 > > scontext=system_u:system_r:systemd_logind_t:s0 > > tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket > > AVC should be gone after setting SELinux boolean nis_enabled Hi Lukas, Are you suggesting any changes to be made at IPA side within our code to get rid of AVC messages. (In reply to Nikhil Dehadrai from comment #19) > (In reply to Lukas Slebodnik from comment #16) > > (In reply to Sudhir Menon from comment #14) > > > AVC denials seen during IPA-nis-integration suite on NIS Client. > > > > > > Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC > > > -m SELINUX_ERR -ts 01/03/2018 16:48:15 < /dev/null > > > >/mnt/testarea/tmp.rhts-db-submit-result.K6dEGi 2>&1' > > > ---- > > > time->Wed Jan 3 16:48:16 2018 > > > type=PROCTITLE msg=audit(1514978296.159:714): > > > proctitle="/usr/lib/systemd/systemd-logind" > > > type=SYSCALL msg=audit(1514978296.159:714): arch=c000003e syscall=42 > > > success=no exit=-13 a0=11 a1=7ffd7bea6e20 a2=10 a3=a items=0 ppid=1 pid=619 > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > > tty=(none) ses=4294967295 comm="systemd-logind" > > > exe="/usr/lib/systemd/systemd-logind" > > > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > > > type=AVC msg=audit(1514978296.159:714): avc: denied { name_connect } for > > > pid=619 comm="systemd-logind" dest=111 > > > scontext=system_u:system_r:systemd_logind_t:s0 > > > tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket > > > ---- > > > time->Wed Jan 3 16:48:16 2018 > > > type=PROCTITLE msg=audit(1514978296.159:715): > > > proctitle="/usr/lib/systemd/systemd-logind" > > > type=SYSCALL msg=audit(1514978296.159:715): arch=c000003e syscall=49 > > > success=no exit=-13 a0=11 a1=7ffd7bea6ba0 a2=10 a3=a items=0 ppid=1 pid=619 > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > > tty=(none) ses=4294967295 comm="systemd-logind" > > > exe="/usr/lib/systemd/systemd-logind" > > > subj=system_u:system_r:systemd_logind_t:s0 key=(null) > > > type=AVC msg=audit(1514978296.159:715): avc: denied { name_bind } for > > > pid=619 comm="systemd-logind" src=805 > > > scontext=system_u:system_r:systemd_logind_t:s0 > > > tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket > > > > AVC should be gone after setting SELinux boolean nis_enabled > > Hi Lukas, > > Are you suggesting any changes to be made at IPA side within our code to get > rid of AVC messages. I cannot see any functional failures in tests just AVCs. So it is up to you whether you want to get rid of these AVCs. But SELinux guys cannot do anything with these AVCs. It's already solved on theyr side. FYI, I tried manually setting nis_enabled before running ipa-server-install and I'm still seeing AVC denials.
Lukas, are you suggesting we need something changed in the IPA installer?
[root@rhel7-2 ~]# setsebool -P nis_enabled=on
[root@rhel7-2 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 --auto-reverse -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U
Checking DNS domain testrelm.test, please wait ...
...
Since from one of the jobs I looked at it seemed that it was occurring during httpd startup, I checked right after that during the install and I see the original AVC denials still:
[root@rhel7-2 ~]# ausearch -m avc -ts recent
----
time->Wed Jan 17 08:58:15 2018
type=PROCTITLE msg=audit(1516201095.242:221): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1516201095.242:221): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=14140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1516201095.242:221): avc: denied { block_suspend } for pid=14140 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Wed Jan 17 08:58:15 2018
type=PROCTITLE msg=audit(1516201095.243:222): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1516201095.243:222): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=14140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1516201095.243:222): avc: denied { block_suspend } for pid=14140 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Wed Jan 17 08:58:15 2018
type=PROCTITLE msg=audit(1516201095.244:223): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1516201095.244:223): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=14140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1516201095.244:223): avc: denied { block_suspend } for pid=14140 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
----
time->Wed Jan 17 08:58:15 2018
type=PROCTITLE msg=audit(1516201095.244:224): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1516201095.244:224): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=14140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1516201095.244:224): avc: denied { block_suspend } for pid=14140 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
(In reply to Scott Poore from comment #21) > FYI, I tried manually setting nis_enabled before running ipa-server-install > and I'm still seeing AVC denials. > > Lukas, are you suggesting we need something changed in the IPA installer? > > [root@rhel7-2 ~]# setsebool -P nis_enabled=on > > [root@rhel7-2 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 > --auto-reverse -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U > Checking DNS domain testrelm.test, please wait ... > ... > > Since from one of the jobs I looked at it seemed that it was occurring > during httpd startup, I checked right after that during the install and I > see the original AVC denials still: > > [root@rhel7-2 ~]# ausearch -m avc -ts recent > ---- > time->Wed Jan 17 08:58:15 2018 > type=PROCTITLE msg=audit(1516201095.242:221): > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 > type=SYSCALL msg=audit(1516201095.242:221): arch=c000003e syscall=233 > success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=14140 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" > subj=system_u:system_r:httpd_t:s0 key=(null) > type=AVC msg=audit(1516201095.242:221): avc: denied { block_suspend } for > pid=14140 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 This AVC is not related to SELinux boolean nis_enabled. Only AVC from 1525488#c16 can be solved in such way. Ah, ok. Thanks for the clarification, Lukas. I'll let Sudhir know and we can modify our tests accordingly. So we still need something resolved for the other AVC denials. see one more additional avc error not on /etc/selinux/final/targeted
Info: Searching AVC errors produced since 1516041736.16 (Mon Jan 15 13:42:16 2018)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/15/2018 13:42:16 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.GUgHDI 2>&1'
----
time->Mon Jan 15 13:42:17 2018
type=PROCTITLE msg=audit(1516041737.627:4382): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50006E616D65645F77726974655F6D61737465725F7A6F6E65733D30
type=PATH msg=audit(1516041737.627:4382): item=1 name="/etc/selinux/final/targeted/contexts" inode=17625158 dev=fd:05 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:default_context_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1516041737.627:4382): item=0 name="/etc/selinux/final/targeted/" inode=666104 dev=fd:05 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1516041737.627:4382): cwd="/"
type=SYSCALL msg=audit(1516041737.627:4382): arch=c000003e syscall=84 success=no exit=-13 a0=7ffd1f282730 a1=7f04b7c68788 a2=ffffffff a3=76 items=2 ppid=19551 pid=19552 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setsebool" exe="/usr/sbin/setsebool" subj=system_u:unconfined_r:setsebool_t:s0 key=(null)
type=AVC msg=audit(1516041737.627:4382): avc: denied { rmdir } for pid=19552 comm="setsebool" name="contexts" dev="vda5" ino=17625158 scontext=system_u:unconfined_r:setsebool_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
----
time->Mon Jan 15 13:42:30 2018
type=PROCTITLE msg=audit(1516041750.875:4384): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50006E616D65645F77726974655F6D61737465725F7A6F6E65733D31
type=PATH msg=audit(1516041750.875:4384): item=1 name="/etc/selinux/final/targeted/contexts" inode=17625158 dev=fd:05 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:default_context_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1516041750.875:4384): item=0 name="/etc/selinux/final/targeted/" inode=666104 dev=fd:05 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1516041750.875:4384): cwd="/"
type=SYSCALL msg=audit(1516041750.875:4384): arch=c000003e syscall=84 success=no exit=-13 a0=7ffe13b99060 a1=0 a2=7fc4899247b8 a3=76 items=2 ppid=19792 pid=19793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setsebool" exe="/usr/sbin/setsebool" subj=system_u:unconfined_r:setsebool_t:s0 key=(null)
type=AVC msg=audit(1516041750.875:4384): avc: denied { rmdir } for pid=19793 comm="setsebool" name="contexts" dev="vda5" ino=17625158 scontext=system_u:unconfined_r:setsebool_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.GUgHDI | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.D8qJuf 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-183.el7.noarch
*** Bug 1536011 has been marked as a duplicate of this bug. *** *** Bug 1536011 has been marked as a duplicate of this bug. *** *** This bug has been marked as a duplicate of bug 1553256 *** The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem:AVC denials seen while running ipa-adtrust suite. Version-Release number of selected component (if applicable): Red Hat Enterprise Linux Server release 7.5 Beta (Maipo) ipa-server-4.5.4-6.el7.x86_64 selinux-policy-3.13.1-183.el7.noarch How reproducible: Always Actual results: Info: Searching AVC errors produced since 1513166288.58 (Wed Dec 13 06:58:08 2017) Searching logs... Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/13/2017 06:58:08 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.MR9_Er 2>&1' ---- time->Wed Dec 13 06:59:21 2017 type=PROCTITLE msg=audit(1513166361.310:342): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 type=SYSCALL msg=audit(1513166361.310:342): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=1468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1513166361.310:342): avc: denied { block_suspend } for pid=1468 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 ---- time->Wed Dec 13 06:59:21 2017 type=PROCTITLE msg=audit(1513166361.311:343): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 type=SYSCALL msg=audit(1513166361.311:343): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=1468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1513166361.311:343): avc: denied { block_suspend } for pid=1468 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 ---- time->Wed Dec 13 06:59:21 2017 type=PROCTITLE msg=audit(1513166361.312:344): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 type=SYSCALL msg=audit(1513166361.312:344): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=1468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1513166361.312:344): avc: denied { block_suspend } for pid=1468 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 ---- time->Wed Dec 13 06:59:21 2017 type=PROCTITLE msg=audit(1513166361.312:345): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 type=SYSCALL msg=audit(1513166361.312:345): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=5 a3=0 items=0 ppid=1 pid=1468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1513166361.312:345): avc: denied { block_suspend } for pid=1468 comm="httpd" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 Fail: AVC messages found. Checking for errors... Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems. Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.MR9_Er | /sbin/ausearch -m AVC -m SELINUX_ERR' Fail: AVC messages found. Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.fpK3c5 2>&1' Info: No AVC messages found. /bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log No AVC messages found in dmesg Running '/usr/sbin/sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31 Running 'rpm -q selinux-policy || true' selinux-policy-3.13.1-183.el7.noarch Expected results: No AVC Denials Additional info: