Bug 707616

Summary: MLS selinux mode: cannot register machine
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Keywords: Regression
Reporter: Petr Sklenar <psklenar>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Karel Srot <ksrot>
CC: cperry, dwalsh, ksrot, mmalik, mvadkert, slukasik
Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:08:09 UTC
Attachments: selinux denials (flags: none)

Description Petr Sklenar 2011-05-25 14:18:08 UTC
Description of problem:
I cannot register a machine which is in MLS SELinux mode

Version-Release number of selected component (if applicable):
latest rhel6 rhn-client-tools
rhn-client-tools-1.0.0-61.el6.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. setup machine in MLS selinux mode
2. rhnreg_ks --username=<username> --password=password --server=http://<satellite>/XMLRPC
  
Actual results:
[root/sysadm_r/s0@x86-64-v11 ~]# rhnreg_ks --username=<username> --password=password --server=http://<satellite>/XMLRPC
env: /etc/init.d/rhnsd: Permission denied
env: /etc/init.d/rhnsd: Permission denied
sh: /usr/sbin/rhn_check: /usr/bin/python: bad interpreter: Permission denied

Expected results:
mls machine can be registered without any error

Additional info:

Comment 1 Petr Sklenar 2011-05-25 14:18:45 UTC
Created attachment 500833 [details]
selinux denials

Comment 2 Petr Sklenar 2011-05-25 14:25:17 UTC
It works well in RHEL5, so adding the Regression keyword.

Comment 7 Jan Pazdziora 2011-08-08 11:58:30 UTC
Miroslav says that it looks like a policy bug -- switching to selinux-policy.

Comment 8 Miroslav Grepl 2011-08-08 12:11:52 UTC
Petr,
if you boot in permissive mode in MLS, are you getting more AVC msgs?

Comment 9 Miroslav Vadkerti 2011-08-08 12:22:24 UTC
I see these AVCs:

----
time->Mon Aug  8 07:19:06 2011
type=SYSCALL msg=audit(1312805946.825:468): arch=c000003e syscall=2 success=yes exit=8 a0=7fe315daa260 a1=0 a2=10000 a3=0 items=0 ppid=25182 pid=25274 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312805946.825:468): avc:  denied  { open } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=AVC msg=audit(1312805946.825:468): avc:  denied  { read } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
----
time->Mon Aug  8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.280:469): arch=c000003e syscall=59 success=yes exit=0 a0=7fff7311895a a1=7fff73117c98 a2=8cd030 a3=7fff731178c0 items=0 ppid=25286 pid=25291 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnsd" exe="/bin/bash" subj=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.280:469): avc:  denied  { entrypoint } for  pid=25291 comm="env" path="/etc/rc.d/init.d/rhnsd" dev=dm-0 ino=140535 scontext=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1312806030.280:469): security_compute_sid:  invalid context staff_u:system_r:sysadm_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
----
time->Mon Aug  8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.752:481): arch=c000003e syscall=62 success=yes exit=0 a0=62c2 a1=0 a2=62e2 a3=1 items=0 ppid=25282 pid=25314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=staff_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.752:481): avc:  denied  { signull } for  pid=25314 comm="rhn_check" scontext=staff_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process

Comment 11 Daniel Walsh 2011-08-08 14:15:22 UTC
What happens if you use run_init to do the update?

Comment 12 Miroslav Grepl 2011-08-08 14:23:40 UTC
Mirek,
could you add your AVC msgs from using run_init?

Comment 13 Miroslav Vadkerti 2011-08-08 14:35:18 UTC
Sure:

----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.401:484): arch=c000003e syscall=2 success=yes exit=3 a0=1e66040 a1=2 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.401:484): avc:  denied  { open } for  pid=25439 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.403:485): arch=c000003e syscall=2 success=yes exit=3 a0=20b5720 a1=0 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.403:485): avc:  denied  { open } for  pid=25439 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.581:486): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.581:486): avc:  denied  { create } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:487): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:487): avc:  denied  { setopt } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:488): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1929100 a2=c a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:488): avc:  denied  { bind } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:489): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fffd29b57a0 a2=7fffd29b57b8 a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:489): avc:  denied  { getattr } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.647:491): arch=c000003e syscall=2 success=yes exit=7 a0=30c3b20 a1=241 a2=1b6 a3=0 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.647:491): avc:  denied  { write } for  pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.647:492): arch=c000003e syscall=90 success=yes exit=0 a0=30c3b20 a1=180 a2=7f0ec0b497e8 a3=7fffd29b5940 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.647:492): avc:  denied  { setattr } for  pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.646:490): arch=c000003e syscall=82 success=yes exit=0 a0=30c6c50 a1=30c3b20 a2=7f0ec0b497e8 a3=7fffd29b5988 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.646:490): avc:  denied  { unlink } for  pid=25439 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=139164 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312807160.646:490): avc:  denied  { rename } for  pid=25439 comm="rhnreg_ks" name="systemid" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

Comment 14 Daniel Walsh 2011-08-08 14:41:56 UTC
We might want to label rhnreg_ks as rpm_exec_t.

chcon -t rpc_exec_t /usr/bin/rhnreg_ks

Comment 15 Miroslav Vadkerti 2011-08-08 15:09:10 UTC
I relabeled it and tried again with run_init and I ended up again with a bunch of AVCs:

secadm# ll -Z /usr/sbin/rhnreg_ks 
# run_init rhnreg_ks --force --username=qa --password=redhatqa --server=http://xmlrpc.rhn.errata.stage.redhat.com/XMLRPC
# ausearch -ts recent -m avc
Warning - freq is non-zero and incremental flushing not selected.
----
time->Mon Aug  8 10:04:59 2011
type=SYSCALL msg=audit(1312815899.745:493): arch=c000003e syscall=188 success=yes exit=0 a0=15510e0 a1=7fc5f0d8f259 a2=1552630 a3=20 items=0 ppid=25182 pid=26338 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="chcon" exe="/usr/bin/chcon" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815899.745:493): avc:  denied  { relabelto } for  pid=26338 comm="chcon" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:11 2011
type=SYSCALL msg=audit(1312815911.753:495): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff8eba8460 a3=7fff8eba82b0 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815911.753:495): avc:  denied  { ioctl } for  pid=26348 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:11 2011
type=SYSCALL msg=audit(1312815911.732:494): arch=c000003e syscall=59 success=yes exit=0 a0=e5e130 a1=e77ea0 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815911.732:494): avc:  denied  { execute_no_trans } for  pid=26348 comm="bash" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312815911.732:494): avc:  denied  { read open } for  pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312815911.732:494): avc:  denied  { execute } for  pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:35 2011
type=SYSCALL msg=audit(1312815935.795:497): arch=c000003e syscall=59 success=no exit=-13 a0=e7a1b0 a1=e85790 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815935.795:497): avc:  denied  { execute } for  pid=26355 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:42 2011
type=SYSCALL msg=audit(1312815942.757:500): arch=c000003e syscall=59 success=no exit=-13 a0=7fffd27ade9d a1=7fffd27b2600 a2=7fffd27b2630 a3=7fffd27adcd0 items=0 ppid=26356 pid=26360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815942.757:500): avc:  denied  { execute } for  pid=26360 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:06:03 2011
type=SYSCALL msg=audit(1312815963.685:503): arch=c000003e syscall=59 success=no exit=-13 a0=7fffe9cb660d a1=7fffe9cbad70 a2=7fffe9cbada0 a3=7fffe9cb6440 items=0 ppid=26371 pid=26375 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815963.685:503): avc:  denied  { execute } for  pid=26375 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:06:43 2011
type=SYSCALL msg=audit(1312816003.965:508): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816003.965:508): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:06:44 2011
type=SYSCALL msg=audit(1312816004.120:509): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816004.120:509): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:06:44 2011
type=SYSCALL msg=audit(1312816004.236:510): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816004.236:510): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.577:515): arch=c000003e syscall=59 success=yes exit=0 a0=7fffdf58a03d a1=7fffdf58e7a0 a2=7fffdf58e7d0 a3=7fffdf589e70 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.577:515): avc:  denied  { execute_no_trans } for  pid=26431 comm="open_init_pty" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312816032.577:515): avc:  denied  { read open } for  pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312816032.577:515): avc:  denied  { execute } for  pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.597:516): arch=c000003e syscall=6 success=yes exit=0 a0=7fff65c507c0 a1=7fff65c4d6c0 a2=7fff65c4d6c0 a3=7fff65c4d510 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.597:516): avc:  denied  { getattr } for  pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.597:517): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff65c51740 a3=7fff65c51590 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.597:517): avc:  denied  { ioctl } for  pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.366:518): arch=c000003e syscall=2 success=yes exit=3 a0=27f4750 a1=2 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.366:518): avc:  denied  { open } for  pid=26431 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.368:519): arch=c000003e syscall=2 success=yes exit=3 a0=2c0b870 a1=0 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.368:519): avc:  denied  { open } for  pid=26431 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.545:520): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.545:520): avc:  denied  { create } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.547:521): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.547:521): avc:  denied  { setopt } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.547:522): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=2799580 a2=c a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.547:522): avc:  denied  { bind } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.548:523): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff65c50aa0 a2=7fff65c50ab8 a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.548:523): avc:  denied  { getattr } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.577:525): arch=c000003e syscall=2 success=yes exit=7 a0=3c19af0 a1=241 a2=1b6 a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.577:525): avc:  denied  { write } for  pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.577:526): arch=c000003e syscall=90 success=yes exit=0 a0=3c19af0 a1=180 a2=7f314be4e7e8 a3=7fff65c50c40 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.577:526): avc:  denied  { setattr } for  pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.576:524): arch=c000003e syscall=82 success=yes exit=0 a0=3c1cc20 a1=3c19af0 a2=7f314be4e7e8 a3=7fff65c50c88 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.576:524): avc:  denied  { unlink } for  pid=26431 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

Comment 16 Daniel Walsh 2011-08-08 15:20:07 UTC
Oops typo.

chcon -t rpm_exec_t ...

Comment 17 Miroslav Vadkerti 2011-08-08 15:31:31 UTC
The results with "chcon -t rpm_exec_t /usr/sbin/rhnreg_ks" using run_init:

time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.241:530): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.241:530): avc:  denied  { create } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:531): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:531): avc:  denied  { setopt } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:532): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=27ec580 a2=c a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:532): avc:  denied  { bind } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:533): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff17b4b940 a2=7fff17b4b958 a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:533): avc:  denied  { getattr } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:18 2011
type=SYSCALL msg=audit(1312817418.193:535): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff4265c690 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817418.193:535): avc:  denied  { name_connect } for  pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Mon Aug  8 10:30:18 2011
type=SYSCALL msg=audit(1312817418.789:536): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff42656620 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817418.789:536): avc:  denied  { name_connect } for  pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Mon Aug  8 10:30:17 2011
type=SYSCALL msg=audit(1312817417.775:534): arch=c000003e syscall=59 success=yes exit=0 a0=7f3f7d4e9e43 a1=7fff17b4be60 a2=7fff17b4c8f0 a3=8 items=0 ppid=26597 pid=26598 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817417.775:534): avc:  denied  { read write } for  pid=26598 comm="sh" path="socket:[162505]" dev=sockfs ino=162505 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket

Comment 18 Daniel Walsh 2011-08-08 15:37:48 UTC
I like that list of AVCs better than what we were seeing before.

Comment 19 Daniel Walsh 2011-08-08 15:38:16 UTC
semanage permissive -a rpm_script_t
semanage permissive -a rpm_t

To collect all AVC's.

Comment 20 Miroslav Vadkerti 2011-08-09 06:50:32 UTC
This is what I did:
+ semanage permissive -a rpm_script_t
+ semanage permissive -a rpm_t
+ left rpm_exec_t on rhnreg_ks
+ setenforce 0
+ re-run rhnreg_ks via run_init

----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.233:545): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.233:545): avc:  denied  { create } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:546): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:546): avc:  denied  { setopt } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:547): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1643580 a2=c a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:547): avc:  denied  { bind } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:548): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff91861330 a2=7fff91861348 a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:548): avc:  denied  { getattr } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.712:550): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff76326d80 a2=10 a3=a items=0 ppid=32232 pid=32245 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.712:550): avc:  denied  { name_connect } for  pid=32245 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Tue Aug  9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.126:549): arch=c000003e syscall=59 success=yes exit=0 a0=7f35d9d63e43 a1=7fff91861850 a2=7fff918622e0 a3=8 items=0 ppid=32232 pid=32233 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.126:549): avc:  denied  { read write } for  pid=32233 comm="sh" path="socket:[179372]" dev=sockfs ino=179372 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket

Comment 21 Miroslav Grepl 2011-08-09 11:53:28 UTC
As Dan said, it looks good.

I would add these and change the label to rpm_exec_t.

Comment 22 Daniel Walsh 2011-08-09 13:32:07 UTC
Excellent.

Comment 23 Miroslav Grepl 2011-08-10 15:48:33 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 25 Karel Srot 2011-10-06 11:08:17 UTC
Retested with selinux-policy-3.7.19-113.el6.noarch

# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test

works but the run_init version:

# run_init rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test
Authenticating root.
Password: 
execvp: Permission denied
[root@rhel62 ~]#

type=AVC msg=audit(1317898528.561:38): avc:  denied  { entrypoint } for  pid=1374 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

In permissive I get:

type=AVC msg=audit(1317899096.407:51): avc:  denied  { entrypoint } for  pid=1452 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1317899099.243:52): avc:  denied  { open } for  pid=1452 comm="rhnreg_ks" name="__db.001" dev=vda1 ino=132691 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.247:53): avc:  denied  { open } for  pid=1452 comm="rhnreg_ks" name="Packages" dev=vda1 ino=130313 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.378:54): avc:  denied  { create } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:55): avc:  denied  { setopt } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:56): avc:  denied  { bind } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:57): avc:  denied  { getattr } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899106.120:58): avc:  denied  { write } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1317899106.120:59): avc:  denied  { setattr } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Am I supposed to use run_init or not?
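
An added example, not part of the bug report or of selinux-policy: a small Python parser that groups the permissive-mode AVC denials from Comment 25 by source type, target type and class, in the style of an audit2allow summary. The sample lines are copied from that comment; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the permissive-mode AVC lines quoted in Comment 25.
SAMPLE = """\
type=AVC msg=audit(1317899096.407:51): avc:  denied  { entrypoint } for  pid=1452 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1317899099.243:52): avc:  denied  { open } for  pid=1452 comm="rhnreg_ks" name="__db.001" dev=vda1 ino=132691 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.378:54): avc:  denied  { create } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:55): avc:  denied  { setopt } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899106.120:58): avc:  denied  { write } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1317899106.120:59): avc:  denied  { setattr } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of user:role:type[:level]."""
    # An MLS level such as s0-s15:c0.c1023 contains ':' itself,
    # so split at most three times and take the third field.
    return context.split(":", 3)[2]


def summarize(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, timestamps
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if src == tgt:
            tgt = "self"
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return rules


def render(rules):
    """Render the grouped denials as allow-rule text for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Every grouped rule has initrc_t as its source, the domain recorded in the scontext of the run_init denials, so the summary is a triage aid for seeing which domain the process ran in, not a policy to load.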

Comment 26 Miroslav Grepl 2011-10-06 11:29:26 UTC
Well, it should work either without run_init because of

allow sysadm_t rpm_t : process transition ;

or also with run_init which obviously worked.

Comment 27 Miroslav Grepl 2011-10-06 12:14:38 UTC
Ok, I would say

# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test


is the correct way to run it now. Not sure which way Mirek tested it before.

Comment 28 Karel Srot 2011-10-07 12:48:31 UTC
Just confirmed again on another system that rhnreg_ks (non run_init variant) works with selinux-policy-3.7.19-115.el6.noarch.

Comment 30 errata-xmlrpc 2011-12-06 10:08:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html