Bug 707616
Summary: | MLS selinux mode: cannot register machine | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Petr Sklenar <psklenar> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> |
Severity: | high | Priority: | high |
Version: | 6.1 | CC: | cperry, dwalsh, ksrot, mmalik, mvadkert, slukasik |
Target Milestone: | rc | Keywords: | Regression |
Hardware: | All | OS: | Linux |
Fixed In Version: | selinux-policy-3.7.19-107.el6 | Doc Type: | Bug Fix |
Last Closed: | 2011-12-06 10:08:09 UTC | | |
Description
Petr Sklenar
2011-05-25 14:18:08 UTC
Created attachment 500833: selinux denials
It works well in RHEL5 > adding keyword regressions

Miroslav says that it looks like a policy bug -- switching to selinux-policy.

Petr, if you boot in permissive mode in MLS, are you getting more AVC msgs?

I see these AVCs:

----
time->Mon Aug 8 07:19:06 2011
type=SYSCALL msg=audit(1312805946.825:468): arch=c000003e syscall=2 success=yes exit=8 a0=7fe315daa260 a1=0 a2=10000 a3=0 items=0 ppid=25182 pid=25274 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312805946.825:468): avc: denied { open } for pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=AVC msg=audit(1312805946.825:468): avc: denied { read } for pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
----
time->Mon Aug 8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.280:469): arch=c000003e syscall=59 success=yes exit=0 a0=7fff7311895a a1=7fff73117c98 a2=8cd030 a3=7fff731178c0 items=0 ppid=25286 pid=25291 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnsd" exe="/bin/bash" subj=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.280:469): avc: denied { entrypoint } for pid=25291 comm="env" path="/etc/rc.d/init.d/rhnsd" dev=dm-0 ino=140535 scontext=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1312806030.280:469): security_compute_sid: invalid context staff_u:system_r:sysadm_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
----
time->Mon Aug 8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.752:481): arch=c000003e syscall=62 success=yes exit=0 a0=62c2 a1=0 a2=62e2 a3=1 items=0 ppid=25282 pid=25314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=staff_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.752:481): avc: denied { signull } for pid=25314 comm="rhn_check" scontext=staff_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process

What happens if you use run_init to do the update?

Mirek, could you add your AVC msgs during using run_init?

Sure:

----
time->Mon Aug 8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.401:484): arch=c000003e syscall=2 success=yes exit=3 a0=1e66040 a1=2 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.401:484): avc: denied { open } for pid=25439 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug 8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.403:485): arch=c000003e syscall=2 success=yes exit=3 a0=20b5720 a1=0 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.403:485): avc: denied { open } for pid=25439 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug 8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.581:486): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=25435 pid=25439
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807155.581:486): avc: denied { create } for pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 07:39:15 2011 type=SYSCALL msg=audit(1312807155.583:487): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807155.583:487): avc: denied { setopt } for pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 07:39:15 2011 type=SYSCALL msg=audit(1312807155.583:488): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1929100 a2=c a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807155.583:488): avc: denied { bind } for pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 07:39:15 2011 type=SYSCALL msg=audit(1312807155.583:489): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fffd29b57a0 a2=7fffd29b57b8 a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(1312807155.583:489): avc: denied { getattr } for pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 07:39:20 2011 type=SYSCALL msg=audit(1312807160.647:491): arch=c000003e syscall=2 success=yes exit=7 a0=30c3b20 a1=241 a2=1b6 a3=0 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807160.647:491): avc: denied { write } for pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Mon Aug 8 07:39:20 2011 type=SYSCALL msg=audit(1312807160.647:492): arch=c000003e syscall=90 success=yes exit=0 a0=30c3b20 a1=180 a2=7f0ec0b497e8 a3=7fffd29b5940 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807160.647:492): avc: denied { setattr } for pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Mon Aug 8 07:39:20 2011 type=SYSCALL msg=audit(1312807160.646:490): arch=c000003e syscall=82 success=yes exit=0 a0=30c6c50 a1=30c3b20 a2=7f0ec0b497e8 a3=7fffd29b5988 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312807160.646:490): avc: denied { unlink } for pid=25439 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=139164 
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312807160.646:490): avc: denied { rename } for pid=25439 comm="rhnreg_ks" name="systemid" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

We might want to label rhnreg_ks as rpm_exec_t.

chcon -t rpc_exec_t /usr/bin/rhnreg_ks

I relabeled it and tried again with run_init and I ended up again with a bunch of AVCs:

secadm# ll -Z /usr/sbin/rhnreg_ks
# run_init rhnreg_ks --force --username=qa --password=redhatqa --server=http://xmlrpc.rhn.errata.stage.redhat.com/XMLRPC
# ausearch -ts recent -m avc
Warning - freq is non-zero and incremental flushing not selected.
----
time->Mon Aug 8 10:04:59 2011
type=SYSCALL msg=audit(1312815899.745:493): arch=c000003e syscall=188 success=yes exit=0 a0=15510e0 a1=7fc5f0d8f259 a2=1552630 a3=20 items=0 ppid=25182 pid=26338 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="chcon" exe="/usr/bin/chcon" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815899.745:493): avc: denied { relabelto } for pid=26338 comm="chcon" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug 8 10:05:11 2011
type=SYSCALL msg=audit(1312815911.753:495): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff8eba8460 a3=7fff8eba82b0 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815911.753:495): avc: denied { ioctl } for pid=26348 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug 8 10:05:11 2011 type=SYSCALL msg=audit(1312815911.732:494): arch=c000003e syscall=59 success=yes exit=0 a0=e5e130 a1=e77ea0 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312815911.732:494): avc: denied { execute_no_trans } for pid=26348 comm="bash" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file type=AVC msg=audit(1312815911.732:494): avc: denied { read open } for pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file type=AVC msg=audit(1312815911.732:494): avc: denied { execute } for pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:05:35 2011 type=SYSCALL msg=audit(1312815935.795:497): arch=c000003e syscall=59 success=no exit=-13 a0=e7a1b0 a1=e85790 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312815935.795:497): avc: denied { execute } for pid=26355 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:05:42 2011 type=SYSCALL msg=audit(1312815942.757:500): arch=c000003e syscall=59 success=no exit=-13 a0=7fffd27ade9d a1=7fffd27b2600 a2=7fffd27b2630 a3=7fffd27adcd0 items=0 ppid=26356 pid=26360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312815942.757:500): avc: denied { execute } for pid=26360 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:06:03 2011 type=SYSCALL msg=audit(1312815963.685:503): arch=c000003e syscall=59 success=no exit=-13 a0=7fffe9cb660d a1=7fffe9cbad70 a2=7fffe9cbada0 a3=7fffe9cb6440 items=0 ppid=26371 pid=26375 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312815963.685:503): avc: denied { execute } for pid=26375 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:06:43 2011 type=SYSCALL msg=audit(1312816003.965:508): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816003.965:508): avc: denied { read } for pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file ---- time->Mon Aug 8 10:06:44 2011 type=SYSCALL msg=audit(1312816004.120:509): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" 
subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816004.120:509): avc: denied { read } for pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file ---- time->Mon Aug 8 10:06:44 2011 type=SYSCALL msg=audit(1312816004.236:510): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816004.236:510): avc: denied { read } for pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file ---- time->Mon Aug 8 10:07:12 2011 type=SYSCALL msg=audit(1312816032.577:515): arch=c000003e syscall=59 success=yes exit=0 a0=7fffdf58a03d a1=7fffdf58e7a0 a2=7fffdf58e7d0 a3=7fffdf589e70 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816032.577:515): avc: denied { execute_no_trans } for pid=26431 comm="open_init_pty" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file type=AVC msg=audit(1312816032.577:515): avc: denied { read open } for pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file type=AVC msg=audit(1312816032.577:515): avc: denied { execute } for pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:07:12 2011 type=SYSCALL msg=audit(1312816032.597:516): arch=c000003e syscall=6 success=yes exit=0 a0=7fff65c507c0 a1=7fff65c4d6c0 a2=7fff65c4d6c0 a3=7fff65c4d510 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816032.597:516): avc: denied { getattr } for pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:07:12 2011 type=SYSCALL msg=audit(1312816032.597:517): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff65c51740 a3=7fff65c51590 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816032.597:517): avc: denied { ioctl } for pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file ---- time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.366:518): arch=c000003e syscall=2 success=yes exit=3 a0=27f4750 a1=2 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.366:518): avc: denied { open } for pid=26431 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file ---- 
time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.368:519): arch=c000003e syscall=2 success=yes exit=3 a0=2c0b870 a1=0 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.368:519): avc: denied { open } for pid=26431 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file ---- time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.545:520): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.545:520): avc: denied { create } for pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.547:521): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.547:521): avc: denied { setopt } for pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.547:522): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=2799580 a2=c a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.547:522): avc: denied { bind } for pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:07:13 2011 type=SYSCALL msg=audit(1312816033.548:523): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff65c50aa0 a2=7fff65c50ab8 a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816033.548:523): avc: denied { getattr } for pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:07:18 2011 type=SYSCALL msg=audit(1312816038.577:525): arch=c000003e syscall=2 success=yes exit=7 a0=3c19af0 a1=241 a2=1b6 a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312816038.577:525): avc: denied { write } for pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Mon Aug 8 10:07:18 2011 type=SYSCALL msg=audit(1312816038.577:526): arch=c000003e syscall=90 success=yes exit=0 a0=3c19af0 a1=180 a2=7f314be4e7e8 a3=7fff65c50c40 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC 
msg=audit(1312816038.577:526): avc: denied { setattr } for pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug 8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.576:524): arch=c000003e syscall=82 success=yes exit=0 a0=3c1cc20 a1=3c19af0 a2=7f314be4e7e8 a3=7fff65c50c88 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.576:524): avc: denied { unlink } for pid=26431 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

Oops typo. chcon -t rpm_exec_t ...

The results with "chcon -t rpm_exec_t /usr/sbin/rhnreg_ks" using run_init:

time->Mon Aug 8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.241:530): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.241:530): avc: denied { create } for pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug 8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:531): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:531): avc: denied { setopt } for pid=26597 comm="rhnreg_ks"
scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:30:12 2011 type=SYSCALL msg=audit(1312817412.243:532): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=27ec580 a2=c a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312817412.243:532): avc: denied { bind } for pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:30:12 2011 type=SYSCALL msg=audit(1312817412.243:533): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff17b4b940 a2=7fff17b4b958 a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312817412.243:533): avc: denied { getattr } for pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket ---- time->Mon Aug 8 10:30:18 2011 type=SYSCALL msg=audit(1312817418.193:535): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff4265c690 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1312817418.193:535): avc: denied { name_connect } for pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket ---- time->Mon Aug 8 10:30:18 2011 type=SYSCALL 
msg=audit(1312817418.789:536): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff42656620 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817418.789:536): avc: denied { name_connect } for pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Mon Aug 8 10:30:17 2011
type=SYSCALL msg=audit(1312817417.775:534): arch=c000003e syscall=59 success=yes exit=0 a0=7f3f7d4e9e43 a1=7fff17b4be60 a2=7fff17b4c8f0 a3=8 items=0 ppid=26597 pid=26598 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817417.775:534): avc: denied { read write } for pid=26598 comm="sh" path="socket:[162505]" dev=sockfs ino=162505 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket

I like that list of AVC's better than what we were seeing before.

semanage permissive -a rpm_script_t
semanage permissive -a rpm_t

To collect all AVC's.

This is what I did:
+ semanage permissive -a rpm_script_t
+ semanage permissive -a rpm_t
+ left rpm_exec_t on rhnreg_ks
+ setenforce 0
+ re-run rhnreg_ks via run_init

----
time->Tue Aug 9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.233:545): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.233:545): avc: denied { create } for pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug 9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:546): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:546): avc: denied { setopt } for pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug 9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:547): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1643580 a2=c a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:547): avc: denied { bind } for pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug 9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:548): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff91861330 a2=7fff91861348 a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:548): avc: denied { getattr } for pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug 9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.712:550): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff76326d80 a2=10 a3=a items=0 ppid=32232 pid=32245 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.712:550): avc: denied { name_connect } for pid=32245 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Tue Aug 9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.126:549): arch=c000003e syscall=59 success=yes exit=0 a0=7f35d9d63e43 a1=7fff91861850 a2=7fff918622e0 a3=8 items=0 ppid=32232 pid=32233 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.126:549): avc: denied { read write } for pid=32233 comm="sh" path="socket:[179372]" dev=sockfs ino=179372 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket

As Dan said, it looks good. I would add these and change the label to rpm_exec_t.

Excellent.
Fixed in selinux-policy-3.7.19-107.el6

Retested with selinux-policy-3.7.19-113.el6.noarch

# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test

works but the run_init version:

# run_init rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test
Authenticating root.
Password:
execvp: Permission denied
[root@rhel62 ~]#

type=AVC msg=audit(1317898528.561:38): avc: denied { entrypoint } for pid=1374 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

In permissive I get:

type=AVC msg=audit(1317899096.407:51): avc: denied { entrypoint } for pid=1452 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1317899099.243:52): avc: denied { open } for pid=1452 comm="rhnreg_ks" name="__db.001" dev=vda1 ino=132691 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.247:53): avc: denied { open } for pid=1452 comm="rhnreg_ks" name="Packages" dev=vda1 ino=130313 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.378:54): avc: denied { create } for pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:55): avc: denied { setopt } for pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:56): avc: denied { bind } for pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:57): avc: denied { getattr } for pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899106.120:58): avc: denied { write } for pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1317899106.120:59): avc: denied { setattr } for pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Am I supposed to use run_init or not?

Well it should work either without run_init because of allow sysadm_t rpm_t : process transition ; or also with run_init which obviously worked.

Ok, I would say
# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test
is the correct way how to run it now. Not sure which way did Mirek test it before.

Just confirmed again on another system that rhnreg_ks (non run_init variant) works with selinux-policy-3.7.19-115.el6.noarch.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
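The triage done by eye in this thread (collect the AVCs with the rpm domains permissive, then decide what the policy is missing) can be scripted. The following is an added example, not part of the bug report or of selinux-policy: it parses AVC denials even when they are run together or cut off, groups them into audit2allow-style candidate rules for review, and lists denials against unlabeled_t separately, since the thread shows those after the relabel with the mistyped type. All function names are assumptions; SAMPLE is built from AVC records quoted in the thread plus one constructed truncated record.

```python
import re
from collections import defaultdict, namedtuple

Denial = namedtuple("Denial", "perms comm source target tclass")

# One AVC denial. re.S lets a record span a line break, and the tempered
# "(?!avc:)" stops a truncated record from swallowing the one after it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<detail>(?:(?!avc:).)*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)",
    re.S,
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def selinux_type(context):
    """Return the type field of user:role:type[:mls-range].

    Under MLS policy the range itself contains ':' (s0-s15:c0.c1023), so
    split at most three times instead of taking the last field.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avcs(text):
    """Extract every complete AVC denial from raw ausearch/audit.log text."""
    denials = []
    for m in AVC_RE.finditer(text):
        comm = COMM_RE.search(m.group("detail"))
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            comm=comm.group(1) if comm else "?",
            source=selinux_type(m.group("scontext")),
            target=selinux_type(m.group("tcontext")),
            tclass=m.group("tclass"),
        ))
    return denials


def candidate_rules(denials):
    """Merge denials into allow-rule text, one rule per (source, target, class).

    Denials against unlabeled_t are skipped: they call for fixing the file
    label, not for a new rule.
    """
    grouped = defaultdict(set)
    for d in denials:
        if d.target != "unlabeled_t":
            grouped[(d.source, d.target, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (src, target, cls, body))
    return rules


def unlabeled_targets(denials):
    """(comm, class, perms) for each denial whose target is unlabeled_t."""
    return sorted({(d.comm, d.tclass, d.perms)
                   for d in denials if d.target == "unlabeled_t"})


def rec(serial, perms, detail, scon, tcon, tclass):
    """Build one AVC record in the layout seen in the thread."""
    return ("type=AVC msg=audit(%s): avc: denied { %s } for %s scontext=%s "
            "tcontext=%s tclass=%s" % (serial, perms, detail, scon, tcon, tclass))


RPM_T = "system_u:system_r:rpm_t:s0-s15:c0.c1023"
SCRIPT_T = "system_u:system_r:rpm_script_t:s0-s15:c0.c1023"
UEVENT = "netlink_kobject_uevent_socket"

# Records joined with spaces, the way they appear on this page.
SAMPLE = " ".join(
    # Constructed: a record cut off before scontext= (must be skipped).
    ['type=AVC msg=audit(0.000:0): avc: denied { write } for pid=1 comm="cut_off"']
    + [rec(serial, perm, 'pid=26597 comm="rhnreg_ks"', RPM_T, RPM_T, UEVENT)
       for serial, perm in [("1312817412.241:530", "create"),
                            ("1312817412.243:531", "setopt"),
                            ("1312817412.243:532", "bind"),
                            ("1312817412.243:533", "getattr")]]
    + [rec(serial, "name_connect", 'pid=26610 comm="rhn_check" dest=80',
           SCRIPT_T, "system_u:object_r:http_port_t:s0", "tcp_socket")
       for serial in ("1312817418.193:535", "1312817418.789:536")]
    + [rec("1312817417.775:534", "read write",
           'pid=26598 comm="sh" path="socket:[162505]" dev=sockfs ino=162505',
           SCRIPT_T, RPM_T, "netlink_route_socket"),
       rec("1312815935.795:497", "execute",
           'pid=26355 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703',
           "staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023",
           "system_u:object_r:unlabeled_t:s15:c0.c1023", "file")]
)

if __name__ == "__main__":
    found = parse_avcs(SAMPLE)
    print("\n".join(candidate_rules(found)))
    for comm, cls, perms in unlabeled_targets(found):
        print("label problem: %s denied %s on unlabeled %s" % (comm, " ".join(perms), cls))
```

The output is a starting point for reading the denials, in the same spirit as the permissive-domain run in the thread; whether a rule or a relabel is the right fix is still a policy decision.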