Bug 745531
Summary: Cloudform need SELinux policies support
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Reporter: Francesco Vollero <fvollero>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dwalsh, hbrock, jrieden, mmalik, morazi, syeghiay, whayutin
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: ---
Fixed In Version: selinux-policy-3.7.19-122.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-12-06 10:19:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 750914, 752757
Description
Francesco Vollero
2011-10-12 15:48:04 UTC
ok, we have policies for deltacloud, thin, mongod, iwhd services. But these policies need to be tested by Cloudform QA guys.

I've installed some patches from Francesco and my sanity tests pass w/ selinux enforced. We have tests lined up and we're ready to go.

Ok, we need to sort this bug. Yes, we have added some fixes which make AEOLUS work, but this bug is about cloudform daemons running as initrc_t. So you just execute

# ps -eZ |grep initrc

and you will see. I am fine to move this to RHEL6.3 since everything should work in enforcing mode, and add confinement for cloudform daemons for RHEL6.3?

Clearly we can't ship services that run on boot in initrc_t context. They need to be confined properly for a production app that protects potentially sensitive customer data like the image warehouse.

Created attachment 528847 [details]
cloudform policy
I attached cloudform policy which contains policy for cloud daemons.
If we add this policy to RHEL6.2, I will add them as unconfined. But I would like to see if I need to add some new types for files, directories and so on, and if all services are running in their contexts.
For QA:
Just download, extract the archive and run
# sh cloudform.sh
# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
# service auditd restart
and you can start/restart services and test them. Then I need to see outputs of
# ps -eZ |grep initrc
# ausearch -m avc -ts recent
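The denial triage that follows the procedure above, as an added example that is not part of this bug, of the cloudform policy attachment, or of the selinux-policy package. Two things about the procedure are worth spelling out. First, the `-w /etc/shadow -p wa` rule is there because, once at least one audit rule is loaded, the kernel emits SYSCALL and PATH records alongside each AVC; that is why the `ausearch` output pasted later in this bug shows full paths such as /var/log/iwhd.log where the bare AVC line only says name="iwhd.log". Second, the candidate `allow` rules that audit2allow would derive from those denials are not all acceptable as written: a daemon creating files under a generic type (var_log_t, tmp_t, port_t) means the policy is missing a private type plus a file transition, or a port label, and execmem needs a justification. The script below groups raw audit.log records by event serial, resolves the target path from the PATH record, collapses permissions into candidate rules, and flags the ones that need a different fix. The sample records are a constructed subset copied from the denials in this bug; the function names, the GENERIC_TARGETS and RISKY_PERMS tables and their advice strings are my own, and the refpolicy interface names in that advice (files_tmp_filetrans, logging_log_filetrans, network_port) are cited from memory of refpolicy, not from this bug.

```python
"""Triage raw audit.log AVC denials into candidate TE rules plus review flags.

Added example for bug 745531, not code from the cloudform policy module or from
selinux-policy. Records of one audit event share the audit(ts:serial) id, so the
PATH record can supply the full path that the AVC line only carries as a basename.
"""
import re
from collections import defaultdict

RECORD_RE = re.compile(r'^type=(?P<rtype>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic object types: a daemon writing under one of these needs a private type plus a
# file transition, or a port type, not an allow rule on the generic type. The interface
# names are refpolicy's, cited from memory (assumption, see the lead-in).
GENERIC_TARGETS = {
    'tmp_t': 'declare a private tmp type and add files_tmp_filetrans()',
    'var_log_t': 'declare a private log type and add logging_log_filetrans()',
    'port_t': 'label the port (semanage port -a -t TYPE -p tcp N, or network_port() in policy)',
}
RISKY_PERMS = {'execmem': 'writable and executable memory; confirm the runtime really needs it'}

# Constructed sample: a subset of the records pasted in this bug, one record per line.
SAMPLE_LOG = """\
type=PATH msg=audit(1319039371.087:62272): item=1 name="/var/log/iwhd.log" inode=133123 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0
type=PATH msg=audit(1319039371.087:62272): item=0 name="/var/log/" inode=131639 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { create } for  pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { add_name } for  pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { write } for  pid=9625 comm="iwhd" name="log" dev=dm-0 ino=131639 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319039371.089:62274): avc:  denied  { name_bind } for  pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319039312.219:62240): avc:  denied  { execmem } for  pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { open } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039382.877:62290): avc:  denied  { write open } for  pid=9587 comm="deltacloudd" name="snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""

def parse_kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}  # 'k=v k2="v 2"' -> dict

def parse_events(log_text):
    """Group AVC and PATH records by audit event serial number."""
    events = defaultdict(lambda: {'AVC': [], 'PATH': []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev, body = events[int(m.group('serial'))], m.group('body')
        if m.group('rtype') == 'PATH':
            ev['PATH'].append(parse_kv(body))
        elif m.group('rtype') == 'AVC':
            a = AVC_RE.search(body)
            if a:
                rec = parse_kv(a.group('fields'))
                rec['perms'] = set(a.group('perms').split())
                ev['AVC'].append(rec)
    return dict(events)

def resolve_target(event, avc):
    """PATH record whose basename matches the AVC name, else the AVC's own path/port, else the class."""
    if 'name' in avc:
        for p in event['PATH']:
            if p.get('name', '').rstrip('/').rsplit('/', 1)[-1] == avc['name']:
                return p['name']
        return avc['name']
    for key, prefix in (('path', ''), ('src', 'port '), ('dest', 'port ')):
        if key in avc:
            return prefix + avc[key]
    return avc['tclass']

def extract_denials(log_text):
    """One flat record per AVC denial, in event order; the type is field 2 of user:role:type[:range]."""
    return [{'serial': serial, 'comm': avc.get('comm', '?'),
             'stype': avc['scontext'].split(':')[2], 'ttype': avc['tcontext'].split(':')[2],
             'tclass': avc['tclass'], 'perms': avc['perms'], 'target': resolve_target(ev, avc)}
            for serial, ev in sorted(parse_events(log_text).items()) for avc in ev['AVC']]

def candidate_rules(denials):
    """Collapse denials into TE allow rules the way audit2allow would."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        rules.append('allow %s %s:%s %s;' % (stype, 'self' if stype == ttype else ttype, tclass,
                                               p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)))
    return rules

def review_flags(denials):
    """Rules not to adopt as generated: generic target types (once per pair) and risky permissions."""
    flags, seen = [], set()
    for d in denials:
        if d['ttype'] in GENERIC_TARGETS and (d['stype'], d['ttype']) not in seen:
            seen.add((d['stype'], d['ttype']))
            flags.append('%s -> %s (%s): %s' % (d['stype'], d['ttype'], d['target'],
                                                GENERIC_TARGETS[d['ttype']]))
        for perm in sorted(d['perms'] & set(RISKY_PERMS)):
            flags.append('%s %s: %s' % (d['stype'], perm, RISKY_PERMS[perm]))
    return flags

if __name__ == '__main__':
    dens = extract_denials(SAMPLE_LOG)
    print('# candidate rules (review before use):\n' + '\n'.join(candidate_rules(dens)))
    print('# needs a type or port label, or a justification, instead:\n' + '\n'.join(review_flags(dens)))
```

On the sample, the thin_t read of cert_t comes out as a plain candidate rule and is not flagged, while the iwhd_t writes into var_log_t, the bind to port_t and the mongod execmem are all flagged; those are exactly the cases where the reply "add a new type" in this bug applies rather than a generated allow rule. To run it against a real box, replace SAMPLE_LOG with the text of `ausearch -m avc -ts recent` (or of /var/log/audit/audit.log itself).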
FYI.. I have not installed the same policy rpms that I received from Francesco Vollero. What's not clear to me is whether or not to install the same rpms that Francesco gave me and run this shell script. Can someone please clarify

10.11.230.102
[root@unused ~]# getenforce
Enforcing
[root@unused ~]# sh cloudform.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted cloudform module
/usr/bin/checkmodule: loading policy configuration from tmp/cloudform.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/cloudform.mod
Creating targeted cloudform.pp policy package
rm tmp/cloudform.mod.fc tmp/cloudform.mod
+ /usr/sbin/semodule -i cloudform.pp
+ /sbin/restorecon -F -R -v /usr/bin/iwhd
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/iwhd
+ /sbin/restorecon -F -R -v /var/run/iwhd.pid
+ /sbin/restorecon -F -R -v /var/lib/iwhd
+ /sbin/restorecon -F -R -v /usr/bin/deltacloudd
+ /sbin/restorecon -F -R -v /usr/bin/mongod
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/mongod
+ /sbin/restorecon -F -R -v /var/lib/mongodb
+ /sbin/restorecon -F -R -v /var/log/mongodb
+ /sbin/restorecon -F -R -v /var/run/mongodb
+ /sbin/restorecon -F -R -v /usr/bin/thin
[root@unused ~]# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
[root@unused ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@unused ~]# ps -eZ | grep initrc
system_u:system_r:initrc_t:s0    8095 ?        00:00:00 rhsmcertd
[root@unused ~]# ausearch -m avc -ts recent
<no matches>
[root@unused ~]# aeolus-configure -d -v -p ec2

during aeolus-configure... got the following denials..
[root@unused ~]# tail -f /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1319039312.122:62237): avc: denied { read } for pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.122:62237): avc: denied { open } for pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.219:62240): avc: denied { execmem } for pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319039358.135:62264): avc: denied { search } for pid=9536 comm="thin" name="pki" dev=dm-0 ino=392492 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1319039358.135:62264): avc: denied { read } for pid=9536 comm="thin" name="cert.pem" dev=dm-0 ino=392496 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1319039358.135:62264): avc: denied { read } for pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc: denied { open } for pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.136:62265): avc: denied { getattr } for pid=9536 comm="thin" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file

*************************************************

[root@unused ~]# ausearch -m avc -ts recent
----
time->Wed Oct 19 11:48:32 2011
type=PATH msg=audit(1319039312.122:62237): item=0 name="/dev/urandom" inode=3640 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
type=CWD msg=audit(1319039312.122:62237): cwd="/"
type=SYSCALL msg=audit(1319039312.122:62237): arch=c000003e syscall=2 success=yes exit=3 a0=7dcd42 a1=0 a2=1b6 a3=0 items=1 ppid=9185 pid=9186 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=5 comm="mongod" exe="/usr/bin/mongod" subj=unconfined_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1319039312.122:62237): avc: denied { open } for pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.122:62237): avc: denied { read } for pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Wed Oct 19 11:48:32 2011
type=SYSCALL msg=audit(1319039312.219:62240): arch=c000003e syscall=9 success=yes exit=140714481811456 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=9189 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=5 comm="mongod" exe="/usr/bin/mongod" subj=unconfined_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1319039312.219:62240): avc: denied { execmem } for pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
----
time->Wed Oct 19 11:49:18 2011
type=PATH msg=audit(1319039358.135:62264): item=0 name="/etc/pki/tls/cert.pem" inode=392498 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0
type=CWD msg=audit(1319039358.135:62264): cwd="/"
type=SYSCALL msg=audit(1319039358.135:62264): arch=c000003e syscall=2 success=yes exit=3 a0=7fc5856b5623 a1=0 a2=1b6 a3=0 items=1 ppid=9533 pid=9536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039358.135:62264): avc: denied { open } for pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc: denied { read } for pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc: denied { read } for pid=9536 comm="thin" name="cert.pem" dev=dm-0 ino=392496 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1319039358.135:62264): avc: denied { search } for pid=9536 comm="thin" name="pki" dev=dm-0 ino=392492 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:18 2011
type=SYSCALL msg=audit(1319039358.136:62265): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff688971c0 a2=7fff688971c0 a3=7fff688970b0 items=0 ppid=9533 pid=9536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039358.136:62265): avc: denied { getattr } for pid=9536 comm="thin" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
----
time->Wed Oct 19 11:49:29 2011
type=PATH msg=audit(1319039369.337:62270): item=1 name=(null) inode=17741 dev=00:14 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:autofs_t:s0
type=PATH msg=audit(1319039369.337:62270): item=0 name="./net/ssh.rb"
type=CWD msg=audit(1319039369.337:62270): cwd="/"
type=SYSCALL msg=audit(1319039369.337:62270): arch=c000003e syscall=4 success=no exit=-2 a0=7fe5d6c5a420 a1=7fff306a7c60 a2=7fff306a7c60 a3=8 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039369.337:62270): avc: denied { search } for pid=9587 comm="deltacloudd" name="/" dev=autofs ino=17741 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:30 2011
type=SOCKADDR msg=audit(1319039370.469:62271): saddr=0A000BBA000000000000000000000000000000000000000100000000
type=SYSCALL msg=audit(1319039370.469:62271): arch=c000003e syscall=42 success=no exit=-115 a0=a a1=babac0 a2=1c a3=7fff68818e10 items=0 ppid=1 pid=9540 auid=0 uid=451 gid=451 euid=451 suid=451 fsuid=451 egid=451 sgid=451 fsgid=451 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039370.469:62271): avc: denied { name_connect } for pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:31 2011
type=PATH msg=audit(1319039371.087:62272): item=1 name="/var/log/iwhd.log" inode=133123 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0
type=PATH msg=audit(1319039371.087:62272): item=0 name="/var/log/" inode=131639 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
type=CWD msg=audit(1319039371.087:62272): cwd="/"
type=SYSCALL msg=audit(1319039371.087:62272): arch=c000003e syscall=2 success=yes exit=5 a0=7fff41cbff7b a1=441 a2=1b6 a3=7fff41cbd960 items=2 ppid=1 pid=9625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.087:62272): avc: denied { create } for pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319039371.087:62272): avc: denied { add_name } for pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319039371.087:62272): avc: denied { write } for pid=9625 comm="iwhd" name="log" dev=dm-0 ino=131639 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:31 2011
type=SOCKADDR msg=audit(1319039371.089:62273): saddr=020069897F0000010000000000000000
type=SYSCALL msg=audit(1319039371.089:62273): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff41cbd7e8 a2=10 a3=7f99cdb3e9f0 items=0 ppid=1 pid=9628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.089:62273): avc: denied { name_connect } for pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:31 2011
type=SOCKADDR msg=audit(1319039371.089:62274): saddr=02002382000000000000000000000000
type=SYSCALL msg=audit(1319039371.089:62274): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff41cbdb60 a2=10 a3=7fff41cbd860 items=0 ppid=1 pid=9625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.089:62274): avc: denied { name_bind } for pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.876:62288): item=1 name="/var/tmp/deltacloud-mock-nobody" inode=133113 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.876:62288): item=0 name="/var/tmp/" inode=130905 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.876:62288): cwd="/"
type=SYSCALL msg=audit(1319039382.876:62288): arch=c000003e syscall=83 success=yes exit=0 a0=2c148e0 a1=1ff a2=2c148ff a3=7fff306a1350 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.876:62288): avc: denied { create } for pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.876:62288): avc: denied { add_name } for pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.876:62288): avc: denied { write } for pid=9587 comm="deltacloudd" name="tmp" dev=dm-0 ino=130905 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.877:62289): item=1 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots" inode=133114 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.877:62289): item=0 name="/var/tmp/deltacloud-mock-nobody/" inode=133113 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.877:62289): cwd="/"
type=SYSCALL msg=audit(1319039382.877:62289): arch=c000003e syscall=83 success=yes exit=0 a0=2c152b0 a1=1ff a2=2c152e1 a3=8 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.877:62289): avc: denied { add_name } for pid=9587 comm="deltacloudd" name="storage_snapshots" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.877:62289): avc: denied { write } for pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" dev=dm-0 ino=133113 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.877:62290): item=1 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots/snap3.yml" inode=133115 dev=fd:00 mode=0100644 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.877:62290): item=0 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots/" inode=133114 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.877:62290): cwd="/"
type=SYSCALL msg=audit(1319039382.877:62290): arch=c000003e syscall=2 success=yes exit=4 a0=2c16960 a1=241 a2=81a4 a3=7fff30693e10 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.877:62290): avc: denied { write open } for pid=9587 comm="deltacloudd" name="snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319039382.877:62290): avc: denied { create } for pid=9587 comm="deltacloudd" name="snap3.yml" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.881:62291): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff30693e90 a2=7fff30693e90 a3=238 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.881:62291): avc: denied { getattr } for pid=9587 comm="deltacloudd" path="/var/tmp/deltacloud-mock-nobody/storage_snapshots/snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.887:62292): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.887:62292): avc: denied { create } for pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.887:62293): item=0 name=(null) inode=12101 dev=00:05 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devlog_t:s0
type=SOCKADDR msg=audit(1319039382.887:62293): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1319039382.887:62293): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fe5d5e8d1a0 a2=6e a3=0 items=1 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.887:62293): avc: denied { sendto } for pid=9587 comm="deltacloudd" path="/dev/log" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1319039382.887:62293): avc: denied { write } for pid=9587 comm="deltacloudd" name="log" dev=devtmpfs ino=12101 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1319039382.887:62293): avc: denied { connect } for pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.979:62294): arch=c000003e syscall=44 success=yes exit=100 a0=3 a1=2b04280 a2=64 a3=4000 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.979:62294): avc: denied { write } for pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
[root@unused ~]#

same thing w/ the rpms supplied by fvollero

[root@dhcp231-79 selinux]# ls -ltra
total 8472
-rw-r--r--. 1 root root 2366844 Sep 29 08:10 selinux-policy-mls-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root  511032 Sep 29 08:10 selinux-policy-doc-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root 2579860 Sep 29 08:10 selinux-policy-targeted-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root  784464 Sep 29 08:10 selinux-policy-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root 2420212 Sep 29 08:10 selinux-policy-minimum-3.7.19-114.el6.noarch.rpm
dr-xr-x---. 3 root root    4096 Oct 19 12:22 ..
drwxr-xr-x. 2 root root    4096 Oct 19 12:23 .
[root@dhcp231-79 selinux]# yum localinstall *
Loaded plugins: product-id, subscription-manager
Updating Red Hat repositories.
Setting up Local Package Process Examining selinux-policy-3.7.19-114.el6.noarch.rpm: selinux-policy-3.7.19-114.el6.noarch Marking selinux-policy-3.7.19-114.el6.noarch.rpm as an update to selinux-policy-3.7.19-93.el6.noarch rhel6 | 4.0 kB 00:00 rhel6/primary_db | 3.0 MB 00:00 rhel6-optional | 3.8 kB 00:00 rhel6-optional/primary_db | 1.3 MB 00:00 Examining selinux-policy-doc-3.7.19-114.el6.noarch.rpm: selinux-policy-doc-3.7.19-114.el6.noarch Marking selinux-policy-doc-3.7.19-114.el6.noarch.rpm to be installed Examining selinux-policy-minimum-3.7.19-114.el6.noarch.rpm: selinux-policy-minimum-3.7.19-114.el6.noarch Marking selinux-policy-minimum-3.7.19-114.el6.noarch.rpm to be installed Examining selinux-policy-mls-3.7.19-114.el6.noarch.rpm: selinux-policy-mls-3.7.19-114.el6.noarch Marking selinux-policy-mls-3.7.19-114.el6.noarch.rpm to be installed Examining selinux-policy-targeted-3.7.19-114.el6.noarch.rpm: selinux-policy-targeted-3.7.19-114.el6.noarch Marking selinux-policy-targeted-3.7.19-114.el6.noarch.rpm as an update to selinux-policy-targeted-3.7.19-93.el6.noarch Resolving Dependencies --> Running transaction check ---> Package selinux-policy.noarch 0:3.7.19-93.el6 will be updated ---> Package selinux-policy.noarch 0:3.7.19-114.el6 will be an update ---> Package selinux-policy-doc.noarch 0:3.7.19-114.el6 will be installed ---> Package selinux-policy-minimum.noarch 0:3.7.19-114.el6 will be installed --> Processing Dependency: policycoreutils-python >= 2.0.78-1 for package: selinux-policy-minimum-3.7.19-114.el6.noarch ---> Package selinux-policy-mls.noarch 0:3.7.19-114.el6 will be installed --> Processing Dependency: policycoreutils-newrole >= 2.0.78-1 for package: selinux-policy-mls-3.7.19-114.el6.noarch --> Processing Dependency: setransd for package: selinux-policy-mls-3.7.19-114.el6.noarch ---> Package selinux-policy-targeted.noarch 0:3.7.19-93.el6 will be updated ---> Package selinux-policy-targeted.noarch 0:3.7.19-114.el6 will be an update --> Running 
transaction check ---> Package mcstrans.x86_64 0:0.3.1-4.el6 will be installed ---> Package policycoreutils-newrole.x86_64 0:2.0.83-19.8.el6_0 will be installed ---> Package policycoreutils-python.x86_64 0:2.0.83-19.8.el6_0 will be installed --> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64 --> Processing Dependency: audit-libs-python >= 1.4.2-1 for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64 --> Processing Dependency: setools-libs-python for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64 --> Processing Dependency: libselinux-python for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64 --> Running transaction check ---> Package audit-libs-python.x86_64 0:2.1-5.el6 will be installed ---> Package libselinux-python.x86_64 0:2.0.94-5.el6 will be installed ---> Package libsemanage-python.x86_64 0:2.0.43-4.el6 will be installed ---> Package setools-libs-python.x86_64 0:3.3.7-4.el6 will be installed --> Processing Dependency: setools-libs = 3.3.7-4.el6 for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libpoldiff.so.1(VERS_1.3)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libsefs.so.4(VERS_4.0)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libseaudit.so.4(VERS_4.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libseaudit.so.4(VERS_4.1)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libqpol.so.1(VERS_1.3)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libapol.so.4(VERS_4.1)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> 
Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libpoldiff.so.1(VERS_1.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libapol.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libpoldiff.so.1()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libqpol.so.1()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libseaudit.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Processing Dependency: libsefs.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64 --> Running transaction check ---> Package setools-libs.x86_64 0:3.3.7-4.el6 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: selinux-policy-doc noarch 3.7.19-114.el6 /selinux-policy-doc-3.7.19-114.el6.noarch 12 M selinux-policy-minimum noarch 3.7.19-114.el6 /selinux-policy-minimum-3.7.19-114.el6.noarch 2.7 M selinux-policy-mls noarch 3.7.19-114.el6 /selinux-policy-mls-3.7.19-114.el6.noarch 2.6 M Updating: selinux-policy noarch 3.7.19-114.el6 /selinux-policy-3.7.19-114.el6.noarch 7.8 M selinux-policy-targeted noarch 3.7.19-114.el6 /selinux-policy-targeted-3.7.19-114.el6.noarch 2.9 M Installing for dependencies: audit-libs-python x86_64 2.1-5.el6 rhel6 57 k libselinux-python x86_64 2.0.94-5.el6 rhel6 201 k libsemanage-python x86_64 2.0.43-4.el6 rhel6 81 k mcstrans x86_64 0.3.1-4.el6 rhel6 85 k policycoreutils-newrole x86_64 2.0.83-19.8.el6_0 rhel6 106 k policycoreutils-python x86_64 2.0.83-19.8.el6_0 rhel6 334 k setools-libs x86_64 3.3.7-4.el6 rhel6 400 k setools-libs-python x86_64 3.3.7-4.el6 rhel6 222 k Transaction 
Summary ================================================================================ Install 11 Package(s) Upgrade 2 Package(s) Total size: 30 M Total download size: 1.5 M Is this ok [y/N]: y Downloading Packages: (1/8): audit-libs-python-2.1-5.el6.x86_64.rpm | 57 kB 00:00 (2/8): libselinux-python-2.0.94-5.el6.x86_64.rpm | 201 kB 00:00 (3/8): libsemanage-python-2.0.43-4.el6.x86_64.rpm | 81 kB 00:00 (4/8): mcstrans-0.3.1-4.el6.x86_64.rpm | 85 kB 00:00 (5/8): policycoreutils-newrole-2.0.83-19.8.el6_0.x86_64. | 106 kB 00:00 (6/8): policycoreutils-python-2.0.83-19.8.el6_0.x86_64.r | 334 kB 00:00 (7/8): setools-libs-3.3.7-4.el6.x86_64.rpm | 400 kB 00:00 (8/8): setools-libs-python-3.3.7-4.el6.x86_64.rpm | 222 kB 00:00 -------------------------------------------------------------------------------- Total 4.6 MB/s | 1.5 MB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Updating : selinux-policy-3.7.19-114.el6.noarch 1/15 Installing : setools-libs-3.3.7-4.el6.x86_64 2/15 Installing : setools-libs-python-3.3.7-4.el6.x86_64 3/15 Installing : libsemanage-python-2.0.43-4.el6.x86_64 4/15 Installing : audit-libs-python-2.1-5.el6.x86_64 5/15 Installing : mcstrans-0.3.1-4.el6.x86_64 6/15 Installing : libselinux-python-2.0.94-5.el6.x86_64 7/15 Installing : policycoreutils-python-2.0.83-19.8.el6_0.x86_64 8/15 Installing : policycoreutils-newrole-2.0.83-19.8.el6_0.x86_64 9/15 Installing : selinux-policy-mls-3.7.19-114.el6.noarch 10/15 Installing : selinux-policy-minimum-3.7.19-114.el6.noarch 11/15 Installing : selinux-policy-doc-3.7.19-114.el6.noarch 12/15 Updating : selinux-policy-targeted-3.7.19-114.el6.noarch 13/15 Cleanup : selinux-policy-targeted-3.7.19-93.el6.noarch 14/15 Cleanup : selinux-policy-3.7.19-93.el6.noarch 15/15 rhel6/productid | 1.7 kB 00:00 duration: 81(ms) installing: 69.pem Installed products updated. 
Installed: selinux-policy-doc.noarch 0:3.7.19-114.el6 selinux-policy-minimum.noarch 0:3.7.19-114.el6 selinux-policy-mls.noarch 0:3.7.19-114.el6 Dependency Installed: audit-libs-python.x86_64 0:2.1-5.el6 libselinux-python.x86_64 0:2.0.94-5.el6 libsemanage-python.x86_64 0:2.0.43-4.el6 mcstrans.x86_64 0:0.3.1-4.el6 policycoreutils-newrole.x86_64 0:2.0.83-19.8.el6_0 policycoreutils-python.x86_64 0:2.0.83-19.8.el6_0 setools-libs.x86_64 0:3.3.7-4.el6 setools-libs-python.x86_64 0:3.3.7-4.el6 Updated: selinux-policy.noarch 0:3.7.19-114.el6 selinux-policy-targeted.noarch 0:3.7.19-114.el6 Complete! [root@dhcp231-79 selinux]# ls selinux-policy-3.7.19-114.el6.noarch.rpm selinux-policy-doc-3.7.19-114.el6.noarch.rpm selinux-policy-minimum-3.7.19-114.el6.noarch.rpm selinux-policy-mls-3.7.19-114.el6.noarch.rpm selinux-policy-targeted-3.7.19-114.el6.noarch.rpm [root@dhcp231-79 selinux]# cd /root/ [root@dhcp231-79 ~]# ls anaconda-ks.cfg cloudform.tar install.log install.log.syslog selinux [root@dhcp231-79 ~]# mkdir cloudform [root@dhcp231-79 ~]# mv cloudform.tar cloudform [root@dhcp231-79 ~]# cd cloudform/ [root@dhcp231-79 cloudform]# ls cloudform.tar [root@dhcp231-79 cloudform]# tar -xvf cloudform.tar cloudform.te cloudform.fc cloudform.sh cloudform.if [root@dhcp231-79 cloudform]# ls cloudform.fc cloudform.if cloudform.sh cloudform.tar cloudform.te [root@dhcp231-79 cloudform]# getE -bash: getE: command not found [root@dhcp231-79 cloudform]# getenforce Enforcing [root@dhcp231-79 cloudform]# sh cloudform.sh Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile Compiling targeted cloudform module /usr/bin/checkmodule: loading policy configuration from tmp/cloudform.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/cloudform.mod Creating targeted cloudform.pp policy package rm tmp/cloudform.mod.fc tmp/cloudform.mod + /usr/sbin/semodule -i cloudform.pp + /sbin/restorecon -F -R -v /usr/bin/iwhd 
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/iwhd
+ /sbin/restorecon -F -R -v /var/run/iwhd.pid
+ /sbin/restorecon -F -R -v /var/lib/iwhd
+ /sbin/restorecon -F -R -v /usr/bin/deltacloudd
+ /sbin/restorecon -F -R -v /usr/bin/mongod
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/mongod
+ /sbin/restorecon -F -R -v /var/lib/mongodb
+ /sbin/restorecon -F -R -v /var/log/mongodb
+ /sbin/restorecon -F -R -v /var/run/mongodb
+ /sbin/restorecon -F -R -v /usr/bin/thin
[root@dhcp231-79 cloudform]# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
[root@dhcp231-79 cloudform]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@dhcp231-79 cloudform]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0 8052 ? 00:00:00 rhsmcertd
[root@dhcp231-79 cloudform]#
[root@dhcp231-79 cloudform]# ausearch -m avc -ts recent
<no matches>
[root@dhcp231-79 cloudform]# ls /etc/yum.repos.d/
redhat.repo  rhel6-optional.repo  rhel6.repo  rhel-source.repo
[root@dhcp231-79 cloudform]# cd /etc/yum.repos.d/
[root@dhcp231-79 yum.repos.d]# wget http://repos.fedorapeople.org/repos/aeolus/conductor/rhel-aeolus.repo
--2011-10-19 12:31:43-- http://repos.fedorapeople.org/repos/aeolus/conductor/rhel-aeolus.repo
Resolving repos.fedorapeople.org... 85.236.55.7
Connecting to repos.fedorapeople.org|85.236.55.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 479 [text/plain]
Saving to: “rhel-aeolus.repo”

100%[======================================>] 479 --.-K/s in 0s

2011-10-19 12:31:44 (61.9 MB/s) - “rhel-aeolus.repo” saved [479/479]

[root@dhcp231-79 ~]# tail -f /var/log/audit/audit.log
type=ADD_USER msg=audit(1319042196.869:63811): user pid=31155 uid=0 auid=0 ses=15 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user to group acct="qemu" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=ADD_USER msg=audit(1319042196.869:63812): user pid=31155 uid=0 auid=0 ses=15 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user to shadow group acct="qemu" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=CONFIG_CHANGE msg=audit(1319042196.987:63813): auid=0 ses=15 op="updated rules" path="/etc/shadow" key=(null) list=4 res=1
type=SYSCALL msg=audit(1319042196.987:63814): arch=c000003e syscall=82 success=yes exit=0 a0=7fffa3aada30 a1=6153c0 a2=7fffa3aad8f0 a3=fffffffe items=5 ppid=31143 pid=31155 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=15 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1319042196.987:63814): cwd="/"
type=PATH msg=audit(1319042196.987:63814): item=0 name="/etc/" inode=1835009 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1319042196.987:63814): item=1 name="/etc/" inode=1835009 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1319042196.987:63814): item=2 name="/etc/shadow+" inode=1836394 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=PATH msg=audit(1319042196.987:63814): item=3 name="/etc/shadow" inode=1836350 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=PATH msg=audit(1319042196.987:63814): item=4 name="/etc/shadow" inode=1836394 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
^C
[root@dhcp231-79 ~]# tail -f /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1319042396.373:63851): avc: denied { search } for pid=31761 comm="deltacloudd" name="/" dev=autofs ino=18826 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1319042397.625:63854): avc: denied { read } for pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.625:63854): avc: denied { open } for pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.689:63857): avc: denied { execmem } for pid=31790 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319042397.876:63858): avc: denied { write } for pid=31826 comm="iwhd" name="log" dev=dm-0 ino=2491191 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.876:63858): avc: denied { add_name } for pid=31826 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.876:63858): avc: denied { create } for pid=31826 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319042397.877:63859): avc: denied { name_connect } for pid=31829 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319042397.878:63860): avc: denied { name_bind } for pid=31826 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319042409.965:63879): avc: denied { write } for pid=31761 comm="deltacloudd" name="tmp" dev=dm-0 ino=2490457 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63879): avc: denied { add_name } for pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63879): avc: denied { create } for pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63880): avc: denied { write } for pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" dev=dm-0 ino=2499218 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63880): avc: denied { add_name } for pid=31761 comm="deltacloudd" name="images" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63881): avc: denied { create } for pid=31761 comm="deltacloudd" name="img3.yml" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319042409.965:63881): avc: denied { write open } for pid=31761 comm="deltacloudd" name="img3.yml" dev=dm-0 ino=2499220 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319042409.966:63882): avc: denied { getattr } for pid=31761 comm="deltacloudd" path="/var/tmp/deltacloud-mock-nobody/images/img3.yml" dev=dm-0 ino=2499220 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Ok, I am fixing the policies and will attach for re-testing.

Wes, could you redirect output of ausearch to a file and attach this file next time? Thanks.

# ausearch -m avc -ts recent > /tmp/cloudform.log

Created attachment 529251 [details]
Updated cloudform policies
Updated policies.
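As an added triage example (my code, not from this bug, the selinux-policy package or audit2allow): a Python script that parses AVC lines like the ones pasted above, groups them by source type, target type and object class, merges the denied permissions, decodes audit's hex-encoded path field (the path=2F746D70... form that shows up later in this bug for a deleted qemu temp file) and prints audit2allow-style candidate rules. It flags targets whose type is a generic default type such as var_log_t, tmp_t, port_t or var_lib_t, because for those the right fix is normally a label, as with the restorecon and chcon steps in this bug, not a blanket allow rule; that list of generic types is my own heuristic. The sample lines are copied from this bug's log, with one constructed SYSCALL record to show that non-AVC records are skipped.

```python
"""Triage helper for SELinux AVC denials from /var/log/audit/audit.log.

Groups each denial by (source type, target type, object class), merges the
denied permissions, decodes audit's hex-encoded path/name fields and emits
audit2allow-style candidate rules for a policy author to review.
"""
import re
import sys
from collections import defaultdict

# One AVC record: "... avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs: the value is a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields auditd writes as uppercase hex when the value contains spaces or
# control characters (a deleted file shows up as path=2F746D70...).
HEX_ENCODED_FIELDS = {"name", "path", "comm", "exe", "cwd"}

# Generic default types. A denial against one of these usually means the
# object is mislabelled (fix: file context + restorecon/chcon, or a port
# label), not that the domain needs access to everything of that type.
# This list is a heuristic chosen for this example, not taken from policy.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_log_t", "var_t", "var_run_t", "tmp_t",
                        "usr_t", "etc_t", "port_t", "file_t", "default_t"}


def decode_audit_value(raw):
    """Strip quotes from a quoted value, or decode a hex-encoded one."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group("rest")):
        fields[key] = decode_audit_value(raw) if key in HEX_ENCODED_FIELDS else raw
    # A context is user:role:type[:level]; policy rules are written on the type.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    target = fields.get("path") or fields.get("name")
    if target is None and ("src" in fields or "dest" in fields):
        target = "port " + (fields.get("src") or fields.get("dest"))
    return {"perms": set(m.group("perms").split()), "stype": stype, "ttype": ttype,
            "tclass": fields["tclass"], "comm": fields.get("comm", "?"), "target": target}


def summarize(lines):
    """Group denials by (stype, ttype, tclass), merging perms, comms and targets."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "targets": set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        if d["target"] is not None:
            g["targets"].add(d["target"])
    return dict(groups)


def needs_label_review(ttype):
    """True when the target type points at a labelling fix rather than an allow rule."""
    return ttype in GENERIC_TARGET_TYPES


def candidate_rules(groups):
    """audit2allow-style rules, one per group, sorted by (stype, ttype, tclass)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
            for (s, t, c), g in sorted(groups.items())]


def report(groups):
    """Triage lines: candidate rule, then the programs and objects behind it."""
    out = []
    for rule, ((_, ttype, _), g) in zip(candidate_rules(groups), sorted(groups.items())):
        hint = "   <- generic type: check labels before allowing" if needs_label_review(ttype) else ""
        out.append(rule + hint)
        out.append("    comm: %s   targets: %s" % (", ".join(sorted(g["comms"])),
                                                  ", ".join(sorted(g["targets"])) or "-"))
    return out


# Constructed sample: AVC lines copied from this bug, plus one SYSCALL record
# that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1319042397.625:63854): avc: denied { read } for pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.625:63854): avc: denied { open } for pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.878:63860): avc: denied { name_bind } for pid=31826 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320085948.859:63982): avc: denied { read write } for pid=16969 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1320085948.859:63982): arch=c000003e syscall=59 success=yes exit=0 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
"""

if __name__ == "__main__":
    # "-" reads real records from stdin, e.g. ausearch -m avc -ts recent | python avc_triage.py -
    src = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for line in report(summarize(src.splitlines())):
        print(line)
```

Run without arguments it triages the embedded sample; with "-" it reads records from stdin, so `ausearch -m avc -ts recent | python avc_triage.py -` gives the grouped view of a live system. The rules it prints are candidates to read, not to load: the iwhd port_t and qemu var_lib_t denials in this bug were both resolved by labelling, which a raw `allow` on port_t or var_lib_t would have papered over far more broadly than needed.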
I am adding these policies to Fedora.
Created attachment 529538 [details]
aeolus-configure -p mock
I am fixing it in Fedora and RHEL6.

Fixed in selinux-policy-3.7.19-119.el6

RHEL 6.2

[root@qeblade31 nodes]# ps -eZ|grep initrc
system_u:system_r:initrc_t:s0 5431 ? 00:00:00 beah-srv
system_u:system_r:initrc_t:s0 5452 ? 00:00:00 beah-beaker-bac
system_u:system_r:initrc_t:s0 5464 ? 00:00:00 beah-fwd-backen
system_u:system_r:initrc_t:s0 6072 ? 00:00:01 beah-rhts-task
unconfined_u:system_r:initrc_t:s0 7506 ? 00:00:07 dbomatic
unconfined_u:system_r:initrc_t:s0 7601 ? 00:01:40 imagefactory
[root@qeblade31 nodes]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@qeblade31 nodes]# ausearch -m avc -ts recent
<no matches>
[root@qeblade31 nodes]#

RHEL 6.1 w/ new policies

[root@unused ~]# ps -eZ|grep initrc
system_u:system_r:initrc_t:s0 8089 ? 00:00:00 rhsmcertd
unconfined_u:system_r:initrc_t:s0 10502 ? 00:01:34 imagefactory
unconfined_u:system_r:initrc_t:s0 10593 ? 00:00:09 dbomatic
[root@unused ~]# ausearch -m avc -ts recent
<no matches>
[root@unused ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)
[root@unused ~]#

[root@qeblade31 nodes]# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-120.el6.noarch
libselinux-ruby-2.0.94-5.2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-120.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade31 nodes]#

imagefactory and dbomatic are running unconfined.. passing back to devel to look

Francesco, I thought dbomatic is not needed??

imagefactory should be running as virtd_t.

Wes, what does

# ps -efZ|grep initrc

[root@unused ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0 root 8089 1 0 Oct27 ? 00:00:00 /usr/bin/rhsmcertd 240
unconfined_u:system_r:initrc_t:s0 aeolus 14593 1 0 Oct27 ? 00:00:18 /usr/bin/ruby /usr/share/aeolus-conductor/dbomatic/dbomatic
unconfined_u:system_r:initrc_t:s0 root 14605 1 0 Oct27 ? 00:00:05 /usr/bin/python /usr/bin/imagefactory --rest --debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23273 23253 0 11:03 pts/0 00:00:00 grep initrc

Ok, the path was changed for imagefactory. We have

/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)

So execute

chcon -t virtd_exec_t /usr/bin/imagefactory

and try to re-test imagefactory.

Also what does

# matchpathcon /usr/bin/rhsmcertd

ok.. I'll have to do some more end to end testing.. we still need to get dbomatic fixed...

[root@unused ~]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0 8089 ? 00:00:00 rhsmcertd
unconfined_u:system_r:initrc_t:s0 25069 ? 00:00:08 dbomatic
[root@unused ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0 root 8089 1 0 Oct27 ? 00:00:00 /usr/bin/rhsmcertd 240
unconfined_u:system_r:initrc_t:s0 aeolus 25069 1 30 15:28 ? 00:00:08 /usr/bin/ruby /usr/share/aeolus-conductor/dbomatic/dbomatic
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25114 24707 0 15:29 pts/1 00:00:00 grep initrc

<weshay_hm> morazi, dbomatic is staying long term for 1.0 right?
<hewbrocca> weshay_hm: OK, so once you have been able to verify
<hewbrocca> weshay_hm: (yes)

# chcon -t mongod_exec_t /usr/share/aeolus-conductor/dbomatic/dbomatic

will fix the issue and I will update cloudform policy.

Fixed in selinux-policy-3.7.19-121.el6

now that factory is confined... builds are failing...
[root@unused ~]# ausearch -m avc
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.859:63982): arch=c000003e syscall=59 success=yes exit=0 a0=8deaa0 a1=8ddf20 a2=8def30 a3=7ffff4771770 items=0 ppid=16968 pid=16969 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.859:63982): avc: denied { read write } for pid=16969 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.830:63981): arch=c000003e syscall=59 success=yes exit=0 a0=7ed960 a1=7ecf10 a2=7ede20 a3=7fff9e539150 items=0 ppid=13330 pid=16967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.830:63981): avc: denied { read write } for pid=16967 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.875:63983): arch=c000003e syscall=59 success=yes exit=0 a0=7f137c13cce0 a1=7f137c13d060 a2=174e410 a3=20 items=0 ppid=13330 pid=16970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.875:63983): avc: denied { read write } for pid=16970 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.886:63984): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fffd9a27820 a2=6e a3=7fffd9a275a0 items=0 ppid=13330 pid=16970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.886:63984): avc: denied { write } for pid=16970 comm="qemu-kvm" name="sock" dev=dm-0 ino=1970033 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=sock_file
[root@unused ~]#
[root@unused ~]# rpm -qa | grep aeolus
rubygem-ZenTest-4.3.3-2.aeolus.el6.noarch
aeolus-configure-2.2.0-1.el6.noarch
aeolus-conductor-doc-0.5.0-1.el6.noarch
rubygem-aeolus-image-0.1.0-4.el6.noarch
aeolus-conductor-0.5.0-1.el6.noarch
rubygem-arel-2.0.10-0.aeolus.el6.noarch
rubygem-aeolus-cli-0.1.0-3.el6.noarch
aeolus-conductor-daemons-0.5.0-1.el6.noarch
aeolus-all-0.5.0-1.el6.noarch
rubygem-rack-mount-0.7.1-3.aeolus.el6.noarch
[root@unused ~]# rpm -qa | grep selinux
libselinux-utils-2.0.94-5.el6.x86_64
selinux-policy-targeted-3.7.19-121.el6.noarch
selinux-policy-3.7.19-121.el6.noarch
libselinux-ruby-2.0.94-5.el6.x86_64
libselinux-2.0.94-5.el6.x86_64
[root@unused ~]# rpm -qa | grep libvirt
libvirt-python-0.8.7-18.el6.x86_64
libvirt-0.8.7-18.el6.x86_64
libvirt-client-0.8.7-18.el6.x86_64
[root@unused ~]# rpm -qa | grep imagefactory
imagefactory-jeosconf-ec2-rhel-0.8.0-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-0.8.0-1.el6.noarch
imagefactory-0.8.0-1.el6.noarch
rubygem-imagefactory-console-0.5.0-4.20110824113238gitd9debef.el6.noarch
[root@unused ~]# rpm -qa | grep oz
python-repoze-who-friendlyform-1.0-0.3.b3.el6.noarch
python-repoze-who-1.0.13-2.el6.noarch
python-repoze-what-1.0.8-6.el6.noarch
python-repoze-tm2-1.0-0.5.a4.el6.noarch
oz-0.7.0-3.el6.noarch
python-repoze-what-pylons-1.0-4.el6.noarch
python-repoze-who-testutil-1.0-0.4.rc1.el6.noarch

Wes, are you up-to-date?

Francesco, I thought it should be fixed?

Wes, if you execute

# grep virt_tmp_t /var/log/audit/audit.log |audit2allow -M myvirt.te
# semodule -i myvirt.pp

does it work then?

[root@unused ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)
[root@unused ~]# grep virt_tmp_t /var/log/audit/audit.log |audit2allow -M myvirt
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myvirt.pp

[root@unused ~]# semodule -i myvirt.pp
[root@unused ~]# getenforce
Enforcing
[root@unused ~]# /etc/init.d/auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@unused ~]#
[root@unused ~]# ausearch -m avc
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69368): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69368): avc: denied { read } for pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69369): arch=c000003e syscall=4 success=no exit=-13 a0=2709b80 a1=7fff7563c3e0 a2=7fff7563c3e0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69369): avc: denied { getattr } for pid=19450 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69370): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69370): avc: denied { read write } for pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
[root@unused ~]#

if you execute

# chcon -R -t virt_image_t /var/lib/imagefactory/image

does it work then?

no dice :( contact me on irc if you want access to the server..
[root@unused ~]# ausearch -m avc
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69368): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69368): avc: denied { read } for pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69369): arch=c000003e syscall=4 success=no exit=-13 a0=2709b80 a1=7fff7563c3e0 a2=7fff7563c3e0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69369): avc: denied { getattr } for pid=19450 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69370): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69370): avc: denied { read write } for pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov 1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.222:70597): arch=c000003e syscall=2 success=no exit=-13 a0=1af9b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.222:70597): avc: denied { read } for pid=914 comm="qemu-kvm" name="base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov 1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.223:70598): arch=c000003e syscall=4 success=no exit=-13 a0=1af9b80 a1=7fffcebb9ac0 a2=7fffcebb9ac0 a3=1 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.223:70598): avc: denied { getattr } for pid=914 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov 1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.223:70599): arch=c000003e syscall=2 success=no exit=-13 a0=1af9b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.223:70599): avc: denied { read write } for pid=914 comm="qemu-kvm" name="base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
[root@unused ~]#

Well, I have a typo:

# chcon -R -t virt_image_t /var/lib/imagefactory/images

yes.. I fixed that typo before executing.

Fixed in selinux-policy-3.7.19-122.el6

I was able to create a new image using "aeolus-image" in enforcing mode.

[root@qeblade30 cron.d]# ausearch -m avc
<no matches>
[root@qeblade30 cron.d]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@qeblade30 cron.d]# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
libselinux-ruby-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-122.el6.noarch
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-122.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade30 cron.d]#

Created attachment 531420 [details]
automation log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html