Bug 974149
Summary: | MLS: install/upgrade of unbound-libs shows AVC | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Miroslav Vadkerti <mvadkert>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Priority: | medium
Version: | 7.0 | CC: | mmalik, vpavlin, zpytela
Target Milestone: | beta | Hardware: | All
OS: | Linux | Type: | Bug
Fixed In Version: | selinux-policy-3.12.1-125.el7 | Doc Type: | Bug Fix
Last Closed: | 2014-06-13 12:48:03 UTC | |

Description
Miroslav Vadkerti
2013-06-13 14:09:37 UTC
commit 47a764b10bfd96a1b6200ebfd22806a9bbaf5af0
Author: Miroslav Grepl <mgrepl>
Date: Fri Jun 14 07:58:16 2013 +0200

    Allow runuser running as rpm_script_t to create netlink_audit socket

I still see "runuser: System error" message when upgrading via rpm -Uvh ... Following AVC appeared:

----
type=SOCKADDR msg=audit(07/04/2013 14:40:50.309:10149) : saddr=netlink pid:0
type=SYSCALL msg=audit(07/04/2013 14:40:50.309:10149) : arch=x86_64 syscall=sendto success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff059aed50 a2=0x74 a3=0x0 items=0 ppid=6066 pid=6068 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=1 tty=tty1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/04/2013 14:40:50.309:10149) : avc: denied { nlmsg_relay } for pid=6068 comm=runuser scontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
----

Forgot to mention: upgrade from unbound-libs-1.4.20-9.el7.x86_64 to unbound-libs-1.4.20-14.el7.x86_64

Fixed.

Following AVC appeared during the installation of unbound-libs package.
selinux-policy-mls-3.12.1-69.el7.noarch was present and the machine was in enforcing mode at the time:

----
type=SOCKADDR msg=audit(08/05/2013 13:21:31.395:904) : saddr=netlink pid:0
type=SOCKETCALL msg=audit(08/05/2013 13:21:31.395:904) : nargs=6 a0=0x3 a1=0x3ffffeb3d34 a2=0x70 a3=0x0 a4=3ffffeb3d28 a5=c
type=SYSCALL msg=audit(08/05/2013 13:21:31.395:904) : arch=s390x syscall=socketcall(sendto) success=yes exit=112 a0=0xb a1=0x3ffffeb3c48 a2=0x70 a3=0x0 items=0 ppid=3568 pid=3570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=4 tty=pts0 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null)
type=AVC msg=audit(08/05/2013 13:21:31.395:904) : avc: denied { audit_write } for pid=3570 comm=runuser capability=audit_write scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
----

Here is the relevant part of yum output:

Running transaction
Installing : ldns-1.6.16-4.el7.s390x 1/3
Installing : unbound-libs-1.4.20-14.el7.s390x 2/3
runuser: System error
Installing : libreswan-3.5-1.el7.s390x 3/3
Verifying : unbound-libs-1.4.20-14.el7.s390x 1/3
Verifying : ldns-1.6.16-4.el7.s390x 2/3
Verifying : libreswan-3.5-1.el7.s390x 3/3

# rpm -qa systemd\*
systemd-sysv-207-12.el7.x86_64
systemd-207-12.el7.x86_64
systemd-libs-207-12.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of unbound and unbound-libs packages produced following:

----
type=USER_AVC msg=audit(01/20/2014 10:06:18.080:473) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.096:474) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.099:475) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----

Installation of unbound and unbound-libs packages produced following:

----
type=USER_AVC msg=audit(01/20/2014 10:09:00.767:483) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:09:00.770:484) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SOCKADDR msg=audit(01/20/2014 10:09:00.672:482) : saddr=netlink pid:0
type=SYSCALL msg=audit(01/20/2014 10:09:00.672:482) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fff42bf1840 a2=0x70 a3=0x0 items=0 ppid=5879 pid=5881 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null)
type=AVC msg=audit(01/20/2014 10:09:00.672:482) : avc: denied { audit_write } for pid=5881 comm=runuser capability=audit_write scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
----

# rpm -qa systemd\*
systemd-libs-207-11.el7.x86_64
systemd-207-11.el7.x86_64
systemd-sysv-207-11.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of unbound and unbound-libs packages produced following:

----
type=USER_AVC msg=audit(01/20/2014 10:15:56.353:401) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.361:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.376:403) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.378:404) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----

Installation of unbound and unbound-libs packages produced following:

----
type=USER_AVC msg=audit(01/20/2014 10:18:35.438:406) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/20/2014 10:18:35.442:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SOCKADDR msg=audit(01/20/2014 10:18:35.342:405) : saddr=netlink pid:0
type=SYSCALL msg=audit(01/20/2014 10:18:35.342:405) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fffd8d5b910 a2=0x70 a3=0x0 items=0 ppid=1063 pid=1065 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null)
type=AVC msg=audit(01/20/2014 10:18:35.342:405) : avc: denied { audit_write } for pid=1065 comm=runuser capability=audit_write scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
----

Following versions of systemd were tested and the results are the same:

207-10.el7
207-11.el7
207-12.el7
207-13.el7

Milos, could you add outputs of journalctl with debug mode?

Here is the output from journalctl produced by "yum remove unbound unbound-libs" and "yum install unbound unbound-libs" commands:

Jan 20 11:26:41 rhel70mls.localdomain systemd[1]: Setting log level to debug.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound recursive Domain Name Server.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound-keygen.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound-keygen.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound Control Key And Certificate Generator.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-1.4.20-18.el7.x86_64
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/crontab)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/cron.d/0hourly)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:18 rhel70mls.localdomain runuser[1580]: PAM audit_log_acct_message() failed: Operation not permitted
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound-keygen.service: -13
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local

Ok, this makes sense

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0

Not sure about

Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13

"tclass=system"

Actually I am going to add fixes.
commit 815d7cc02dd8eed7162ce63fbae70961e142a3c5
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 20 12:02:35 2014 +0100

    Allow unbound to handle unbound-keygen.service

commit 89fbc4d8f08f2ebb3e60749df2b08a8ba215d2f7
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 20 12:01:12 2014 +0100

    Allow scriptlets to enable/disable services

commit b315bd258e8a684ec4345bc5f4fd828d80bd72d7
Author: Miroslav Grepl <mgrepl>
Date: Tue Feb 11 20:10:55 2014 +0100

    Addopt corenet rules for unbound-anchor to rpm_script_t

commit a88e70f8f5848b09bf36eb594bc9f8811f38264f
Author: Miroslav Grepl <mgrepl>
Date: Tue Feb 11 20:07:17 2014 +0100

    Allow runuser to send send audit messages

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
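The triage done by hand in this thread (separating granted checks, result 0, from denied ones, result -13, and noticing that the denied ones share tclass=system) can be scripted. The following is an added example, not code from this bug report or from the selinux-policy project: it parses both record formats quoted above, merges duplicates reported by audit and by the systemd journal, and prints one candidate allow rule per (source type, target type, class) for a policy author to review. The sample records are shortened from the ones in this report; the printed rule text is an assumption about what to review, not the content of the commits listed above.

```python
import re
from collections import defaultdict

# Audit AVC / USER_AVC records in the ausearch -i layout quoted in the report.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")
# systemd debug journal lines; the trailing integer is the check result.
SD_RE = re.compile(
    r"SELinux access check scon=(?P<scon>\S+) tcon=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\w+) perm=(?P<perms>\w+) path=\S+ "
    r"cmdline=(?P<cmd>.*): (?P<rc>-?\d+)\s*$")
CMD_RE = re.compile(r'cmdline="([^"]*)"|comm=(\S+)')

# Sample records, shortened from the ones quoted in this report.
SAMPLE = """\
type=AVC msg=audit(01/20/2014 10:09:00.672:482) : avc: denied { audit_write } for pid=5881 comm=runuser capability=audit_write scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
type=USER_AVC msg=audit(01/20/2014 10:15:56.353:401) : pid=1 uid=root msg='avc: denied { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe=/usr/lib/systemd/systemd'
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
""".splitlines()


def se_type(context):
    """Type field of user:role:type:level[:categories]."""
    return context.split(":")[2]


def parse_line(line):
    """Return (source, target, tclass, perms, command, denied) or None."""
    m = SD_RE.search(line)
    if m:
        return (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"],
                [m["perms"]], m["cmd"], int(m["rc"]) != 0)
    m = AVC_RE.search(line)
    if m:
        c = CMD_RE.search(m["rest"])
        cmd = (c.group(1) or c.group(2)) if c else "?"
        return (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"],
                m["perms"].split(), cmd, True)
    return None


def summarize(lines):
    """Group denied checks by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "commands": set()})
    for rec in filter(None, map(parse_line, lines)):
        src, tgt, tclass, perms, cmd, denied = rec
        if denied:
            groups[(src, tgt, tclass)]["perms"].update(perms)
            groups[(src, tgt, tclass)]["commands"].add(cmd)
    return dict(groups)


def candidate_rules(groups):
    """Render each group as allow-rule text for a policy author to review."""
    rules = []
    for (src, tgt, tclass), g in sorted(groups.items()):
        target = "self" if tgt == src else tgt
        rules.append("allow %s %s:%s { %s };"
                     % (src, target, tclass, " ".join(sorted(g["perms"]))))
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```

The "commands" set kept for each group records which scriptlet command triggered the denial, which is what tells a reviewer whether the access is expected package behaviour before any rule is granted.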