Bug 974149

Summary: MLS: install/upgrade of unbound-libs shows AVC
Product: Red Hat Enterprise Linux 7
Reporter: Miroslav Vadkerti <mvadkert>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: mmalik, vpavlin, zpytela
Target Milestone: beta
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-125.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:48:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Miroslav Vadkerti 2013-06-13 14:09:37 UTC
Description of problem:
# yum upgrade unbound-libs
[snip]
Running transaction
 Updating   : unbound-libs-1.4.20-9.el7.x86_64             1/2
runuser: System error
 Cleanup    : unbound-libs-1.4.20-8.el7.x86_64             2/2
[snip]

# ausearch -ts 15:04:47 -m avc -sv no
----
time->Thu Jun 13 15:04:55 2013
type=SYSCALL msg=audit(1371128695.213:17568): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff7d23e840 items=0 ppid=29143 pid=29145 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=6 tty=pts0 comm="runuser" exe="/usr/sbin/runuser" subj=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1371128695.213:17568): avc:  denied  { create } for  pid=29145 comm="runuser" scontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
----

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-49.el7.noarch
unbound-libs-1.4.20-9.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. yum install unbound-libs or yum upgrade unbound-libs

Actual results:
runuser: System error and AVC

Expected results:
No error and no AVC

Additional info:

Comment 1 Miroslav Grepl 2013-06-14 05:58:34 UTC
commit 47a764b10bfd96a1b6200ebfd22806a9bbaf5af0
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jun 14 07:58:16 2013 +0200

    Allow runuser running as rpm_script_t to create netlink_audit socket

Comment 2 Milos Malik 2013-07-04 13:10:45 UTC
I still see "runuser: System error" message when upgrading via rpm -Uvh ...
Following AVC appeared:
----
type=SOCKADDR msg=audit(07/04/2013 14:40:50.309:10149) : saddr=netlink pid:0 
type=SYSCALL msg=audit(07/04/2013 14:40:50.309:10149) : arch=x86_64 syscall=sendto success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff059aed50 a2=0x74 a3=0x0 items=0 ppid=6066 pid=6068 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=1 tty=tty1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/04/2013 14:40:50.309:10149) : avc:  denied  { nlmsg_relay } for  pid=6068 comm=runuser scontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket 
----

Comment 3 Milos Malik 2013-07-04 13:15:40 UTC
Forgot to mention: upgrade from unbound-libs-1.4.20-9.el7.x86_64 to unbound-libs-1.4.20-14.el7.x86_64

Comment 4 Miroslav Grepl 2013-07-12 09:30:35 UTC
Fixed.

Comment 5 Milos Malik 2013-08-05 13:24:03 UTC
Following AVC appeared during the installation of unbound-libs package. selinux-policy-mls-3.12.1-69.el7.noarch was present and the machine was in enforcing mode at the time:
----
type=SOCKADDR msg=audit(08/05/2013 13:21:31.395:904) : saddr=netlink pid:0 
type=SOCKETCALL msg=audit(08/05/2013 13:21:31.395:904) : nargs=6 a0=0x3 a1=0x3ffffeb3d34 a2=0x70 a3=0x0 a4=3ffffeb3d28 a5=c 
type=SYSCALL msg=audit(08/05/2013 13:21:31.395:904) : arch=s390x syscall=socketcall(sendto) success=yes exit=112 a0=0xb a1=0x3ffffeb3c48 a2=0x70 a3=0x0 items=0 ppid=3568 pid=3570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=4 tty=pts0 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(08/05/2013 13:21:31.395:904) : avc:  denied  { audit_write } for  pid=3570 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----

Here is the relevant part of yum output:
Running transaction
  Installing : ldns-1.6.16-4.el7.s390x                                      1/3 
  Installing : unbound-libs-1.4.20-14.el7.s390x                             2/3 
runuser: System error
  Installing : libreswan-3.5-1.el7.s390x                                    3/3 
  Verifying  : unbound-libs-1.4.20-14.el7.s390x                             1/3 
  Verifying  : ldns-1.6.16-4.el7.s390x                                      2/3 
  Verifying  : libreswan-3.5-1.el7.s390x                                    3/3

Comment 10 Milos Malik 2014-01-20 09:11:31 UTC
# rpm -qa systemd\*
systemd-sysv-207-12.el7.x86_64
systemd-207-12.el7.x86_64
systemd-libs-207-12.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of unbound and unbound-libs packages produced following:
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.080:473) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.096:474) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.099:475) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Installation of unbound and unbound-libs packages produced following:
----
type=USER_AVC msg=audit(01/20/2014 10:09:00.767:483) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:09:00.770:484) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SOCKADDR msg=audit(01/20/2014 10:09:00.672:482) : saddr=netlink pid:0 
type=SYSCALL msg=audit(01/20/2014 10:09:00.672:482) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fff42bf1840 a2=0x70 a3=0x0 items=0 ppid=5879 pid=5881 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(01/20/2014 10:09:00.672:482) : avc:  denied  { audit_write } for  pid=5881 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----

Comment 11 Milos Malik 2014-01-20 09:19:30 UTC
# rpm -qa systemd\*
systemd-libs-207-11.el7.x86_64
systemd-207-11.el7.x86_64
systemd-sysv-207-11.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of unbound and unbound-libs packages produced following:
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.353:401) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.361:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.376:403) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.378:404) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Installation of unbound and unbound-libs packages produced following:
----
type=USER_AVC msg=audit(01/20/2014 10:18:35.438:406) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:18:35.442:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SOCKADDR msg=audit(01/20/2014 10:18:35.342:405) : saddr=netlink pid:0 
type=SYSCALL msg=audit(01/20/2014 10:18:35.342:405) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fffd8d5b910 a2=0x70 a3=0x0 items=0 ppid=1063 pid=1065 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(01/20/2014 10:18:35.342:405) : avc:  denied  { audit_write } for  pid=1065 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----

Comment 12 Milos Malik 2014-01-20 09:29:38 UTC
Following versions of systemd were tested and the results are the same:
207-10.el7
207-11.el7
207-12.el7
207-13.el7

Comment 13 Miroslav Grepl 2014-01-20 10:11:21 UTC
Milos,
could you add outputs of journalctl with debug mode?

Comment 14 Milos Malik 2014-01-20 10:32:56 UTC
Here is the output from journalctl produced by "yum remove unbound unbound-libs" and "yum install unbound unbound-libs" commands:

Jan 20 11:26:41 rhel70mls.localdomain systemd[1]: Setting log level to debug.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound recursive Domain Name Server.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound-keygen.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound-keygen.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound Control Key And Certificate Generator.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-1.4.20-18.el7.x86_64
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/crontab)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/cron.d/0hourly)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:18 rhel70mls.localdomain runuser[1580]: PAM audit_log_acct_message() failed: Operation not permitted
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound-keygen.service: -13
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local

Comment 15 Miroslav Grepl 2014-01-20 10:52:47 UTC
Ok, this makes sense

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0

Not sure about

Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13


"tclass=system"
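
The sorting that the comment above does by eye, as an added example (not code from this bug or from selinux-policy): it extracts denials from kernel AVC records, USER_AVC records and systemd's debug "SELinux access check" lines, groups them by source type, target type and class, and records whether the two MLS ranges differ. The sample records are abridged from those quoted in this report; the function names are illustrative.

```python
import re
from collections import defaultdict

# Kernel AVC and userspace USER_AVC records share the "avc: denied { ... } for" core.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
# systemd debug line; the trailing number is the check result (0 or -errno).
SYSTEMD_RE = re.compile(
    r"SELinux access check scon=(\S+) tcon=(\S+) tclass=(\S+) perm=(\S+)"
    r" .*: (-?\d+)\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES = 13  # the page's records show exit=-13(Permission denied)

# Abridged from the records quoted in this report.
SAMPLE = '''
type=AVC msg=audit(1371128695.213:17568): avc:  denied  { create } for  pid=29145 comm="runuser" scontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(07/04/2013 14:40:50.309:10149) : avc:  denied  { nlmsg_relay } for  pid=6068 comm=runuser scontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(08/05/2013 13:21:31.395:904) : avc:  denied  { audit_write } for  pid=3570 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
type=USER_AVC msg=audit(01/20/2014 10:06:18.080:473) : pid=1 uid=root msg='avc:  denied  { disable } for auid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd'
systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
'''.strip().splitlines()


def split_context(ctx):
    """user:role:type:level -> (type, level); the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return parts[2], (parts[3] if len(parts) > 3 else "")


def parse_denials(lines):
    """Return one dict per denial; allowed systemd checks (result 0) are skipped."""
    denials = []
    for line in lines:
        avc = AVC_RE.search(line)
        chk = SYSTEMD_RE.search(line)
        if avc:
            kv = dict(KV_RE.findall(avc.group(2)))
            if not {"scontext", "tcontext", "tclass"} <= kv.keys():
                continue  # truncated record
            scon, tcon, tclass = kv["scontext"], kv["tcontext"], kv["tclass"]
            perms = avc.group(1).split()
        elif chk and int(chk.group(5)) == -EACCES:
            scon, tcon, tclass = chk.group(1, 2, 3)
            perms = [chk.group(4)]
        else:
            continue
        (stype, slevel), (ttype, tlevel) = split_context(scon), split_context(tcon)
        denials.append({"source": stype, "target": ttype, "tclass": tclass,
                        "perms": perms, "mls_differs": slevel != tlevel})
    return denials


def summarize(denials):
    """Map (source type, target type, class) -> (sorted perms, any MLS range mismatch)."""
    groups = defaultdict(lambda: {"perms": set(), "mls_differs": False})
    for d in denials:
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["mls_differs"] |= d["mls_differs"]
    return {k: (sorted(v["perms"]), v["mls_differs"]) for k, v in groups.items()}


if __name__ == "__main__":
    for key, (perms, mls) in summarize(parse_denials(SAMPLE)).items():
        print(key, perms, "MLS ranges differ" if mls else "same MLS range")
```

On an MLS policy, a denial between contexts with different ranges may come from an MLS constraint rather than a missing allow rule, which `audit2why` reports.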

Comment 16 Miroslav Grepl 2014-01-20 10:58:36 UTC
Actually I am going to add fixes.

Comment 17 Miroslav Grepl 2014-01-20 11:03:47 UTC
commit 815d7cc02dd8eed7162ce63fbae70961e142a3c5
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 20 12:02:35 2014 +0100

    Allow unbound to handle unbound-keygen.service

commit 89fbc4d8f08f2ebb3e60749df2b08a8ba215d2f7
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 20 12:01:12 2014 +0100

    Allow scriptlets to enable/disable services

Comment 20 Miroslav Grepl 2014-02-11 19:13:20 UTC
commit b315bd258e8a684ec4345bc5f4fd828d80bd72d7
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 11 20:10:55 2014 +0100

    Addopt corenet rules for unbound-anchor to rpm_script_t

commit a88e70f8f5848b09bf36eb594bc9f8811f38264f
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 11 20:07:17 2014 +0100

    Allow runuser to send send audit messages

Comment 22 Ludek Smid 2014-06-13 12:48:03 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.