Description of problem:
Hundreds of messages in the logs saying "SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t)"

omiagent is a daemon installed by SCOM 2012 R2 to monitor Linux server health and performance. I am unable to find the "./status" file to run 'restorecon'.

Version-Release number of selected component (if applicable):

How reproducible:
Constant

Steps to Reproduce: n/a
1.
2.
3.

Actual results:

Expected results:

Additional info:

Aug 11 12:37:54 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (udev_t). For complete SELinux messages. run sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54
Aug 11 12:37:55 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t). For complete SELinux messages. run sealert -l 5d2aa218-1a57-4f13-b447-3ea3ab828582
Aug 11 12:37:56 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (crond_t). For complete SELinux messages. run sealert -l 46fd5761-3132-419a-848c-86f3de9db8f4
Aug 11 12:38:54 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (setrans_t). For complete SELinux messages. run sealert -l 46ae74f8-894e-4adf-b7ff-e1e7b01eef60

As the messages suggest, I ran "sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54"

Output:

# sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54

Summary:

SELinux is preventing omiagent (initrc_t) "write" to ./status (udev_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by omiagent. It is not expected that this access is required by omiagent and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./status,

restorecon -v './status'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:system_r:initrc_t
Target Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects                ./status [ file ]
Source                        omiagent
Source Path                   /opt/microsoft/scx/bin/omiagent
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           scx-1.5.0-128.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     <hostname>
Platform                      Linux <hostname> 2.6.18-308.11.1.el5 #1 SMP Fri Jun 15 15:41:53 EDT 2012 x86_64 x86_64
Alert Count                   760
First Seen                    Thu Aug 7 17:00:53 2014
Last Seen                     Mon Aug 11 13:11:53 2014
Local ID                      867d72ac-1ea2-42ff-97ab-821938b68e54
Line Numbers

Raw Audit Messages

host=<hostname> type=AVC msg=audit(1407787913.463:86463): avc: denied { write } for pid=10697 comm="omiagent" name="status" dev=proc ino=45285380 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file

host=<hostname> type=SYSCALL msg=audit(1407787913.463:86463): arch=c000003e syscall=2 success=yes exit=8 a0=2aaaac036b88 a1=2 a2=1b6 a3=2 items=0 ppid=10564 pid=10697 auid=46101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10341 comm="omiagent" exe="/opt/microsoft/scx/bin/omiagent" subj=user_u:system_r:initrc_t:s0 key=(null)

You will need to add a local policy to address this issue in RHEL5.
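
Added example, not part of the original report or the reply above: a short triage script that parses AVC denials like the one in this report, groups them by source type, target type and class, and lists the allow rules a local policy would have to contain. The sample records are constructed from the report's AVC line; the function names and the crond_t record's MLS level are assumptions. A target with dev=proc and a process domain as its type is an entry under /proc/<pid>/, labelled by the kernel from the owning process, which is why no ./status file can be found for restorecon.

```python
import re
from collections import defaultdict

# Constructed sample: field values follow the AVC line in the report; the
# crond_t record's MLS level is assumed, not taken from the report.
_T = ('type=AVC msg=audit(1407787913.463:86463): avc:  denied  { write } for  '
      'pid=10697 comm="omiagent" name="status" dev=proc ino=45285380 '
      'scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:%s tclass=file')
SAMPLE = [_T % "udev_t:s0-s0:c0.c1023", _T % "crond_t:s0-s0:c0.c1023",
          _T % "udev_t:s0-s0:c0.c1023"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    rec = {k: v.strip('"') for k, v in pairs}
    rec["perms"] = m.group(1).split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "procfs": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["procfs"] |= rec.get("dev") == "proc"
    return dict(groups)

def candidate_rules(groups):
    """Render each group as a type-enforcement allow rule for review."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items()):
        print(key, g["count"], "procfs entry" if g["procfs"] else "")
    print("\n".join(candidate_rules(summarize(SAMPLE))))
```

On a real host, audit2allow generates the equivalent module from the audit log and semodule loads it; the listing here is for reviewing which target domains the policy would open up before doing so.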