Description of problem:

Version-Release number of selected component (if applicable):
beah-0.7.6-1.el7eng.noarch
selinux-policy-3.13.1-3.el7.noarch
selinux-policy-targeted-3.13.1-3.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine
2. install the latest selinux-policy
3. reboot the machine
4. check the context of running beah processes
5. search for AVCs

Actual results:
----
type=SYSCALL msg=audit(10/09/2014 04:01:38.544:46) : arch=s390x syscall=execve success=no exit=-13(Permission denied) a0=0x3ffff9e2b27 a1=0x3ffff9e2ed8 a2=0x3ffff9e2ee8 a3=0x0 items=0 ppid=2246 pid=2285 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=runcon exe=/usr/bin/runcon subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(10/09/2014 04:01:38.544:46) : avc: denied { transition } for pid=2285 comm=runcon path=/usr/bin/true dev="dm-0" ino=33842238 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----

Expected results:
Following lines in the /var/lib/beah/tortilla/wrappers.d/unconfined should be modified:

    if runcon | grep -q ":unconfined_r:unconfined_t:"; then
        # Already in the desired context
        exec "$@"
    elif $runcon_cmd -- true; then
        # Run command with SELinux context of the root
        exec $runcon_cmd -- "$@"
    else
        echo "-- WARNING: '$runcon_cmd -- true' failed. Running in default context!"
        exec "$@"
    fi

*** This bug has been marked as a duplicate of bug 1149988 ***
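
For step 5 of the report ("search for AVCs"), the following added example, which is not part of the bug report or of beah, parses `ausearch -i` style AVC records and lists denied domain transitions by command, source type and target type. The function names are hypothetical, and the sample line is the AVC record quoted in the report.

```python
import re

# Sample input: the AVC record quoted in the report (ausearch -i format).
SAMPLE = (
    'type=AVC msg=audit(10/09/2014 04:01:38.544:46) : avc: denied { transition } '
    'for pid=2285 comm=runcon path=/usr/bin/true dev="dm-0" ino=33842238 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        return None  # not a well-formed SELinux context
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        rec[key] = parse_context(rec.get(key, ''))
    return rec


def denied_transitions(lines):
    """List (comm, source type, target type) for denied process transitions."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or not rec['scontext'] or not rec['tcontext']:
            continue
        if rec.get('tclass') == 'process' and 'transition' in rec['perms']:
            found.append((rec.get('comm'), rec['scontext']['type'], rec['tcontext']['type']))
    return found


if __name__ == '__main__':
    for comm, src, dst in denied_transitions([SAMPLE]):
        print(f'{comm}: {src} -> {dst} transition denied')
```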