Bug 1286994 - the start of roundup service triggers SELinux denials
Summary: the start of roundup service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2015-12-01 10:07 UTC by Milos Malik
Modified: 2017-03-21 09:44 UTC (History)

Fixed In Version: selinux-policy-3.7.19-296.el6
Last Closed: 2017-03-21 09:44:47 UTC



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:0627 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2017-03-21 12:29:23 UTC

Description Milos Malik 2015-12-01 10:07:48 UTC
Description of problem:
 * the roundup-server process stays running, but the following accesses seem to be needed

Version-Release number of selected component (if applicable):
roundup-1.4.20-1.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-6.7 machine (active targeted policy)
2. start the roundup service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PATH msg=audit(12/01/2015 04:56:04.179:273) : item=0 name=/etc/httpd/mime.types inode=393268 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:04.179:273) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:04.179:273) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x1b7feb0 a1=0x7fffb2213090 a2=0x7fffb2213090 a3=0x20 items=1 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.179:273) : avc:  denied  { search } for  pid=5466 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=PATH msg=audit(12/01/2015 04:56:04.180:274) : item=0 name=/etc/httpd/conf/mime.types inode=393268 dev=fc:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:04.180:274) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:04.180:274) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x14e79c0 a1=0x7fffb2213090 a2=0x7fffb2213090 a3=0x20 items=1 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.180:274) : avc:  denied  { search } for  pid=5466 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 04:56:04.736:275) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0xffffffff items=0 ppid=1 pid=5466 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:04.736:275) : avc:  denied  { create } for  pid=5466 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=PATH msg=audit(12/01/2015 04:56:03.738:272) : item=0 name=/proc/meminfo inode=4026532034 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 04:56:03.738:272) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 04:56:03.738:272) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x3ed495713e a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x2 items=1 ppid=5462 pid=5463 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 04:56:03.738:272) : avc:  denied  { read } for  pid=5463 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2015-12-01 10:15:34 UTC
Actual results (permissive mode):
----
type=PATH msg=audit(12/01/2015 05:13:23.473:304) : item=0 name=/proc/meminfo inode=4026532034 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 05:13:23.473:304) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 05:13:23.473:304) : arch=x86_64 syscall=open success=yes exit=3 a0=0x3ed495713e a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x2 items=1 ppid=8091 pid=8092 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.473:304) : avc:  denied  { open } for  pid=8092 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 05:13:23.473:304) : avc:  denied  { read } for  pid=8092 comm=roundup-server name=meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=SYSCALL msg=audit(12/01/2015 05:13:23.474:305) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffcfa967380 a2=0x7ffcfa967380 a3=0x2 items=0 ppid=8091 pid=8092 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.474:305) : avc:  denied  { getattr } for  pid=8092 comm=roundup-server path=/proc/meminfo dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(12/01/2015 05:13:23.684:306) : item=0 name=/etc/httpd/mime.types nametype=UNKNOWN 
type=CWD msg=audit(12/01/2015 05:13:23.684:306) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 05:13:23.684:306) : arch=x86_64 syscall=stat success=no exit=-2(No such file or directory) a0=0x19487a0 a1=0x7ffcfa967d60 a2=0x7ffcfa967d60 a3=0x20 items=1 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.684:306) : avc:  denied  { search } for  pid=8095 comm=roundup-server name=httpd dev=vda1 ino=393268 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 05:13:23.994:307) : arch=x86_64 syscall=socket success=yes exit=5 a0=netlink a1=SOCK_RAW a2=ip a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.994:307) : avc:  denied  { create } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:308) : saddr=netlink pid:0 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:308) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x5 a1=0x7ffcfa967c70 a2=0xc a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:308) : avc:  denied  { bind } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:309) : saddr=netlink pid:8095 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:309) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x5 a1=0x7ffcfa967c70 a2=0x7ffcfa967c7c a3=0xffffffff items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:309) : avc:  denied  { getattr } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----
type=SOCKADDR msg=audit(12/01/2015 05:13:23.996:310) : saddr=netlink pid:0 
type=SYSCALL msg=audit(12/01/2015 05:13:23.996:310) : arch=x86_64 syscall=sendto success=yes exit=20 a0=0x5 a1=0x7ffcfa967be0 a2=0x14 a3=0x0 items=0 ppid=1 pid=8095 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 05:13:23.996:310) : avc:  denied  { nlmsg_read } for  pid=8095 comm=roundup-server scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket 
----

Comment 2 Milos Malik 2015-12-01 10:28:36 UTC
The roundup service also communicates with SSSD when /etc/nsswitch.conf is configured in a certain way, which triggers other AVCs in enforcing mode:
----
type=PATH msg=audit(12/01/2015 11:23:03.711:814) : item=0 name=/var/lib/sss/mc/passwd inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 11:23:03.711:814) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 11:23:03.711:814) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x289dae0 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc76f920ac a3=0x17 items=1 ppid=1 pid=26655 auid=root uid=root gid=roundup euid=root suid=root fsuid=root egid=roundup sgid=roundup fsgid=roundup tty=(none) ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:23:03.711:814) : avc:  denied  { search } for  pid=26655 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=PATH msg=audit(12/01/2015 11:23:03.711:815) : item=0 name=(null) inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(12/01/2015 11:23:03.711:815) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(12/01/2015 11:23:03.711:815) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffc76f92070 a2=0x6e a3=0x17 items=1 ppid=1 pid=26655 auid=root uid=root gid=roundup euid=root suid=root fsuid=root egid=roundup sgid=roundup fsgid=roundup tty=(none) ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:23:03.711:815) : avc:  denied  { search } for  pid=26655 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----

Comment 3 Milos Malik 2015-12-01 10:33:07 UTC
roundup-server <---> SSSD in permissive mode:
----
type=PATH msg=audit(12/01/2015 11:31:29.741:872) : item=0 name=/var/lib/sss/mc/passwd inode=460 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 nametype=NORMAL 
type=CWD msg=audit(12/01/2015 11:31:29.741:872) :  cwd=/ 
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:872) : arch=x86_64 syscall=open success=yes exit=4 a0=0x1b60020 a1=O_RDONLY|O_CLOEXEC a2=0x7ffe65e4434c a3=0x7ffe65e43ff0 items=1 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { open } for  pid=2838 comm=roundup-server name=passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { read } for  pid=2838 comm=roundup-server name=passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { search } for  pid=2838 comm=roundup-server name=mc dev=vda3 ino=25545 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir 
type=AVC msg=audit(12/01/2015 11:31:29.741:872) : avc:  denied  { search } for  pid=2838 comm=roundup-server name=sss dev=vda3 ino=25543 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:873) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffe65e442b0 a2=0x7ffe65e442b0 a3=0x7ffe65e44020 items=0 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:873) : avc:  denied  { getattr } for  pid=2838 comm=roundup-server path=/var/lib/sss/mc/passwd dev=vda3 ino=460 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=PATH msg=audit(12/01/2015 11:31:29.741:874) : item=0 name=(null) inode=370 dev=fc:03 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(12/01/2015 11:31:29.741:874) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(12/01/2015 11:31:29.741:874) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffe65e44310 a2=0x6e a3=0x7ffe65e43fa0 items=1 ppid=2837 pid=2838 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=roundup-server exe=/usr/bin/python subj=unconfined_u:system_r:roundup_t:s0 key=(null) 
type=AVC msg=audit(12/01/2015 11:31:29.741:874) : avc:  denied  { connectto } for  pid=2838 comm=roundup-server path=/var/lib/sss/pipes/nss scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(12/01/2015 11:31:29.741:874) : avc:  denied  { write } for  pid=2838 comm=roundup-server name=nss dev=vda3 ino=370 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 
----

Comment 5 Milos Malik 2016-01-12 08:09:51 UTC
The automated TC triggers the following SELinux denial in enforcing mode:
----
time->Mon Jan 11 21:34:31 2016
type=PATH msg=audit(1452544471.927:1315): item=0 name="/var/lib/roundup/trackers/default/config.ini" inode=657163 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1452544471.927:1315):  cwd="/"
type=SYSCALL msg=audit(1452544471.927:1315): arch=40000003 syscall=195 success=no exit=-13 a0=98cbb20 a1=bf8351bc a2=36cff4 a3=98cbb20 items=1 ppid=1 pid=2951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1452544471.927:1315): avc:  denied  { getattr } for  pid=2951 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=dm-0 ino=657163 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----

because file context patterns expect that /var/lib/roundup is a regular file which is not true:

# semanage fcontext -l | grep roundup_var_lib_t
/var/lib/roundup(/.*)?                             regular file       system_u:object_r:roundup_var_lib_t:s0 
# matchpathcon /var/lib/roundup/
/var/lib/roundup	system_u:object_r:var_lib_t:s0
# find /var/lib/roundup | wc -l
65
#
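
Added example (not part of the bug report or of selinux-policy): a simplified Python model of the file-context lookup Comment 5 describes, showing why an entry limited to regular files leaves the directories under /var/lib/roundup at var_lib_t. The /var/lib fallback entry, the all-file-types variant, the longest-literal-prefix tie-break and the parent-label inheritance for files created at run time are assumptions of the model.

```python
import posixpath
import re

# File-type column as printed by `semanage fcontext -l`.
ALL, REG, DIR = "all files", "regular file", "directory"

ROUNDUP = "/var/lib/roundup(/.*)?"
# The roundup entry is the one listed in Comment 5. The /var/lib fallback is an
# assumed entry that reproduces the var_lib_t answer matchpathcon gave there.
SPECS_REPORTED = [
    ("/var/lib(/.*)?", ALL, "system_u:object_r:var_lib_t:s0"),
    (ROUNDUP, REG, "system_u:object_r:roundup_var_lib_t:s0"),
]
# Hypothetical variant for comparison: same pattern, no file-type restriction.
SPECS_ALL_TYPES = [
    SPECS_REPORTED[0],
    (ROUNDUP, ALL, "system_u:object_r:roundup_var_lib_t:s0"),
]


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", pattern)
    return m.start() if m else len(pattern)


def lookup(specs, path, ftype):
    """Simplified lookup: whole-path regex match, file type must agree,
    and the spec with the longest literal prefix wins (model assumption)."""
    path = path.rstrip("/") or "/"
    hits = [s for s in specs
            if s[1] in (ALL, ftype) and re.fullmatch(s[0], path)]
    if not hits:
        return None
    context = max(hits, key=lambda s: stem_len(s[0]))[2]
    return context.split(":")[2]          # SELinux type only


def created_at_runtime(specs, path):
    """Type of a file created after labeling: it inherits the parent
    directory's type (assumes no type_transition rule applies)."""
    return lookup(specs, posixpath.dirname(path), DIR)


CONFIG = "/var/lib/roundup/trackers/default/config.ini"

if __name__ == "__main__":
    for name, specs in (("reported", SPECS_REPORTED),
                        ("all types", SPECS_ALL_TYPES)):
        print(name)
        print("  dir  /var/lib/roundup/ ->",
              lookup(specs, "/var/lib/roundup/", DIR))
        print("  file relabeled         ->", lookup(specs, CONFIG, REG))
        print("  file created in place  ->", created_at_runtime(specs, CONFIG))
```

In the model, the reported entry labels only regular files on a relabel, so every directory in the tree stays var_lib_t and a config.ini created under it gets the var_lib_t type seen in the AVC.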

Comment 6 Lukas Vrabec 2016-10-03 13:55:40 UTC
Milos, 
Could we re-test this issue in permissive mode? 

Thanks.

Comment 7 Milos Malik 2016-10-03 14:13:56 UTC
RHEL-6.8 enforcing mode:
----
time->Mon Oct  3 10:08:25 2016
type=SYSCALL msg=audit(1475503705.806:214): arch=c000003e syscall=2 success=no exit=-13 a0=7f2f97d3729e a1=80000 a2=1b6 a3=2 items=0 ppid=6110 pid=6111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503705.806:214): avc:  denied  { read } for  pid=6111 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:08:25 2016
type=SYSCALL msg=audit(1475503705.918:215): arch=c000003e syscall=4 success=no exit=-13 a0=11c0120 a1=7ffc38a10250 a2=7ffc38a10250 a3=6f632f746c756166 items=0 ppid=1 pid=6114 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503705.918:215): avc:  denied  { getattr } for  pid=6114 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----

RHEL-6.8 permissive mode:
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.161:227): arch=c000003e syscall=2 success=yes exit=3 a0=7fb1d39dc29e a1=80000 a2=1b6 a3=2 items=0 ppid=11520 pid=11521 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.161:227): avc:  denied  { open } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:227): avc:  denied  { read } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.161:228): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffcc13a6640 a2=7ffcc13a6640 a3=2 items=0 ppid=11520 pid=11521 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.161:228): avc:  denied  { getattr } for  pid=11521 comm="roundup-server" path="/proc/meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.272:229): arch=c000003e syscall=4 success=yes exit=0 a0=2c17120 a1=7ffcc13a6ac0 a2=7ffcc13a6ac0 a3=6f632f746c756166 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.272:229): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.276:230): arch=c000003e syscall=2 success=yes exit=4 a0=2a56e20 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.276:230): avc:  denied  { open } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { read } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.301:231): arch=c000003e syscall=4 success=no exit=-2 a0=2cfda20 a1=7ffcc13a7020 a2=7ffcc13a7020 a3=20 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.301:231): avc:  denied  { search } for  pid=11524 comm="roundup-server" name="httpd" dev=vda1 ino=271872 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.505:232): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=3 a2=0 a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.505:232): avc:  denied  { create } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:233): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7ffcc13a6f30 a2=c a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:233): avc:  denied  { bind } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:234): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7ffcc13a6f30 a2=7ffcc13a6f3c a3=ffffffff items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:234): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
time->Mon Oct  3 10:10:23 2016
type=SYSCALL msg=audit(1475503823.507:235): arch=c000003e syscall=44 success=yes exit=20 a0=5 a1=7ffcc13a6ea0 a2=14 a3=0 items=0 ppid=1 pid=11524 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="roundup-server" exe="/usr/bin/python" subj=unconfined_u:system_r:roundup_t:s0 key=(null)
type=AVC msg=audit(1475503823.507:235): avc:  denied  { nlmsg_read } for  pid=11524 comm="roundup-server" scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:system_r:roundup_t:s0 tclass=netlink_route_socket
----
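
Added example (not from the bug report): a Python summary of AVC records from Comment 7, grouping denials by source type, target type and class and listing the permissions that only the permissive run exposes, since enforcing mode stops at the first denied call. The records are copied from Comment 7 and limited to /proc/meminfo and config.ini; the function names are illustrative, and the allow-style lines are a triage summary, not the rules shipped in the erratum.

```python
import re

# AVC records copied from Comment 7 (RHEL-6.8), limited to the two objects
# that appear in both runs: /proc/meminfo and the tracker's config.ini.
ENFORCING = '''\
type=AVC msg=audit(1475503705.806:214): avc:  denied  { read } for  pid=6111 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503705.918:215): avc:  denied  { getattr } for  pid=6114 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
'''
PERMISSIVE = '''\
type=AVC msg=audit(1475503823.161:227): avc:  denied  { open } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:227): avc:  denied  { read } for  pid=11521 comm="roundup-server" name="meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.161:228): avc:  denied  { getattr } for  pid=11521 comm="roundup-server" path="/proc/meminfo" dev=proc ino=4026532034 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1475503823.272:229): avc:  denied  { getattr } for  pid=11524 comm="roundup-server" path="/var/lib/roundup/trackers/default/config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { open } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1475503823.276:230): avc:  denied  { read } for  pid=11524 comm="roundup-server" name="config.ini" dev=vda1 ino=535435 scontext=unconfined_u:system_r:roundup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
'''

# Works for raw records and for the interpreted (`ausearch -i` style) records
# in the earlier comments: only the braces and the three key=value fields
# are needed.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}"
    r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def parse_avcs(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # SYSCALL, PATH, CWD, separators
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["c"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def allow_rules(rules):
    """Render the grouped denials in policy 'allow' syntax for review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def masked_by_enforcing(enforcing, permissive):
    """Permissions that appear only once the first denial no longer blocks."""
    out = {}
    for key, perms in permissive.items():
        extra = perms - enforcing.get(key, set())
        if extra:
            out[key] = extra
    return out


if __name__ == "__main__":
    enf, per = parse_avcs(ENFORCING), parse_avcs(PERMISSIVE)
    print("\n".join(allow_rules(per)))
    for key, extra in sorted(masked_by_enforcing(enf, per).items()):
        print("only in permissive:", key, sorted(extra))
```

The var_lib_t group is the labeling problem from Comment 5, so it calls for a file-context correction rather than an allow rule.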

Comment 15 errata-xmlrpc 2017-03-21 09:44:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html

