Hide Forgot
Info: Searching AVC errors produced since 1474892210.29 (Mon Sep 26 14:16:50 2016) Searching logs... Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/26/2016 14:16:50 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.rFRjd8 2>&1' ---- time->Mon Sep 26 14:22:58 2016 type=USER_AVC msg=audit(1474892578.631:254): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' ---- time->Mon Sep 26 14:23:05 2016 type=SYSCALL msg=audit(1474892585.830:269): arch=c000003e syscall=9 success=yes exit=140244910362624 a0=0 a1=208470 a2=5 a3=802 items=0 ppid=27132 pid=27133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null) type=AVC msg=audit(1474892585.830:269): avc: denied { execute } for pid=27133 comm="dhcpd" path="/lib64/libnss_sss.so.2" dev="dm-0" ino=9498937 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file ---- time->Mon Sep 26 14:23:27 2016 type=SYSCALL msg=audit(1474892607.507:392): arch=c000003e syscall=9 success=yes exit=140418800103424 a0=0 a1=208470 a2=5 a3=802 items=0 ppid=27791 pid=27792 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null) type=AVC msg=audit(1474892607.507:392): avc: denied { execute } for pid=27792 comm="dhcpd" path="/lib64/libnss_sss.so.2" dev="dm-0" ino=9498937 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file Fail: AVC messages found. Checking for errors... Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems. Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.rFRjd8 | /sbin/ausearch -m AVC -m SELINUX_ERR' Fail: AVC messages found. Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.u8UuL8 2>&1' Info: No AVC messages found. /bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log No AVC messages found in dmesg Running '/usr/sbin/sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Running 'rpm -q selinux-policy || true' selinux-policy-3.13.1-100.el7.noarch
The /lib64/libnss_sss.so.2 file is mislabeled # matchpathcon /lib64/libnss_sss.so.2 /lib64/libnss_sss.so.2 system_u:object_r:lib_t:s0 # Please run following command on your machine: # restorecon -Rv /lib64
Is this something that I have broken myself or is this something that needs to be fixed in selinux-policy?
It looks like that you system is/was mislabeled, so there is no need to change it in selinux-policy.
Are you able to reproduce it? Where does it come from? Beaker? Thank you.
*** Bug 1388442 has been marked as a duplicate of this bug. ***
Is it still relevant? Do you still see SELinux denials mentioned in comment#0? If not, we will close the bug because of mislableled filesystem on your side. Mislabeled files can be repaired via restorecon -Rv ...
We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug.