Description of problem: satellite install, selinux denials Monitoring Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso clear audit log install latest satellite iso check audit log type=AVC msg=audit(1235187499.116:389): avc: denied { read write } for pid=9410 comm="Monitoring" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewa lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1235187499.116:389): avc: denied { read write } for pid=9410 comm="Monitoring" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewa lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1235187499.116:389): avc: denied { read write } for pid=9410 comm="Monitoring" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:spacewa lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
What did you do after that installation? After the installer said * Deploying configuration files. * Update configuration in database. * Setting up Cobbler.. * Restarting services. Installation complete. Visit https://your-satellite.redhat.com to create the RHN Satellite administrator account. what other steps did you make? Did you go to the WebUI and activate monitoring? Or is this without even activating monitoring?
Generally, these look like leaked descriptors from whatever automation tool you are using. Please provide info about how exactly you run those installations.
the automation tool is a bash script.. $SVNDIR/qa/automation/sat-install-script/install-sat.sh
Wes confirmed that the installation was run under screen and that re-running the installation without screen does not generate the AVC denials. So currently it looks like leaked file descriptor in screen.
running w/ the correct version of screen did NOT produce this error.. I think we can close this.
recreated on a x86_64 install w/o screen type=AVC msg=audit(1235593563.566:119): avc: denied { sigchld } for pid=9980 comm="Monitoring" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=pr ocess [root@test02-64 ~]# ps -ef | grep 9980 root 27944 20185 0 15:49 pts/1 00:00:00 grep 9980 [root@test02-64 ~]#
Wes, the original report was not about sigchld, if was about read/write on unix_stream_socket. It's not the same issue. We will need new, full bugzilla, describing exactly what you did when you got this sigchld denial -- was it during installation, when services were first restarted, when you activated monitoring, etc.
The same problem as bug 486742: screen possibly leaking descriptors was leading to AVC denials. Closing as NOTABUG as it's not strictly speaking a duplicate -- the cause was the same but the symptoms showed in different programs.