Description of problem: 6/5 selinux in permissive 1. setup monitoring 2. setup serveral probes 3. push scout config 4. verify probes are working 5. turn selinux to enforcing.. restart MonitoringScout service get type=AVC msg=audit(1244480234.543:2676): avc: denied { getattr } for pid=2347 comm="MonitoringScout" path="/var/lock/subsys/MonitoringScout" dev=dm-0 ino=1504714 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lock_t:s0 tclass=file type=AVC msg=audit(1244480245.015:2677): avc: denied { unlink } for pid=2355 comm="npBootstrap.pl" name="SatCluster.ini" dev=dm-0 ino=8406822 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1244480245.023:2678): avc: denied { read write } for pid=2355 comm="npBootstrap.pl" name="npBootstrap.db" dev=dm-0 ino=1578380 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1244480245.163:2680): avc: denied { getattr } for pid=2347 comm="MonitoringScout" path="/var/lib/nocpulse/scheduler.xml" dev=dm-0 ino=1578385 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1244480247.223:2681): avc: denied { read } for pid=2421 comm="gogo.pl" name="SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=AVC msg=audit(1244480247.247:2682): avc: denied { write } for pid=2421 comm="gogo.pl" name="SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=AVC msg=audit(1244480247.247:2683): avc: denied { signal } for pid=2424 comm="gogo.pl" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process type=AVC msg=audit(1244480247.247:2684): avc: denied { getattr } for pid=2424 comm="gogo.pl" path="/var/run/SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
This may be dupe of 494909.
It is indeed dupe. And after propper restorecon on all files I did not get any selinux AVC messages after scout restart. However I do get AVC denial after Monitoring (backend) restart: type=AVC msg=audit(1244630463.726:33): avc: denied { getattr } for pid=5805 comm="notif-escalator" path="/var/tmp/escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL msg=audit(1244630463.726:33): arch=40000003 syscall=195 success=yes exit=0 a0=a0f7358 a1=9c590c8 a2=b7eff4 a3=a0f7358 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null) type=AVC msg=audit(1244630464.870:34): avc: denied { read } for pid=5805 comm="notif-escalator" name="escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL msg=audit(1244630464.870:34): arch=40000003 syscall=5 success=yes exit=5 a0=a37d8d8 a1=8000 a2=0 a3=8000 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null) type=AVC msg=audit(1244630464.870:35): avc: denied { ioctl } for pid=5805 comm="notif-escalator" path="/var/tmp/escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL msg=audit(1244630464.870:35): arch=40000003 syscall=54 success=no exit=-25 a0=5 a1=5401 a2=bf9376e8 a3=bf937728 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
Fixed in commit 3fa178e00aa2ddf2bc07de2c26ee5c8612d286eb
compose 20090612 moving ON_QA
verified 6/12.1
After MonitoringScout service restart: # grep denied /var/log/audit/audit.log type=AVC msg=audit(1251117383.525:27): avc: denied { unlink } for pid=2124 comm="npBootstrap.pl" name="SatCluster.ini" dev=dm-0 ino=1366532 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
The last one remaining denial was cloned as bug #518975. Otherwise RELEASE_PENDING.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html