Description of problem:
There's an SELinux denial when running the TPS RHN test case on ia64:

Running: /sbin/ausearch -sv no -m AVC -ts 12/07/2010 10:37:35
SELinux Check: FAIL
SELinux AVC messages found:
----
time->Tue Dec 7 10:38:06 2010
type=SYSCALL msg=audit(1291736286.817:5914): arch=c0000032 syscall=1027 success=no exit=-13 a0=5 a1=200000000000c000 a2=2a a3=220 items=0 ppid=17886 pid=21402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=913 comm="bash" exe="/usr/lib/ia32el/ia32x_loader" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291736286.817:5914): avc: denied { dyntransition } for pid=21402 comm="bash" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

# cat /usr/share/doc/ia32el-1.7/README-SELINUX
Using Intel IA-32 Execution Layer on SELinux-enabled systems
------------------------------------------------------------
On systems running SELinux in enforcing mode, to support emulation properly, Intal IA-32 Execution Layer needs the following three SELinux Booleans to be turned on: "allow_unconfined_execmem_dyntrans", and "allow_execstack" and "allow_execmem". When either of "allow_execstack" and "allow_execmem" SELinux Booleans is turned on, the system will be able to support the emulation, but AVC denials will appear.

# getsebool allow_unconfined_execmem_dyntrans allow_execmem allow_execstack
allow_unconfined_execmem_dyntrans --> off
allow_execmem --> on
allow_execstack --> on

Looks like we're OK with the settings.

*** This bug has been marked as a duplicate of bug 474152 ***
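
An added example, not part of the original report or of ia32el: a triage script that parses the AVC record quoted above and compares `getsebool` output against the three booleans the README-SELINUX text names. The sample strings are constructed from the values shown in this report, and all function names are hypothetical.

```python
import re

# Constructed from the AVC record and getsebool output quoted in this report.
AVC_LINE = ('type=AVC msg=audit(1291736286.817:5914): avc: denied { dyntransition } '
            'for pid=21402 comm="bash" '
            'scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 '
            'tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
GETSEBOOL_OUTPUT = """\
allow_unconfined_execmem_dyntrans --> off
allow_execmem --> on
allow_execstack --> on
"""
# The three booleans the ia32el README-SELINUX says must be turned on.
REQUIRED = ("allow_unconfined_execmem_dyntrans", "allow_execstack", "allow_execmem")

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields["perms"] = m.group("perms").split()
    return fields

def parse_booleans(text):
    """Parse getsebool output lines of the form 'name --> on|off'."""
    states = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+-->\s+(on|off)\b', line)
        if m:
            states[m.group(1)] = (m.group(2) == "on")
    return states

def missing_booleans(text, required=REQUIRED):
    """Required booleans that are off, or absent from the getsebool output."""
    states = parse_booleans(text)
    return [name for name in required if not states.get(name, False)]

def self_dyntransition(avc):
    """True when a process was denied a dynamic transition within its own context."""
    return (avc is not None and "dyntransition" in avc["perms"]
            and avc["tclass"] == "process" and avc["scontext"] == avc["tcontext"])

if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("self dyntransition denied:", self_dyntransition(avc))
    print("required booleans not on:", missing_booleans(GETSEBOOL_OUTPUT))
```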