Bug 707616 - MLS selinux mode: cannot register machine
Summary: MLS selinux mode: cannot register machine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-05-25 14:18 UTC by Petr Sklenar
Modified: 2011-12-06 10:08 UTC (History)
CC: 6 users

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:08:09 UTC
Target Upstream Version:
Embargoed:


Attachments
selinux denials (26.69 KB, text/plain)
2011-05-25 14:18 UTC, Petr Sklenar


Links
Red Hat Product Errata RHBA-2011:1511 (priority normal, status SHIPPED_LIVE): "selinux-policy bug fix and enhancement update", last updated 2011-12-06 00:39:17 UTC

Description Petr Sklenar 2011-05-25 14:18:08 UTC
Description of problem:
I cannot register a machine which is in MLS SELinux mode.

Version-Release number of selected component (if applicable):
latest rhel6 rhn-client-tools
rhn-client-tools-1.0.0-61.el6.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. setup machine in MLS selinux mode
2. rhnreg_ks --username=<username> --password=password --server=http://<satellite>/XMLRPC
  
Actual results:
[root/sysadm_r/s0@x86-64-v11 ~]# rhnreg_ks --username=<username> --password=password --server=http://<satellite>/XMLRPC
env: /etc/init.d/rhnsd: Permission denied
env: /etc/init.d/rhnsd: Permission denied
sh: /usr/sbin/rhn_check: /usr/bin/python: bad interpreter: Permission denied

Expected results:
An MLS machine can be registered without any error.

Additional info:

Comment 1 Petr Sklenar 2011-05-25 14:18:45 UTC
Created attachment 500833 [details]
selinux denials

Comment 2 Petr Sklenar 2011-05-25 14:25:17 UTC
It works well in RHEL 5 -> adding the keyword Regression.

Comment 7 Jan Pazdziora 2011-08-08 11:58:30 UTC
Miroslav says that it looks like a policy bug -- switching to selinux-policy.

Comment 8 Miroslav Grepl 2011-08-08 12:11:52 UTC
Petr,
if you boot in permissive mode in MLS, are you getting more AVC msgs?

Comment 9 Miroslav Vadkerti 2011-08-08 12:22:24 UTC
I see these AVCs:

----
time->Mon Aug  8 07:19:06 2011
type=SYSCALL msg=audit(1312805946.825:468): arch=c000003e syscall=2 success=yes exit=8 a0=7fe315daa260 a1=0 a2=10000 a3=0 items=0 ppid=25182 pid=25274 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312805946.825:468): avc:  denied  { open } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=AVC msg=audit(1312805946.825:468): avc:  denied  { read } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
----
time->Mon Aug  8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.280:469): arch=c000003e syscall=59 success=yes exit=0 a0=7fff7311895a a1=7fff73117c98 a2=8cd030 a3=7fff731178c0 items=0 ppid=25286 pid=25291 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnsd" exe="/bin/bash" subj=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.280:469): avc:  denied  { entrypoint } for  pid=25291 comm="env" path="/etc/rc.d/init.d/rhnsd" dev=dm-0 ino=140535 scontext=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1312806030.280:469): security_compute_sid:  invalid context staff_u:system_r:sysadm_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
----
time->Mon Aug  8 07:20:30 2011
type=SYSCALL msg=audit(1312806030.752:481): arch=c000003e syscall=62 success=yes exit=0 a0=62c2 a1=0 a2=62e2 a3=1 items=0 ppid=25282 pid=25314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=staff_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.752:481): avc:  denied  { signull } for  pid=25314 comm="rhn_check" scontext=staff_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process

Comment 11 Daniel Walsh 2011-08-08 14:15:22 UTC
What happens if you use

run_init to do the update?

Comment 12 Miroslav Grepl 2011-08-08 14:23:40 UTC
Mirek,
could you add your AVC msgs from using run_init?

Comment 13 Miroslav Vadkerti 2011-08-08 14:35:18 UTC
Sure:

----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.401:484): arch=c000003e syscall=2 success=yes exit=3 a0=1e66040 a1=2 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.401:484): avc:  denied  { open } for  pid=25439 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.403:485): arch=c000003e syscall=2 success=yes exit=3 a0=20b5720 a1=0 a2=0 a3=16 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.403:485): avc:  denied  { open } for  pid=25439 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.581:486): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.581:486): avc:  denied  { create } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:487): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:487): avc:  denied  { setopt } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:488): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1929100 a2=c a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:488): avc:  denied  { bind } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:15 2011
type=SYSCALL msg=audit(1312807155.583:489): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fffd29b57a0 a2=7fffd29b57b8 a3=7f0eacee4030 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807155.583:489): avc:  denied  { getattr } for  pid=25439 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.647:491): arch=c000003e syscall=2 success=yes exit=7 a0=30c3b20 a1=241 a2=1b6 a3=0 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.647:491): avc:  denied  { write } for  pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.647:492): arch=c000003e syscall=90 success=yes exit=0 a0=30c3b20 a1=180 a2=7f0ec0b497e8 a3=7fffd29b5940 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.647:492): avc:  denied  { setattr } for  pid=25439 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 07:39:20 2011
type=SYSCALL msg=audit(1312807160.646:490): arch=c000003e syscall=82 success=yes exit=0 a0=30c6c50 a1=30c3b20 a2=7f0ec0b497e8 a3=7fffd29b5988 items=0 ppid=25435 pid=25439 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312807160.646:490): avc:  denied  { unlink } for  pid=25439 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=139164 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312807160.646:490): avc:  denied  { rename } for  pid=25439 comm="rhnreg_ks" name="systemid" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

Comment 14 Daniel Walsh 2011-08-08 14:41:56 UTC
We might want to label rhnreg_ks as rpm_exec_t.

chcon -t rpc_exec_t /usr/bin/rhnreg_ks

Comment 15 Miroslav Vadkerti 2011-08-08 15:09:10 UTC
I relabeled it and tried again with run_init and I ended up again with a bunch of AVCs:

secadm# ll -Z /usr/sbin/rhnreg_ks 
# run_init rhnreg_ks --force --username=qa --password=redhatqa --server=http://xmlrpc.rhn.errata.stage.redhat.com/XMLRPC
# ausearch -ts recent -m avc
Warning - freq is non-zero and incremental flushing not selected.
----
time->Mon Aug  8 10:04:59 2011
type=SYSCALL msg=audit(1312815899.745:493): arch=c000003e syscall=188 success=yes exit=0 a0=15510e0 a1=7fc5f0d8f259 a2=1552630 a3=20 items=0 ppid=25182 pid=26338 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="chcon" exe="/usr/bin/chcon" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815899.745:493): avc:  denied  { relabelto } for  pid=26338 comm="chcon" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:11 2011
type=SYSCALL msg=audit(1312815911.753:495): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff8eba8460 a3=7fff8eba82b0 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815911.753:495): avc:  denied  { ioctl } for  pid=26348 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:11 2011
type=SYSCALL msg=audit(1312815911.732:494): arch=c000003e syscall=59 success=yes exit=0 a0=e5e130 a1=e77ea0 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815911.732:494): avc:  denied  { execute_no_trans } for  pid=26348 comm="bash" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312815911.732:494): avc:  denied  { read open } for  pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312815911.732:494): avc:  denied  { execute } for  pid=26348 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:35 2011
type=SYSCALL msg=audit(1312815935.795:497): arch=c000003e syscall=59 success=no exit=-13 a0=e7a1b0 a1=e85790 a2=e76a00 a3=7fffc8b5a470 items=0 ppid=25182 pid=26355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815935.795:497): avc:  denied  { execute } for  pid=26355 comm="bash" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:05:42 2011
type=SYSCALL msg=audit(1312815942.757:500): arch=c000003e syscall=59 success=no exit=-13 a0=7fffd27ade9d a1=7fffd27b2600 a2=7fffd27b2630 a3=7fffd27adcd0 items=0 ppid=26356 pid=26360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815942.757:500): avc:  denied  { execute } for  pid=26360 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:06:03 2011
type=SYSCALL msg=audit(1312815963.685:503): arch=c000003e syscall=59 success=no exit=-13 a0=7fffe9cb660d a1=7fffe9cbad70 a2=7fffe9cbada0 a3=7fffe9cb6440 items=0 ppid=26371 pid=26375 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312815963.685:503): avc:  denied  { execute } for  pid=26375 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:06:43 2011
type=SYSCALL msg=audit(1312816003.965:508): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816003.965:508): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:06:44 2011
type=SYSCALL msg=audit(1312816004.120:509): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816004.120:509): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:06:44 2011
type=SYSCALL msg=audit(1312816004.236:510): arch=c000003e syscall=4 success=no exit=-13 a0=209b6a0 a1=7fffd403d280 a2=7fffd403d280 a3=1 items=0 ppid=26378 pid=26382 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816004.236:510): avc:  denied  { read } for  pid=26382 comm="bash" name="selinux-policy" dev=dm-0 ino=35134 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:admin_home_t:s0 tclass=lnk_file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.577:515): arch=c000003e syscall=59 success=yes exit=0 a0=7fffdf58a03d a1=7fffdf58e7a0 a2=7fffdf58e7d0 a3=7fffdf589e70 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.577:515): avc:  denied  { execute_no_trans } for  pid=26431 comm="open_init_pty" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312816032.577:515): avc:  denied  { read open } for  pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312816032.577:515): avc:  denied  { execute } for  pid=26431 comm="open_init_pty" name="rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.597:516): arch=c000003e syscall=6 success=yes exit=0 a0=7fff65c507c0 a1=7fff65c4d6c0 a2=7fff65c4d6c0 a3=7fff65c4d510 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.597:516): avc:  denied  { getattr } for  pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:12 2011
type=SYSCALL msg=audit(1312816032.597:517): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff65c51740 a3=7fff65c51590 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816032.597:517): avc:  denied  { ioctl } for  pid=26431 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.366:518): arch=c000003e syscall=2 success=yes exit=3 a0=27f4750 a1=2 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.366:518): avc:  denied  { open } for  pid=26431 comm="rhnreg_ks" name="__db.001" dev=dm-4 ino=1213 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.368:519): arch=c000003e syscall=2 success=yes exit=3 a0=2c0b870 a1=0 a2=0 a3=16 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.368:519): avc:  denied  { open } for  pid=26431 comm="rhnreg_ks" name="Packages" dev=dm-4 ino=18 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.545:520): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.545:520): avc:  denied  { create } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.547:521): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.547:521): avc:  denied  { setopt } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.547:522): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=2799580 a2=c a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.547:522): avc:  denied  { bind } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:13 2011
type=SYSCALL msg=audit(1312816033.548:523): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff65c50aa0 a2=7fff65c50ab8 a3=7f3137e5b030 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816033.548:523): avc:  denied  { getattr } for  pid=26431 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.577:525): arch=c000003e syscall=2 success=yes exit=7 a0=3c19af0 a1=241 a2=1b6 a3=0 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.577:525): avc:  denied  { write } for  pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.577:526): arch=c000003e syscall=90 success=yes exit=0 a0=3c19af0 a1=180 a2=7f314be4e7e8 a3=7fff65c50c40 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.577:526): avc:  denied  { setattr } for  pid=26431 comm="rhnreg_ks" name="up2date" dev=dm-0 ino=146615 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Mon Aug  8 10:07:18 2011
type=SYSCALL msg=audit(1312816038.576:524): arch=c000003e syscall=82 success=yes exit=0 a0=3c1cc20 a1=3c19af0 a2=7f314be4e7e8 a3=7fff65c50c88 items=0 ppid=26427 pid=26431 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312816038.576:524): avc:  denied  { unlink } for  pid=26431 comm="rhnreg_ks" name="systemid.save" dev=dm-0 ino=140826 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:etc_t:s0 tclass=file

Comment 16 Daniel Walsh 2011-08-08 15:20:07 UTC
Oops typo.

chcon -t rpm_exec_t ...

Comment 17 Miroslav Vadkerti 2011-08-08 15:31:31 UTC
The results with "chcon -t rpm_exec_t /usr/sbin/rhnreg_ks" using run_init:

time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.241:530): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.241:530): avc:  denied  { create } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:531): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:531): avc:  denied  { setopt } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:532): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=27ec580 a2=c a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:532): avc:  denied  { bind } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:12 2011
type=SYSCALL msg=audit(1312817412.243:533): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff17b4b940 a2=7fff17b4b958 a3=7f3f6a391030 items=0 ppid=26593 pid=26597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817412.243:533): avc:  denied  { getattr } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Mon Aug  8 10:30:18 2011
type=SYSCALL msg=audit(1312817418.193:535): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff4265c690 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817418.193:535): avc:  denied  { name_connect } for  pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Mon Aug  8 10:30:18 2011
type=SYSCALL msg=audit(1312817418.789:536): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff42656620 a2=10 a3=a items=0 ppid=26597 pid=26610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817418.789:536): avc:  denied  { name_connect } for  pid=26610 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Mon Aug  8 10:30:17 2011
type=SYSCALL msg=audit(1312817417.775:534): arch=c000003e syscall=59 success=yes exit=0 a0=7f3f7d4e9e43 a1=7fff17b4be60 a2=7fff17b4c8f0 a3=8 items=0 ppid=26597 pid=26598 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312817417.775:534): avc:  denied  { read write } for  pid=26598 comm="sh" path="socket:[162505]" dev=sockfs ino=162505 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket
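The dumps in comments 9, 15 and 17 mix three kinds of failure that need three different fixes: ordinary missing allow rules (the netlink_kobject_uevent_socket denials for rpm_t), a labeling problem (the unlabeled_t target left behind by the mistyped chcon in comment 15, which no allow rule will fix) and the SELINUX_ERR invalid-context record in comment 9, where the kernel computed a system_r:sysadm_t context that the policy does not permit. The script below is an added example, not code from this bug or from the selinux-policy project; it parses those record formats and sorts them into the three buckets, emitting audit2allow-style candidate rules for the first bucket only. The embedded input is a constructed sample copied from the dumps above (SYSCALL fields trimmed); on a real host the input would be `ausearch -m avc,selinux_err -ts recent` output.

```python
import re
from collections import defaultdict

# Constructed sample input: audit records copied from the AVC dumps in comments 9, 15 and 17
# of this bug (one SYSCALL line trimmed), embedded inline so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1312805946.825:468): avc:  denied  { open } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=AVC msg=audit(1312805946.825:468): avc:  denied  { read } for  pid=25274 comm="rhnreg_ks" name="mem" dev=devtmpfs ino=3598 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=SYSCALL msg=audit(1312806030.280:469): arch=c000003e syscall=59 success=yes exit=0 comm="rhnsd" exe="/bin/bash" subj=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312806030.280:469): avc:  denied  { entrypoint } for  pid=25291 comm="env" path="/etc/rc.d/init.d/rhnsd" dev=dm-0 ino=140535 scontext=staff_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1312806030.280:469): security_compute_sid:  invalid context staff_u:system_r:sysadm_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
type=AVC msg=audit(1312815911.753:495): avc:  denied  { ioctl } for  pid=26348 comm="rhnreg_ks" path="/usr/sbin/rhnreg_ks" dev=dm-0 ino=20703 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1312817412.241:530): avc:  denied  { create } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1312817412.243:531): avc:  denied  { setopt } for  pid=26597 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
"""

# One AVC denial per line: the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# security_compute_sid failure: the kernel computed a context the policy does not allow.
ERR_RE = re.compile(
    r'type=SELINUX_ERR .*?invalid context (?P<computed>\S+) for '
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself contains ':' (s0-s15:c0.c1023)."""
    user, role, typ, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': rest[0] if rest else ''}


def parse_records(text):
    """Yield one dict per AVC denial or SELINUX_ERR line; every other record type is skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {'kind': 'avc', 'perms': set(m['perms'].split()),
                   'scontext': m['scontext'], 'tcontext': m['tcontext'], 'tclass': m['tclass']}
            continue
        m = ERR_RE.search(line)
        if m:
            yield {'kind': 'invalid_context', 'computed': m['computed'],
                   'scontext': m['scontext'], 'tcontext': m['tcontext'], 'tclass': m['tclass']}


def triage(text):
    """Sort records into candidate allow rules, labeling problems and constraint failures."""
    rules = defaultdict(set)   # (src_type, tgt_type, tclass) -> union of denied permissions
    labeling = set()           # target is unlabeled_t: needs restorecon / a file context, not a rule
    constraint = []            # SELINUX_ERR: role/type pairing or MLS constraint rejected
    for rec in parse_records(text):
        src, tgt = split_context(rec['scontext']), split_context(rec['tcontext'])
        if rec['kind'] == 'invalid_context':
            comp = split_context(rec['computed'])
            constraint.append(
                f"exec of {tgt['type']} from {src['role']}:{src['type']} computed "
                f"{comp['role']}:{comp['type']}, which policy rejects (role/type or MLS constraint)")
            continue
        # audit2allow writes a domain acting on itself as 'self'.
        tgt_type = 'self' if tgt['type'] == src['type'] else tgt['type']
        key = (src['type'], tgt_type, rec['tclass'])
        if tgt['type'] == 'unlabeled_t':
            labeling.add(key)
        else:
            rules[key] |= rec['perms']
    allow = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(rules.items())]
    return {'allow': allow, 'labeling': sorted(labeling), 'constraint': constraint}


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT)
    print('candidate allow rules (review before loading):')
    for rule in result['allow']:
        print('  ' + rule)
    print('labeling problems (fix with restorecon / file contexts):', result['labeling'])
    print('constraint failures:', result['constraint'])
```

The candidate rules are a starting point for a policy developer, not something to load as a local module: the entrypoint rule, for instance, would paper over the role transition failure rather than fix it, and a denial against unlabeled_t means the file lost its label (here through the mistyped chcon), so the right response is a relabel, not a rule. The fix that shipped for this bug was a selinux-policy update (selinux-policy-3.7.19-107.el6), which is the usual outcome once the AVCs have been sorted this way.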

Comment 18 Daniel Walsh 2011-08-08 15:37:48 UTC
I like that list of AVCs better than what we were seeing before.

Comment 19 Daniel Walsh 2011-08-08 15:38:16 UTC
semanage permissive -a rpm_script_t
semanage permissive -a rpm_t

To collect all AVCs.

Comment 20 Miroslav Vadkerti 2011-08-09 06:50:32 UTC
This is what I did:
+ semanage permissive -a rpm_script_t
+ semanage permissive -a rpm_t
+ left rpm_exec_t on rhnreg_ks
+ setenforce 0
+ re-run rhnreg_ks via run_init

----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.233:545): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80002 a2=f a3=0 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.233:545): avc:  denied  { create } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:546): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=1a a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:546): avc:  denied  { setopt } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:547): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=1643580 a2=c a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:547): avc:  denied  { bind } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:46 2011
type=SYSCALL msg=audit(1312872406.235:548): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7fff91861330 a2=7fff91861348 a3=7f35c6c0b030 items=0 ppid=32228 pid=32232 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhnreg_ks" exe="/usr/bin/python" subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872406.235:548): avc:  denied  { getattr } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----
time->Tue Aug  9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.712:550): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff76326d80 a2=10 a3=a items=0 ppid=32232 pid=32245 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="rhn_check" exe="/usr/bin/python" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.712:550): avc:  denied  { name_connect } for  pid=32245 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
time->Tue Aug  9 01:46:51 2011
type=SYSCALL msg=audit(1312872411.126:549): arch=c000003e syscall=59 success=yes exit=0 a0=7f35d9d63e43 a1=7fff91861850 a2=7fff918622e0 a3=8 items=0 ppid=32232 pid=32233 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1312872411.126:549): avc:  denied  { read write } for  pid=32233 comm="sh" path="socket:[179372]" dev=sockfs ino=179372 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_route_socket

Comment 21 Miroslav Grepl 2011-08-09 11:53:28 UTC
As Dan said, it looks good.

I would add these and change the label to rpm_exec_t.

Comment 22 Daniel Walsh 2011-08-09 13:32:07 UTC
Excellent.

Comment 23 Miroslav Grepl 2011-08-10 15:48:33 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 25 Karel Srot 2011-10-06 11:08:17 UTC
Retested with selinux-policy-3.7.19-113.el6.noarch

# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test

works but the run_init version:

# run_init rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test
Authenticating root.
Password: 
execvp: Permission denied
[root@rhel62 ~]#

type=AVC msg=audit(1317898528.561:38): avc:  denied  { entrypoint } for  pid=1374 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

In permissive I get:

type=AVC msg=audit(1317899096.407:51): avc:  denied  { entrypoint } for  pid=1452 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1317899099.243:52): avc:  denied  { open } for  pid=1452 comm="rhnreg_ks" name="__db.001" dev=vda1 ino=132691 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.247:53): avc:  denied  { open } for  pid=1452 comm="rhnreg_ks" name="Packages" dev=vda1 ino=130313 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1317899099.378:54): avc:  denied  { create } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:55): avc:  denied  { setopt } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:56): avc:  denied  { bind } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899099.379:57): avc:  denied  { getattr } for  pid=1452 comm="rhnreg_ks" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1317899106.120:58): avc:  denied  { write } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1317899106.120:59): avc:  denied  { setattr } for  pid=1452 comm="rhnreg_ks" name="up2date" dev=vda1 ino=3411 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Am I supposed to use run_init or not?
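The two AVC lists above (the rpm_t/rpm_script_t denials collected under permissive in comment 20, and the initrc_t denials in comment 25) are read by hand in the thread. As an added example, not part of the bug report or of any Red Hat tool, here is a small parser that does what a triager does with such a list: merge the denials into audit2allow-style rule summaries and flag the one pattern that a plain allow rule would not fix, an `entrypoint` denial on an `*_exec_t` file, which means the caller never left its own domain. The sample records are copied from the comments above; the helper names are my own.

```python
import re
from collections import defaultdict

# Sample AVC records, copied verbatim from comments 20 and 25 of this bug.
SAMPLE_AVCS = """
type=AVC msg=audit(1312872406.233:545): avc:  denied  { create } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1312872406.235:546): avc:  denied  { setopt } for  pid=32232 comm="rhnreg_ks" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1312872411.712:550): avc:  denied  { name_connect } for  pid=32245 comm="rhn_check" dest=80 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1317898528.561:38): avc:  denied  { entrypoint } for  pid=1374 comm="run_init" path="/usr/sbin/rhnreg_ks" dev=vda1 ino=269291 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
"""

# Permission set, then source/target context and object class, in the order auditd prints them.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    src = m['scontext'].split(':')[2]
    tgt = m['tcontext'].split(':')[2]
    return src, tgt, m['tclass'], set(m['perms'].split())


def summarize(text):
    """Merge denials per (source, target, class), the way audit2allow groups them."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            rules[(src, tgt, cls)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render merged denials as allow-rule candidates (for review, not for blind loading)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def transition_problems(rules):
    """(source, exec_type) pairs where a domain stayed put instead of transitioning.

    An 'entrypoint' denial on a *_exec_t file means no type_transition fired, so the
    fix is a transition rule or a relabel, not an allow rule on the entrypoint itself."""
    return sorted((src, tgt) for (src, tgt, cls), perms in rules.items()
                  if cls == 'file' and 'entrypoint' in perms and tgt.endswith('_exec_t'))


if __name__ == '__main__':
    merged = summarize(SAMPLE_AVCS)
    print('\n'.join(format_rules(merged)))
    print('transition problems:', transition_problems(merged))
```

On the sample, the rpm_t self denials collapse into one `netlink_kobject_uevent_socket` rule, and the run_init record is reported separately as a missing initrc_t to rpm_t transition, which matches the thread's eventual answer of running rhnreg_ks directly.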

Comment 26 Miroslav Grepl 2011-10-06 11:29:26 UTC
Well, it should work either without run_init, because of

allow sysadm_t rpm_t : process transition ;

or also with run_init, which obviously worked.

Comment 27 Miroslav Grepl 2011-10-06 12:14:38 UTC
Ok, I would say

# rhnreg_ks --username=XXX --password=XXX --server=https://xmlrpc.ZZZ.com/XMLRPC --force --profilename=`hostname`-bz707616test

is the correct way to run it now. Not sure which way Mirek tested it before.

Comment 28 Karel Srot 2011-10-07 12:48:31 UTC
Just confirmed again on another system that rhnreg_ks (non run_init variant) works with selinux-policy-3.7.19-115.el6.noarch.

Comment 30 errata-xmlrpc 2011-12-06 10:08:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
