I also encounter the problem with starting/stopping services (installing packages as per bug 722579 works well for me with the stated configuration).

Packages:
ricci-0.12.2-32.el5_7.1
selinux-policy-2.4.6-317.el5
selinux-policy-targeted-2.4.6-317.el5

How ricci handles services:
Ricci's executable module /usr/libexec/ricci-modrpm executes "/etc/init.d/$SERVICENAME (start|stop|restart)".
Note: I tried using "/sbin/service $SERVICENAME (start|stop|restart)" instead, but got the same result.

+++ Partial manual clone (removing unrelated comments) of bug 722579 +++

> Comment ##4 Brandon Perkins 2011-10-04 19:32:11 CEST

The issue described in the original description appears to be fixed (using selinux-policy-2.4.6-317.el5 and ricci-0.12.2-33.el5). However, that then exposes the next issue. While not related to the original installation of RPMs, which is in fact working now, it appears ricci is unable to start the daemons for a similar reason. I am happy to open this as a new bug if that's preferred.

Summary:
SELinux is preventing ricci-modservic (ricci_modservice_t) "create" to <Unknown> (ricci_modservice_t).

Detailed Description:
SELinux denied access requested by ricci-modservic. It is not expected that this access is required by ricci-modservic and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modservice_t
Target Context                system_u:system_r:ricci_modservice_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modservic
Source Path                   /usr/libexec/ricci-modservice
Port                          <Unknown>
Host                          bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-33.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Platform                      Linux bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com 2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Oct 4 13:26:46 2011
Last Seen                     Tue Oct 4 13:26:46 2011
Local ID                      932f9ada-a4cc-4ca7-8149-02ce9f8b91ce
Line Numbers

Raw Audit Messages

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1317749206.35:39): avc: denied { create } for pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)

> Comment ##5 Miroslav Grepl 2011-10-05 07:05:21 CEST

Ok, this is a different AVC msg.
In addition to the "create -- unix_dgram_socket" message, I got a "write -- pipe" one when stopping the bluetooth service (the denial messages probably differ according to the content of the respective initscripts, i.e. what commands are being executed):

Summary:
SELinux is preventing rfcomm (bluetooth_t) "write" to pipe (ricci_modservice_t).

Detailed Description:
SELinux denied access requested by rfcomm [...]

Allowing Access:
[...]

Additional Information:

Source Context                root:system_r:bluetooth_t
Target Context                root:system_r:ricci_modservice_t
Target Objects                pipe [ fifo_file ]
Source                        rfcomm
Source Path                   /usr/bin/rfcomm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bluez-utils-3.7-2.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-274.6.1.el5 #1 SMP Fri Sep 23 21:12:11 EDT 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon Oct 17 17:27:53 2011
Last Seen                     Mon Oct 17 17:29:28 2011
Local ID                      e82c731a-91b3-4f6b-8a77-25da319a8b04
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15659]" dev=pipefs ino=15659 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15660]" dev=pipefs ino=15660 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=SYSCALL msg=audit(1318865368.500:85): arch=c000003e syscall=59 success=yes exit=0 a0=18e67300 a1=18e67460 a2=18e6dc10 a3=8 items=0 ppid=3883 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rfcomm" exe="/usr/bin/rfcomm" subj=root:system_r:bluetooth_t:s0 key=(null)
With the same program (ricci's executable module), service enable/disable also generates a message like Brandon's (comment ##4 within the description). Such requests are handled by executing "/sbin/chkconfig (on|off)".
Note that despite the SELinux denial messages, all the mentioned actions regarding services seem to succeed (with SELinux in enforcing mode).
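To see what the raw audit records quoted above actually say, and why the service actions can still succeed even though denials are logged, here is an added example (not code from this report, from ricci or from selinux-policy) that parses AVC and SYSCALL records, joins them by audit event id, renders the allow rules audit2allow would print for them, and reports whether the denied system call actually failed. The sample records are the two denials quoted in this thread, with whitespace normalised and the host= prefix dropped; the x86_64 syscall-name table and all function names are this example's own.

```python
"""Parse raw SELinux audit records (AVC + SYSCALL) and summarise the denials.

Added example for this bug thread; not code from the report, ricci or
selinux-policy. SAMPLE holds the records quoted in the thread (whitespace
normalised, host= prefix dropped). SYSCALL_NAMES_X86_64 is an assumption
covering only the two numbers that occur in the sample (arch=c000003e).
"""
import errno
import re
from collections import defaultdict

SYSCALL_NAMES_X86_64 = {41: "socket", 59: "execve"}

SAMPLE = """\
type=AVC msg=audit(1317749206.35:39): avc: denied { create } for pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)
type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15659]" dev=pipefs ino=15659 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file
type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15660]" dev=pipefs ino=15660 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1318865368.500:85): arch=c000003e syscall=59 success=yes exit=0 a0=18e67300 a1=18e67460 a2=18e6dc10 a3=8 items=0 ppid=3883 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rfcomm" exe="/usr/bin/rfcomm" subj=root:system_r:bluetooth_t:s0 key=(null)
"""

_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
_PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into type, event id (ts:serial) and fields."""
    m = _EVENT_RE.search(line)
    rec = {"event": f"{m.group(1)}:{m.group(2)}" if m else None, "fields": {}}
    for key, value in _KV_RE.findall(line):
        rec["fields"][key] = value.strip('"')
    rec["type"] = rec["fields"].get("type")
    p = _PERM_RE.search(line)          # only AVC records carry "{ perms }"
    if p:
        rec["result"] = p.group(1)
        rec["perms"] = set(p.group(2).split())
    return rec


def group_events(text):
    """Group records by event id; AVC and SYSCALL of one call share an id."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line.strip())
            events.setdefault(rec["event"], []).append(rec)
    return events


def context_type(ctx):
    """user:role:type:level -> type, the part an allow rule is written in."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def denials(text):
    """One entry per AVC denial, joined with its event's SYSCALL record."""
    out = []
    for event, recs in group_events(text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for r in recs:
            if r["type"] != "AVC" or r.get("result") != "denied":
                continue
            f = r["fields"]
            d = {"event": event, "comm": f.get("comm"), "perms": r["perms"],
                 "source": context_type(f["scontext"]),
                 "target": context_type(f["tcontext"]), "tclass": f["tclass"],
                 "syscall": None, "failed": None, "errno": None}
            if syscall is not None:
                sf = syscall["fields"]
                nr = int(sf["syscall"])
                d["syscall"] = SYSCALL_NAMES_X86_64.get(nr, str(nr))
                d["failed"] = sf["success"] == "no"
                if d["failed"]:          # exit=-13 -> EACCES
                    d["errno"] = errno.errorcode.get(-int(sf["exit"]), sf["exit"])
            out.append(d)
    return out


def allow_rules(dens):
    """Merge denials into the allow rules audit2allow would print; a target
    type equal to the source type is written as 'self'."""
    merged = defaultdict(set)
    for d in dens:
        target = "self" if d["target"] == d["source"] else d["target"]
        merged[(d["source"], target, d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def explain(d):
    """State whether the denied call failed. A denial attached to a successful
    execve is a descriptor inherited across the domain transition that the new
    domain may not use; SELinux drops that descriptor instead of failing the
    exec, so the program still runs."""
    head = f"{d['comm']}: {d['source']} -> {d['target']}:{d['tclass']}"
    if d["failed"]:
        return f"{head} denied, {d['syscall']}() failed with {d['errno']}"
    if d["syscall"] == "execve":
        return f"{head} denied on an inherited fd, execve itself succeeded"
    return f"{head} denied, {d['syscall']} succeeded"


if __name__ == "__main__":
    found = denials(SAMPLE)
    for d in found:
        print(explain(d))
    print("\n".join(allow_rules(found)))
```

The first record is a real failure: socket() returned EACCES, so ricci-modservice could not create its datagram socket. The two fifo_file denials belong to an execve that succeeded (success=yes): the pipes ricci handed to the init script were not writable from bluetooth_t once rfcomm transitioned into that domain, so SELinux dropped the descriptors rather than refusing the exec, which is consistent with the observation above that the service actions still complete. Feeding the same records to `audit2allow -i` should produce the same two rules; loading them as a local module is a stopgap for a known-good application such as this one, and the errata policy update is the proper fix.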
Re comment 2: "/sbin/chkconfig $SERVICENAME (on|off)", indeed
Fixed in selinux-policy-2.4.6-318.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html