Bug 836311 - New corosync SELinux policy makes heartbeat unusable by default
Summary: New corosync SELinux policy makes heartbeat unusable by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 879805 879806
Depends On:
Blocks: 782183 840699
Reported: 2012-06-28 16:35 UTC by Robert Scheck
Modified: 2018-12-03 17:40 UTC

Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:24:59 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 167183 0 None None None 2012-07-19 18:04:21 UTC
Red Hat Product Errata RHBA-2013:0314 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 20:35:01 UTC

Description Robert Scheck 2012-06-28 16:35:51 UTC
Description of problem:
New corosync SELinux policy makes heartbeat unusable by default.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
heartbeat-3.0.4-1.el6.x86_64

How reproducible:
Every time, install RHEL 6.3 and heartbeat from EPEL with e.g. legacy setup
in heartbeat 1.x mode, thus without pacemaker.

Actual results:
New corosync SELinux policy makes heartbeat unusable by default.

Expected results:
Adaption of the corosync SELinux policy in order to support heartbeat.

Additional info:
It's hard to provide you audit logs because they are rotated faster once I
enable heartbeat than I could copy them. Adding new SELinux policy module with
a minor RHEL release like in this case is just fail, sorry.

Comment 2 Robert Scheck 2012-06-28 16:44:42 UTC
- Cross-filed case #00668208 for my employer
- Cross-filed case #00668210 for a customer
- Cross-filed case #00668212 for another customer
- Cross-filed case #00668213 for one more customer

Comment 3 Robert Scheck 2012-06-28 16:52:03 UTC
Some things from SELinux Troubleshoot (which died in this AVC denied mess):

type=AVC msg=audit(1340899821.909:16322): avc:  denied  { name_bind } for  pid=27791 comm="heartbeat" src=694 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1340899821.909:16322): arch=x86_64 syscall=bind success=no exit=EACCES a0=8 a1=7fffd2147370 a2=10 a3=7fffd2147070 items=0 ppid=1 pid=27791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900068.961:16333): avc:  denied  { net_bind_service } for  pid=27996 comm="heartbeat" capability=10  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=SYSCALL msg=audit(1340900068.961:16333): arch=x86_64 syscall=bind success=no exit=EACCES a0=7 a1=7fffe7965ac0 a2=10 a3=7fffe79657c0 items=0 ppid=1 pid=27996 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900259.991:16352): avc:  denied  { create } for  pid=28228 comm="heartbeat" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1340900259.991:16352): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=3 a2=1 a3=7fff48054070 items=0 ppid=1 pid=28228 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900375.432:16354): avc:  denied  { sigkill } for  pid=28368 comm="heartbeat" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=process
type=SYSCALL msg=audit(1340900375.432:16354): arch=x86_64 syscall=kill success=no exit=EACCES a0=6ed5 a1=9 a2=0 a3=7fff7937e6e0 items=0 ppid=1 pid=28368 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900494.789:16380): avc:  denied  { execute } for  pid=28434 comm="sh" name="ResourceManager" dev=vda1 ino=921549 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1340900494.789:16380): arch=x86_64 syscall=execve success=no exit=EACCES a0=1830160 a1=1831540 a2=1830190 a3=20 items=0 ppid=28433 pid=28434 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=sh exe=/bin/bash subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900782.70:16409): avc:  denied  { execute_no_trans } for  pid=30163 comm="sh" path="/usr/share/heartbeat/ResourceManager" dev=vda1 ino=921549 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1340900782.70:16409): arch=x86_64 syscall=execve success=no exit=EACCES a0=fb8160 a1=fb9540 a2=fb8190 a3=20 items=0 ppid=30162 pid=30163 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=sh exe=/bin/bash subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900925.666:16430): avc:  denied  { setgid } for  pid=31250 comm="heartbeat" capability=6  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=SYSCALL msg=audit(1340900925.666:16430): arch=x86_64 syscall=setgroups success=no exit=EPERM a0=1 a1=1003480 a2=10000 a3=1 items=0 ppid=30279 pid=31250 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340900925.664:16429): avc:  denied  { execute } for  pid=31247 comm="heartbeat" name="harc" dev=vda1 ino=652932 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1340900925.664:16429): arch=x86_64 syscall=execve success=no exit=EACCES a0=42856e a1=7fff2f1d2440 a2=1002260 a3=7fff2f1d21b0 items=0 ppid=30279 pid=31247 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340902087.509:15868): avc:  denied  { execute } for  pid=26649 comm="heartbeat" name="harc" dev=vda1 ino=392324 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1340902087.509:15868): arch=x86_64 syscall=execve success=no exit=EACCES a0=42856e a1=7fffd91fdaf0 a2=19a03a0 a3=7fffd91fd860 items=0 ppid=26641 pid=26649 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340902088.16:15869): avc:  denied  { setgid } for  pid=26653 comm="heartbeat" capability=6  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=SYSCALL msg=audit(1340902088.16:15869): arch=x86_64 syscall=setgroups success=no exit=EPERM a0=1 a1=19a14e0 a2=10000 a3=1 items=0 ppid=26641 pid=26653 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)

Comment 4 Robert Scheck 2012-06-28 16:57:09 UTC
type=AVC msg=audit(1340902448.713:322363): avc:  denied  { kill } for  pid=32029 comm="heartbeat" capability=5  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=SYSCALL msg=audit(1340902448.713:322363): arch=x86_64 syscall=kill success=no exit=EPERM a0=7d2a a1=0 a2=419f40 a3=1 items=0 ppid=1 pid=32029 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)


type=AVC msg=audit(1340902497.343:322368): avc:  denied  { execute_no_trans } for  pid=32330 comm="heartbeat" path="/etc/ha.d/harc" dev=vda1 ino=652932 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1340902497.343:322368): arch=x86_64 syscall=execve success=no exit=EACCES a0=42856e a1=7fffc6143690 a2=bdc360 a3=7fffc6143400 items=0 ppid=32321 pid=32330 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)

Comment 5 Robert Scheck 2012-06-28 17:01:52 UTC
type=AVC msg=audit(1340902812.735:322378): avc:  denied  { execute_no_trans } for  pid=32605 comm="MailTo" path="/usr/lib/ocf/resource.d/heartbeat/MailTo" dev=vda1 ino=921398 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1340902812.735:322378): arch=x86_64 syscall=execve success=no exit=EACCES a0=14a0a60 a1=14cc500 a2=14a1590 a3=18 items=0 ppid=32597 pid=32605 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=MailTo exe=/bin/bash subj=unconfined_u:system_r:corosync_t:s0 key=(null)

Comment 6 Robert Scheck 2012-06-28 17:02:32 UTC
type=AVC msg=audit(1340902903.384:322430): avc:  denied  { getattr } for  pid=3456 comm="which" path="/bin/mailx" dev=vda1 ino=914099 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1340902903.384:322430): arch=x86_64 syscall=stat success=no exit=EACCES a0=1a19060 a1=7fffeec00a00 a2=7fffeec00a00 a3=a items=0 ppid=3455 pid=3456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=which exe=/usr/bin/which subj=unconfined_u:system_r:corosync_t:s0 key=(null)

Comment 7 Robert Scheck 2012-06-28 17:18:04 UTC
Above stuff results from a simple heartbeat setup in 1.x mode with the MailTo
script sending an e-mail after a hb_takeover. A quick hack for this separate
stuff was:

allow corosync_t hi_reserved_port_t:udp_socket name_bind;
allow corosync_t self:capability { net_bind_service setgid kill };
allow corosync_t self:rawip_socket create;
allow corosync_t self:process sigkill;
allow corosync_t usr_t:file { execute execute_no_trans };
allow corosync_t self:rawip_socket { read write };
allow corosync_t etc_t:file { execute execute_no_trans };
allow corosync_t lib_t:file execute_no_trans;
allow corosync_t sendmail_exec_t:file getattr;

I don't want to imagine how much other stuff will come up for own heartbeat
resource scripts, DRBD, Zarafa, Mailman, Apache, MySQL, PostgreSQL, Postfix
and friends here. Ideas?
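
Added example (not part of the original comment and not Red Hat tooling): a small Python parser that collapses AVC denials like those in comments 3 to 6 into deduplicated allow-rule candidates for review, and joins each denial to its SYSCALL record by audit event ID to recover the executable, including the hex-encoded exe form seen in later comments. The sample records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records, shaped like the audit.log lines quoted in this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1000000001.100:101): avc:  denied  { name_bind } for  pid=4001 comm="heartbeat" src=694 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1000000001.100:101): arch=x86_64 syscall=bind success=no exit=EACCES pid=4001 comm=heartbeat exe=/usr/lib64/heartbeat/heartbeat subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1000000002.200:102): avc:  denied  { setgid } for  pid=4002 comm="heartbeat" capability=6  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=AVC msg=audit(1000000003.300:103): avc:  denied  { kill } for  pid=4003 comm="heartbeat" capability=5  scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=capability
type=AVC msg=audit(1000000004.400:104): avc:  denied  { execute } for  pid=4004 comm="sh" name="ResourceManager" dev=vda1 ino=1 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1000000005.500:105): avc:  denied  { execute_no_trans } for  pid=4005 comm="sh" path="/usr/share/heartbeat/ResourceManager" dev=vda1 ino=1 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1000000006.600:106): avc:  denied  { search } for  pid=4006 comm="mysqld_safe" name="root" dev=vda1 ino=2 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:corosync_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1000000006.600:106): arch=c000003e syscall=4 success=no exit=-13 pid=4006 comm="mysqld_safe" exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
"""

AVC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_value(raw):
    """Decode a string field: quoted is literal, bare upper-case hex is auditd's encoding."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def summarize(log_text):
    """Return (rules, exes): permissions merged per (source, target, class), and the
    executables seen per source domain (AVC joined to SYSCALL on the audit event ID)."""
    rules, exes, domain_of = defaultdict(set), defaultdict(set), {}
    for line in log_text.splitlines():
        avc = AVC_RE.match(line)
        if avc:
            event_id, perms, rest = avc.groups()
            f = dict(FIELD_RE.findall(rest))
            src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
            rules[(src, "self" if tgt == src else tgt, f["tclass"])].update(perms.split())
            domain_of[event_id] = src
            continue
        sc = SYSCALL_RE.match(line)
        if sc and sc.group(1) in domain_of:
            exe = dict(FIELD_RE.findall(sc.group(2))).get("exe", "?")
            exes[domain_of[sc.group(1)]].add(audit_value(exe))
    return rules, exes


def allow_rules(rules):
    """Render merged denials as policy-language rule candidates, sorted for stable diffs."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out


if __name__ == "__main__":
    rules, exes = summarize(SAMPLE_LOG)
    print("\n".join(allow_rules(rules)))
    for domain, paths in sorted(exes.items()):
        print(f"# {domain}: {sorted(paths)}")
```

The output is a list of candidates to review, not a module to load as-is: rules such as execute on usr_t or etc_t widen the confined domain considerably, which is why the thread goes on to discuss relabeling and a policy fix instead.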

Comment 8 Robert Scheck 2012-06-28 22:10:06 UTC
Example setup:

1. Install RHEL 6.3 minimal including all updates + EPEL repository
2. Ensure that SELinux is enforced
3. yum install heartbeat
4. cat >> /etc/ha.d/ha.cf << EOF
logfacility	local0
keepalive 2
deadtime 10
warntime 5
initdead 120
udpport	694
ucast eth1 [IPv4 of other node]
auto_failback on
node	[uname -n of this node]
node	[uname -n of other node]
ping [IPv4 of default gateway]
respawn hacluster /usr/lib64/heartbeat/ipfail
EOF
5. cat >> /etc/ha.d/haresources << EOF
[uname -n of this node] \
MailTo::root@localhost
EOF
6. cat >> /etc/ha.d/authkeys << EOF
auth 1 
1 sha1 PutYourSuperSecretKeyHere
EOF
7. chmod 600 /etc/ha.d/authkeys
8. /etc/init.d/heartbeat
9. Have fun as in comment #3 and following ones

Comment 10 Miroslav Grepl 2012-06-29 07:43:01 UTC
Robert,
so you can define whatever you want using

/usr/lib/ocf/resource.d/heartbeat/<whatever>

right?

It looks to me like either an rgmanager policy rather than a corosync policy, or a new policy for heartbeat which will end up as unconfined.


Try to do

# chcon -t bin_t  /usr/lib/heartbeat/heartbeat

which will switch heartbeat back to initrc domain.

Comment 11 Robert Scheck 2012-06-29 08:54:38 UTC
FYI: There is also /etc/ha.d/resource.d/<whatever> for heartbeat 1.x mode,
which we are using heavily, while /usr/lib/ocf/resource.d/heartbeat/<whatever>
we don't use at all.

Comment 12 Robert Scheck 2012-06-29 10:11:25 UTC
Oh, alternatively it also uses /etc/rc.d/init.d/<whatever>, if there is no
/etc/ha.d/resource.d/<whatever> in heartbeat 1.x mode.

Comment 13 Robert Scheck 2012-06-29 21:33:57 UTC
Yes, "chcon -t bin_t /usr/lib64/heartbeat/heartbeat" seems to work around.

Comment 14 Robert Scheck 2012-07-06 12:16:59 UTC
Well, works partially after running an hb_takeover(1). First the correct
label is lib_t instead of bin_t, which it was previously. But then even this
causes some AVC denials such as:


type=AVC msg=audit(1341576354.654:11321463): avc:  denied  { search } for  pid=29179 comm="mysqld_safe" name="root" dev=vda1 ino=131501 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:corosync_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1341576354.654:11321463): arch=c000003e syscall=4 success=no exit=-13 a0=4a3b4b a1=7fffdbb475a0 a2=7fffdbb475a0 a3=7f42a5044040 items=0 ppid=4016 pid=29179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1341576736.323:11322395): avc:  denied  { search } for  pid=17440 comm="mysqld_safe" name="heartbeat" dev=vda1 ino=131491 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:corosync_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1341576736.323:11322395): arch=c000003e syscall=4 success=yes exit=0 a0=12efd70 a1=7fff3144b0a0 a2=7fff3144b0a0 a3=7fff3144ad80 items=0 ppid=17398 pid=17440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1341576736.445:11322396): avc:  denied  { search } for  pid=17552 comm="mysqld" name="root" dev=vda1 ino=131501 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:corosync_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1341576736.445:11322396): arch=c000003e syscall=4 success=no exit=-2 a0=7fff3cb33e40 a1=7fff3cb30da0 a2=7fff3cb30da0 a3=fffffffffffffffd items=0 ppid=17440 pid=17552 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)

Comment 15 Robert Scheck 2012-07-06 12:26:29 UTC
Ah, looks like dontaudit for these two is also doing the job without issues.

Comment 16 Robert Scheck 2012-07-06 19:12:13 UTC
type=AVC msg=audit(1341601839.087:22090): avc:  denied  { search } for  pid=3559 comm="squid" name="root" dev=sda1 ino=132225 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:corosync_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1341601839.087:22090): arch=c000003e syscall=59 success=no exit=-13 a0=7fffd35266f0 a1=7fffd3524650 a2=7fc191e01f80 a3=7fffd3526460 items=0 ppid=3558 pid=3559 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)

Same here... dontaudit seems to do the job.

Comment 17 RHEL Program Management 2012-07-10 07:18:25 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 18 RHEL Program Management 2012-07-11 01:57:25 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 24 Miroslav Grepl 2012-11-26 11:06:00 UTC
*** Bug 879805 has been marked as a duplicate of this bug. ***

Comment 25 Miroslav Grepl 2012-11-26 11:06:37 UTC
*** Bug 879806 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2013-02-21 08:24:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Comment 28 Robert Scheck 2013-03-19 16:06:23 UTC
I disagree so far, the latest selinux-policy brought up the following:

type=AVC msg=audit(1363694647.207:432387): avc:  denied  { search } for  pid=32588 comm="mysqld_safe" name="root" dev=sda1 ino=1314605 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694647.207:432387): arch=x86_64 syscall=stat success=no exit=EACCES a0=4a3b4b a1=7fff999df260 a2=7fff999df260 a3=39e5d37110 items=0 ppid=7112 pid=32588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.319:96081): avc:  denied  { search } for  pid=20910 comm="mysqld_safe" name="heartbeat" dev=sda1 ino=3153187 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.319:96081): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c6fd80 a1=7fffd37a7940 a2=7fffd37a7940 a3=4 items=0 ppid=20878 pid=20910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.836:96126): avc:  denied  { search } for  pid=21017 comm="mysqld" name="root" dev=sda1 ino=3153191 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.836:96126): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff733d7860 a1=7fff733d47c0 a2=7fff733d47c0 a3=fffffffffffffffd items=0 ppid=20910 pid=21017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

Comment 29 Robert Scheck 2013-03-19 16:18:14 UTC
type=AVC msg=audit(1363623429.464:75833): avc:  denied  { search } for  pid=4148 comm="squid" name="root" dev=sda1 ino=394795 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1363623429.464:75833): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff5184dad0 a1=7fff5184ba30 a2=7fe12b610010 a3=7fff5184d840 items=0 ppid=4147 pid=4148 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)

Comment 30 Miroslav Grepl 2013-03-20 12:38:39 UTC
Robert,
could you please open a new bug with this new issue. Thank you.

Comment 31 Robert Scheck 2013-03-22 15:45:23 UTC
Miroslav, I have opened bug #924843. However, this is still related to this issue.

