realmd runs ipa-client-install. We get at least these AVC messages when that happens.
type=SYSCALL msg=audit(1366140931.951:2134): arch=c000003e syscall=21 success=no exit=-13 a0=7fff2845b3d0 a1=4 a2=7fff2845b3de a3=10ca8c002 items=0 ppid=9707 pid=10137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366140931.951:2134): avc: denied { read } for pid=10137 comm="ipa-client-inst" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=SYSCALL msg=audit(1366140932.170:2135): arch=c000003e syscall=4 success=no exit=-13 a0=2514650 a1=7fff28462440 a2=7fff28462440 a3=0 items=0 ppid=9707 pid=10137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366140932.170:2135): avc: denied { getattr } for pid=10137 comm="ipa-client-inst" path="/usr/sbin/setfiles" dev="sda1" ino=1711236 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.517:2154): arch=c000003e syscall=21 success=yes exit=0 a0=7fff6f311cf0 a1=4 a2=7fff6f311cfe a3=10ca8c002 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.517:2154): avc: denied { read } for pid=11284 comm="ipa-client-inst" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.579:2155): arch=c000003e 
syscall=4 success=yes exit=0 a0=24c2650 a1=7fff6f318d60 a2=7fff6f318d60 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.579:2155): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/usr/sbin/setfiles" dev="sda1" ino=1711236 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.579:2156): arch=c000003e syscall=2 success=yes exit=3 a0=23d3b20 a1=241 a2=1b6 a3=676f6c2f7261762f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.579:2156): avc: denied { write open } for pid=11284 comm="ipa-client-inst" path="/var/log/ipaclient-install.log" dev="sda1" ino=1835173 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file type=AVC msg=audit(1366141588.579:2156): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file type=AVC msg=audit(1366141588.579:2156): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir type=AVC msg=audit(1366141588.579:2156): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="log" dev="sda1" ino=1841350 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1366141588.579:2157): arch=c000003e syscall=90 success=yes exit=0 
a0=20f3560 a1=180 a2=30233bbfa8 a3=676f6c2f7261762f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.579:2157): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" dev="sda1" ino=1835173 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.633:2158): arch=c000003e syscall=4 success=yes exit=0 a0=29e10e0 a1=7fff6f318ea0 a2=7fff6f318ea0 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.633:2158): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.635:2159): arch=c000003e syscall=59 success=yes exit=0 a0=2b2fbb0 a1=29e2200 a2=2b4a940 a3=6 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.635:2159): avc: denied { execute_no_trans } for pid=11289 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file type=AVC msg=audit(1366141588.635:2159): avc: denied { read open } for pid=11289 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file type=AVC msg=audit(1366141588.635:2159): avc: denied { execute } for pid=11289 comm="ipa-client-inst" name="ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file type=SYSCALL msg=audit(1366141588.641:2160): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fff23336620 a2=10 a3=7fff2333657c items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.641:2160): avc: denied { net_bind_service } for pid=11289 comm="ntpdate" capability=10 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1366141588.641:2160): avc: denied { name_bind } for pid=11289 comm="ntpdate" src=123 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket type=SYSCALL msg=audit(1366141588.641:2161): arch=c000003e syscall=116 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fff233364a0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.641:2161): avc: denied { setgid } for pid=11289 comm="ntpdate" capability=6 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1366141588.641:2162): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=26 a2=ffffffffffffffff a3=7fff233364a0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38 egid=38 sgid=0 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" 
exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.641:2162): avc: denied { setuid } for pid=11289 comm="ntpdate" capability=7 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1366141588.641:2163): arch=c000003e syscall=126 success=yes exit=0 a0=7ff67c0051f4 a1=7ff67c0051fc a2=7ff67a06859c a3=7fff233362d0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38 egid=38 sgid=0 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141588.641:2163): avc: denied { setcap } for pid=11289 comm="ntpdate" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1366141594.823:2165): arch=c000003e syscall=4 success=yes exit=0 a0=7fa276329820 a1=7ffff6990ef0 a2=7ffff6990ef0 a3=732e736e61656c6f items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141594.823:2165): avc: denied { getattr } for pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1366141594.823:2165): avc: denied { search } for pid=11424 comm="kinit" name="files" dev="sda1" ino=132128 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir type=SYSCALL msg=audit(1366141594.823:2166): arch=c000003e syscall=2 success=yes exit=3 a0=7fa276329b10 a1=0 a2=1b6 a3=7ffff698fb40 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141594.823:2166): avc: denied { open } for pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1366141594.823:2166): avc: denied { read } for pid=11424 comm="kinit" name="file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file type=SYSCALL msg=audit(1366141594.823:2167): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffff698f7b0 a2=7ffff698f7b0 a3=0 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141594.823:2167): avc: denied { getattr } for pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file type=SYSCALL msg=audit(1366141594.823:2168): arch=c000003e syscall=2 success=yes exit=3 a0=7fa276329820 a1=0 a2=1b6 a3=1 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141594.823:2168): avc: denied { open } for pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1366141594.823:2168): avc: denied { 
read } for pid=11424 comm="kinit" name="file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=SYSCALL msg=audit(1366141594.742:2164): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7fff23336170 a2=b40cc a3=3 items=0 ppid=11284 pid=11289 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141594.742:2164): avc: denied { sys_time } for pid=11289 comm="ntpdate" capability=25 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1366141595.038:2169): arch=c000003e syscall=2 success=yes exit=7 a0=2a03b00 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.038:2169): avc: denied { write } for pid=11284 comm="ipa-client-inst" path="/etc/ipa/ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141595.038:2169): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="ca.crt.new" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141595.038:2169): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="ca.crt.new" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=AVC msg=audit(1366141595.038:2169): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="ipa" dev="sda1" ino=786692 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:etc_t:s0 tclass=dir type=SYSCALL msg=audit(1366141595.038:2170): arch=c000003e syscall=82 success=yes exit=0 a0=2b11da0 a1=28e6bd0 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.038:2170): avc: denied { rename } for pid=11284 comm="ipa-client-inst" name="ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141595.038:2170): avc: denied { remove_name } for pid=11284 comm="ipa-client-inst" name="ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=SYSCALL msg=audit(1366141595.038:2171): arch=c000003e syscall=90 success=yes exit=0 a0=28e6bd0 a1=1a4 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.038:2171): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="ca.crt" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1366141595.113:2172): arch=c000003e syscall=87 success=yes exit=0 a0=405175 a1=41 a2=180 a3=7fff65812d40 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.113:2172): avc: denied { unlink } for pid=11433 comm="ipa-join" name="krb5.keytab" dev="sda1" ino=151601 
scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1366141595.131:2173): arch=c000003e syscall=21 success=yes exit=0 a0=7f8f202ec5c0 a1=2 a2=d a3=7fff65812300 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.131:2173): avc: denied { write } for pid=11433 comm="ipa-join" name="nssdb" dev="sda1" ino=132032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir type=SYSCALL msg=audit(1366141595.158:2174): arch=c000003e syscall=2 success=yes exit=4 a0=774ec0 a1=80042 a2=1a4 a3=774ec0 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.158:2174): avc: denied { write } for pid=11433 comm="ipa-join" name="cert9.db" dev="sda1" ino=132349 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file type=SYSCALL msg=audit(1366141595.610:2175): arch=c000003e syscall=2 success=yes exit=3 a0=7c5230 a1=c2 a2=180 a3=7fff68932800 items=0 ppid=11433 pid=11460 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-getkeytab" exe="/usr/sbin/ipa-getkeytab" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141595.610:2175): avc: denied { create } for pid=11460 comm="ipa-getkeytab" name="krb5.keytab" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file type=SYSCALL msg=audit(1366141597.119:2177): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff6f318be0 a2=7fff6f318be0 a3=1 items=0 
ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.119:2177): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1366141597.119:2178): arch=c000003e syscall=235 success=yes exit=0 a0=459f1a0 a1=7fff6f318dc0 a2=30233bbfa8 a3=3964343465626561 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.119:2178): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1366141597.122:2179): arch=c000003e syscall=90 success=yes exit=0 a0=472afb0 a1=1a4 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.122:2179): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="krb5.conf" dev="sda1" ino=132619 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file type=SYSCALL msg=audit(1366141597.326:2180): arch=c000003e syscall=248 success=yes exit=917723814 a0=7fff9af17ebc a1=7fff9af17ec1 a2=606240 a3=8d items=0 ppid=11284 pid=11553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="keyctl" exe="/usr/bin/keyctl" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.326:2180): avc: denied { write } for pid=11553 comm="keyctl" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=key type=SYSCALL msg=audit(1366141598.322:2193): arch=c000003e syscall=2 success=yes exit=7 a0=3ab9630 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141598.322:2193): avc: denied { write open } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/sysrestore.state" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141598.322:2193): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="sysrestore.state" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141598.322:2193): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="sysrestore.state" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1366141598.322:2193): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1366141598.322:2194): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fff6f318d40 a2=7fff6f318d40 a3=1 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" 
subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141598.322:2194): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/sysrestore.state" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1366141597.365:2181): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=15 a3=7f25eee4ec20 items=0 ppid=11284 pid=11557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nsupdate" exe="/usr/bin/nsupdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.365:2181): avc: denied { block_suspend } for pid=11557 comm="nsupdate" capability=36 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability2 type=SYSCALL msg=audit(1366141597.119:2176): arch=c000003e syscall=2 success=yes exit=5 a0=45b89c0 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.119:2176): avc: denied { write open } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141597.119:2176): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141597.119:2176): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1366141597.119:2176): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1366141597.415:2182): arch=c000003e syscall=4 success=yes exit=0 a0=47254f0 a1=7fff6f318b40 a2=7fff6f318b40 a3=7379732f646d6574 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.415:2182): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/usr/lib/systemd/system/dbus.service" dev="sda1" ino=1843254 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file type=AVC msg=audit(1366141597.415:2182): avc: denied { read } for pid=11284 comm="ipa-client-inst" name="messagebus.service" dev="sda1" ino=1839305 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1366141597.714:2191): arch=c000003e syscall=87 success=yes exit=0 a0=3a06400 a1=ffffffff a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141597.714:2191): avc: denied { unlink } for pid=11284 comm="ipa-client-inst" name=".dns_ccache" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141597.714:2191): avc: denied { remove_name } for pid=11284 comm="ipa-client-inst" name=".dns_ccache" dev="sda1" ino=787032 
scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=AVC msg=audit(1366141597.714:2191): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="ipa" dev="sda1" ino=786692 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=SYSCALL msg=audit(1366141602.943:2275): arch=c000003e syscall=2 success=yes exit=8 a0=4732c60 a1=241 a2=1b6 a3=3432313563653233 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141602.943:2275): avc: denied { write open } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141602.943:2275): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1366141602.943:2275): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1366141602.943:2275): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1366141602.943:2276): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff6f318a80 a2=7fff6f318a80 a3=1 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" 
exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141602.943:2276): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1366141602.943:2277): arch=c000003e syscall=235 success=yes exit=0 a0=3abc170 a1=7fff6f318c60 a2=30233bbfa8 a3=3432313563653233 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141602.943:2277): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1366141602.944:2278): arch=c000003e syscall=2 success=yes exit=8 a0=459f8d0 a1=241 a2=1b6 a3=65706f2f6374652f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1366141602.944:2278): avc: denied { write } for pid=11284 comm="ipa-client-inst" path="/etc/openldap/ldap.conf.ipabkp" dev="sda1" ino=151606 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141602.944:2278): avc: denied { create } for pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=AVC msg=audit(1366141602.944:2278): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" 
scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1366141602.944:2278): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="openldap" dev="sda1" ino=131158 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141602.944:2279): arch=c000003e syscall=235 success=yes exit=0 a0=473a470 a1=7fff6f318c60 a2=30233bbfa8 a3=65706f2f6374652f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.944:2279): avc: denied { setattr } for pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" dev="sda1" ino=151606 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.242:2280): arch=c000003e syscall=2 success=yes exit=8 a0=4732b30 a1=241 a2=1b6 a3=3334373366343363 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.242:2280): avc: denied { add_name } for pid=11284 comm="ipa-client-inst" name="bc34f374380655b3-ssh_config" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1366141603.242:2280): avc: denied { write } for pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141603.247:2281): arch=c000003e syscall=59 success=yes exit=0 a0=4584b40 a1=4435960 a2=43fdf50 a3=11 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.247:2281): avc: denied { execute_no_trans } for pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1366141603.247:2281): avc: denied { read open } for pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1366141603.247:2281): avc: denied { execute } for pid=11942 comm="ipa-client-inst" name="sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.253:2282): arch=c000003e syscall=116 success=yes exit=0 a0=0 a1=0 a2=7fff70a5d968 a3=7fe1a9d042e0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.253:2282): avc: denied { setgid } for pid=11942 comm="sshd" capability=6 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366141603.254:2283): arch=c000003e syscall=2 success=yes exit=3 a0=7fe1ace18cd0 a1=0 a2=0 a3=0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.254:2283): avc: denied { open } for pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1366141603.254:2283): avc: denied { read } for pid=11942 comm="sshd" name="ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.254:2284): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff70a5cd90 a2=7fff70a5cd90 a3=0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.254:2284): avc: denied { getattr } for pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.256:2285): arch=c000003e syscall=4 success=yes exit=0 a0=457dbb0 a1=7fff6f318b40 a2=7fff6f318b40 a3=7379732f646d6574 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.256:2285): avc: denied { getattr } for pid=11284 comm="ipa-client-inst" path="/usr/lib/systemd/system/sshd.service" dev="sda1" ino=1839211 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
I also get tons of this in /var/log/messages:
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Created attachment 736546
More AVC's after joining/leaving domains multiple times
c081ef1633556c5c5a630df6e30202b345a8be53 fixes this in git, but realmd really needs to be an unconfined domain, and we need to make sure that when it is done setting up the environment all the files it created are labeled correctly.
Patrik got this output after running restorecon -R -v -n /:
restorecon: Warning no default label for /mnt/sysimage/home
restorecon: Warning no default label for /var/lib/nfs/rpc_pipefs
restorecon: Warning no default label for /tmp/krb5cc_0
restorecon: Warning no default label for /tmp/.Test-unix
restorecon: Warning no default label for /tmp/.XIM-unix
restorecon: Warning no default label for /run/iprdump.pid
restorecon: Warning no default label for /run/iprinit.pid
restorecon: Warning no default label for /run/iprupdate.pid
restorecon: Warning no default label for /run/lvmetad.pid
restorecon: Warning no default label for /run/lock/subsys
restorecon: Warning no default label for /run/lock/subsys/iprdump
restorecon: Warning no default label for /run/lock/subsys/iprupdate
restorecon: Warning no default label for /run/lock/subsys/iprinit
restorecon: Warning no default label for /run/initramfs
restorecon: Warning no default label for /run/initramfs/.need_shutdown
restorecon: Warning no default label for /sys/fs/cgroup/cpuacct
restorecon: Warning no default label for /sys/fs/cgroup/cpu
restorecon: Warning no default label for /dev/mqueue
restorecon: Warning no default label for /dev/pts/0
restorecon: Warning no default label for /dev/pts/ptmx
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:machineid_t:s0
restorecon reset /etc/vconsole.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:locale_t:s0
restorecon reset /etc/udev/hwdb.bin context unconfined_u:object_r:net_conf_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/postlogin-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/smartcard-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/fingerprint-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/domaintable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/virtusertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/mailertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
After successfully joining the realm, there are some SELinux errors:
# grep realmd /var/log/audit/audit.log
type=USER_AVC msg=audit(1366371060.807:504): pid=423 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.43 spid=1993 tpid=2015 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SELINUX_ERR msg=audit(1366371065.497:505): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1366371073.524:603): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
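To triage denials like the ones quoted in this report, the following added example (not part of the original comments or of the selinux-policy project) groups AVC and USER_AVC denials by source type, target type and class, and renders them as allow rules for review. The sample records are abridged from the log lines above; `R`, `SAMPLE` and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

R = "system_u:system_r:realmd_t:s0-s0:c0.c1023"
# Records from this report, abridged and joined on one line as a flattened log would be.
SAMPLE = " ".join([
    f'type=SYSCALL msg=audit(1366141603.247:2281): arch=c000003e syscall=59 success=yes comm="sshd" exe="/usr/sbin/sshd" subj={R} key=(null)',
    f'type=AVC msg=audit(1366141603.247:2281): avc: denied {{ execute_no_trans }} for pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" scontext={R} tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file',
    f'type=AVC msg=audit(1366141603.247:2281): avc: denied {{ read open }} for pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" scontext={R} tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file',
    f'type=AVC msg=audit(1366141603.247:2281): avc: denied {{ execute }} for pid=11942 comm="ipa-client-inst" name="sshd" scontext={R} tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file',
    f'type=AVC msg=audit(1366141603.253:2282): avc: denied {{ setgid }} for pid=11942 comm="sshd" capability=6 scontext={R} tcontext={R} tclass=capability',
    f'type=AVC msg=audit(1366141603.254:2283): avc: denied {{ open }} for pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" scontext={R} tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    f'type=AVC msg=audit(1366141603.254:2283): avc: denied {{ read }} for pid=11942 comm="sshd" name="ssh_host_rsa_key" scontext={R} tcontext=system_u:object_r:sshd_key_t:s0 tclass=file',
    f"type=USER_AVC msg=audit(1366371060.807:504): pid=423 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {{ send_msg }} for msgtype=method_return dest=:1.43 spid=1993 tpid=2015 scontext=system_u:system_r:certmonger_t:s0 tcontext={R} tclass=dbus'",
])

AVC_RE = re.compile(  # body of an AVC or USER_AVC denial
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\w+)")

def split_records(text):
    """Split audit text into records, even when several share one line."""
    parts = re.split(r"(?=\btype=[A-Z_]+ msg=audit\()", text)
    return [p.strip() for p in parts if p.strip()]

def summarize(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denied = defaultdict(set)
    for rec in split_records(text):
        m = AVC_RE.search(rec)
        if m is None:  # SYSCALL and other records carry no denial
            continue
        # The type is the third field of user:role:type[:level].
        src, tgt = (m[g].split(":")[2] for g in ("s", "t"))
        denied[(src, tgt, m["c"])].update(m["perms"].split())
    return dict(denied)

def as_rules(denied):
    """Render the summary as allow rules for review, not for loading as-is."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The grouped view shows at a glance that realmd_t was denied open and read on sshd_key_t files, which helps when deciding whether a rule, a domain transition or a relabel is the right fix.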
OK, I updated the policy to handle the SELINUX_ERR and most of the mislabeled files. I am interested in how these etc_runtime_t files are being created. These should only be created by an initrc_t script at boot time. I would like to know if they are there before realmd joins the domain or only afterwards.
selinux-policy-3.12.1-39.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-39.fc19
Package selinux-policy-3.12.1-39.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-39.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-39.fc19
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-40.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-40.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-40.fc19
then log in and leave karma (feedback).
This is now in Fedora 19.