Bug 952830 - SELinux prevents realmd from running ipa-client-install correctly
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 918092
Reported: 2013-04-16 19:52 UTC by Stef Walter
Modified: 2013-06-12 16:05 UTC

Doc Type: Bug Fix
Last Closed: 2013-06-12 16:05:44 UTC


Attachments
More AVC's after joining/leaving domains multiple times (258.75 KB, text/x-log)
2013-04-16 20:52 UTC, Stef Walter

Description Stef Walter 2013-04-16 19:52:54 UTC
realmd runs ipa-client-install. We get at least these AVC messages when that happens. 

type=SYSCALL msg=audit(1366140931.951:2134): arch=c000003e syscall=21 success=no exit=-13 a0=7fff2845b3d0 a1=4 a2=7fff2845b3de a3=10ca8c002 items=0 ppid=9707 pid=10137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366140931.951:2134): avc:  denied  { read } for  pid=10137 comm="ipa-client-inst" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1366140932.170:2135): arch=c000003e syscall=4 success=no exit=-13 a0=2514650 a1=7fff28462440 a2=7fff28462440 a3=0 items=0 ppid=9707 pid=10137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366140932.170:2135): avc:  denied  { getattr } for  pid=10137 comm="ipa-client-inst" path="/usr/sbin/setfiles" dev="sda1" ino=1711236 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.517:2154): arch=c000003e syscall=21 success=yes exit=0 a0=7fff6f311cf0 a1=4 a2=7fff6f311cfe a3=10ca8c002 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.517:2154): avc:  denied  { read } for  pid=11284 comm="ipa-client-inst" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.579:2155): arch=c000003e syscall=4 success=yes exit=0 a0=24c2650 a1=7fff6f318d60 a2=7fff6f318d60 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.579:2155): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/usr/sbin/setfiles" dev="sda1" ino=1711236 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.579:2156): arch=c000003e syscall=2 success=yes exit=3 a0=23d3b20 a1=241 a2=1b6 a3=676f6c2f7261762f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.579:2156): avc:  denied  { write open } for  pid=11284 comm="ipa-client-inst" path="/var/log/ipaclient-install.log" dev="sda1" ino=1835173 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1366141588.579:2156): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1366141588.579:2156): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1366141588.579:2156): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="log" dev="sda1" ino=1841350 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141588.579:2157): arch=c000003e syscall=90 success=yes exit=0 a0=20f3560 a1=180 a2=30233bbfa8 a3=676f6c2f7261762f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.579:2157): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="ipaclient-install.log" dev="sda1" ino=1835173 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.633:2158): arch=c000003e syscall=4 success=yes exit=0 a0=29e10e0 a1=7fff6f318ea0 a2=7fff6f318ea0 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.633:2158): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.635:2159): arch=c000003e syscall=59 success=yes exit=0 a0=2b2fbb0 a1=29e2200 a2=2b4a940 a3=6 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.635:2159): avc:  denied  { execute_no_trans } for  pid=11289 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
type=AVC msg=audit(1366141588.635:2159): avc:  denied  { read open } for  pid=11289 comm="ipa-client-inst" path="/usr/sbin/ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
type=AVC msg=audit(1366141588.635:2159): avc:  denied  { execute } for  pid=11289 comm="ipa-client-inst" name="ntpdate" dev="sda1" ino=1704513 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141588.641:2160): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fff23336620 a2=10 a3=7fff2333657c items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.641:2160): avc:  denied  { net_bind_service } for  pid=11289 comm="ntpdate" capability=10  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1366141588.641:2160): avc:  denied  { name_bind } for  pid=11289 comm="ntpdate" src=123 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1366141588.641:2161): arch=c000003e syscall=116 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fff233364a0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.641:2161): avc:  denied  { setgid } for  pid=11289 comm="ntpdate" capability=6  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366141588.641:2162): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=26 a2=ffffffffffffffff a3=7fff233364a0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38 egid=38 sgid=0 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.641:2162): avc:  denied  { setuid } for  pid=11289 comm="ntpdate" capability=7  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366141588.641:2163): arch=c000003e syscall=126 success=yes exit=0 a0=7ff67c0051f4 a1=7ff67c0051fc a2=7ff67a06859c a3=7fff233362d0 items=0 ppid=11284 pid=11289 auid=4294967295 uid=0 gid=0 euid=38 suid=0 fsuid=38 egid=38 sgid=0 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141588.641:2163): avc:  denied  { setcap } for  pid=11289 comm="ntpdate" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1366141594.823:2165): arch=c000003e syscall=4 success=yes exit=0 a0=7fa276329820 a1=7ffff6990ef0 a2=7ffff6990ef0 a3=732e736e61656c6f items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141594.823:2165): avc:  denied  { getattr } for  pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1366141594.823:2165): avc:  denied  { search } for  pid=11424 comm="kinit" name="files" dev="sda1" ino=132128 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141594.823:2166): arch=c000003e syscall=2 success=yes exit=3 a0=7fa276329b10 a1=0 a2=1b6 a3=7ffff698fb40 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141594.823:2166): avc:  denied  { open } for  pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1366141594.823:2166): avc:  denied  { read } for  pid=11424 comm="kinit" name="file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=SYSCALL msg=audit(1366141594.823:2167): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffff698f7b0 a2=7ffff698f7b0 a3=0 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141594.823:2167): avc:  denied  { getattr } for  pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda1" ino=132565 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=SYSCALL msg=audit(1366141594.823:2168): arch=c000003e syscall=2 success=yes exit=3 a0=7fa276329820 a1=0 a2=1b6 a3=1 items=0 ppid=11284 pid=11424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141594.823:2168): avc:  denied  { open } for  pid=11424 comm="kinit" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1366141594.823:2168): avc:  denied  { read } for  pid=11424 comm="kinit" name="file_contexts" dev="sda1" ino=132553 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=SYSCALL msg=audit(1366141594.742:2164): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7fff23336170 a2=b40cc a3=3 items=0 ppid=11284 pid=11289 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 ses=4294967295 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141594.742:2164): avc:  denied  { sys_time } for  pid=11289 comm="ntpdate" capability=25  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366141595.038:2169): arch=c000003e syscall=2 success=yes exit=7 a0=2a03b00 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.038:2169): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" path="/etc/ipa/ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141595.038:2169): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="ca.crt.new" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141595.038:2169): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="ca.crt.new" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1366141595.038:2169): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="ipa" dev="sda1" ino=786692 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141595.038:2170): arch=c000003e syscall=82 success=yes exit=0 a0=2b11da0 a1=28e6bd0 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.038:2170): avc:  denied  { rename } for  pid=11284 comm="ipa-client-inst" name="ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141595.038:2170): avc:  denied  { remove_name } for  pid=11284 comm="ipa-client-inst" name="ca.crt.new" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141595.038:2171): arch=c000003e syscall=90 success=yes exit=0 a0=28e6bd0 a1=1a4 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.038:2171): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="ca.crt" dev="sda1" ino=787031 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1366141595.113:2172): arch=c000003e syscall=87 success=yes exit=0 a0=405175 a1=41 a2=180 a3=7fff65812d40 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.113:2172): avc:  denied  { unlink } for  pid=11433 comm="ipa-join" name="krb5.keytab" dev="sda1" ino=151601 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1366141595.131:2173): arch=c000003e syscall=21 success=yes exit=0 a0=7f8f202ec5c0 a1=2 a2=d a3=7fff65812300 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.131:2173): avc:  denied  { write } for  pid=11433 comm="ipa-join" name="nssdb" dev="sda1" ino=132032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141595.158:2174): arch=c000003e syscall=2 success=yes exit=4 a0=774ec0 a1=80042 a2=1a4 a3=774ec0 items=0 ppid=11284 pid=11433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-join" exe="/usr/sbin/ipa-join" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.158:2174): avc:  denied  { write } for  pid=11433 comm="ipa-join" name="cert9.db" dev="sda1" ino=132349 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1366141595.610:2175): arch=c000003e syscall=2 success=yes exit=3 a0=7c5230 a1=c2 a2=180 a3=7fff68932800 items=0 ppid=11433 pid=11460 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-getkeytab" exe="/usr/sbin/ipa-getkeytab" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141595.610:2175): avc:  denied  { create } for  pid=11460 comm="ipa-getkeytab" name="krb5.keytab" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1366141597.119:2177): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff6f318be0 a2=7fff6f318be0 a3=1 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.119:2177): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366141597.119:2178): arch=c000003e syscall=235 success=yes exit=0 a0=459f1a0 a1=7fff6f318dc0 a2=30233bbfa8 a3=3964343465626561 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.119:2178): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366141597.122:2179): arch=c000003e syscall=90 success=yes exit=0 a0=472afb0 a1=1a4 a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.122:2179): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="krb5.conf" dev="sda1" ino=132619 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1366141597.326:2180): arch=c000003e syscall=248 success=yes exit=917723814 a0=7fff9af17ebc a1=7fff9af17ec1 a2=606240 a3=8d items=0 ppid=11284 pid=11553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="keyctl" exe="/usr/bin/keyctl" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.326:2180): avc:  denied  { write } for  pid=11553 comm="keyctl" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1366141598.322:2193): arch=c000003e syscall=2 success=yes exit=7 a0=3ab9630 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141598.322:2193): avc:  denied  { write open } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/sysrestore.state" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141598.322:2193): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="sysrestore.state" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141598.322:2193): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="sysrestore.state" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1366141598.322:2193): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141598.322:2194): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fff6f318d40 a2=7fff6f318d40 a3=1 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141598.322:2194): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/sysrestore.state" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366141597.365:2181): arch=c000003e syscall=233 success=yes exit=0 a0=7 a1=2 a2=15 a3=7f25eee4ec20 items=0 ppid=11284 pid=11557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nsupdate" exe="/usr/bin/nsupdate" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.365:2181): avc:  denied  { block_suspend } for  pid=11557 comm="nsupdate" capability=36  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1366141597.119:2176): arch=c000003e syscall=2 success=yes exit=5 a0=45b89c0 a1=241 a2=1b6 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.119:2176): avc:  denied  { write open } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/daebe44d905627c1-krb5.conf" dev="sda1" ino=787034 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141597.119:2176): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141597.119:2176): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="daebe44d905627c1-krb5.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1366141597.119:2176): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141597.415:2182): arch=c000003e syscall=4 success=yes exit=0 a0=47254f0 a1=7fff6f318b40 a2=7fff6f318b40 a3=7379732f646d6574 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.415:2182): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/usr/lib/systemd/system/dbus.service" dev="sda1" ino=1843254 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
type=AVC msg=audit(1366141597.415:2182): avc:  denied  { read } for  pid=11284 comm="ipa-client-inst" name="messagebus.service" dev="sda1" ino=1839305 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1366141597.714:2191): arch=c000003e syscall=87 success=yes exit=0 a0=3a06400 a1=ffffffff a2=30233bbfa8 a3=0 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141597.714:2191): avc:  denied  { unlink } for  pid=11284 comm="ipa-client-inst" name=".dns_ccache" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141597.714:2191): avc:  denied  { remove_name } for  pid=11284 comm="ipa-client-inst" name=".dns_ccache" dev="sda1" ino=787032 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1366141597.714:2191): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="ipa" dev="sda1" ino=786692 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141602.943:2275): arch=c000003e syscall=2 success=yes exit=8 a0=4732c60 a1=241 a2=1b6 a3=3432313563653233 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.943:2275): avc:  denied  { write open } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141602.943:2275): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366141602.943:2275): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1366141602.943:2275): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141602.943:2276): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff6f318a80 a2=7fff6f318a80 a3=1 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.943:2276): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/var/lib/ipa-client/sysrestore/832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366141602.943:2277): arch=c000003e syscall=235 success=yes exit=0 a0=3abc170 a1=7fff6f318c60 a2=30233bbfa8 a3=3432313563653233 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.943:2277): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="832ec51247a39e8b-ldap.conf" dev="sda1" ino=787036 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366141602.944:2278): arch=c000003e syscall=2 success=yes exit=8 a0=459f8d0 a1=241 a2=1b6 a3=65706f2f6374652f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" path="/etc/openldap/ldap.conf.ipabkp" dev="sda1" ino=151606 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="openldap" dev="sda1" ino=131158 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141602.944:2279): arch=c000003e syscall=235 success=yes exit=0 a0=473a470 a1=7fff6f318c60 a2=30233bbfa8 a3=65706f2f6374652f items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141602.944:2279): avc:  denied  { setattr } for  pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" dev="sda1" ino=151606 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.242:2280): arch=c000003e syscall=2 success=yes exit=8 a0=4732b30 a1=241 a2=1b6 a3=3334373366343363 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.242:2280): avc:  denied  { add_name } for  pid=11284 comm="ipa-client-inst" name="bc34f374380655b3-ssh_config" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1366141603.242:2280): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" name="sysrestore" dev="sda1" ino=786953 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1366141603.247:2281): arch=c000003e syscall=59 success=yes exit=0 a0=4584b40 a1=4435960 a2=43fdf50 a3=11 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.247:2281): avc:  denied  { execute_no_trans } for  pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1366141603.247:2281): avc:  denied  { read open } for  pid=11942 comm="ipa-client-inst" path="/usr/sbin/sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=AVC msg=audit(1366141603.247:2281): avc:  denied  { execute } for  pid=11942 comm="ipa-client-inst" name="sshd" dev="sda1" ino=1713138 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.253:2282): arch=c000003e syscall=116 success=yes exit=0 a0=0 a1=0 a2=7fff70a5d968 a3=7fe1a9d042e0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.253:2282): avc:  denied  { setgid } for  pid=11942 comm="sshd" capability=6  scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366141603.254:2283): arch=c000003e syscall=2 success=yes exit=3 a0=7fe1ace18cd0 a1=0 a2=0 a3=0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.254:2283): avc:  denied  { open } for  pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1366141603.254:2283): avc:  denied  { read } for  pid=11942 comm="sshd" name="ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.254:2284): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff70a5cd90 a2=7fff70a5cd90 a3=0 items=0 ppid=11284 pid=11942 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.254:2284): avc:  denied  { getattr } for  pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" dev="sda1" ino=150871 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.256:2285): arch=c000003e syscall=4 success=yes exit=0 a0=457dbb0 a1=7fff6f318b40 a2=7fff6f318b40 a3=7379732f646d6574 items=0 ppid=11259 pid=11284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366141603.256:2285): avc:  denied  { getattr } for  pid=11284 comm="ipa-client-inst" path="/usr/lib/systemd/system/sshd.service" dev="sda1" ino=1839211 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
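
Added example, not part of the original report: a small triage script that condenses denials like the ones above into one line per (source type, target type, class), and uses the paired SYSCALL record to tell denials that blocked the call (success=no) from ones that were only logged (success=yes). The function names, the shortened sample records and the success-based heuristic are assumptions of this example; USER_AVC and SELINUX_ERR records are ignored.

```python
import re
from collections import defaultdict

# Constructed sample: records shortened from this report (fields dropped, values kept).
SAMPLE = """\
type=SYSCALL msg=audit(1366140931.951:2134): syscall=21 success=no exit=-13 pid=10137 comm="ipa-client-inst"
type=AVC msg=audit(1366140931.951:2134): avc:  denied  { read } for  pid=10137 comm="ipa-client-inst" name="unix" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1366141602.944:2278): syscall=2 success=yes exit=8 pid=11284 comm="ipa-client-inst"
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { write } for  pid=11284 comm="ipa-client-inst" path="/etc/openldap/ldap.conf.ipabkp" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1366141602.944:2278): avc:  denied  { create } for  pid=11284 comm="ipa-client-inst" name="ldap.conf.ipabkp" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1366141603.254:2283): syscall=2 success=yes exit=3 pid=11942 comm="sshd"
type=AVC msg=audit(1366141603.254:2283): avc:  denied  { open } for  pid=11942 comm="sshd" path="/etc/ssh/ssh_host_rsa_key" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1366141603.254:2283): avc:  denied  { read } for  pid=11942 comm="sshd" name="ssh_host_rsa_key" scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def sel_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class) and merge permissions."""
    outcome, denials = {}, []          # event id -> syscall result; parsed AVC records
    for line in log_text.splitlines():
        head = EVENT.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        if rtype == "SYSCALL" and (m := SUCCESS.search(line)):
            outcome[event_id] = m.group(1)
        elif rtype == "AVC" and (m := AVC.search(line)):
            perms, src, tgt, cls = m.groups()
            denials.append((event_id, sel_type(src), sel_type(tgt), cls, perms.split()))
    rules = defaultdict(lambda: {"perms": set(), "blocked": False})
    for event_id, src, tgt, cls, perms in denials:
        entry = rules[(src, tgt, cls)]
        entry["perms"].update(perms)
        # Heuristic: syscall failed => denial enforced; success=yes => only logged.
        entry["blocked"] |= outcome.get(event_id) == "no"
    return dict(rules)

def format_summary(rules):
    """Render one line per rule, flagging denials that actually blocked a syscall."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(e['perms']))} }} "
            f"[{'blocked' if e['blocked'] else 'logged only'}]"
            for (s, t, c), e in sorted(rules.items())]
```

Records are joined on the full timestamp:serial id, so the result does not depend on whether SYSCALL or AVC comes first in the log.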

Comment 1 Stef Walter 2013-04-16 20:01:31 UTC
I also get tons of this in /var/log/messages:

Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event

Comment 2 Stef Walter 2013-04-16 20:52:25 UTC
Created attachment 736546
More AVC's after joining/leaving domains multiple times

Comment 3 Daniel Walsh 2013-04-16 21:18:01 UTC
c081ef1633556c5c5a630df6e30202b345a8be53 fixes this in git, but realmd really needs to be an unconfined domain, and we need to make sure that when it is done setting up the environment all the files it created are labeled correctly.

Comment 4 Stef Walter 2013-04-17 14:05:28 UTC
Patrik got this output after running restorecon -R -v -n /

restorecon:  Warning no default label for /mnt/sysimage/home
restorecon:  Warning no default label for /var/lib/nfs/rpc_pipefs
restorecon:  Warning no default label for /tmp/krb5cc_0
restorecon:  Warning no default label for /tmp/.Test-unix
restorecon:  Warning no default label for /tmp/.XIM-unix
restorecon:  Warning no default label for /run/iprdump.pid
restorecon:  Warning no default label for /run/iprinit.pid
restorecon:  Warning no default label for /run/iprupdate.pid
restorecon:  Warning no default label for /run/lvmetad.pid
restorecon:  Warning no default label for /run/lock/subsys
restorecon:  Warning no default label for /run/lock/subsys/iprdump
restorecon:  Warning no default label for /run/lock/subsys/iprupdate
restorecon:  Warning no default label for /run/lock/subsys/iprinit
restorecon:  Warning no default label for /run/initramfs
restorecon:  Warning no default label for /run/initramfs/.need_shutdown
restorecon:  Warning no default label for /sys/fs/cgroup/cpuacct
restorecon:  Warning no default label for /sys/fs/cgroup/cpu
restorecon:  Warning no default label for /dev/mqueue
restorecon:  Warning no default label for /dev/pts/0
restorecon:  Warning no default label for /dev/pts/ptmx
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:machineid_t:s0
restorecon reset /etc/vconsole.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:locale_t:s0
restorecon reset /etc/udev/hwdb.bin context unconfined_u:object_r:net_conf_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/postlogin-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/smartcard-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/fingerprint-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/domaintable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/virtusertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/mailertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0

Comment 5 Tomas Dolezal 2013-04-19 12:18:25 UTC
After successfully joining the realm, there are some SELinux errors:

# grep realmd /var/log/audit/audit.log
type=USER_AVC msg=audit(1366371060.807:504): pid=423 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.43 spid=1993 tpid=2015 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SELINUX_ERR msg=audit(1366371065.497:505): security_compute_sid:  invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1366371073.524:603): security_compute_sid:  invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process

Comment 6 Daniel Walsh 2013-04-19 14:16:27 UTC
OK, I updated policy to handle the SELINUX_ERR and most of the mislabeled.

I am interested in how these etc_runtime_t files are being created. These should only be created by an initrc_t script at boot time.

I would like to know if they are there before realmd joins the domain or only afterwards.
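
Added example, not part of the original thread: one way to check the before/after question from Comment 6 is to capture `restorecon -R -v -n /` once before the join and once after, then list only the mislabels that the second dry run introduces, grouped by their current type. The parser accepts the `restorecon reset ... context old->new` record format shown in Comment 4, on one line or wrapped onto two; the function names and the before/after split of the sample are constructed for illustration and say nothing about what happened on the reporter's machine.

```python
import re

# Matches "restorecon reset PATH context OLD->NEW", with OLD->NEW either on the
# same line or wrapped onto the next one. "Warning no default label" lines are skipped.
RELABEL = re.compile(r"^restorecon reset (.+?) context\s+(\S+?)->(\S+)$", re.M)

# Constructed sample: dry-run output captured before the join ...
BEFORE = """\
restorecon:  Warning no default label for /tmp/krb5cc_0
restorecon reset /etc/machine-id context
system_u:object_r:etc_t:s0->system_u:object_r:machineid_t:s0
"""
# ... and a constructed second capture after the join (hypothetical split).
AFTER = BEFORE + """\
restorecon reset /etc/pam.d/system-auth-ac context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
"""

def parse_relabels(output):
    """Map path -> (current type, expected type) from restorecon dry-run output."""
    return {path: (old.split(":")[2], new.split(":")[2])
            for path, old, new in RELABEL.findall(output)}

def introduced_by_join(before, after):
    """Return mislabels seen only in the second dry run, grouped by current type."""
    pre, post = parse_relabels(before), parse_relabels(after)
    grouped = {}
    for path, (current, expected) in sorted(post.items()):
        # Unchanged entries were already mislabeled before the join; skip them.
        if pre.get(path) != (current, expected):
            grouped.setdefault(current, []).append((path, expected))
    return grouped
```

Paths that already appeared with the same wrong label in the first capture are dropped, so whatever remains was created or relabeled between the two runs.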

Comment 7 Fedora Update System 2013-05-03 12:44:31 UTC
selinux-policy-3.12.1-39.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-39.fc19

Comment 8 Fedora Update System 2013-05-03 15:19:44 UTC
Package selinux-policy-3.12.1-39.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-39.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-39.fc19
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-05-04 18:53:47 UTC
Package selinux-policy-3.12.1-40.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-40.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-40.fc19
then log in and leave karma (feedback).

Comment 10 Stef Walter 2013-06-12 16:05:44 UTC
This is now in Fedora 19.

