Bug 974149 - MLS: install/upgrade of unbound-libs shows AVC
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: beta
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-06-13 10:09 EDT by Miroslav Vadkerti
Modified: 2018-04-09 07:16 EDT
Fixed In Version: selinux-policy-3.12.1-125.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:48:03 EDT
Type: Bug
Description Miroslav Vadkerti 2013-06-13 10:09:37 EDT
Description of problem:
# yum upgrade unbound-libs
[snip]
Running transaction
 Updating   : unbound-libs-1.4.20-9.el7.x86_64             1/2
runuser: System error
 Cleanup    : unbound-libs-1.4.20-8.el7.x86_64             2/2
[snip]

# ausearch -ts 15:04:47 -m avc -sv no
----
time->Thu Jun 13 15:04:55 2013
type=SYSCALL msg=audit(1371128695.213:17568): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff7d23e840 items=0 ppid=29143 pid=29145 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=6 tty=pts0 comm="runuser" exe="/usr/sbin/runuser" subj=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1371128695.213:17568): avc:  denied  { create } for  pid=29145 comm="runuser" scontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
----

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-49.el7.noarch
unbound-libs-1.4.20-9.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. yum install unbound-libs or yum upgrade unbound-libs

Actual results:
runuser: System error and AVC

Expected results:
No error and no AVC

Additional info:
Comment 1 Miroslav Grepl 2013-06-14 01:58:34 EDT
commit 47a764b10bfd96a1b6200ebfd22806a9bbaf5af0
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Jun 14 07:58:16 2013 +0200

    Allow runuser running as rpm_script_t to create netlink_audit socket
Comment 2 Milos Malik 2013-07-04 09:10:45 EDT
I still see the "runuser: System error" message when upgrading via rpm -Uvh ...
The following AVC appeared:
----
type=SOCKADDR msg=audit(07/04/2013 14:40:50.309:10149) : saddr=netlink pid:0 
type=SYSCALL msg=audit(07/04/2013 14:40:50.309:10149) : arch=x86_64 syscall=sendto success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff059aed50 a2=0x74 a3=0x0 items=0 ppid=6066 pid=6068 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=1 tty=tty1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/04/2013 14:40:50.309:10149) : avc:  denied  { nlmsg_relay } for  pid=6068 comm=runuser scontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket 
----
Comment 3 Milos Malik 2013-07-04 09:15:40 EDT
Forgot to mention: upgrade from unbound-libs-1.4.20-9.el7.x86_64 to unbound-libs-1.4.20-14.el7.x86_64
Comment 4 Miroslav Grepl 2013-07-12 05:30:35 EDT
Fixed.
Comment 5 Milos Malik 2013-08-05 09:24:03 EDT
The following AVC appeared during the installation of the unbound-libs package. selinux-policy-mls-3.12.1-69.el7.noarch was present and the machine was in enforcing mode at the time:
----
type=SOCKADDR msg=audit(08/05/2013 13:21:31.395:904) : saddr=netlink pid:0 
type=SOCKETCALL msg=audit(08/05/2013 13:21:31.395:904) : nargs=6 a0=0x3 a1=0x3ffffeb3d34 a2=0x70 a3=0x0 a4=3ffffeb3d28 a5=c 
type=SYSCALL msg=audit(08/05/2013 13:21:31.395:904) : arch=s390x syscall=socketcall(sendto) success=yes exit=112 a0=0xb a1=0x3ffffeb3c48 a2=0x70 a3=0x0 items=0 ppid=3568 pid=3570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=4 tty=pts0 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(08/05/2013 13:21:31.395:904) : avc:  denied  { audit_write } for  pid=3570 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----

Here is the relevant part of yum output:
Running transaction
  Installing : ldns-1.6.16-4.el7.s390x                                      1/3 
  Installing : unbound-libs-1.4.20-14.el7.s390x                             2/3 
runuser: System error
  Installing : libreswan-3.5-1.el7.s390x                                    3/3 
  Verifying  : unbound-libs-1.4.20-14.el7.s390x                             1/3 
  Verifying  : ldns-1.6.16-4.el7.s390x                                      2/3 
  Verifying  : libreswan-3.5-1.el7.s390x                                    3/3
Comment 10 Milos Malik 2014-01-20 04:11:31 EST
# rpm -qa systemd\*
systemd-sysv-207-12.el7.x86_64
systemd-207-12.el7.x86_64
systemd-libs-207-12.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of the unbound and unbound-libs packages produced the following:
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.080:473) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.096:474) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:06:18.099:475) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Installation of the unbound and unbound-libs packages produced the following:
----
type=USER_AVC msg=audit(01/20/2014 10:09:00.767:483) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:09:00.770:484) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SOCKADDR msg=audit(01/20/2014 10:09:00.672:482) : saddr=netlink pid:0 
type=SYSCALL msg=audit(01/20/2014 10:09:00.672:482) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fff42bf1840 a2=0x70 a3=0x0 items=0 ppid=5879 pid=5881 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(01/20/2014 10:09:00.672:482) : avc:  denied  { audit_write } for  pid=5881 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----
Comment 11 Milos Malik 2014-01-20 04:19:30 EST
# rpm -qa systemd\*
systemd-libs-207-11.el7.x86_64
systemd-207-11.el7.x86_64
systemd-sysv-207-11.el7.x86_64
#

The machine was rebooted after systemd* downgrade.

Removal of the unbound and unbound-libs packages produced the following:
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.353:401) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.361:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { disable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl --no-reload disable unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.376:403) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:15:56.378:404) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Installation of the unbound and unbound-libs packages produced the following:
----
type=USER_AVC msg=audit(01/20/2014 10:18:35.438:406) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(01/20/2014 10:18:35.442:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { enable } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl preset unbound-keygen.service" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SOCKADDR msg=audit(01/20/2014 10:18:35.342:405) : saddr=netlink pid:0 
type=SYSCALL msg=audit(01/20/2014 10:18:35.342:405) : arch=x86_64 syscall=sendto success=yes exit=112 a0=0x3 a1=0x7fffd8d5b910 a2=0x70 a3=0x0 items=0 ppid=1063 pid=1065 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runuser exe=/usr/sbin/runuser subj=root:system_r:rpm_script_t:s0 key=(null) 
type=AVC msg=audit(01/20/2014 10:18:35.342:405) : avc:  denied  { audit_write } for  pid=1065 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability 
----
Comment 12 Milos Malik 2014-01-20 04:29:38 EST
The following versions of systemd were tested and the results are the same:
207-10.el7
207-11.el7
207-12.el7
207-13.el7
Comment 13 Miroslav Grepl 2014-01-20 05:11:21 EST
Milos,
could you add the output of journalctl in debug mode?
Comment 14 Milos Malik 2014-01-20 05:32:56 EST
Here is the output from journalctl produced by "yum remove unbound unbound-libs" and "yum install unbound unbound-libs" commands:

Jan 20 11:26:41 rhel70mls.localdomain systemd[1]: Setting log level to debug.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound.service/stop as 1114
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound recursive Domain Name Server.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.StopUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Trying to enqueue job unbound-keygen.service/stop/replace
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Installed new job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Enqueued job unbound-keygen.service/stop as 1115
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Job unbound-keygen.service/stop finished, result=done
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Stopped Unbound Control Key And Certificate Generator.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.GetUnit() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Properties.Get() on /org/freedesktop/systemd1/unit/unbound_2dkeygen_2eservice
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting nss-lookup.target
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Collecting unbound-keygen.service
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-1.4.20-18.el7.x86_64
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:26:53 rhel70mls.localdomain yum[1556]: Erased: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/crontab)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: ((null)) No SELinux security context (/etc/cron.d/0hourly)
Jan 20 11:27:01 rhel70mls.localdomain crond[316]: (root) FAILED (loading cron table)
Jan 20 11:27:18 rhel70mls.localdomain runuser[1580]: PAM audit_log_acct_message() failed: Operation not permitted
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-libs-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Accepted connection on private bus.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.PresetUnitFiles() on /org/freedesktop/systemd1
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux policy denies access.
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound-keygen.service: -13
Jan 20 11:27:18 rhel70mls.localdomain yum[1569]: Installed: unbound-1.4.20-18.el7.x86_64
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: Got D-Bus request: org.freedesktop.DBus.Local.Disconnected() on /org/freedesktop/DBus/Local
Comment 15 Miroslav Grepl 2014-01-20 05:52:47 EST
Ok, this makes sense

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=status path=/usr/lib/systemd/system/unbound-keygen.service cmdline=/usr/bin/systemctl stop unbound-keygen.service: 0

Not sure about

Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=reload path=(null) cmdline=/usr/bin/systemctl daemon-reload: -13

Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=disable path=(null) cmdline=/usr/bin/systemctl --no-reload disable unbound-keygen.service: -13


"tclass=system"
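
A triage helper for the three record formats quoted in this report (kernel AVC, systemd USER_AVC, and systemd's debug-level "SELinux access check" journal lines), added here as an example; it is not part of the bug thread or of selinux-policy. The function names are hypothetical and the sample input is taken from the records above. It reduces the records to the distinct source type, target type, class and permission sets that a policy change would have to cover, and skips journal checks that ended in 0 (allowed).

```python
import re
from collections import Counter

# Kernel AVC and systemd USER_AVC records as printed by ausearch (raw or -i).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)
# systemd debug-level journal lines; the trailing integer is the result of the
# check (0 = allowed, -13 = permission denied).
SYSTEMD_RE = re.compile(
    r"SELinux access check scon=(?P<scon>\S+) tcon=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\w+) perm=(?P<perms>\w+) .*: (?P<rc>-?\d+)$"
)

def selinux_type(context):
    """Return the type field of user:role:type[:mls-range]."""
    return context.split(":")[2]

def parse_denials(text):
    """Count denials per (source type, target type, class, permission).

    Counting is per line: if the same event is present both as a USER_AVC
    audit record and as a journal line, it is counted twice.
    """
    counts = Counter()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            m = SYSTEMD_RE.search(line.strip())
            if m is None or int(m.group("rc")) == 0:
                continue  # unrelated line, or an access check that was allowed
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        for perm in m["perms"].split():
            counts[key + (perm,)] += 1
    return counts

def summarize(counts):
    """Group permissions per (source, target, class) for human review."""
    grouped = {}
    for (src, tgt, tclass, perm) in counts:
        grouped.setdefault((src, tgt, tclass), set()).add(perm)
    return [f"{s} -> {t} : {c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(grouped.items())]

# Sample input: one record of each kind, copied from the comments above.
SAMPLE = """\
type=AVC msg=audit(1371128695.213:17568): avc:  denied  { create } for  pid=29145 comm="runuser" scontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=staff_u:system_r:rpm_script_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(01/20/2014 10:09:00.672:482) : avc:  denied  { audit_write } for  pid=5881 comm=runuser capability=audit_write  scontext=root:system_r:rpm_script_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=capability
type=USER_AVC msg=audit(01/20/2014 10:06:18.096:474) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reload } for auid=root uid=root gid=root cmdline="/usr/bin/systemctl daemon-reload" scontext=root:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
Jan 20 11:26:53 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:object_r:named_unit_file_t:s0 tclass=service perm=stop path=/usr/lib/systemd/system/unbound.service cmdline=/usr/bin/systemctl stop unbound.service: 0
Jan 20 11:27:18 rhel70mls.localdomain systemd[1]: SELinux access check scon=root:system_r:rpm_script_t:s0 tcon=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system perm=enable path=(null) cmdline=/usr/bin/systemctl preset unbound.service: -13
"""

if __name__ == "__main__":
    for row in summarize(parse_denials(SAMPLE)):
        print(row)
```
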
Comment 16 Miroslav Grepl 2014-01-20 05:58:36 EST
Actually I am going to add fixes.
Comment 17 Miroslav Grepl 2014-01-20 06:03:47 EST
commit 815d7cc02dd8eed7162ce63fbae70961e142a3c5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 20 12:02:35 2014 +0100

    Allow unbound to handle unbound-keygen.service

commit 89fbc4d8f08f2ebb3e60749df2b08a8ba215d2f7
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 20 12:01:12 2014 +0100

    Allow scriptlets to enable/disable services
Comment 20 Miroslav Grepl 2014-02-11 14:13:20 EST
commit b315bd258e8a684ec4345bc5f4fd828d80bd72d7
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 11 20:10:55 2014 +0100

    Addopt corenet rules for unbound-anchor to rpm_script_t

commit a88e70f8f5848b09bf36eb594bc9f8811f38264f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 11 20:07:17 2014 +0100

    Allow runuser to send send audit messages
Comment 22 Ludek Smid 2014-06-13 08:48:03 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.