selinux-refpolicy/policy/modules/kernel
David Sugar via refpolicy f3e0a751db label /etc/mcelog/mcelog.setup correctly (for RHEL)
I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7).  It should be labeled bin_t.

Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute } for  pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { read open } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute_no_trans } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc:  denied  { ioctl } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc:  denied  { getattr } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-23 14:30:35 -04:00
corecommands.fc label /etc/mcelog/mcelog.setup correctly (for RHEL) 2017-09-23 14:30:35 -04:00
corecommands.if Remove deprecated interfaces older than one year old. 2017-08-06 17:03:17 -04:00
corecommands.te corecommands, xserver, systemd, userdomain: Version bumps. 2017-09-17 11:11:18 -04:00
corenetwork.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
corenetwork.if.in Separate read and write interface for tun_tap_device_t 2017-09-06 10:59:34 -04:00
corenetwork.if.m4 refpolicy: Infiniband pkeys and endports 2017-05-24 19:23:18 -04:00
corenetwork.te.in Remove complement and wildcard in allow rules. 2017-08-13 16:21:44 -04:00
corenetwork.te.m4 refpolicy: Infiniband pkeys and endports 2017-05-24 19:23:18 -04:00
devices.fc Update for Xen 4.7 2017-08-06 11:19:29 -04:00
devices.if Grant all permissions necessary for Xorg and basic X clients 2017-09-13 18:40:24 -04:00
devices.te Module version bumps. 2017-09-13 18:58:07 -04:00
domain.fc
domain.if remove trailing whitespaces 2016-12-06 13:45:13 +01:00
domain.te Remove complement and wildcard in allow rules. 2017-08-13 16:21:44 -04:00
files.fc Misc fc changes from Russell Coker. 2017-04-06 17:00:28 -04:00
files.if Allow sysadm to map all non auth files 2017-09-13 18:40:24 -04:00
files.te Module version bumps. 2017-09-13 18:58:07 -04:00
filesystem.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
filesystem.if init: allow systemd to relabel /dev and /run 2017-09-11 20:03:31 -04:00
filesystem.te Several module version bumps. 2017-09-11 20:34:13 -04:00
kernel.fc Add fc for /sys/kernel/debug as debugfs_t 2015-05-06 09:49:40 -04:00
kernel.if Remove deprecated interfaces older than one year old. 2017-08-06 17:03:17 -04:00
kernel.te Remove complement and wildcard in allow rules. 2017-08-13 16:21:44 -04:00
mcs.fc
mcs.if remove trailing whitespaces 2016-12-06 13:45:13 +01:00
mcs.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
metadata.xml
mls.fc
mls.if Remove deprecated interfaces older than one year old. 2017-08-06 17:03:17 -04:00
mls.te remove trailing whitespaces 2016-12-06 13:45:13 +01:00
selinux.fc
selinux.if Remove deprecated interfaces older than one year old. 2017-08-06 17:03:17 -04:00
selinux.te Remove complement and wildcard in allow rules. 2017-08-13 16:21:44 -04:00
storage.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
storage.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
storage.te Remove complement and wildcard in allow rules. 2017-08-13 16:21:44 -04:00
terminal.fc Misc fc changes from Russell Coker. 2017-04-06 17:00:28 -04:00
terminal.if terminal: Rename term_create_devpts. 2017-09-11 20:03:58 -04:00
terminal.te Several module version bumps. 2017-09-11 20:34:13 -04:00
ubac.fc
ubac.if
ubac.te