Hey Sven,

Thanks for all the help you've provided so far. I've hit a snag that I can't see the answer to even though I'm sure it's something silly.

I'm writing a policy for the openstack guest agent (specifically my rewrite of the agent). The agent code can be found on github: https://github.com/alunduil/singularity, and the policy can be found on github as well: https://github.com/alunduil/alunduil-overlay/tree/master/sec-policy/selinux-openstack-guest-agent/files/2.20120215

If you have time (I know you're busy this month), I'd love any suggestions you can provide on this policy, but the problem I'm facing right now is that it doesn't want to start due to the following error in Enforcing mode:

    singularity-selinux ~ # /etc/init.d/singularity start
    Authenticating root.
    Password:
     * Starting singularity ...
    /usr/bin/singularity: 'eselect python show' printed unrecognized value ''
     * start-stop-daemon: failed to start `/usr/bin/singularity'
     * Failed to start singularity [ !! ]
     * ERROR: singularity failed to start

The audit log is attached as enforcing-failed-start.audit.log. The audit log for Permissive mode is also attached as permissive-succeeded-start.audit.log. These logs were created with dontaudit off.

Any guidance you can provide would be greatly appreciated. If you need any more information, please let me know.

Thanks in advance.

Sincerely,

--
Alex Brandt
Sales Engineer for Rackspace, RHCE
http://www.alunduil.com

type=DAEMON_ROTATE msg=audit(1347923814.653:1688): auditd sending auid=0 pid=5231 subj=root:sysadm_r:sysadm_t type=AVC msg=audit(1347923817.326:619): avc: denied { rlimitinh } for pid=5233 comm="singularity" ipaddr=72.191.11.121 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:run_init_t tclass=process type=AVC msg=audit(1347923817.326:619): avc: denied { siginh } for pid=5233 comm="singularity" ipaddr=72.191.11.121 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:run_init_t tclass=process type=AVC msg=audit(1347923817.326:619): avc: denied { noatsecure } for pid=5233 comm="singularity" ipaddr=72.191.11.121 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:run_init_t tclass=process type=SYSCALL msg=audit(1347923817.326:619): arch=c000003e syscall=59 success=yes exit=0 a0=398b7d9ed60 a1=398b7d75400 a2=398b7d716b0 a3=8 items=4 ppid=5114 pid=5233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="singularity" exe="/bin/bash" subj=root:sysadm_r:run_init_t key=(null) type=EXECVE msg=audit(1347923817.326:619): argc=4 a0="/bin/sh" a1="/sbin/runscript" a2="/etc/init.d/singularity" a3="start" type=EXECVE msg=audit(1347923817.326:619): argc=3 a0="/bin/sh" a1="/sbin/runscript" a2="/etc/init.d/singularity" type=EXECVE msg=audit(1347923817.326:619): argc=2 a0="/bin/sh" a1="/sbin/runscript" type=CWD msg=audit(1347923817.326:619): cwd="/root" type=PATH msg=audit(1347923817.326:619): item=0 name="/etc/init.d/singularity" inode=33032 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:initrc_exec_t type=PATH msg=audit(1347923817.326:619): item=1 name=(null) inode=632612 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t type=PATH msg=audit(1347923817.326:619): item=2 name=(null) inode=626612 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t type=PATH msg=audit(1347923817.326:619): item=3 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 
rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC msg=audit(1347923817.333:620): avc: denied { getattr } for pid=5233 comm="singularity" path="/root" dev="xvda1" ino=425985 ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:user_home_dir_t tclass=dir type=AVC msg=audit(1347923817.336:621): avc: denied { read } for pid=5233 comm="rc" name="profile.env" dev="xvda1" ino=32776 ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file type=AVC msg=audit(1347923817.336:622): avc: denied { search } for pid=5233 comm="rc" name="openrc" dev="tmpfs" ino=43 ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=dir type=AVC msg=audit(1347923817.336:623): avc: denied { search } for pid=5233 comm="rc" name="openrc" dev="tmpfs" ino=43 ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=dir type=AVC msg=audit(1347923817.336:624): avc: denied { search } for pid=5233 comm="rc" name="openrc" dev="tmpfs" ino=43 ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=dir type=AVC msg=audit(1347923817.353:625): avc: denied { rlimitinh } for pid=5234 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=AVC msg=audit(1347923817.353:625): avc: denied { siginh } for pid=5234 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=AVC msg=audit(1347923817.353:625): avc: denied { noatsecure } for pid=5234 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=SYSCALL msg=audit(1347923817.353:625): arch=c000003e syscall=59 success=yes exit=0 a0=726e76809c98 a1=782461edd0d0 a2=726e76a11048 a3=726e78ccc9d0 items=2 ppid=5233 pid=5234 auid=0 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=EXECVE msg=audit(1347923817.353:625): argc=3 a0="/sbin/unix_chkpwd" a1="root" a2="nullok" type=CWD msg=audit(1347923817.353:625): cwd="/" type=PATH msg=audit(1347923817.353:625): item=0 name="/sbin/unix_chkpwd" inode=262250 dev=ca:01 mode=0104711 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t type=PATH msg=audit(1347923817.353:625): item=1 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC msg=audit(1347923817.356:626): avc: denied { search } for pid=5234 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir type=SYSCALL msg=audit(1347923817.356:626): arch=c000003e syscall=137 success=no exit=-13 a0=7042f686e007 a1=7a50cbc44130 a2=fffffffffff55eab a3=7a50cbc440a0 items=1 ppid=5233 pid=5234 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923817.356:626): cwd="/" type=PATH msg=audit(1347923817.356:626): item=0 name="/sys/fs/selinux" type=AVC msg=audit(1347923817.356:627): avc: denied { getattr } for pid=5234 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem type=SYSCALL msg=audit(1347923817.356:627): arch=c000003e syscall=137 success=no exit=-13 a0=7042f686e00e a1=7a50cbc44130 a2=0 a3=7a50cbc440a0 items=1 ppid=5233 pid=5234 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923817.356:627): cwd="/" type=PATH msg=audit(1347923817.356:627): item=0 name="/selinux" inode=1 dev=00:0c mode=040755 
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t type=AVC msg=audit(1347923817.356:628): avc: denied { search } for pid=5234 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir type=SYSCALL msg=audit(1347923817.356:628): arch=c000003e syscall=137 success=no exit=-13 a0=f16b2854e8a a1=7a50cbc44130 a2=9 a3=736678756e696c65 items=1 ppid=5233 pid=5234 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923817.356:628): cwd="/" type=PATH msg=audit(1347923817.356:628): item=0 name="/sys/fs/selinux" type=AVC msg=audit(1347923819.516:629): avc: denied { rlimitinh } for pid=5235 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=AVC msg=audit(1347923819.516:629): avc: denied { siginh } for pid=5235 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=AVC msg=audit(1347923819.516:629): avc: denied { noatsecure } for pid=5235 comm="unix_chkpwd" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:chkpwd_t tclass=process type=SYSCALL msg=audit(1347923819.516:629): arch=c000003e syscall=59 success=yes exit=0 a0=726e76809c98 a1=782461edd070 a2=726e76a11048 a3=726e78ccc9d0 items=2 ppid=5233 pid=5235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=EXECVE msg=audit(1347923819.516:629): argc=3 a0="/sbin/unix_chkpwd" a1="root" a2="nullok" type=CWD msg=audit(1347923819.516:629): cwd="/" type=PATH msg=audit(1347923819.516:629): item=0 name="/sbin/unix_chkpwd" inode=262250 dev=ca:01 mode=0104711 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t type=PATH 
msg=audit(1347923819.516:629): item=1 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC msg=audit(1347923819.519:630): avc: denied { search } for pid=5235 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir type=SYSCALL msg=audit(1347923819.519:630): arch=c000003e syscall=137 success=no exit=-13 a0=680ed1482007 a1=7058a34b8400 a2=fffffffffff55eab a3=7058a34b8370 items=1 ppid=5233 pid=5235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923819.519:630): cwd="/" type=PATH msg=audit(1347923819.519:630): item=0 name="/sys/fs/selinux" type=AVC msg=audit(1347923819.519:631): avc: denied { getattr } for pid=5235 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem type=SYSCALL msg=audit(1347923819.519:631): arch=c000003e syscall=137 success=no exit=-13 a0=680ed148200e a1=7058a34b8400 a2=0 a3=7058a34b8370 items=1 ppid=5233 pid=5235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923819.519:631): cwd="/" type=PATH msg=audit(1347923819.519:631): item=0 name="/selinux" inode=1 dev=00:0c mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t type=AVC msg=audit(1347923819.523:632): avc: denied { search } for pid=5235 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=72.191.11.121 scontext=root:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir type=SYSCALL msg=audit(1347923819.523:632): arch=c000003e syscall=137 success=no exit=-13 a0=a37f775ebca a1=7058a34b8400 a2=9 a3=736678756e696c65 items=1 ppid=5233 pid=5235 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=root:sysadm_r:chkpwd_t key=(null) type=CWD msg=audit(1347923819.523:632): cwd="/" type=PATH msg=audit(1347923819.523:632): item=0 name="/sys/fs/selinux" type=AVC msg=audit(1347923819.543:633): avc: denied { rlimitinh } for pid=5233 comm="open_init_pty" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1347923819.543:633): avc: denied { siginh } for pid=5233 comm="open_init_pty" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:initrc_t tclass=process type=AVC msg=audit(1347923819.543:633): avc: denied { noatsecure } for pid=5233 comm="open_init_pty" ipaddr=72.191.11.121 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:initrc_t tclass=process type=SYSCALL msg=audit(1347923819.543:633): arch=c000003e syscall=59 success=yes exit=0 a0=726e77884a80 a1=782461ee08d8 a2=596afbdd4c0 a3=745f637274696e items=2 ppid=5114 pid=5233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=121 comm="open_init_pty" exe="/usr/sbin/open_init_pty" subj=system_u:system_r:initrc_t key=(null) type=EXECVE msg=audit(1347923819.543:633): argc=3 a0="runscript" a1="/etc/init.d/singularity" a2="start" type=CWD msg=audit(1347923819.543:633): cwd="/" type=PATH msg=audit(1347923819.543:633): item=0 name="/usr/sbin/open_init_pty" inode=560529 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:initrc_exec_t type=PATH msg=audit(1347923819.543:633): item=1 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC msg=audit(1347923819.676:634): avc: denied { rlimitinh } for pid=5246 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=AVC msg=audit(1347923819.676:634): avc: denied { 
siginh } for pid=5246 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=AVC msg=audit(1347923819.676:634): avc: denied { noatsecure } for pid=5246 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=SYSCALL msg=audit(1347923819.676:634): arch=c000003e syscall=59 success=yes exit=0 a0=7546989cb393 a1=7546989cb0d8 a2=f9fe804e230 a3=7546989cb580 items=3 ppid=5245 pid=5246 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=121 comm="singularity" exe="/bin/env" subj=system_u:system_r:openstack_guest_agent_t key=(null) type=EXECVE msg=audit(1347923819.676:634): argc=7 a0="/usr/bin/env" a1="python" a2="/usr/bin/singularity" a3="daemon" a4="--configuration" a5="/etc/singularity" a6="start" type=EXECVE msg=audit(1347923819.676:634): argc=5 a0="/usr/bin/env" a1="python" a2="/usr/bin/singularity" a3="daemon" a4="--configuration" type=CWD msg=audit(1347923819.676:634): cwd="/" type=PATH msg=audit(1347923819.676:634): item=0 name="/usr/bin/singularity" inode=566723 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openstack_guest_agent_exec_t type=PATH msg=audit(1347923819.676:634): item=1 name=(null) inode=634819 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t type=PATH msg=audit(1347923819.676:634): item=2 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC msg=audit(1347923819.683:635): avc: denied { search } for pid=5246 comm="python" name="env.d" dev="xvda1" ino=32783 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:etc_runtime_t tclass=dir type=AVC msg=audit(1347923819.776:636): avc: denied { search } for pid=5246 comm="singularity" name="root" dev="xvda1" ino=425985 ipaddr=72.191.11.121 
scontext=system_u:system_r:openstack_guest_agent_t tcontext=root:object_r:user_home_dir_t tclass=dir type=AVC msg=audit(1347923819.783:637): avc: denied { read } for pid=5246 comm="singularity" name="localtime" dev="xvda1" ino=36052 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:locale_t tclass=file type=AVC msg=audit(1347923819.783:638): avc: denied { read } for pid=5246 comm="singularity" name="localtime" dev="xvda1" ino=36052 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:locale_t tclass=file type=AVC msg=audit(1347923819.829:639): avc: denied { search } for pid=5250 comm="eselect" name="root" dev="xvda1" ino=425985 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=root:object_r:user_home_dir_t tclass=dir type=AVC msg=audit(1347923819.846:640): avc: denied { search } for pid=5251 comm="eselect" name="env.d" dev="xvda1" ino=32783 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:etc_runtime_t tclass=dir type=AVC msg=audit(1347923819.883:641): avc: denied { search } for pid=5256 comm="cgroup-release-" name="var" dev="xvda1" ino=524289 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir type=SYSCALL msg=audit(1347923819.883:641): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=790e23d1e740 a2=6e a3=74a5a82c2610 items=0 ppid=50 pid=5256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgroup-release-" exe="/bin/bash" subj=system_u:system_r:kernel_t key=(null) type=SOCKADDR msg=audit(1347923819.883:641): saddr=01002F7661722F72756E2F6E7363642F736F636B657400004000000000000000A8A41A000000000000000000400038000B00400044004300060000000500000040000000000000004000000000000000400000000000000068020000000000006802000000000000080000000000 type=AVC msg=audit(1347923819.883:642): avc: denied { search } for 
pid=5256 comm="cgroup-release-" name="var" dev="xvda1" ino=524289 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir type=SYSCALL msg=audit(1347923819.883:642): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=790e23d1e8f0 a2=6e a3=74a5a82c2610 items=0 ppid=50 pid=5256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgroup-release-" exe="/bin/bash" subj=system_u:system_r:kernel_t key=(null) type=SOCKADDR msg=audit(1347923819.883:642): saddr=01002F7661722F72756E2F6E7363642F736F636B657400000066A1A8DBE3B95CA05C2CCF2B0900004118F5A7A5740000000056AA30514BE9E0B09ACE2B09000000ECD1230E79000008000000000000000300000000000000E85E2CCF2B0900000000000000000000E85E2CCF2B09 type=AVC msg=audit(1347923819.883:643): avc: denied { read } for pid=5256 comm="cgroup-release-" name="nsswitch.conf" dev="xvda1" ino=625032 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1347923819.886:644): avc: denied { read } for pid=5256 comm="cgroup-release-" name="nsswitch.conf" dev="xvda1" ino=625032 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1347923819.886:645): avc: denied { read } for pid=5256 comm="cgroup-release-" name="passwd" dev="xvda1" ino=33215 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1347923819.886:646): avc: denied { read } for pid=5256 comm="cgroup-release-" name="passwd" dev="xvda1" ino=33215 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file type=AVC msg=audit(1347923819.886:647): avc: denied { search } for pid=5256 comm="cgroup-release-" name="/" dev="cgroup" ino=1197 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:cgroup_t tclass=dir
type=DAEMON_ROTATE msg=audit(1347924080.546:1689): auditd sending auid=0 pid=5324 subj=root:sysadm_r:sysadm_t type=AVC msg=audit(1347924090.656:682): avc: denied { rlimitinh } for pid=5339 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=AVC msg=audit(1347924090.656:682): avc: denied { siginh } for pid=5339 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=AVC msg=audit(1347924090.656:682): avc: denied { noatsecure } for pid=5339 comm="singularity" ipaddr=72.191.11.121 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:openstack_guest_agent_t tclass=process type=SYSCALL msg=audit(1347924090.656:682): arch=c000003e syscall=59 success=yes exit=0 a0=7fcff01ccc66 a1=7fcff01cc968 a2=e733a326b40 a3=7fcff01cd104 items=3 ppid=5338 pid=5339 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=125 comm="singularity" exe="/bin/env" subj=system_u:system_r:openstack_guest_agent_t key=(null) type=EXECVE msg=audit(1347924090.656:682): argc=7 a0="/usr/bin/env" a1="python" a2="/usr/bin/singularity" a3="daemon" a4="--configuration" a5="/etc/singularity" a6="start" type=EXECVE msg=audit(1347924090.656:682): argc=5 a0="/usr/bin/env" a1="python" a2="/usr/bin/singularity" a3="daemon" a4="--configuration" type=CWD msg=audit(1347924090.656:682): cwd="/" type=PATH msg=audit(1347924090.656:682): item=0 name="/usr/bin/singularity" inode=566723 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openstack_guest_agent_exec_t type=PATH msg=audit(1347924090.656:682): item=1 name=(null) inode=634819 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t type=PATH msg=audit(1347924090.656:682): item=2 name=(null) inode=624663 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t type=AVC 
msg=audit(1347924090.703:683): avc: denied { read } for pid=5339 comm="singularity" name="localtime" dev="xvda1" ino=36052 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:locale_t tclass=file type=AVC msg=audit(1347924090.703:683): avc: denied { open } for pid=5339 comm="singularity" name="localtime" dev="xvda1" ino=36052 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:locale_t tclass=file type=AVC msg=audit(1347924090.703:684): avc: denied { getattr } for pid=5339 comm="singularity" path="/etc/localtime" dev="xvda1" ino=36052 ipaddr=72.191.11.121 scontext=system_u:system_r:openstack_guest_agent_t tcontext=system_u:object_r:locale_t tclass=file
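
Added example, not part of the original message or of the singularity project: Python that extracts AVC denials from raw audit text like the two attachments above (records run together on one line), merges them per target type and class for one source domain, and lists permissions that show up only in the permissive log. The sample records are constructed in the shape of the log lines above; `_rec`, `AGENT` and the function names are this example's own.

```python
import re
from collections import defaultdict

# One AVC record runs until the next "type=... msg=audit(" header or end of text,
# so records flattened onto one line or wrapped mid-record still parse.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*?)'
    r'(?=\s+type=[A-Z_]+\s+msg=audit\(|\Z)', re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial found in raw audit log text."""
    denials = []
    for m in AVC_RE.finditer(text):
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        try:
            source = f['scontext'].split(':')[2]   # user:role:type[:level]
            target = f['tcontext'].split(':')[2]
            tclass = f['tclass']
        except (KeyError, IndexError):
            continue                                # truncated record, skip it
        denials.append({'perms': m.group('perms').split(), 'source': source,
                        'target': target, 'tclass': tclass,
                        'name': f.get('name') or f.get('path', '')})
    return denials

def merge(denials, domain):
    """Map (target type, class) -> set of denied permissions for one source domain."""
    merged = defaultdict(set)
    for d in denials:
        if d['source'] == domain:
            merged[(d['target'], d['tclass'])].update(d['perms'])
    return dict(merged)

def candidate_rules(denials, domain):
    """Render merged denials as allow rules for review, sorted for stable diffs."""
    return [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(merge(denials, domain).items())]

def only_in_permissive(enforcing, permissive, domain):
    """Permissions logged in permissive mode but absent from the enforcing log."""
    e, p = merge(enforcing, domain), merge(permissive, domain)
    return {k: sorted(v - e.get(k, set())) for k, v in p.items() if v - e.get(k, set())}

def _rec(serial, perm, stype, tctx, tclass, name):
    # Constructed sample record shaped like the AVC lines in the logs above.
    return (f'type=AVC msg=audit(1347923819.000:{serial}): avc: denied {{ {perm} }} '
            f'for pid=5246 comm="singularity" name="{name}" dev="xvda1" '
            f'scontext=system_u:system_r:{stype} tcontext=system_u:{tctx} tclass={tclass}')

AGENT = 'openstack_guest_agent_t'
ENFORCING = ' '.join([
    _rec(1, 'rlimitinh', 'initrc_t', f'system_r:{AGENT}', 'process', ''),
    'type=CWD msg=audit(1347923819.000:1): cwd="/"',
    _rec(2, 'search', AGENT, 'object_r:etc_runtime_t', 'dir', 'env.d'),
    _rec(3, 'search', AGENT, 'object_r:user_home_dir_t', 'dir', 'root'),
    _rec(4, 'read', AGENT, 'object_r:locale_t', 'file', 'localtime')])
PERMISSIVE = ' '.join(_rec(n, perm, AGENT, 'object_r:locale_t', 'file', 'localtime')
                      for n, perm in enumerate(['read', 'open', 'getattr'], 5))

if __name__ == '__main__':
    print('\n'.join(candidate_rules(parse_avc(ENFORCING), AGENT)))
    print(only_in_permissive(parse_avc(ENFORCING), parse_avc(PERMISSIVE), AGENT))
```

The generated lines are candidates to review against the policy, not rules to load as-is; the domain filter keeps denials raised by other source domains out of the agent's rule set.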