[root@amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 system]# sealert -a /var/log/audit/audit.log 25% done'list' object has no attribute 'split' 45% done 47% done'NoneType' object is not iterable 100% done found 38 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from read access on the file haproxy.cfg. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow haproxy to have read access on the haproxy.cfg file Then you need to change the label on haproxy.cfg Do # semanage fcontext -a -t FILE_TYPE 'haproxy.cfg' where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, 
disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, fenced_var_log_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_exec_t, haproxy_tmpfs_t, haproxy_var_lib_t, haproxy_var_log_t, haproxy_var_run_t, hostname_etc_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nova_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, 
openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qdiskd_var_log_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. Then execute: restorecon -v 'haproxy.cfg' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that haproxy should be allowed read access on the haproxy.cfg file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:haproxy_t:s0 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects haproxy.cfg [ file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 76 First Seen 2016-11-29 09:30:57 UTC Last Seen 2016-11-30 11:20:12 UTC Local ID 2359695b-d311-475a-93cc-1392a47000a1 Raw Audit Messages type=AVC msg=audit(1480504812.308:197): avc: denied { read } for pid=1032 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=1048719 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480504812.308:197): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff34b5bf56 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=1032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null) Hash: haproxy,haproxy_t,var_lib_t,file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow haproxy to have getattr access on the haproxy.cfg file Then you need to change the label on /var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg Do # semanage fcontext -a -t FILE_TYPE '/var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg' where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, 
dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, gear_log_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_exec_t, haproxy_tmpfs_t, haproxy_var_lib_t, haproxy_var_log_t, haproxy_var_run_t, hostname_etc_t, httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, 
livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_tmp_t, minidlna_log_t, mirrormanager_log_t, mock_tmp_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_log_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_script_tmp_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_log_t, nova_tmp_t, nscd_log_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, 
prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_etc_t, samba_log_t, samba_net_tmp_t, samba_var_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wireshark_tmpfs_t, wtmp_t, xauth_tmp_t, xdm_log_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t. Then execute: restorecon -v '/var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that haproxy should be allowed getattr access on the haproxy.cfg file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:haproxy_t:s0 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects /var/lib/octavia/d842c875-6fea-49cd- ac49-9aa82d12237c/haproxy.cfg [ file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:31 UTC Last Seen 2016-11-29 11:42:10 UTC Local ID 90b78931-30b2-46af-8848-8d1e0002fbac Raw Audit Messages type=AVC msg=audit(1480419730.318:451): avc: denied { getattr } for pid=3473 comm="haproxy" path="/var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg" dev="vda1" ino=1048719 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480419730.318:451): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7ffda19de1e0 a2=7ffda19de1e0 a3=0 items=0 ppid=1 pid=3473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null) Hash: haproxy,haproxy_t,var_lib_t,file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/ip from mounton access on the directory /run/netns. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ip should be allowed mounton access on the netns directory by default. Then you should report this as a bug. 
You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context unconfined_u:object_r:ifconfig_var_run_t:s0 Target Objects /run/netns [ dir ] Source ip Source Path /usr/sbin/ip Port Host Source RPM Packages iproute-3.10.0-54.el7_2.1.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:35:31 UTC Last Seen 2016-11-29 11:35:31 UTC Local ID ecfafc6c-1b56-4000-b831-ab892df16aec Raw Audit Messages type=AVC msg=audit(1480419331.914:410): avc: denied { mounton } for pid=3334 comm="ip" path="/run/netns" dev="tmpfs" ino=19521 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1480419331.914:410): arch=x86_64 syscall=mount success=yes exit=0 a0=440854 a1=43b3aa a2=43c5ad a3=104000 items=0 ppid=1 pid=3334 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: ip,ifconfig_t,ifconfig_var_run_t,dir,mounton -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/ip from mounton access on the directory /. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ip should be allowed mounton access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep ip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:root_t:s0 Target Objects / [ dir ] Source ip Source Path /usr/sbin/ip Port Host Source RPM Packages iproute-3.10.0-54.el7_2.1.x86_64 Target RPM Packages filesystem-3.2-20.el7.x86_64 Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:06 UTC Local ID c5aa405a-f370-4abe-bd88-f5d238795049 Raw Audit Messages type=AVC msg=audit(1480506486.436:381): avc: denied { mounton } for pid=2422 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir type=SYSCALL msg=audit(1480506486.436:381): arch=x86_64 syscall=mount success=yes exit=0 a0=440854 a1=43b421 a2=43c5ad a3=84000 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: ip,ifconfig_t,root_t,dir,mounton -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/ip from mounton access on the directory /sys. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /sys default label should be sysfs_t. Then you can run restorecon. 
Do # /sbin/restorecon -v /sys ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow ip to have mounton access on the sys directory Then you need to change the label on /sys Do # semanage fcontext -a -t FILE_TYPE '/sys' where FILE_TYPE is one of the following: sysfs_t. Then execute: restorecon -v '/sys' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that ip should be allowed mounton access on the sys directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /sys [ dir ] Source ip Source Path /usr/sbin/ip Port Host Source RPM Packages iproute-3.10.0-54.el7_2.1.x86_64 Target RPM Packages filesystem-3.2-20.el7.x86_64 Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:06 UTC Local ID 313e7a2b-f7e1-4e0a-ba19-7e62a1d6e109 Raw Audit Messages type=AVC msg=audit(1480506486.482:382): avc: denied { mounton } for pid=2422 comm="ip" path="/sys" dev="vda1" ino=533873 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir type=SYSCALL msg=audit(1480506486.482:382): arch=x86_64 syscall=mount success=yes exit=0 a0=7ffc84c68f87 a1=4436fe a2=44371e a3=0 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip 
exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: ip,ifconfig_t,unlabeled_t,dir,mounton -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/ip from mounton access on the directory /etc/sysconfig. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow ip to have mounton access on the sysconfig directory Then you need to change the label on /etc/sysconfig Do # semanage fcontext -a -t FILE_TYPE '/etc/sysconfig' where FILE_TYPE is one of the following: sysfs_t. Then execute: restorecon -v '/etc/sysconfig' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that ip should be allowed mounton access on the sysconfig directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/sysconfig [ dir ] Source ip Source Path /usr/sbin/ip Port Host Source RPM Packages iproute-3.10.0-54.el7_2.1.x86_64 Target RPM Packages filesystem-3.2-20.el7.x86_64 Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:06 UTC Local ID 5e01e7be-65aa-4c33-b54e-75714d2ea5f4 Raw Audit Messages type=AVC msg=audit(1480506486.546:383): avc: denied { mounton } for pid=2422 comm="ip" path="/etc/sysconfig" dev="vda1" ino=325 scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=dir type=SYSCALL msg=audit(1480506486.546:383): arch=x86_64 syscall=mount success=yes exit=0 a0=7ffc84c66610 a1=7ffc84c67610 a2=43c5ad a3=1000 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: ip,ifconfig_t,etc_t,dir,mounton -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from getattr access on the filesystem /sys. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed getattr access on the sys filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects /sys [ filesystem ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages filesystem-3.2-20.el7.x86_64 Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:06 UTC Local ID 731929dd-cb6e-438a-8eea-1d4612ed62ee Raw Audit Messages type=AVC msg=audit(1480506486.867:384): avc: denied { getattr } for pid=2422 comm="sysctl" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem type=SYSCALL 
msg=audit(1480506486.867:384): arch=x86_64 syscall=statfs success=yes exit=0 a0=7f5ecf66bc6a a1=7ffc80da5100 a2=fffffffffff47648 a3=7ffc80da4e10 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,sysfs_t,filesystem,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from write access on the file sysrq. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed write access on the sysrq file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:sysctl_kernel_t:s0 Target Objects sysrq [ file ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:07 UTC Local ID 3b4da95e-df50-4501-971d-cb0fd2e3263b Raw Audit Messages type=AVC msg=audit(1480506487.82:385): avc: denied { write } for pid=2422 comm="sysctl" name="sysrq" dev="proc" ino=7574 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file type=SYSCALL msg=audit(1480506487.82:385): arch=x86_64 syscall=open 
success=yes exit=EINTR a0=1c4a3c0 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,sysctl_kernel_t,file,write -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/fs/protected_hardlinks. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed getattr access on the protected_hardlinks file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:proc_security_t:s0 Target Objects /proc/sys/fs/protected_hardlinks [ file ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:07 UTC Local ID f330c00c-a48f-483f-90a5-2cd61572d735 Raw Audit Messages type=AVC msg=audit(1480506487.131:386): avc: denied { getattr } for pid=2422 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=7591 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file type=SYSCALL msg=audit(1480506487.131:386): arch=x86_64 
syscall=stat success=yes exit=0 a0=1c4a6b0 a1=7ffc80da2ee0 a2=7ffc80da2ee0 a3=1c4a6cf items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,proc_security_t,file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from write access on the file protected_hardlinks. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed write access on the protected_hardlinks file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:proc_security_t:s0 Target Objects protected_hardlinks [ file ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:07 UTC Local ID db6bc096-4261-4145-b68c-5c25c7938aa8 Raw Audit Messages type=AVC msg=audit(1480506487.132:387): avc: denied { write } for pid=2422 comm="sysctl" name="protected_hardlinks" dev="proc" ino=7591 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file type=AVC msg=audit(1480506487.132:387): avc: denied { open } for pid=2422 
comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=7591 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file type=SYSCALL msg=audit(1480506487.132:387): arch=x86_64 syscall=open success=yes exit=EINTR a0=1c4a6b0 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,proc_security_t,file,write -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/fs/file-max. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed getattr access on the file-max file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:sysctl_fs_t:s0 Target Objects /proc/sys/fs/file-max [ file ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:07 UTC Local ID d863693a-796a-4442-9cde-38004ec4e8fd Raw Audit Messages type=AVC msg=audit(1480506487.178:388): avc: denied { getattr } for pid=2422 comm="sysctl" 
path="/proc/sys/fs/file-max" dev="proc" ino=11019 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file type=SYSCALL msg=audit(1480506487.178:388): arch=x86_64 syscall=stat success=yes exit=0 a0=1c4a660 a1=7ffc80da2ee0 a2=7ffc80da2ee0 a3=2 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,sysctl_fs_t,file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sysctl from write access on the file file-max. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sysctl should be allowed write access on the file-max file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sysctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:sysctl_fs_t:s0 Target Objects file-max [ file ] Source sysctl Source Path /usr/sbin/sysctl Port Host Source RPM Packages procps-ng-3.3.10-5.el7_2.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:32 UTC Last Seen 2016-11-30 11:48:07 UTC Local ID dadc5696-37ea-4369-992a-711fcaeea30f Raw Audit Messages type=AVC msg=audit(1480506487.178:389): avc: denied { write } for pid=2422 comm="sysctl" name="file-max" dev="proc" ino=11019 
scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file type=AVC msg=audit(1480506487.178:389): avc: denied { open } for pid=2422 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11019 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file type=SYSCALL msg=audit(1480506487.178:389): arch=x86_64 syscall=open success=yes exit=EINTR a0=1c4a660 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=2422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sysctl exe=/usr/sbin/sysctl subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: sysctl,ifconfig_t,sysctl_fs_t,file,write -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from execute access on the file haproxy-systemd-wrapper. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy-systemd-wrapper should be allowed execute access on the haproxy-systemd-wrapper file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy-systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:haproxy_exec_t:s0 Target Objects haproxy-systemd-wrapper [ file ] Source haproxy-systemd Source Path /usr/sbin/haproxy-systemd-wrapper Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:36 UTC Last Seen 2016-11-30 11:48:11 UTC Local ID 0c8a43f6-0d01-4aec-aac3-5ecea1e4851a Raw Audit Messages type=AVC msg=audit(1480506491.751:394): avc: denied { execute } for pid=2451 comm="ip" name="haproxy-systemd-wrapper" dev="vda1" ino=535064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file type=AVC msg=audit(1480506491.751:394): avc: denied { read open } for pid=2451 comm="ip" path="/usr/sbin/haproxy-systemd-wrapper" dev="vda1" ino=535064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file type=AVC msg=audit(1480506491.751:394): avc: denied { execute_no_trans } for pid=2451 comm="ip" path="/usr/sbin/haproxy-systemd-wrapper" dev="vda1" ino=535064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file type=SYSCALL msg=audit(1480506491.751:394): arch=x86_64 syscall=execve success=yes exit=0 a0=7ffce0530ebf a1=7ffce0530c08 a2=7ffce0530c48 a3=7ffce05307d0 items=0 ppid=1 pid=2451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy-systemd 
exe=/usr/sbin/haproxy-systemd-wrapper subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy-systemd,ifconfig_t,haproxy_exec_t,file,execute -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from using the dac_override capability. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that haproxy should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects Unknown [ capability ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:35:36 UTC Last Seen 2016-11-29 11:35:36 UTC Local ID 3675559e-a208-4a79-8811-ca9520b6299c Raw Audit Messages type=AVC msg=audit(1480419336.962:422): avc: denied { dac_override } for pid=3366 comm="haproxy" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=AVC msg=audit(1480419336.962:422): avc: denied { read } for pid=3366 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=1048715 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1480419336.962:422): avc: denied { open } for pid=3366 comm="haproxy" path="/var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg" dev="vda1" ino=1048715 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480419336.962:422): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7ffe252daed7 a1=0 a2=1b6 a3=24 items=0 ppid=3363 pid=3366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: 
haproxy,ifconfig_t,ifconfig_t,capability,dac_override -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from using the fowner capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should have the fowner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects Unknown [ capability ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-29 11:35:37 UTC Local ID 52d28a75-c864-407d-972b-09c07b79f66d Raw Audit Messages type=AVC msg=audit(1480419337.15:424): avc: denied { fowner } for pid=3366 comm="haproxy" capability=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=AVC msg=audit(1480419337.15:424): avc: denied { write } for pid=3366 comm="haproxy" name="octavia" dev="vda1" ino=22116 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480419337.15:424): avc: denied { add_name } for pid=3366 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.sock" dev="vda1" ino=763 scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480419337.15:424): avc: denied { link } for pid=3366 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.sock" dev="vda1" ino=763 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480419337.15:424): arch=x86_64 syscall=link success=yes exit=0 a0=7f37ecae81f2 a1=7ffe252d7cc0 a2=7ffe252d7d03 a3=0 items=0 ppid=3363 pid=3366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,ifconfig_t,capability,fowner -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from create access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock.3477.tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed create access on the d842c875-6fea-49cd-ac49-9aa82d12237c.sock.3477.tmp sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c.sock.3477.tmp [ sock_file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-29 11:42:12 UTC Local ID dd3c2f8f-472f-44c0-9a4b-8932a085fbc9 Raw Audit Messages type=AVC msg=audit(1480419732.891:457): avc: denied { create } for pid=3477 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.sock.3477.tmp" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480419732.891:457): arch=x86_64 syscall=bind success=yes exit=0 a0=4 a1=7ffffff257d0 a2=6e a3=1 items=0 ppid=3414 pid=3477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,sock_file,create -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from setattr access on the sock_file 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed setattr access on the 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp sock_file by default. 
Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp [ sock_file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID 58dd5572-afe1-478a-ab0b-77dcdf854ee4 Raw Audit Messages type=AVC msg=audit(1480506492.331:398): avc: denied { setattr } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp" dev="vda1" ino=714 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480506492.331:398): arch=x86_64 syscall=chmod success=yes exit=0 a0=7fff6dcde3b0 a1=1b6 a2=6e a3=1 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,sock_file,setattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from remove_name access on the directory 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp. ***** Plugin catchall (100. 
confidence) suggests ************************** If you believe that haproxy should be allowed remove_name access on the 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp [ dir ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID bac0900e-23e9-4db2-8777-6092c6cd3e8b Raw Audit Messages type=AVC msg=audit(1480506492.333:399): avc: denied { remove_name } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp" dev="vda1" ino=714 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480506492.333:399): avc: denied { rename } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp" dev="vda1" ino=714 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480506492.333:399): arch=x86_64 syscall=rename success=yes exit=0 a0=7fff6dcde3b0 a1=7f6bfc1081f2 a2=1e a3=7fff6dcde338 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,dir,remove_name -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from name_bind access on the tcp_socket port 80. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed name_bind access on the port 80 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:http_port_t:s0 Target Objects port 80 [ tcp_socket ] Source haproxy Source Path /usr/sbin/haproxy Port 80 Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID aa7ce066-6780-448a-bc6f-340a4be91be5 Raw Audit Messages type=AVC msg=audit(1480506492.336:400): avc: denied { name_bind } for pid=2454 comm="haproxy" src=80 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1480506492.336:400): avc: denied { net_bind_service } for pid=2454 comm="haproxy" capability=10 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=SYSCALL msg=audit(1480506492.336:400): arch=x86_64 syscall=bind success=yes 
exit=0 a0=5 a1=7f6bfc111cf0 a2=10 a3=7f6bfbcad7fc items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,http_port_t,tcp_socket,name_bind -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from listen access on the tcp_socket port None. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow system to run with NIS Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. You can read 'ifconfig_selinux' man page for more details. Do setsebool -P nis_enabled 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that haproxy should be allowed listen access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects port None [ tcp_socket ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID a5943ed1-742a-4ee2-99be-bde6a6e3e538 Raw Audit Messages type=AVC msg=audit(1480506492.346:401): avc: denied { listen } for pid=2454 comm="haproxy" laddr=10.0.0.26 lport=80 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1480506492.346:401): arch=x86_64 syscall=listen success=yes exit=0 a0=5 a1=7d0 a2=1e a3=7fff6dce0378 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,ifconfig_t,tcp_socket,listen -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from write access on the directory d842c875-6fea-49cd-ac49-9aa82d12237c. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed write access on the d842c875-6fea-49cd-ac49-9aa82d12237c directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c [ dir ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-29 11:37:43 UTC Local ID 7c16c0a9-ac58-462d-93a3-8d5eebf45c5f Raw Audit Messages type=AVC msg=audit(1480419463.426:448): avc: denied { write } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c" dev="vda1" ino=1048714 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480419463.426:448): avc: denied { remove_name } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.pid" dev="vda1" ino=1048723 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480419463.426:448): avc: denied { unlink } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.pid" dev="vda1" ino=1048723 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480419463.426:448): arch=x86_64 syscall=unlink success=yes exit=0 a0=7f0ab2507990 a1=0 a2=0 a3=3 items=0 ppid=3414 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy 
subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,dir,write -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from using the setgid capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should have the setgid capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects Unknown [ capability ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID ffbb6698-5c56-463f-a41d-6b13456c650c Raw Audit Messages type=AVC msg=audit(1480506492.374:403): avc: denied { setgid } for pid=2454 comm="haproxy" capability=6 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=SYSCALL msg=audit(1480506492.374:403): arch=x86_64 syscall=setgid success=yes exit=0 a0=3e9 a1=15 a2=7f6bfbc97285 a3=7f6bf99c22e0 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,ifconfig_t,capability,setgid 
-------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from using the setuid capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should have the setuid capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects Unknown [ capability ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID 642c7b01-389a-4fea-9f0e-9bcd4e8ed39a Raw Audit Messages type=AVC msg=audit(1480506492.374:404): avc: denied { setuid } for pid=2454 comm="haproxy" capability=7 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=SYSCALL msg=audit(1480506492.374:404): arch=x86_64 syscall=setuid success=yes exit=0 a0=63 a1=15 a2=7f6bfbc97285 a3=7f6bf99c22e0 items=0 ppid=2451 pid=2454 auid=4294967295 uid=99 gid=1001 euid=99 suid=99 fsuid=99 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,ifconfig_t,capability,setuid -------------------------------------------------------------------------------- SELinux 
is preventing /usr/sbin/haproxy from write access on the sock_file 2c699b77-3983-4d40-a425-cbad188f2067.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed write access on the 2c699b77-3983-4d40-a425-cbad188f2067.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects 2c699b77-3983-4d40-a425-cbad188f2067.sock [ sock_file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:35:37 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID d2636c32-75af-4f33-b675-b972be861647 Raw Audit Messages type=AVC msg=audit(1480506492.404:405): avc: denied { write } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock" dev="vda1" ino=714 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480506492.404:405): arch=x86_64 syscall=connect success=no exit=EPROTOTYPE a0=4 a1=7fff6dce03e0 a2=6e a3=2 items=0 ppid=2451 pid=2454 auid=4294967295 uid=99 gid=1001 euid=99 suid=99 fsuid=99 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,sock_file,write 
-------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from link access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed link access on the d842c875-6fea-49cd-ac49-9aa82d12237c.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c.sock [ sock_file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:37:43 UTC Last Seen 2016-11-29 11:37:43 UTC Local ID 4c576c7d-7714-4d61-8c79-3400de5b4fb7 Raw Audit Messages type=AVC msg=audit(1480419463.389:445): avc: denied { link } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.sock" dev="vda1" ino=766 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480419463.389:445): arch=x86_64 syscall=link success=yes exit=0 a0=7f0ab24fd1f2 a1=7ffcf0b4bfc0 a2=7ffcf0b4c003 a3=0 items=0 ppid=3414 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy 
subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,sock_file,link -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from unlink access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed unlink access on the d842c875-6fea-49cd-ac49-9aa82d12237c.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c.sock [ sock_file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:37:43 UTC Last Seen 2016-11-29 11:37:43 UTC Local ID b5adda6d-9fab-465c-b359-f0b195bda2ce Raw Audit Messages type=AVC msg=audit(1480419463.394:446): avc: denied { unlink } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.sock" dev="vda1" ino=766 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480419463.394:446): arch=x86_64 syscall=rename success=yes exit=0 a0=7ffcf0b4afc0 a1=7f0ab24fd1f2 a2=1e a3=7ffcf0b4af48 items=0 ppid=3414 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,sock_file,unlink -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from add_name access on the directory d842c875-6fea-49cd-ac49-9aa82d12237c.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed add_name access on the d842c875-6fea-49cd-ac49-9aa82d12237c.pid directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c.pid [ dir ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:37:43 UTC Last Seen 2016-11-29 11:37:43 UTC Local ID e4ffa7ce-3b60-4bd6-ba13-5fcc2c96f6ff Raw Audit Messages type=AVC msg=audit(1480419463.427:449): avc: denied { add_name } for pid=3417 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.pid" scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1480419463.427:449): arch=x86_64 syscall=open success=yes exit=E2BIG a0=7f0ab2507990 a1=241 a2=1a4 a3=3 items=0 ppid=3414 
pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,dir,add_name -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from read access on the file haproxy.cfg. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy-systemd-wrapper should be allowed read access on the haproxy.cfg file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy-systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects haproxy.cfg [ file ] Source haproxy-systemd Source Path /usr/sbin/haproxy-systemd-wrapper Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID 19890571-37f2-4a8e-a964-db84f5eb06a3 Raw Audit Messages type=AVC msg=audit(1480506492.274:395): avc: denied { read } for pid=2454 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=1048719 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1480506492.274:395): avc: denied { open } for pid=2454 comm="haproxy" 
path="/var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg" dev="vda1" ino=1048719 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480506492.274:395): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fff6dce1ed7 a1=0 a2=1b6 a3=24 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy-systemd,ifconfig_t,var_lib_t,file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from getattr access on the file /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy-systemd-wrapper should be allowed getattr access on the haproxy.cfg file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. 
Do allow this access for now by executing: # grep haproxy-systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg [ file ] Source haproxy-systemd Source Path /usr/sbin/haproxy-systemd-wrapper Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID 7b15f770-02cc-4f42-a89a-1d69fe48480b Raw Audit Messages type=AVC msg=audit(1480506492.278:396): avc: denied { getattr } for pid=2454 comm="haproxy" path="/var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg" dev="vda1" ino=1048719 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480506492.278:396): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7fff6dcdf7f0 a2=7fff6dcdf7f0 a3=0 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy-systemd,ifconfig_t,var_lib_t,file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from write access on the directory octavia. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed write access on the octavia directory by default.
Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects octavia [ dir ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID b4914d32-12f0-4efb-89fe-c6556f9a35a3 Raw Audit Messages type=AVC msg=audit(1480506492.328:397): avc: denied { write } for pid=2454 comm="haproxy" name="octavia" dev="vda1" ino=22116 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480506492.328:397): avc: denied { add_name } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1480506492.328:397): avc: denied { create } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=SYSCALL msg=audit(1480506492.328:397): arch=x86_64 syscall=bind success=yes exit=0 a0=4 a1=7fff6dcde340 a2=6e a3=1 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy 
subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,dir,write -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from unlink access on the file d842c875-6fea-49cd-ac49-9aa82d12237c.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed unlink access on the d842c875-6fea-49cd-ac49-9aa82d12237c.pid file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects d842c875-6fea-49cd-ac49-9aa82d12237c.pid [ file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-29 11:42:12 UTC Local ID ca8f57ee-3c05-4e2d-8ff8-591356932f0f Raw Audit Messages type=AVC msg=audit(1480419732.905:461): avc: denied { unlink } for pid=3477 comm="haproxy" name="d842c875-6fea-49cd-ac49-9aa82d12237c.pid" dev="vda1" ino=1048723 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480419732.905:461): arch=x86_64 syscall=unlink success=yes exit=0 a0=7f185f837120 a1=0 a2=0 a3=3 items=0 ppid=3414 pid=3477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,file,unlink -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from create access on the file 2c699b77-3983-4d40-a425-cbad188f2067.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed create access on the 2c699b77-3983-4d40-a425-cbad188f2067.pid file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects 2c699b77-3983-4d40-a425-cbad188f2067.pid [ file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-30 11:48:12 UTC Local ID b711d9bd-66dd-421c-8323-15521518f3cc Raw Audit Messages type=AVC msg=audit(1480506492.352:402): avc: denied { create } for pid=2454 comm="haproxy" name="2c699b77-3983-4d40-a425-cbad188f2067.pid" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1480506492.352:402): avc: denied { write } for pid=2454 comm="haproxy" path="/var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/2c699b77-3983-4d40-a425-cbad188f2067.pid" dev="vda1" 
ino=1048723 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480506492.352:402): arch=x86_64 syscall=open success=yes exit=E2BIG a0=7f6bfc112990 a1=241 a2=1a4 a3=3 items=0 ppid=2451 pid=2454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,var_lib_t,file,create -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from using the kill capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should have the kill capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects Unknown [ capability ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora- a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-29 11:42:12 UTC Last Seen 2016-11-30 09:59:26 UTC Local ID 6c84ffce-2845-4c05-b4f5-585ffea8d114 Raw Audit Messages type=AVC msg=audit(1480499966.530:681): avc: denied { kill } for pid=3414 comm="haproxy-systemd" capability=5 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability type=SYSCALL 
msg=audit(1480499966.530:681): arch=x86_64 syscall=kill success=yes exit=0 a0=d96 a1=2 a2=7f11d6884a00 a3=0 items=0 ppid=1 pid=3414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy-systemd exe=/usr/sbin/haproxy-systemd-wrapper subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: haproxy,ifconfig_t,ifconfig_t,capability,kill -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy should be allowed getattr access on the haproxy.cfg file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep haproxy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:haproxy_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg [ file ] Source haproxy Source Path /usr/sbin/haproxy Port Host Source RPM Packages haproxy-1.5.14-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal Platform Linux amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560.novalocal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-11-30 11:48:05 UTC Last Seen 2016-11-30 11:48:05 UTC Local ID c0981e79-d0d3-4a96-b99c-74c820635ba7 Raw Audit Messages type=AVC msg=audit(1480506485.133:379): avc: denied { getattr } for pid=2415 comm="haproxy" path="/var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg" dev="vda1"
ino=1048719 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1480506485.133:379): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7ffe90b82a90 a2=7ffe90b82a90 a3=0 items=0 ppid=1 pid=2415 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null) Hash: haproxy,haproxy_t,var_lib_t,file,getattr
[root@amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 system]#
[root@amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 system]#
[root@amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 system]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type ifconfig_t;
	type haproxy_t;
	type haproxy_exec_t;
	type var_lib_t;
	type ifconfig_var_run_t;
	type sysctl_fs_t;
	type proc_security_t;
	type sysctl_kernel_t;
	type etc_t;
	class capability { setuid kill setgid fowner net_bind_service dac_override };
	class tcp_socket listen;
	class dir mounton;
	class file { execute read create execute_no_trans write getattr unlink open };
	class sock_file { rename write link setattr create unlink };
}

#============= haproxy_t ==============
allow haproxy_t var_lib_t:file { read getattr open };

#============= ifconfig_t ==============
allow ifconfig_t etc_t:dir mounton;
allow ifconfig_t haproxy_exec_t:file { read execute open execute_no_trans };
allow ifconfig_t ifconfig_var_run_t:dir mounton;
allow ifconfig_t proc_security_t:file { write getattr open };
allow ifconfig_t self:capability { setuid kill setgid fowner net_bind_service dac_override };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ifconfig_t self:tcp_socket listen;
allow ifconfig_t sysctl_fs_t:file { write getattr open };
allow ifconfig_t sysctl_kernel_t:file write;
allow ifconfig_t var_lib_t:file { write getattr read create unlink open };
allow ifconfig_t var_lib_t:sock_file { rename write link setattr create unlink };
corenet_tcp_bind_http_port(ifconfig_t)
dev_getattr_sysfs_fs(ifconfig_t)
files_filetrans_system_db_named_files(ifconfig_t)
files_mounton_isid(ifconfig_t)
files_mounton_rootfs(ifconfig_t)

Note on the generated policy: every alert except the final getattr one has scontext ifconfig_t, so haproxy is running in the ifconfig_t domain rather than haproxy_t, which suggests it was launched through a path that never transitioned into haproxy_t; loading the module above as-is would widen ifconfig_t (including self:capability setuid, setgid, kill, fowner, dac_override and broad var_lib_t file/sock_file access) instead of confining haproxy, so the domain transition is the thing to fix before any allow rules are installed. The alerts also report Enforcing Mode Permissive and success=yes on the syscalls, so these are audit-only records and nothing is currently being blocked.