Hello,
With the new way certmonger restarts services, we hit several AVCs due to the pkill calls:
type=AVC msg=audit(1553153141.509:3368): avc: denied { getattr } for pid=19269 comm="pkill" path="/proc/2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { search } for pid=19269 comm="pkill" name="2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { read } for pid=19269 comm="pkill" name="status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { open } for pid=19269 comm="pkill" path="/proc/2/status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
Would be best to move to $container_cli kill <container> instead.
Cheers,
C.
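To see exactly what the policy would have to grant for the pkill approach (versus what a container kill avoids), here is an added example that is not part of the report or of certmonger's code: a small parser for the AVC lines quoted above, grouping denials at the (source context, target context, class) granularity an SELinux allow rule is written at, and flagging whether any denial actually blocked the operation. The sample log is the five records from the report; the function names are my own.

```python
"""Parse SELinux AVC records and summarise denials per source/target/class.

Example code, not certmonger's own. The sample lines are the AVC records
quoted in the report; note they all carry permissive=1, i.e. they were only
audited and would become real failures once certmonger_t runs enforcing.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# auditd AVC record: 'avc:  denied  { perm ... } for key=value key="value" ...'
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The five records from the report (pkill walking /proc from certmonger_t;
# /proc/2 is a kernel thread, hence the kernel_t target context).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1553153141.509:3368): avc: denied { getattr } for pid=19269 comm="pkill" path="/proc/2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { search } for pid=19269 comm="pkill" name="2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { read } for pid=19269 comm="pkill" name="status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { open } for pid=19269 comm="pkill" path="/proc/2/status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
"""


@dataclass(frozen=True)
class AvcRecord:
    result: str
    perms: frozenset
    pid: int
    comm: str
    target: str        # path= if present, otherwise name=
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def parse_avc_line(line):
    """Return an AvcRecord for one audit line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        result=m.group("result"),
        perms=frozenset(m.group("perms").split()),
        pid=int(fields.get("pid", 0)),
        comm=fields.get("comm", ""),
        target=fields.get("path") or fields.get("name", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def parse_audit_log(text):
    """Parse every AVC record in a multi-line log; non-AVC lines are skipped."""
    return [r for r in (parse_avc_line(ln) for ln in text.splitlines()) if r]


def summarise_denials(records):
    """Map (scontext, tcontext, tclass) -> set of denied permissions.

    This is the shape of the allow rule the policy would need; reading it
    for pkill makes the case for not scanning /proc at all.
    """
    summary = defaultdict(set)
    for r in records:
        if r.result == "denied":
            summary[(r.scontext, r.tcontext, r.tclass)].update(r.perms)
    return dict(summary)


def enforced_denials(records):
    """Denials logged with permissive=0, i.e. ones that really blocked the caller."""
    return [r for r in records if r.result == "denied" and not r.permissive]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), perms in summarise_denials(recs).items():
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    print("enforced denials:", len(enforced_denials(recs)))
```

Run against the report's records this prints two would-be rules, certmonger_t on kernel_t dir { getattr search } and on kernel_t file { open read }, and zero enforced denials, which is the permissive=1 situation the report describes. A real audit.log also carries SYSCALL and other record types, which the parser skips, so it can be pointed at the full file.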
Fix proposed to branch: master
Review: https://review.openstack.org/645080