audit log AVC messages stop after setting SELinux to enforcing mode

Post by cherdt » 2018/01/04 15:50:52

I have multiple systems where SELinux is currently in permissive mode. I have a Nagios server checking various things on these hosts, including the mail queue, via NRPE running via xinetd.

The audit logs report several AVC messages:

Code:

type=AVC msg=audit(1515014658.505:430144): avc:  denied  { ioctl } for  pid=91728 comm="check_mailq" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1515014658.532:430145): avc:  denied  { getattr } for  pid=91729 comm="mailq" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1515014658.539:430146): avc:  denied  { getattr } for  pid=91729 comm="postqueue" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket

Then I set SELinux to enforcing mode to see what would break:

Code:

sudo setenforce 1

Nothing appears to have broken: the hosts are responding to the NRPE checks as expected, and no new AVC messages appear in the logs. This is a mystery to me; I would have assumed that the same AVC messages would appear in both modes and that SELinux would block the actions in enforcing mode.

Everything is working -- I shouldn't complain! -- but there's clearly something I don't understand about SELinux and the AVC messages.
--
Chris Herdt
@cherdt - sometimes I forget that I have a twitter account
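
An added example, not part of the original post: a small Python parser for the three AVC records quoted above, which groups denials by the object they target and lists any record logged after a given time. The switch time passed to `after` is an assumption; the post does not say when `setenforce 1` was run.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the post above.
SAMPLE = """\
type=AVC msg=audit(1515014658.505:430144): avc:  denied  { ioctl } for  pid=91728 comm="check_mailq" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1515014658.532:430145): avc:  denied  { getattr } for  pid=91729 comm="mailq" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1515014658.539:430146): avc:  denied  { getattr } for  pid=91729 comm="postqueue" path="socket:[11196285]" dev="sockfs" ino=11196285 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
"""

HEAD = re.compile(
    r"type=AVC msg=audit\((\d+)\.(\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC record."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec.update(time=float(m.group(1) + "." + m.group(2)), serial=int(m.group(3)),
               result=m.group(4), perms=m.group(5).split())
    # An SELinux context is user:role:type:range; the type is the domain.
    rec["source"] = rec["scontext"].split(":")[2]
    rec["target"] = rec["tcontext"].split(":")[2]
    return rec

def by_object(records):
    """Group records by (target type, class, inode) to show which object is involved."""
    groups = defaultdict(list)
    for r in records:
        key = (r["target"], r["tclass"], r.get("ino"))
        groups[key].append((r["source"], r["comm"], r["perms"]))
    return dict(groups)

def after(records, switch_time):
    """Records logged after switch_time (epoch seconds), e.g. when setenforce 1 ran."""
    return [r for r in records if r["time"] > switch_time]

if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE.splitlines()) if r]
    for obj, hits in by_object(recs).items():
        print(obj)
        for hit in hits:
            print("   ", hit)
    # Hypothetical switch time; substitute the moment enforcing mode was enabled.
    print(len(after(recs, 1515014700.0)), "records after the assumed switch time")
```

On the quoted records, all three denials fall on a single object: the tcp_socket with inode 11196285, labelled inetd_t, accessed from three different source domains.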