Scenario: Printing a document to nearest (or just running nearest as cupsd_t). For each os.access(..) made by hiveconf.py (_check_write_access) to check whether a file is writable, two lines like this are printed to the audit log file. syscall=21 on the second line indicates an access call. Everything looks OK from a SELinux file context point of view, so there's nothing odd there.

> type=AVC msg=audit(1409906549.883:6665): avc: denied { write } for pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Pierre and I tried to understand why this happens only on RHEL 7 and not on Fedora, but could not figure it out. This needs more investigation.
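Added example, not code from the report or from ThinLinc: a small triage script that pairs each AVC record with its SYSCALL record by audit serial and flags denials raised by access(2)/faccessat(2) on x86_64 (arch=c000003e, syscall 21/269) as permission probes, i.e. the os.access() noise described above, rather than blocked writes. The first event pair is the one quoted in the report; the second pair (serial 6666, syscall=1) is constructed to show the contrast.

```python
import re
from collections import defaultdict

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
# x86_64 (arch=c000003e) numbers of the permission-probe syscalls; os.access()
# becomes access(2), which is what syscall=21 in the report means.
PROBE_SYSCALLS_X86_64 = {"21": "access", "269": "faccessat"}

# Records quoted in the report, then a CONSTRUCTED pair for a real write(2).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1409906549.883:6665): avc: denied { write } for pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409906549.900:6666): avc: denied { write } for pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1409906549.900:6666): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=1fa2b60 a2=10 a3=0 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
"""

def parse_events(text):
    """Group audit records by serial number; each record becomes a field dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        perms = PERMS_RE.search(line)
        if perms:
            rec["perms"] = perms.group(1).split()
        events[m.group(2)].append(rec)
    return events

def classify(text):
    """Map each serial with an AVC denial to (verdict, syscall name, tcontext)."""
    verdicts = {}
    for serial, recs in parse_events(text).items():
        avcs = [r for r in recs if r.get("type") == "AVC"]
        calls = [r for r in recs if r.get("type") == "SYSCALL"]
        if not avcs or not calls:
            continue
        call = calls[0]
        probe = None
        if call.get("arch") == "c000003e":
            probe = PROBE_SYSCALLS_X86_64.get(call.get("syscall"))
        # access()/faccessat() only ask "may I?"; nothing was written, so the
        # denial is noise to dontaudit or relabel, unlike the same AVC on write(2).
        verdict = "access-probe" if probe else "real-denial"
        verdicts[serial] = (verdict, probe or "syscall " + call.get("syscall", "?"), avcs[0].get("tcontext", "?"))
    return verdicts
```

Run `classify(SAMPLE_AUDIT)` to see serial 6665 reported as an access probe against a usr_t file and 6666 as a real denial.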
http://oss.tresys.com/pipermail/refpolicy/2014-September/007391.html
Fixed in r29338 and r29339. Tester should verify this on both RHEL 7 and RHEL 6, as RHEL 6 has a too old kernel for the audit_access rule and we need to verify that the module still compiles there.
The autotest machines are having problems with this change. Need to have another look.
Turns out that we do not need the audit_access rule. Tagging the config files as etc_t instead of usr_t is enough to get rid of the noise. Fixed in r29343.
Verified that context is etc_t and that the AVC is not showing up on both RHEL6 and RHEL7. Using ThinLinc server build 4499.