Hello, Environment: RHEL 7.2 with all the latest fixes. The server has the Check_MK agent (check-mk-agent-1.2.6p16-3.el7.x86_64 from EPEL) installed, and the mk_postgres module has been activated by symlinking /usr/share/check-mk-agent/available-plugins/mk_postgres to /usr/share/check-mk-agent/plugins/mk_postgres The agent plugin's code may be viewed here: http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/ mk_postgres;h=8333eee316a99e634394aee4f3048b6becc56d69;hb=c33010ba2d24c8b81c4e6221f3cd61bade7e7d9e PostgreSQL version: rh-postgresql94-postgresql 9.4.6-1.el7.x86_64 (from RHEL 7's software collections). Trouble: The Check_MK agent reponse becomes very slow when the mk_postgres agent plugin is activated -- to the extend that checks time out, causing monitoring alerts and missing monitoring data. Meanwhile, in /var/log/audit/audit.log: type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0- s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' The AVC denials pop up when the mk_postgres agent plugin performs a "su" to "postgres". Changing the script to use "runuser" instead of "su" does not help. I've found two different ways to fix this; the latter seems best: 1. Stop the dbus.service and dbus.socket services. But this results in a subsequent flood of messages like: Apr 29 21:48:12 hostname su: pam_systemd(su-l:session): Failed to connect to system bus: Connection refused 2. Add the following SELinux module: --------------------------------------- module inetd_dbus 1.0; require { type systemd_logind_t; type inetd_child_t; class dbus send_msg; } #============= systemd_logind_t ============== allow systemd_logind_t inetd_child_t:dbus send_msg; --------------------------------------- I wonder if the above SELinux module could become part of the main SELinux policy? If so, should I open a Bugzilla request for xinetd, dbus, or SELinux? -- Regards, Troels Arvin -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx