Hi Lukas,

Managed to get AVC messages (via 'ausearch -m AVC,USER_AVC -ts 13:00:00' and sealert) after running in permissive mode. They don't show up when running in enforcing mode in both staff_u and unconfined_u contexts. I've attached them below, and thanks again:

----
time->Mon Dec 18 13:29:03 2017
type=USER_AVC msg=audit(1513596543.356:255916): pid=28357 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Dec 18 13:29:09 2017
type=PROCTITLE msg=audit(1513596549.118:255918): proctitle=7375646F002D69
type=PATH msg=audit(1513596549.118:255918): item=0 name="/var/lib/google-authenticator/chira" inode=7968602 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596549.118:255918): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596549.118:255918): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=55c7fa1703f0 a2=0 a3=0 items=1 ppid=5833 pid=5878 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596549.118:255918): avc: denied { open } for pid=5878 comm="sudo" path="/var/lib/google-authenticator/chira" dev="dm-1" ino=7968602 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596549.118:255918): avc: denied { read } for pid=5878 comm="sudo" name="chira" dev="dm-1" ino=7968602 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
----
time->Mon Dec 18 13:29:09 2017
type=PROCTITLE msg=audit(1513596549.119:255919): proctitle=7375646F002D69
type=SYSCALL msg=audit(1513596549.119:255919): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7ffd51788270 a2=7ffd51788270 a3=0 items=0 ppid=5833 pid=5878 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596549.119:255919): avc: denied { getattr } for pid=5878 comm="sudo" path="/var/lib/google-authenticator/chira" dev="dm-1" ino=7968602 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
----
time->Mon Dec 18 13:29:40 2017
type=PROCTITLE msg=audit(1513596580.903:256063): proctitle=7375646F002D69
type=PATH msg=audit(1513596580.903:256063): item=4 name="/var/lib/google-authenticator/chira" inode=7979347 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596580.903:256063): item=3 name="/var/lib/google-authenticator/chira" inode=7968602 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596580.903:256063): item=2 name="/var/lib/google-authenticator/chira~" inode=7979347 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596580.903:256063): item=1 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596580.903:256063): item=0 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596580.903:256063): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596580.903:256063): arch=c000003e syscall=82 success=yes exit=0 a0=55c7fa18d7c0 a1=55c7fa1703f0 a2=9c a3=100 items=5 ppid=5833 pid=5878 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key="delete"
type=AVC msg=audit(1513596580.903:256063): avc: denied { unlink } for pid=5878 comm="sudo" name="chira" dev="dm-1" ino=7968602 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.903:256063): avc: denied { rename } for pid=5878 comm="sudo" name="chira~" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.903:256063): avc: denied { remove_name } for pid=5878 comm="sudo" name="chira~" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
----
time->Mon Dec 18 13:29:40 2017
type=PROCTITLE msg=audit(1513596580.678:256062): proctitle=7375646F002D69
type=PATH msg=audit(1513596580.678:256062): item=1 name="/var/lib/google-authenticator/chira~" inode=7979347 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596580.678:256062): item=0 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596580.678:256062): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596580.678:256062): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=55c7fa18d7c0 a2=202c1 a3=100 items=2 ppid=5833 pid=5878 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596580.678:256062): avc: denied { write } for pid=5878 comm="sudo" path="/var/lib/google-authenticator/chira~" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.678:256062): avc: denied { create } for pid=5878 comm="sudo" name="chira~" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.678:256062): avc: denied { add_name } for pid=5878 comm="sudo" name="chira~" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1513596580.678:256062): avc: denied { write } for pid=5878 comm="sudo" name="google-authenticator" dev="dm-1" ino=7704905 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
----
time->Mon Dec 18 13:29:50 2017
type=PROCTITLE msg=audit(1513596590.104:256082): proctitle=7375646F002D69
type=PATH msg=audit(1513596590.104:256082): item=0 name="/var/lib/google-authenticator/chira" inode=7979347 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596590.104:256082): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596590.104:256082): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=55db60e0c3f0 a2=0 a3=0 items=1 ppid=5767 pid=5968 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts3 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596590.104:256082): avc: denied { open } for pid=5968 comm="sudo" path="/var/lib/google-authenticator/chira" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596590.104:256082): avc: denied { read } for pid=5968 comm="sudo" name="chira" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
----
time->Mon Dec 18 13:29:50 2017
type=PROCTITLE msg=audit(1513596590.105:256083): proctitle=7375646F002D69
type=SYSCALL msg=audit(1513596590.105:256083): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fffc0dfa310 a2=7fffc0dfa310 a3=0 items=0 ppid=5767 pid=5968 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts3 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596590.105:256083): avc: denied { getattr } for pid=5968 comm="sudo" path="/var/lib/google-authenticator/chira" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
----
time->Mon Dec 18 13:30:06 2017
type=PROCTITLE msg=audit(1513596606.992:256226): proctitle=7375646F002D69
type=PATH msg=audit(1513596606.992:256226): item=1 name="/var/lib/google-authenticator/chira~" inode=7979376 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596606.992:256226): item=0 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596606.992:256226): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596606.992:256226): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=55db60e298b0 a2=202c1 a3=100 items=2 ppid=5767 pid=5968 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts3 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1513596606.992:256226): avc: denied { write } for pid=5968 comm="sudo" path="/var/lib/google-authenticator/chira~" dev="dm-1" ino=7979376 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596606.992:256226): avc: denied { create } for pid=5968 comm="sudo" name="chira~" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596606.992:256226): avc: denied { add_name } for pid=5968 comm="sudo" name="chira~" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1513596606.992:256226): avc: denied { write } for pid=5968 comm="sudo" name="google-authenticator" dev="dm-1" ino=7704905 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
----
time->Mon Dec 18 13:30:07 2017
type=PROCTITLE msg=audit(1513596607.149:256227): proctitle=7375646F002D69
type=PATH msg=audit(1513596607.149:256227): item=4 name="/var/lib/google-authenticator/chira" inode=7979376 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596607.149:256227): item=3 name="/var/lib/google-authenticator/chira" inode=7979347 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596607.149:256227): item=2 name="/var/lib/google-authenticator/chira~" inode=7979376 dev=00:29 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596607.149:256227): item=1 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1513596607.149:256227): item=0 name="/var/lib/google-authenticator/" inode=7704905 dev=00:29 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_auth_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1513596607.149:256227): cwd="/etc/pam.d"
type=SYSCALL msg=audit(1513596607.149:256227): arch=c000003e syscall=82 success=yes exit=0 a0=55db60e298b0 a1=55db60e0c3f0 a2=a5 a3=100 items=5 ppid=5767 pid=5968 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts3 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key="delete"
type=AVC msg=audit(1513596607.149:256227): avc: denied { unlink } for pid=5968 comm="sudo" name="chira" dev="dm-1" ino=7979347 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596607.149:256227): avc: denied { rename } for pid=5968 comm="sudo" name="chira~" dev="dm-1" ino=7979376 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596607.149:256227): avc: denied { remove_name } for pid=5968 comm="sudo" name="chira~" dev="dm-1" ino=7979376 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
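
Added example, not part of the original message: a small Python script that folds AVC denial records like those in the post into one entry per (source type, target type, object class), with the set of permissions requested and whether every record carried permissive=1. The function names and the trimmed sample lines are choices made for this example; the sample lines are shortened copies of records from the post.

```python
import re
from collections import defaultdict

# Shortened copies of records from the post above (some fields dropped for width).
SAMPLE = """\
type=USER_AVC msg=audit(1513596543.356:255916): pid=28357 uid=81 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1513596549.118:255918): avc: denied { open } for pid=5878 comm="sudo" path="/var/lib/google-authenticator/chira" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596549.118:255918): avc: denied { read } for pid=5878 comm="sudo" name="chira" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.903:256063): avc: denied { unlink } for pid=5878 comm="sudo" name="chira" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513596580.903:256063): avc: denied { remove_name } for pid=5878 comm="sudo" name="chira~" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1513596580.678:256062): avc: denied { write } for pid=5878 comm="sudo" name="google-authenticator" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_auth_t:s0 tclass=dir permissive=1
"""

# Matches kernel AVC denials only; notices such as "received setenforce" do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def summarize(text):
    """Map (source type, target type, class) -> {'perms': set, 'permissive': bool}."""
    out = defaultdict(lambda: {'perms': set(), 'permissive': True})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (USER_AVC notice, SYSCALL, PATH, ...)
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        out[key]['perms'].update(m['perms'].split())
        # permissive=1: the access was logged but not blocked. A missing or
        # zero flag clears the "permissive only" marker for this entry.
        if m['permissive'] != '1':
            out[key]['permissive'] = False
    return dict(out)


if __name__ == '__main__':
    for (src, tgt, cls), info in sorted(summarize(SAMPLE).items()):
        mode = 'logged only (permissive)' if info['permissive'] else 'enforced or unknown'
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }} [{mode}]")
```

Feeding it the full ausearch output instead of SAMPLE gives the same kind of grouping that audit2allow performs before it proposes rules, which makes it easier to review what is actually being requested before any policy change.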