Hi Lukas, ausearch shows only irrelevant logs from other processes but, apart from me playing around with runcon, nothing regarding smokeping: --%snip%-- ---- time->Wed Apr 24 11:43:39 2019 type=PROCTITLE msg=audit(1556099019.516:249260): proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006964 type=PATH msg=audit(1556099019.516:249260): item=0 name="/usr/bin/id" inode=7818 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp= 0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1556099019.516:249260): cwd="/root" type=SYSCALL msg=audit(1556099019.516:249260): arch=c000003e syscall=59 success=no exit=-13 a0=7ffd17daa993 a1=7ffd17daabd0 a2=7ffd17daabe0 a3=7ffd17daa4a0 items=1 ppid=26931 pid=132 01 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key =(null) type=AVC msg=audit(1556099019.516:249260): avc: denied { entrypoint } for pid=13201 comm="runcon" path="/usr/bin/id" dev="dm-1" ino=7818 scontext=unconfined_u:system_r:smokeping_t :s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 ---- time->Wed Apr 24 11:45:25 2019 type=PROCTITLE msg=audit(1556099125.154:249313): proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006C73002F7661722F6C69622F736D6F6B6570696E672F7272642F666 F6F type=PATH msg=audit(1556099125.154:249313): item=0 name="/usr/bin/ls" inode=7824 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp= 0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1556099125.154:249313): cwd="/root" type=SYSCALL msg=audit(1556099125.154:249313): arch=c000003e syscall=59 success=no exit=-13 a0=7ffc3f10e103 a1=7ffc3f10e340 a2=7ffc3f10e358 a3=7ffc3f10dc20 items=1 ppid=26931 pid=141 85 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key =(null) type=AVC msg=audit(1556099125.154:249313): avc: denied { entrypoint } for pid=14185 comm="runcon" path="/usr/bin/ls" dev="dm-1" ino=7824 scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 --%snip%-- Also I do not have any dontaudit rules for smokeping_t that would hide the log events in question. - Philippe _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx