Bug 1112173

| Summary: | sshd_t / var_log_t denials in audit.log |
|---|---|
| Product: | Red Hat Enterprise Virtualization Manager |
| Component: | ovirt-node |
| Version: | 3.4.0 |
| Status: | CLOSED ERRATA |
| Severity: | high |
| Priority: | high |
| Reporter: | Ying Cui <ycui> |
| Assignee: | Douglas Schilling Landgraf <dougsland> |
| QA Contact: | Virtualization Bugs <virt-bugs> |
| CC: | cshao, fdeutsch, gklein, gouyang, hadong, huiwa, iheim, leiwang, yaniwang, ycui |
| Target Milestone: | --- |
| Target Release: | 3.5.0 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | node |
| Fixed In Version: | rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Last Closed: | 2015-02-11 20:59:16 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | Node |
| Cloudforms Team: | --- |
| Bug Blocks: | 1123329, 1142923, 1147536, 1156165, 1164308, 1164311 |

Description
Ying Cui
2014-06-23 09:33:37 UTC
Moving to POST, next rebase should resolve this report.

Test version:
rhev-hypervisor7-7.0-20140926.0.iso
ovirt-node-3.1.0-0.17.20140925git29c3403.el7.noarch

This issue still exists in rhev-hypervisor7-7.0-20140926.0.iso.
So change the status from ON_QA to Assigned.

Chen, could you please attach /var/log/audit/audit.log?

Created attachment 942241 [details]
audit.log
Upload audit.log

(In reply to shaochen from comment #5)
> Created attachment 942241 [details]
> audit.log
>
> Upload audit.log

Hi shaochen,

Thanks for the audit.log. I do believe we got a different report here; it would be nice to open a different bug next time.

I can see:

#1)

    type=AVC msg=audit(1411981667.351:981): avc: denied { search } for pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
ovirt.te: sanlock_t auditd_log_t:dir
http://gerrit.ovirt.org/#/c/33447/

#2)

    type=AVC msg=audit(1411981667.526:986): avc: denied { search } for pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
selinux: More additional rules for el7
http://gerrit.ovirt.org/#/c/33412/

Because of the nature of SELinux, denials will always come up over time. So, please do not re-open this bug or set it to FailedQA, but please open a new bug for each denial you are seeing, otherwise we'll never be able to close down this bug.

Thank you for the reminder, I will report a new bug for a different AVC report next time. Thanks!

Test version:
rhev-hypervisor7-7.0-20141006.0.el7ev
ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch

Test steps:
1. RHEV-H installed successfully. SELinux in enforcing mode as default.
2. Log in to rhevh,

    # grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1412762736.026:1743): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
    type=AVC msg=audit(1412762736.026:1744): avc: denied { write } for pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
    type=AVC msg=audit(1412762736.026:1745): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file

Still met sshd AVC denied errors in audit.log.
So change bug status to ASSIGNED.

Created attachment 944924 [details]
rhevh7-1006-audit.log

(In reply to shaochen from comment #9)
> Test version:
> rhev-hypervisor7-7.0-20141006.0.el7ev
> ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
> selinux-policy-3.12.1-153.el7_0.11.noarch
>
> Test steps:
> 1. RHEV-H installed successfully. SELinux in enforcing mode as default.
> 2. Log in to rhevh,
>
> # grep "avc: denied" /var/log/audit/audit.log
> type=AVC msg=audit(1412762736.026:1743): avc: denied { getattr } for
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1744): avc: denied { write } for
> pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1745): avc: denied { getattr } for
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
>
>
> Still met sshd AVC denied errors in audit.log.
> So change bug status to ASSIGNED.

This denial is covered in bug 1128065 and related to a different cause.

The bug description sshd_t/var_log_t denials did not exist on the following build.
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch
rhev-hypervisor6-6.6-20150114.0
ovirt-node-3.2.1-4.el6.noarch

For another denial on sshd, we already reported new bug 1184341 to trace detail.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html