Bug 1112173

Summary: sshd_t / var_log_t denials in audit.log
Product: Red Hat Enterprise Virtualization Manager
Component: ovirt-node
Version: 3.4.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Ying Cui <ycui>
Assignee: Douglas Schilling Landgraf <dougsland>
QA Contact: Virtualization Bugs <virt-bugs>
CC: cshao, fdeutsch, gklein, gouyang, hadong, huiwa, iheim, leiwang, yaniwang, ycui
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: node
Fixed In Version: rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso
Doc Type: Bug Fix
Last Closed: 2015-02-11 20:59:16 UTC
Type: Bug
oVirt Team: Node
Bug Blocks: 1123329, 1142923, 1147536, 1156165, 1164308, 1164311
Attachments: audit.log, rhevh7-1006-audit.log

Description Ying Cui 2014-06-23 09:33:37 UTC
Description of problem:
After RHEVH is installed, there are AVC denied errors in audit.log.

Version:
Red Hat Enterprise Virtualization Hypervisor release 6.5 (20140618.0.el6ev)
ovirt-node-3.0.1-18.el6_5.10.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
Always.

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to RHEV-H:

# grep "avc:  denied" /var/log/audit/audit.log  
type=AVC msg=audit(1403511143.852:28066): avc:  denied  { write } for  pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file


  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.


Additional info:

Comment 1 Douglas Schilling Landgraf 2014-07-29 21:53:30 UTC
Moving to POST, next rebase should resolve this report.

Comment 3 cshao 2014-09-28 06:57:03 UTC
Test version:
rhev-hypervisor7-7.0-20140926.0.iso
ovirt-node-3.1.0-0.17.20140925git29c3403.el7.noarch

This issue still exists in rhev-hypervisor7-7.0-20140926.0.iso.
So I am changing the status from ON_QA to Assigned.

Comment 4 Fabian Deutsch 2014-09-29 08:35:21 UTC
Chen, could you please attach /var/log/audit/audit.log?

Comment 5 cshao 2014-09-29 09:13:57 UTC
Created attachment 942241
audit.log

Upload audit.log

Comment 6 Douglas Schilling Landgraf 2014-09-29 14:26:15 UTC
(In reply to shaochen from comment #5)
> Created attachment 942241
> audit.log
> 
> Upload audit.log

Hi shaochen,

Thanks for the audit.log
I do believe we got a different report here; it would be nice to open a different bug next time.

I can see:
#1)
type=AVC msg=audit(1411981667.351:981): avc:  denied  { search } for  pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved: 
ovirt.te: sanlock_t auditd_log_t:dir
http://gerrit.ovirt.org/#/c/33447/

#2)
type=AVC msg=audit(1411981667.526:986): avc:  denied  { search } for  pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
selinux: More additional rules for el7
http://gerrit.ovirt.org/#/c/33412/

Comment 7 Fabian Deutsch 2014-09-29 14:31:43 UTC
Because of the nature of SELinux, denials will always come up over time.

So, please do not re-open this bug or set it to FailedQA, but please open a new bug for each denial you are seeing, otherwise we'll never be able to close down this bug.

Comment 8 cshao 2014-09-30 03:29:16 UTC
Thank you for the reminder, I will report a new bug for a different AVC report next time.

Thanks!

Comment 9 cshao 2014-10-08 10:15:45 UTC
Test version:
rhev-hypervisor7-7.0-20141006.0.el7ev
ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch

Test steps:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to RHEV-H:

# grep "avc:  denied" /var/log/audit/audit.log 
type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for  pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file


I still met sshd AVC denied errors in audit.log.
So I am changing the bug status to ASSIGNED.

Comment 10 cshao 2014-10-08 10:16:42 UTC
Created attachment 944924
rhevh7-1006-audit.log

Comment 11 Fabian Deutsch 2014-10-09 13:28:19 UTC
(In reply to shaochen from comment #9)
> Test version:
> rhev-hypervisor7-7.0-20141006.0.el7ev
> ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
> selinux-policy-3.12.1-153.el7_0.11.noarch
> 
> Test steps:
> 1.RHEV-H installed successful. selinux in enforcing mode as default.
> 2.Login to rhevh,
> 
> # grep "avc:  denied" /var/log/audit/audit.log 
> type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for 
> pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> 
> 
> Still met sshd AVC denied errors in audit.log.
> So change bug status to ASSIGNED.

This denial is covered in bug 1128065 and is related to a different cause.

Comment 12 Ying Cui 2015-01-21 11:43:13 UTC
The sshd_t/var_log_t denials from the bug description did not exist on the following builds.
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch

rhev-hypervisor6-6.6-20150114.0
ovirt-node-3.2.1-4.el6.noarch

For another denial on sshd, we already reported new bug 1184341 to trace the details.

Comment 14 errata-xmlrpc 2015-02-11 20:59:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html