Description of problem:
After RHEV-H is installed, there are AVC denied errors in audit.log.

Version:
Red Hat Enterprise Virtualization Hypervisor release 6.5 (20140618.0.el6ev)
ovirt-node-3.0.1-18.el6_5.10.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
Always.

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux in enforcing mode by default.
2. Login to rhevh,
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1403511143.852:28066): avc: denied { write } for pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.

Additional info:
Moving to POST, next rebase should resolve this report.
Test version:
rhev-hypervisor7-7.0-20140926.0.iso
ovirt-node-3.1.0-0.17.20140925git29c3403.el7.noarch

This issue still exists in rhev-hypervisor7-7.0-20140926.0.iso. So change the status from ON_QA to Assigned.
Chen, could you please attach /var/log/audit/audit.log
Created attachment 942241 [details] audit.log Upload audit.log
(In reply to shaochen from comment #5)
> Created attachment 942241 [details]
> audit.log
>
> Upload audit.log

Hi shaochen,

Thanks for the audit.log. I do believe we got a different report here; it would be nice next time to open a different bug.

I can see:

#1)
type=AVC msg=audit(1411981667.351:981): avc: denied { search } for pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
ovirt.te: sanlock_t auditd_log_t:dir
http://gerrit.ovirt.org/#/c/33447/

#2)
type=AVC msg=audit(1411981667.526:986): avc: denied { search } for pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
selinux: More additional rules for el7
http://gerrit.ovirt.org/#/c/33412/
Because of the nature of SELinux, denials will always come up over time. So, please do not re-open this bug or set it to FailedQA, but please open a new bug for each denial you are seeing; otherwise we'll never be able to close down this bug.
Thank you for the reminder, I will report a new bug for each different avc report next time. Thanks!
Test version:
rhev-hypervisor7-7.0-20141006.0.el7ev
ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch

Test steps:
1. RHEV-H installed successfully. SELinux in enforcing mode by default.
2. Login to rhevh,

# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1412762736.026:1743): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1744): avc: denied { write } for pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1745): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file

Still met sshd AVC denied errors in audit.log. So change bug status to ASSIGNED.
Created attachment 944924 [details] rhevh7-1006-audit.log
(In reply to shaochen from comment #9)
> Test version:
> rhev-hypervisor7-7.0-20141006.0.el7ev
> ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
> selinux-policy-3.12.1-153.el7_0.11.noarch
>
> Test steps:
> 1. RHEV-H installed successfully. SELinux in enforcing mode by default.
> 2. Login to rhevh,
>
> # grep "avc: denied" /var/log/audit/audit.log
> type=AVC msg=audit(1412762736.026:1743): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1744): avc: denied { write } for pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1745): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
>
> Still met sshd AVC denied errors in audit.log.
> So change bug status to ASSIGNED.

This denial is covered in bug 1128065 and is related to a different cause.
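The triage rule from comment #7 (one bug per distinct denial), applied to the AVC records quoted in this thread. This is an added example, not code from the bug or from ovirt-node; it parses constructed copies of the lines above and keys each on (source type, target type, object class, permissions), so the original sshd_t/var_log_t write and the later sshd_t/auditd_log_t getattr land in different buckets, and the hex-encoded comm of the syslogd_t denial is decoded:

```python
import re
from collections import defaultdict

# Constructed sample: copies of the AVC records quoted in this bug thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1403511143.852:28066): avc: denied { write } for pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1411981667.351:981): avc: denied { search } for pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1411981667.526:986): avc: denied { search } for pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1412762736.026:1743): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1745): avc: denied { getattr } for pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
"""

# Fields of an AVC record that identify the policy gap; pid/ino/dev are noise for triage.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bcomm=(?P<comm>"[^"]*"|[0-9A-Fa-f]+)'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)'
)

def decode_comm(raw):
    """auditd hex-encodes comm when it contains spaces or quotes; undo that."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", errors="replace")

def type_of(context):
    """system_u:system_r:sshd_t:s0-s0:c0.c1023 -> sshd_t (third field of the label)."""
    return context.split(":")[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": decode_comm(m.group("comm")),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def group_denials(text):
    """Bucket lines by (source type, target type, class, perms); each key is one distinct denial."""
    groups = defaultdict(list)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"], d["perms"])].append(d["comm"])
    return dict(groups)
```

Each key in the result corresponds to one allow rule the policy lacks, which is the granularity at which comment #7 asks for bugs to be filed.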
The sshd_t/var_log_t denials from the bug description did not exist on the following builds:
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch
rhev-hypervisor6-6.6-20150114.0
ovirt-node-3.2.1-4.el6.noarch

For another denial on sshd, we already reported new bug 1184341 to track the details.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0160.html