1112173 – sshd_t / var_log_t denials in audit.log

Bug 1112173 - sshd_t / var_log_t denials in audit.log

Summary: sshd_t / var_log_t denials in audit.log

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-node
Sub Component:
Version:	3.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.5.0
Assignee:	Douglas Schilling Landgraf
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:	node
Depends On:
Blocks:	1123329 rhev3.5beta rhev35betablocker 1156165 rhev35rcblocker rhev35gablocker
TreeView+	depends on / blocked

Reported:	2014-06-23 09:33 UTC by Ying Cui
Modified:	2016-02-10 20:11 UTC (History)
CC List:	10 users (show)
Fixed In Version:	rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-11 20:59:16 UTC
oVirt Team:	Node
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
audit.log (2.98 MB, text/plain) 2014-09-29 09:13 UTC, cshao	no flags	Details
rhevh7-1006-audit.log (962.21 KB, text/plain) 2014-10-08 10:16 UTC, cshao	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2015:0160	normal	SHIPPED_LIVE	ovirt-node bug fix and enhancement update	2015-02-12 01:34:52 UTC
oVirt gerrit	30242	None	None	None	Never
oVirt gerrit	33412	None	None	None	Never
oVirt gerrit	33447	None	None	None	Never

Description Ying Cui 2014-06-23 09:33:37 UTC

Description of problem:
After RHEVH installed,there are AVC denied errors in audit.log.

Version:
Red Hat Enterprise Virtualization Hypervisor release 6.5 (20140618.0.el6ev)
ovirt-node-3.0.1-18.el6_5.10.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
Always.

Steps to Reproduce:
1.RHEV-H installed successful. selinux in enforcing mode as default.
2.Login to rhevh,

# grep "avc:  denied" /var/log/audit/audit.log  
type=AVC msg=audit(1403511143.852:28066): avc:  denied  { write } for  pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file


  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.


Additional info:

Comment 1 Douglas Schilling Landgraf 2014-07-29 21:53:30 UTC

Moving to POST, next rebase should resolve this report.

Comment 3 cshao 2014-09-28 06:57:03 UTC

Test version:
rhev-hypervisor7-7.0-20140926.0.iso
ovirt-node-3.1.0-0.17.20140925git29c3403.el7.noarch

This issue is still exist in rhev-hypervisor7-7.0-20140926.0.iso.
So change the status from ON_QA to Assigned.

Comment 4 Fabian Deutsch 2014-09-29 08:35:21 UTC

Chen, could you please attach /var/log/audit/audit.log

Comment 5 cshao 2014-09-29 09:13:57 UTC

Created attachment 942241 [details]
audit.log

Upload audit.log

Comment 6 Douglas Schilling Landgraf 2014-09-29 14:26:15 UTC

(In reply to shaochen from comment #5)
> Created attachment 942241 [details]
> audit.log
> 
> Upload audit.log

Hi shaochen,

Thanks for the audit.log
I do believe we got a different report here, would be nice for next time open a different bug.

I can see:
#1)
type=AVC msg=audit(1411981667.351:981): avc:  denied  { search } for  pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved: 
ovirt.te: sanlock_t auditd_log_t:dir
http://gerrit.ovirt.org/#/c/33447/

#2)
type=AVC msg=audit(1411981667.526:986): avc:  denied  { search } for  pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
selinux: More additional rules for el7
http://gerrit.ovirt.org/#/c/33412/

Comment 7 Fabian Deutsch 2014-09-29 14:31:43 UTC

Because of the nature of SELinux denials will always come up over time.

So, please to not re-open this bug or set it to FailedQA, but please open a new bug for each denial you are seeing, otherwise we'll never be able to close down this bug.

Comment 8 cshao 2014-09-30 03:29:16 UTC

Thank you for reminding, I will report new bug for different avc report next time.

Thanks!

Comment 9 cshao 2014-10-08 10:15:45 UTC

Test version:
rhev-hypervisor7-7.0-20141006.0.el7ev
ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch

Test steps:
1.RHEV-H installed successful. selinux in enforcing mode as default.
2.Login to rhevh,

# grep "avc:  denied" /var/log/audit/audit.log 
type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for  pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file


Still met sshd AVC denied errors in audit.log.
So change bug status to ASSIGNED.

Comment 10 cshao 2014-10-08 10:16:42 UTC

Created attachment 944924 [details]
rhevh7-1006-audit.log

Comment 11 Fabian Deutsch 2014-10-09 13:28:19 UTC

(In reply to shaochen from comment #9)
> Test version:
> rhev-hypervisor7-7.0-20141006.0.el7ev
> ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
> selinux-policy-3.12.1-153.el7_0.11.noarch
> 
> Test steps:
> 1.RHEV-H installed successful. selinux in enforcing mode as default.
> 2.Login to rhevh,
> 
> # grep "avc:  denied" /var/log/audit/audit.log 
> type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for 
> pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> 
> 
> Still met sshd AVC denied errors in audit.log.
> So change bug status to ASSIGNED.

This denial is covered in bug 1128065 and related to a different cause.

Comment 12 Ying Cui 2015-01-21 11:43:13 UTC

The bug description sshd_t/var_log_t denials did not exist on the following build.
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch

rhev-hypervisor6-6.6-20150114.0
ovirt-node-3.2.1-4.el6.noarch

for another denial on sshd, we already reported new bug 1184341 to trace detail.

Comment 14 errata-xmlrpc 2015-02-11 20:59:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html

Note You need to log in before you can comment on or make changes to this bug.