Bug 1104251

Summary: `hammer ping` generates a lot of SELinux AVCs
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Kedar Bidarkar <kbidarka>
Severity: medium
Priority: unspecified
Version: Nightly
CC: bbuckingham, bkearney, cwelton, jmontleo, kbidarka
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/5930
Doc Type: Bug Fix
Last Closed: 2014-09-11 12:18:39 UTC
Type: Bug

Description Jan Hutař 2014-06-03 15:55:08 UTC
Description of problem:
Command `hammer ping` generates a lot of SELinux AVCs


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140529.0


How reproducible:
sometimes


Steps to Reproduce:
1. # tail -f /var/log/audit/audit.log | grep -e AVC -e SYSCALL --color &
2. # hammer ping
type=AVC msg=audit(1401810620.485:4502): avc:  denied  { getattr } for  pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 a0=c84290 a1=7fffbcdf5f20 a2=7fffbcdf5f20 a3=8 items=0 ppid=14901 pid=19983 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { read open } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute_no_trans } for  pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 a0=7fff90befd53 a1=7fff90beef38 a2=11ad060 a3=ffffff00 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc:  denied  { ioctl } for  pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffd16d8df0 a3=4 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { read open } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute_no_trans } for  pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 a0=d26990 a1=d269f0 a2=d26a20 a3=10 items=0 ppid=19988 pid=19989 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
candlepin:      
    Status:          ok
    Server Response: Duration: 22ms
candlepin_auth: 
    Status:          ok
    Server Response: Duration: 36ms
pulp:           
    Status:          ok
    Server Response: Duration: 11ms
pulp_auth:      
    Status:          ok
    Server Response: Duration: 28ms
elasticsearch:  
    Status:          ok
    Server Response: Duration: 25ms
katello_jobs:   
    Status:          ok
    Server Response: Duration: 25ms


Actual results:
See above


Expected results:
No AVCs should be generated

Comment 2 Jan Hutař 2014-06-03 16:02:03 UTC
Output in comment #0 was from a system with SELinux in Enforcing. Adding output from a system with SELinux in Permissive as well:

# hammer ping; hammer ping
type=AVC msg=audit(1401811222.957:4874): avc:  denied  { getattr } for  pid=27187 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4874): arch=c000003e syscall=4 success=yes exit=0 a0=22e3290 a1=7fffe9996170 a2=7fffe9996170 a3=8 items=0 ppid=14901 pid=27187 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.957:4875): avc:  denied  { execute } for  pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc:  denied  { read open } for  pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc:  denied  { execute_no_trans } for  pid=27191 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4875): arch=c000003e syscall=59 success=yes exit=0 a0=7fff01f07d53 a1=7fff01f06218 a2=887060 a3=ffffff00 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.959:4876): avc:  denied  { ioctl } for  pid=27191 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.959:4876): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff7b037f80 a3=4 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.963:4877): avc:  denied  { execute } for  pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc:  denied  { read open } for  pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc:  denied  { execute_no_trans } for  pid=27193 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.963:4877): arch=c000003e syscall=59 success=yes exit=0 a0=f85990 a1=f859f0 a2=f85a20 a3=10 items=0 ppid=27192 pid=27193 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
candlepin:      
    Status:          ok
    Server Response: Duration: 32ms
candlepin_auth: 
    Status:          ok
    Server Response: Duration: 34ms
pulp:           
    Status:          ok
    Server Response: Duration: 19ms
pulp_auth:      
    Status:          ok
    Server Response: Duration: 23ms
elasticsearch:  
    Status:          ok
    Server Response: Duration: 43ms
katello_jobs:   
    Status:          ok
    Server Response: Duration: 67ms

type=AVC msg=audit(1401811229.804:4883): avc:  denied  { name_connect } for  pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401811229.804:4883): arch=c000003e syscall=42 success=no exit=-111 a0=11 a1=7fc6b857e690 a2=1c a3=ff00 items=0 ppid=1 pid=14925 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
candlepin:      
    Status:          ok
    Server Response: Duration: 54ms
candlepin_auth: 
    Status:          ok
    Server Response: Duration: 69ms
pulp:           
    Status:          ok
    Server Response: Duration: 31ms
pulp_auth:      
    Status:          ok
    Server Response: Duration: 42ms
elasticsearch:  
    Status:          ok
    Server Response: Duration: 21ms
katello_jobs:   
    Status:          ok
    Server Response: Duration: 134ms
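To triage denials like the ones in the description and in comment 2, here is an added Python example (it is not part of this bug report, nor Satellite, Foreman or audit2allow code) that parses the AVC and SYSCALL records, pairs them by audit serial, groups the denials by source domain, target type and object class, reports whether the matching syscall still succeeded, and prints candidate allow rules in TE syntax for reading. The sample records are copied from this report (events 4502, 4503, 4505 and 4883), with the SYSCALL lines abbreviated to the fields the parser reads; the function names are mine.

```python
import re
from collections import defaultdict

# Sample input: audit records copied from the bug report above (events 4502, 4503
# and 4505 from the description, 4883 from comment 2). SYSCALL records are
# abbreviated to the fields this parser reads; no new log data is invented.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1401810620.485:4502): avc:  denied  { getattr } for  pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 pid=19983 uid=497 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { read open } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute_no_trans } for  pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 pid=19987 uid=497 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 pid=19989 uid=497 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811229.804:4883): avc:  denied  { name_connect } for  pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401811229.804:4883): arch=c000003e syscall=42 success=no exit=-111 pid=14925 uid=497 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def type_of(context):
    """system_u:system_r:passenger_t:s0 -> passenger_t (the type/domain field)."""
    return context.split(":")[2]


def parse_audit(text):
    """Group records by audit serial so each AVC can be paired with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(int(m["serial"]), {"ts": float(m["ts"]), "avc": [], "syscall": None})
        if m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if a:
                rec = parse_fields(a["fields"])
                rec["decision"] = a["decision"]
                rec["perms"] = sorted(a["perms"].split())
                ev["avc"].append(rec)
        elif m["type"] == "SYSCALL":
            ev["syscall"] = parse_fields(m["body"])
    return events


def summarize(events):
    """Collapse denials onto (source domain, target type, class): the granularity of a TE rule."""
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "targets": set(), "outcomes": set()})
    for ev in events.values():
        syscall = ev["syscall"] or {}
        for a in ev["avc"]:
            if a["decision"] != "denied":
                continue
            s = summary[(type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])]
            s["count"] += 1
            s["perms"].update(a["perms"])
            s["comms"].add(a.get("comm", "?"))
            s["targets"].add(a.get("path") or a.get("name") or a.get("dest") or "?")
            # (success, exit) of the syscall that triggered the AVC, for enforcement checks.
            s["outcomes"].add((syscall.get("success", "?"), syscall.get("exit", "?")))
    return dict(summary)


def denial_enforced(outcomes):
    """success=yes on a *denied* AVC indicates the denial was not enforced (permissive
    mode, or a permissive domain). success=no with exit=-13 (EACCES) is the SELinux
    refusal; another errno (e.g. -111 ECONNREFUSED) comes from the operation itself."""
    if any(success == "yes" for success, _ in outcomes):
        return "not enforced (permissive mode or permissive domain)"
    if all(code == "-13" for _, code in outcomes):
        return "enforced"
    return "not enforced (syscall failed for another reason: errno " + ", ".join(sorted(code for _, code in outcomes)) + ")"


def candidate_rules(summary):
    """TE-syntax allow rules covering every denial, the shape audit2allow prints.
    They are for reading the gap in policy, not for loading as-is."""
    rules = []
    for (src, tgt, cls), s in sorted(summary.items()):
        perms = sorted(s["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    summ = summarize(parse_audit(SAMPLE_AUDIT))
    for key, s in sorted(summ.items()):
        print(key, s["count"], "denial(s) via", sorted(s["comms"]), "on", sorted(s["targets"]), "->", denial_enforced(s["outcomes"]))
    print("\n".join(candidate_rules(summ)))
```

Run against the records above it shows two distinct gaps, both from the `passenger_t` domain Foreman runs in: executing the `katello-jobs` init script (`initrc_exec_t`) and `/sbin/consoletype`, and a `name_connect` to port 9200, which carries only the generic `port_t` label. The exit codes are worth reading before touching policy: the ioctl `exit=-25` in event 4504 is ENOTTY (bash probing whether a descriptor is a terminal), and the `exit=-111` on the connect is ECONNREFUSED, so in the comment 2 capture the connection was refused by the peer rather than blocked by SELinux, which matches that capture being from a permissive system.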

Comment 3 Jan Hutař 2014-06-03 16:02:55 UTC
# rpm -qa | grep selinux | sort
candlepin-selinux-0.9.7-1.el6_5.noarch
foreman-selinux-1.6.0-3.el6sat.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
pulp-selinux-2.4.0-0.18.beta.el6sat.noarch
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

Comment 5 Bryan Kearney 2014-06-19 12:04:06 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/5930 has been closed

Comment 7 Kedar Bidarkar 2014-08-11 11:36:31 UTC
From a system in permissive mode, with sat6-GA-snap4 we get no AVC or SYSCALL denial messages.

[root@xxx ~]# hammer -u admin -p changeme -v organization add-subnet --id=1 --subnet-id=1
[root@xxx ~]# tail -f /var/log/audit/audit.log | grep -e AVC -e SYSCALL --color &
[1] 21922
[root@xxxx ~]# hammer ping
[Foreman] password for admin:
candlepin:
    Status:          ok
    Server Response: Duration: 35ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 42ms
pulp:
    Status:          ok
    Server Response: Duration: 192ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 21ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 101ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 38ms

Comment 8 Jan Hutař 2014-08-11 12:14:34 UTC
As per Kedar's idea, tested in Enforcing as well (Satellite-6.0.4-RHEL-6-20140806.0 + selinux-policy-targeted-3.7.19-231.el6.noarch) and no AVCs were observed.

Comment 9 Bryan Kearney 2014-09-11 12:18:39 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.