Bug 1104251
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | `hammer ping` generates lot of SELinux AVCs | | |
| Product | Red Hat Satellite | Reporter | Jan Hutař <jhutar> |
| Component | SELinux | Assignee | Lukas Zapletal <lzap> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Kedar Bidarkar <kbidarka> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | Nightly | CC | bbuckingham, bkearney, cwelton, jmontleo, kbidarka |
| Target Milestone | Unspecified | Keywords | Triaged |
| Target Release | Unused | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| URL | http://projects.theforeman.org/issues/5930 | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-09-11 12:18:39 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Jan Hutař, 2014-06-03 15:55:08 UTC)
Output in comment #0 was from a system with SELinux in Enforcing. Adding output from a system with SELinux in Permissive as well:

```
# hammer ping; hammer ping
type=AVC msg=audit(1401811222.957:4874): avc: denied { getattr } for pid=27187 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4874): arch=c000003e syscall=4 success=yes exit=0 a0=22e3290 a1=7fffe9996170 a2=7fffe9996170 a3=8 items=0 ppid=14901 pid=27187 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.957:4875): avc: denied { execute } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc: denied { read open } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc: denied { execute_no_trans } for pid=27191 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4875): arch=c000003e syscall=59 success=yes exit=0 a0=7fff01f07d53 a1=7fff01f06218 a2=887060 a3=ffffff00 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.959:4876): avc: denied { ioctl } for pid=27191 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.959:4876): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff7b037f80 a3=4 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.963:4877): avc: denied { execute } for pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc: denied { read open } for pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc: denied { execute_no_trans } for pid=27193 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.963:4877): arch=c000003e syscall=59 success=yes exit=0 a0=f85990 a1=f859f0 a2=f85a20 a3=10 items=0 ppid=27192 pid=27193 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
candlepin:
    Status:          ok
    Server Response: Duration: 32ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 34ms
pulp:
    Status:          ok
    Server Response: Duration: 19ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 23ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 43ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 67ms
type=AVC msg=audit(1401811229.804:4883): avc: denied { name_connect } for pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401811229.804:4883): arch=c000003e syscall=42 success=no exit=-111 a0=11 a1=7fc6b857e690 a2=1c a3=ff00 items=0 ppid=1 pid=14925 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
candlepin:
    Status:          ok
    Server Response: Duration: 54ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 69ms
pulp:
    Status:          ok
    Server Response: Duration: 31ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 42ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 21ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 134ms

# rpm -qa | grep selinux | sort
candlepin-selinux-0.9.7-1.el6_5.noarch
foreman-selinux-1.6.0-3.el6sat.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
pulp-selinux-2.4.0-0.18.beta.el6sat.noarch
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
```

Moving to POST since upstream bug http://projects.theforeman.org/issues/5930 has been closed.

From a system in permissive mode, with sat6-GA-snap4 we get no AVC or SYSCALL denial messages.

```
[root@xxx ~]# hammer -u admin -p changeme -v organization add-subnet --id=1 --subnet-id=1
[root@xxx ~]# tail -f /var/log/audit/audit.log | grep -e AVC -e SYSCALL --color &
[1] 21922
[root@xxxx ~]# hammer ping
[Foreman] password for admin:
candlepin:
    Status:          ok
    Server Response: Duration: 35ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 42ms
pulp:
    Status:          ok
    Server Response: Duration: 192ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 21ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 101ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 38ms
```

As per Kedar's idea, tested in Enforcing as well (Satellite-6.0.4-RHEL-6-20140806.0 + selinux-policy-targeted-3.7.19-231.el6.noarch) and no AVCs observed.

This was delivered with Satellite 6.0, which was released on 10 September 2014.
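A quick way to triage a burst of denials like the ones in the report is to collapse them by source type, target type and object class before deciding whether a policy rule, a relabel or a boolean is the right fix. The Python below is an added example, not code from this bug or from the foreman-selinux project; its input is a handful of AVC records copied from the report (the SYSCALL record is shortened), and the grouping key and helper names are my own choices.

```python
import re
from collections import defaultdict

# Audit records taken from the bug report above: the init-script access,
# the consoletype exec and the connect to port 9200. SYSCALL line shortened.
AUDIT_LOG = """\
type=AVC msg=audit(1401811222.957:4874): avc: denied { getattr } for pid=27187 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4874): arch=c000003e syscall=4 success=yes exit=0 comm="service" exe="/bin/bash"
type=AVC msg=audit(1401811222.957:4875): avc: denied { execute } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc: denied { read open } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc: denied { execute_no_trans } for pid=27193 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811229.804:4883): avc: denied { name_connect } for pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Only AVC denial records carry the permission set in braces; SYSCALL records do not.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied '
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    return rec


def summarize(log):
    """Map (source type, target type, class) to the sorted union of denied permissions."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            src = rec['scontext'].split(':')[2]   # e.g. passenger_t
            tgt = rec['tcontext'].split(':')[2]   # e.g. initrc_exec_t
            groups[(src, tgt, rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(AUDIT_LOG).items()):
        print(f"{src} -> {tgt}:{cls}  {' '.join(perms)}")
```

The three resulting groups match the three distinct targets in the report: the init script, /sbin/consoletype, and the unlabelled TCP port 9200.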