Bug 1127284
| Field | Value |
|---|---|
| Summary | various SELinux AVCs when installing capsule |
| Product | Red Hat Satellite |
| Component | SELinux |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | unspecified |
| Version | 6.0.3 |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Jan Hutař <jhutar> |
| Assignee | Lukas Zapletal <lzap> |
| QA Contact | Kedar Bidarkar <kbidarka> |
| CC | bkearney, inecas, kbidarka, sthirugn |
| Keywords | Triaged |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-09-11 12:22:47 UTC |

Description
Jan Hutař
2014-08-06 14:18:27 UTC
With latest snap and build I don't see any problems, except the following harmless denial which is a file handler leak in puppet (we will mask this denial for Satellite 6.1):

```
time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
```

foreman-selinux-1.6.0.9-1.el6sat.noarch

Putting this to ON_QA. If this fails verification, please provide:

```
getenforce
semodule -l | grep foreman
ps axuwZ
ausearch -m AVC -m USER_AVC
foreman-selinux-relabel -nv
```

*** Bug 1111567 has been marked as a duplicate of this bug. ***

Tested with Sat6-GA-snap7 on RHEL7. No SELinux AVCs seen when installing capsule.

Installed Packages

```
candlepin-0.9.23-1.el7.noarch
candlepin-common-1.0.1-1.el7.noarch
candlepin-guice-3.0-2_redhat_1.el7.noarch
candlepin-scl-1-5.el7.noarch
candlepin-scl-quartz-2.1.5-6.el7.noarch
candlepin-scl-rhino-1.7R3-3.el7.noarch
candlepin-scl-runtime-1-5.el7.noarch
candlepin-selinux-0.9.23-1.el7.noarch
candlepin-tomcat-0.9.23-1.el7.noarch
elasticsearch-0.90.10-6.el7sat.noarch
katello-1.5.0-30.el7sat.noarch
katello-certs-tools-1.5.6-1.el7sat.noarch
katello-default-ca-1.0-1.noarch
katello-installer-0.0.64-1.el7sat.noarch
katello-server-ca-1.0-1.noarch
pulp-katello-0.3-4.el7sat.noarch
pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
pulp-server-2.4.1-0.5.rc1.el7sat.noarch
python-gofer-qpid-1.3.0-1.el7sat.noarch
python-isodate-0.5.0-1.pulp.el7sat.noarch
python-kombu-3.0.15-12.pulp.el7sat.noarch
python-pulp-bindings-2.4.1-0.5.rc1.el7sat.noarch
python-pulp-common-2.4.1-0.5.rc1.el7sat.noarch
python-pulp-puppet-common-2.4.1-0.5.rc1.el7sat.noarch
python-pulp-rpm-common-2.4.1-0.6.beta.el7sat.noarch
python-qpid-0.22-15.el7.noarch
python-qpid-qmf-0.22-37.el7.x86_64
qpid-cpp-client-0.22-42.el7.x86_64
qpid-cpp-server-0.22-42.el7.x86_64
qpid-cpp-server-linearstore-0.22-42.el7.x86_64
qpid-java-client-0.22-7.el7.noarch
qpid-java-common-0.22-7.el7.noarch
qpid-proton-c-0.7-2.el7.x86_64
qpid-qmf-0.22-37.el7.x86_64
qpid-tools-0.22-13.el7.noarch
ruby193-rubygem-katello-1.5.0-86.el7sat.noarch
rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
rubygem-smart_proxy_pulp-1.0.1-1.1.el7sat.noarch
```

```
[root@zzzz ~]# rpm -qav | grep -i selinux
selinux-policy-targeted-3.12.1-153.el7.noarch
pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
candlepin-selinux-0.9.23-1.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
foreman-selinux-1.6.0.14-1.el7sat.noarch
```

This was delivered with Satellite 6.0 which was released on 10 September 2014.
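
The denial quoted in this report sits in the same audit event as a successful `execve` of `load_policy`, which is how a file descriptor inherited from the parent process shows up in the audit log. As an added example (not code from this bug or from foreman-selinux), the triage helper below groups `ausearch`-style records by event id and separates that pattern from ordinary denials; the heuristic, the function names and the second sample event are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First event abridged from the comment quoted above; second event is constructed.
SAMPLE = """\
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 ppid=4708 pid=4725 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1409145400.100:180): arch=c000003e syscall=2 success=no exit=-13 pid=5000 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1409145400.100:180): avc: denied { read } for pid=5000 comm="httpd" name="example.conf" dev=vda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*)\}")
# Assumption: x86_64 records only (arch=c000003e), where syscall 59 is execve.
EXECVE = ("c000003e", "59")
FD_CLASSES = {"file", "fifo_file", "chr_file", "sock_file", "unix_stream_socket"}

def parse(text):
    """Group SYSCALL and denied-AVC records by audit event id."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # e.g. the "time->" separator lines ausearch prints
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "AVC" and "denied" in body:
            fields["perms"] = PERMS.search(body).group(1).split()
            events[event_id]["avcs"].append(fields)
    return events

def classify(text):
    """Return (event_id, comm, object, perms, verdict) for each denial."""
    rows = []
    for event_id, ev in parse(text).items():
        sc = ev["syscall"] or {}
        # A denial logged during a *successful* execve is a check on an inherited
        # descriptor: the exec went through, only the leaked fd was refused.
        in_exec = (sc.get("arch"), sc.get("syscall")) == EXECVE and sc.get("success") == "yes"
        for avc in ev["avcs"]:
            leak = in_exec and avc.get("tclass") in FD_CLASSES and "path" in avc
            rows.append((event_id, avc.get("comm"), avc.get("path") or avc.get("name"),
                         avc["perms"], "inherited-fd" if leak else "review"))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

Rows marked `inherited-fd` are candidates for a fix in the parent process or a `dontaudit` rule; rows marked `review` are denials where the operation itself was refused and need a look at the policy or the file labels.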