Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1160657

Summary: AVC denial is seen when creating jbosseap/jbossews app
Product: OpenShift Container Platform
Reporter: Gaoyun Pei <gpei>
Component: Containers
Assignee: Brenton Leanhardt <bleanhar>
Status: CLOSED DUPLICATE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: medium
Version: 2.2.0
CC: jokerman, jpazdziora, libra-onpremise-devel, mmccomas
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-03-23 14:08:25 UTC
Type: Bug

Description Gaoyun Pei 2014-11-05 10:38:12 UTC
Description of problem:
When creating a jbosseap or jbossews app, AVC denied messages can be seen in /var/log/audit/audit.log.


Version-Release number of selected component (if applicable):
puddle 2.2/2014-11-04.3

ruby193-ruby-selinux-2.0.94-3.el6op.x86_64
rubygem-openshift-origin-container-selinux-0.10.1.0-1.el6op.noarch
selinux-policy-3.7.19-260.el6.noarch
selinux-policy-mls-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch

openshift-origin-node-util-1.30.3.2-1.el6op.noarch
ruby193-rubygem-systemu-2.5.2-2.el6op.noarch


How reproducible:
Always


Steps to Reproduce:
1. Create a jbosseap/jbossews app and monitor /var/log/audit/audit.log


Actual results:
...
type=AVC msg=audit(1415183595.288:4563): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.288:4564): avc:  denied  { read } for  pid=7991 comm="java" name="ipv6_route" dev=proc ino=4026532159 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.289:4565): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


Expected results:
There should be no AVC denials.

Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2015-03-23 09:38:04 UTC
For the record, I can see this with OSE 2.1 (no 2.2) as well.

Comment 3 Brenton Leanhardt 2015-03-23 12:54:24 UTC
I'm going to mark this as a duplicate of Bug 1198780. Even though this one was created first, the other is customer facing and we're working to have some resolution. Ultimately the fix may need to be done in the JVM.

Comment 4 Brenton Leanhardt 2015-03-23 14:08:25 UTC

*** This bug has been marked as a duplicate of bug 1198780 ***
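
For triage, the three records under "Actual results" collapse to two distinct denials from the same process. The Python below is an added example, not part of the original bug report or of any OpenShift or SELinux tooling; the function names parse_avc and summarize are hypothetical, and the sample input is copied from the description above.

```python
import re
from collections import Counter

# The three AVC records quoted in the bug description above.
SAMPLE = """\
type=AVC msg=audit(1415183595.288:4563): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.288:4564): avc:  denied  { read } for  pid=7991 comm="java" name="ipv6_route" dev=proc ino=4026532159 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.289:4565): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "perms": tuple(m["perms"].split())}
    # Remaining key=value pairs; values may be double-quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the MLS/MCS level itself contains ':'.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = parts[2] if len(parts) > 2 else ""
        rec[side + "_level"] = parts[3] if len(parts) > 3 else ""
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, perms, name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec.get("comm"), rec["scontext_type"], rec["tcontext_type"],
                    rec.get("tclass"), rec["perms"], rec.get("name"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```
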