Bug 1184398

Summary: plymouthd denials in audit.log
Product: Red Hat Enterprise Virtualization Manager Reporter: Ying Cui <ycui>
Component: ovirt-nodeAssignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED ERRATA QA Contact: Ying Cui <ycui>
Severity: high Docs Contact:
Priority: high    
Version: 3.6.0CC: cshao, fdeutsch, gklein, huiwa, leiwang, lsurette, yaniwang, ycui, ykaul
Target Milestone: ovirt-3.6.0-rc   
Target Release: 3.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-node-3.3.0-0.4.20150906git14a6024.el7ev Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-09 14:25:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1270177    
Bug Blocks:    
Attachments:
Description Flags
audit.log
none
varlog.tar.gz
none
sosreport none

Description Ying Cui 2015-01-21 10:04:15 UTC 
Description of problem:
After RHEVH installed, there are plymouthd denials in audit.log.

Version:
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch
and
# cat /etc/system-release
Red Hat Enterprise Virtualization Hypervisor release 7.0 (20150119.0.1.el7ev)
# rpm -q ovirt-node
ovirt-node-3.2.1-5.el7.noarch


How reproducible:
Always.

Steps to Reproduce:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H installed successful. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM
4. Upgrade RHEVH to itself via RHEVM
5. After upgrade, login rhevh, and F2 to shell

# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd
type=AVC msg=audit(1421813717.969:476): avc:  denied  { search } for  pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.969:477): avc:  denied  { search } for  pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:481): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:482): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:483): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:484): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:485): avc:  denied  { setattr } for pid=17150 comm="plymouthd" name="0" dev="devpts" ino=3 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_revpts_t:s0 tclass=chr_file
  
Actual results:
plymouthd AVC msgs in audit.log

Expected results:
No such avc denied errors in audit.log.
Comment 1 Ying Cui 2015-01-21 10:06:47 UTC 
Created attachment 982238 [details]
audit.log
Comment 2 Ying Cui 2015-01-21 10:07:15 UTC 
Created attachment 982239 [details]
varlog.tar.gz
Comment 3 Ying Cui 2015-01-21 10:08:40 UTC 
Created attachment 982240 [details]
sosreport
Comment 4 Ying Cui 2015-01-21 10:11:09 UTC 
Because it is related selinux and security, not sure whether we need to fix it on rhev 3.5.0 or rhev 3.5.0-1 or zstream.

# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.13.noarch
Comment 5 Fabian Deutsch 2015-01-21 10:36:03 UTC 
The denial is related to plymouth (and thus no functional effect on the core functionality), so I would not consider it for 3.5.0, but for a z-stream to address the denials.
Comment 6 Fabian Deutsch 2015-05-27 14:44:21 UTC 
No function impact, moving it out to 3.6.
Comment 8 Ying Cui 2015-10-12 06:25:03 UTC 
with the bug 1270177, we have to partial test this bug without upgrade.

Tested pass on the following steps on build:
# rpm -qa ovirt-node
ovirt-node-3.3.0-0.13.20151008git03eefb5.el7ev.noarch
# cat /etc/rhev-hypervisor-release 
Red Hat Enterprise Virtualization Hypervisor release 7.2 (20151009.0.el7ev)

1. TUI RHEV-H installed successful. selinux in enforcing mode as default.
2. Login to rhevh

# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd

no such avc denied in autit.log.

We need to check this bug as bug description steps after the bug 1270177 fix.
Comment 9 yileye 2015-10-28 04:10:45 UTC 
I have reproduced this bug via ycui‘ s steps in rhev-hypervisor7-7.0-20150114.0.

Test Version:
rhev-hypervisor7-7.2-20151025.0.el7ev
ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch

Test steps:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H 7-7.2-20151009.0 installed successful. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM 3.6.0-0.18.el6
4. Upgrade RHEVH to rhev-hypervisor7-7.2-20151025.0.el7ev via RHEVM
5. After upgrade, login rhevh, and F2 to shell
# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd

Test result:
no such avc denied in autit.log.

So this issue is fixed in ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch
now. Change the status to Verified.
Comment 10 Fabian Deutsch 2015-11-03 15:06:20 UTC 
Setting to VERIFIED according to comment 9
Comment 12 errata-xmlrpc 2016-03-09 14:25:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0378.html