Bug 1209794

Summary: foreman-debug to skip USER_AVC SELinux audit "denials"
Product: Red Hat Satellite
Reporter: Pavel Moravec <pmoravec>
Component: Foreman Debug
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Corey Welton <cwelton>
Severity: medium
Priority: medium
Version: 6.1.0
CC: bbuckingham, cwelton, sthirugn
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
URL: http://projects.theforeman.org/issues/11560
Whiteboard: Verified in Upstream
Doc Type: Bug Fix
Last Closed: 2016-07-27 08:50:29 UTC
Type: Bug

Description Pavel Moravec 2015-04-08 08:41:26 UTC
Description of problem:
foreman-debug's check for SELinux denials wrongly reports USER_AVC records as well, like the example below. Those are logs of a policy load, not real denials. foreman-debug then wrongly reports "DENIALS: 12" to stdout.


Version-Release number of selected component (if applicable):
foreman-debug-1.7.2.15-1.el7sat.noarch


How reproducible:
100%


Steps to Reproduce:
1. e.g. on a freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates


Actual results:
foreman-debug output having:


 HOSTNAME: pmoravec-sat61.gsslab.brq.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.7.2
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.6.2
  DENIALS: 12


selinux_denials.log having 12 records like:
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
foreman-debug output to have "DENIALS: 0"
selinux_denials.log without the USER_AVC logs


Additional info:
/me not sure what all audit logs could be of USER_AVC type, or whether there could also be real denials among them. But the above logs are definitely not SELinux denials and should not be reported as such by foreman-debug.
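As an added illustration of the distinction this report draws (not code from foreman-debug or from the upstream fix), the Python below classifies audit records the way a denial check should: a record counts only when it actually carries an "avc: denied" message, so systemd's USER_AVC policy-load notice is skipped while a genuine userspace denial (D-Bus, which also arrives as USER_AVC) is still counted. The sample records, PIDs and SELinux contexts are constructed for the example.

```python
import re

# Constructed sample in ausearch-style layout (not taken from the bug report):
# a policy-load notice of type USER_AVC, a real kernel AVC denial, an unrelated
# PAM record, and a userspace (D-Bus) denial that also arrives as USER_AVC.
SAMPLE_AUDIT_LOG = """\
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428478300.100:1220): avc:  denied  { write } for  pid=2345 comm="ruby" name="production.log" dev="dm-0" ino=1234 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_END msg=audit(1445418059.465:10232): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1428478400.200:1230): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2400 tpid=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Every audit record starts with its type and the audit(<timestamp>:<serial>) stamp.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# A real denial, kernel or userspace, names the permissions, both contexts and the class.
DENIED_RE = re.compile(
    r"\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_record(line):
    """Split one audit line into type/ts/serial/body; None for 'time->' and separator lines."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def is_denial(record):
    """True only for records that carry an actual access-vector denial.

    Filtering on the type alone gets both directions wrong: USER_AVC carries
    systemd's policy-load notice (no denial) but also userspace object-manager
    denials (D-Bus, X), so the message body has to say 'denied'.
    """
    if record is None or record["type"] not in ("AVC", "USER_AVC"):
        return False
    return DENIED_RE.search(record["body"]) is not None


def summarize_denials(log_text):
    """Return (count, details) mirroring a 'DENIALS: N' summary line."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_denial(rec):
            detail = DENIED_RE.search(rec["body"]).groupdict()
            detail["perms"] = detail["perms"].split()
            detail["type"] = rec["type"]
            denials.append(detail)
    return len(denials), denials
```

Run against the sample, the policy-load notice and the PAM record drop out and the summary reports 2 denials (one kernel, one D-Bus), whereas a type-based match on "AVC" would have reported 3.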

Comment 2 Bryan Kearney 2015-08-25 18:48:55 UTC
Created redmine issue http://projects.theforeman.org/issues/11560 from this bug

Comment 3 Bryan Kearney 2015-08-25 18:54:05 UTC
Upstream bug component is Provisioning

Comment 4 Bryan Kearney 2015-08-26 18:02:17 UTC
Upstream bug component is Provisioning

Comment 5 Bryan Kearney 2015-08-26 18:29:00 UTC
Upstream bug component is Foreman Debug

Comment 6 Bryan Kearney 2015-08-27 20:03:38 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/11560 has been closed
-------------
Lukas Zapletal
Applied in changeset commit:ee2d45d090b81b00586fcccfcb524ea3bc272839.

Comment 7 Tazim Kolhar 2015-10-21 09:27:26 UTC
*** This bug is verified in upstream.  This fix should eventually land in future downstream builds ***

Version Tested:
# rpm -qa  | grep foreman
nec-em17.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.3-4.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-0.4.0-1.201510071112git33fd59b.el7.noarch
foreman-debug-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-release-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-postgresql-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-vmware-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-foreman_hooks-0.3.9-1.el7.noarch
tfm-rubygem-foreman-tasks-0.7.6-1.fm1_10.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.8-1.el7.noarch
tfm-rubygem-foreman_bootdisk-6.0.0-2.fm1_10.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-libvirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-ovirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-3.el7.noarch
tfm-rubygem-foreman_gutterball-0.0.1-3.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
tfm-rubygem-foreman_discovery-4.1.0-1.fm1_10.el7.noarch
tfm-rubygem-foreman_docker-1.4.1-2.fm1_10.el7.noarch
foreman-proxy-1.11.0-0.develop.201510120849git5f36f2e.el7.noarch
foreman-compute-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-gce-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch

steps:
1. e.g. on a freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates
# foreman-debug
Exporting tasks, this may take a few minutes.


 HOSTNAME: nec-em17.rhts.eng.bos.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.11.0-develop
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.8.3
  DENIALS: 0

selinux_denials.log without the USER_AVC logs
type=USER_END msg=audit(1445418059.465:10232): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418059.871:10233): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418059.872:10234): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1445418061.880:10235): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1445418061.880:10236): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1445418061.880:10237): pid=9482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1196 res=1
type=USER_START msg=audit(1445418061.888:10238): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1445418061.888:10239): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418061.908:10240): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418061.909:10241): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 8 Bryan Kearney 2015-11-13 19:03:15 UTC
Upstream bug assigned to lzap

Comment 12 errata-xmlrpc 2016-07-27 08:50:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500