Bug 1230711

Summary: [SELinux] - AVC seen while running regression on RHSC managing RHEL7 nodes
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: RamaKasturi <knarra>
Component: rhsc
Assignee: Shubhendu Tripathi <shtripat>
Status: CLOSED ERRATA
QA Contact: RamaKasturi <knarra>
Severity: unspecified
Priority: urgent
Version: rhgs-3.1
CC: ltrilety, mmalik, nlevinki, pprakash, rhs-bugs, sabose, sgraf, vagarwal
Target Release: RHGS 3.1.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-29.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-07-29 05:33:11 UTC
Bug Blocks: 1202842

Description RamaKasturi 2015-06-11 12:37:34 UTC
Description of problem:
I have seen the following AVCs in /var/log/audit/audit.log when the regression is run.

Version-Release number of selected component (if applicable):
gluster-nagios-common-0.2.0-2.el7rhgs.noarch
nagios-plugins-1.4.16-11.el7rhgs.x86_64
gluster-nagios-addons-0.2.2-1.el7rhgs.x86_64
nagios-common-3.5.1-6.el7.x86_64
nagios-plugins-ide_smart-1.4.16-11.el7rhgs.x86_64
nagios-plugins-procs-1.4.16-11.el7rhgs.x86_64

rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-26.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-26.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64



Comment 2 RamaKasturi 2015-06-11 12:39:07 UTC
#============= NetworkManager_t ==============
allow NetworkManager_t device_t:sock_file write;

#============= audisp_t ==============
allow audisp_t device_t:sock_file write;

#============= auditd_t ==============
allow auditd_t device_t:sock_file write;

#============= dhcpc_t ==============
allow dhcpc_t device_t:sock_file write;

#============= glusterd_t ==============
allow glusterd_t device_t:sock_file write;

#============= groupadd_t ==============
allow groupadd_t device_t:sock_file write;

#============= iscsid_t ==============
allow iscsid_t device_t:sock_file write;

#============= nrpe_t ==============
allow nrpe_t device_t:sock_file write;
allow nrpe_t self:capability dac_override;

#============= policykit_t ==============
allow policykit_t device_t:sock_file write;

#============= postfix_master_t ==============
allow postfix_master_t device_t:sock_file write;

#============= postfix_pickup_t ==============
allow postfix_pickup_t device_t:sock_file write;

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t device_t:sock_file write;

#============= rhnsd_t ==============
allow rhnsd_t device_t:sock_file write;
allow rhnsd_t self:capability sys_tty_config;

#============= rpcbind_t ==============
allow rpcbind_t device_t:sock_file write;

#============= rpcd_t ==============
allow rpcd_t device_t:sock_file write;

#============= setsebool_t ==============
allow setsebool_t device_t:sock_file write;

#============= sshd_t ==============
allow sshd_t device_t:sock_file write;

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= system_dbusd_t ==============
allow system_dbusd_t device_t:sock_file write;

#============= useradd_t ==============
allow useradd_t device_t:sock_file write;

#============= wdmd_t ==============
allow wdmd_t device_t:sock_file write;
allow wdmd_t self:capability sys_tty_config;

Comment 3 RamaKasturi 2015-06-11 12:44:40 UTC
Attaching the audit logs from all the machines.


http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1230711/

Comment 4 Milos Malik 2015-06-11 14:52:01 UTC
The following command does not cure all AVCs, but the majority of them will not appear anymore:

# restorecon -v /dev/log

Comment 6 RamaKasturi 2015-06-12 07:03:03 UTC
Hi Milos,

  Can you explain to me why we need to do this manually? Does the SELinux policy not take care of it?

Thanks
kasturi.

Comment 7 Milos Malik 2015-06-12 07:13:56 UTC
Hi kasturi,

my advice from comment #4 is bad. I gave it before I had time to investigate the problem. Deeper analysis showed that the latest selinux-policy build introduced a regression. It's filed as BZ#1230932. The regression will be solved today by a new build of selinux-policy and manual changes won't be needed.

Comment 8 RamaKasturi 2015-06-12 07:27:15 UTC
Thanks milos for the update.

Comment 9 RamaKasturi 2015-06-15 06:56:17 UTC
Hi Milos,

   I am seeing some AVCs while I check the status of auditd in RHEL7.1. Can you please tell me if this is a known bug which is going to be fixed?

Jun 15 11:10:16 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:17 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:18 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:19 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:20 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:21 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:22 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:23 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:24 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Jun 15 11:10:25 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************...
Hint: Some lines were ellipsized, use -l to show in full.

Thanks
kasturi

Comment 10 Milos Malik 2015-06-15 07:37:13 UTC
Please install selinux-policy-3.13.1-27.el7. It fixes a regression introduced by selinux-policy-3.13.1-26.el7 (BZ#1230932). Majority of AVCs will not appear again.

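The audit2allow output in comment 2 and the restorecon / policy-regression explanation in comments 4, 7 and 10 together illustrate a triage rule worth automating: when many unrelated domains are all denied the same permission on the same object, and that object carries a generic type such as device_t, the problem is the object's label (here, a file-context regression in selinux-policy) and the fix is a relabel or a fixed policy build, not one new allow rule per domain. The Python script below is an added example written for this page; it is not code from the bug report, from selinux-policy or from audit2allow. It parses AVC records in audit.log format, renders the same one-rule-per-key grouping that audit2allow prints, and then flags groups that look like mislabelling rather than missing policy. The sample records are constructed to mirror the denials in comment 2 (they are not copied from the attached sosreports), the expected label devlog_t for /dev/log is taken from the RHEL 7 targeted policy file contexts, and the GENERIC_TYPES list and the min_domains threshold are assumptions chosen for this example.

```python
"""Triage SELinux AVC denials: group them like audit2allow, then flag groups
that point at a mislabelled object rather than a missing policy rule.
Added example for bug 1230711; not code from the bug, selinux-policy or audit2allow."""
import re
import sys
from collections import defaultdict

# Generic labels a well-known object should not carry; a denial against one of
# these usually means the object lost its specific label (assumed list).
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}

# Expected label for well-known objects, from the RHEL 7 targeted policy file
# contexts (assumption: extend with `matchpathcon <path>` output as needed).
EXPECTED_TYPE = {"/dev/log": "devlog_t"}

# Constructed records in audit.log format, modelled on the denials in comment 2.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1434027616.101:301): avc:  denied  { write } for  pid=901 comm="sedispatch" path="/dev/log" dev="devtmpfs" ino=1103 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1434027616.101:301): arch=c000003e syscall=42 success=no exit=-13 comm="sedispatch" exe="/usr/sbin/sedispatch" subj=system_u:system_r:audisp_t:s0 key=(null)
type=AVC msg=audit(1434027617.205:302): avc:  denied  { write } for  pid=1210 comm="glusterd" path="/dev/log" dev="devtmpfs" ino=1103 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434027618.330:303): avc:  denied  { write } for  pid=1402 comm="sshd" path="/dev/log" dev="devtmpfs" ino=1103 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434027619.002:304): avc:  denied  { write } for  pid=770 comm="NetworkManager" path="/dev/log" dev="devtmpfs" ino=1103 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434027620.417:305): avc:  denied  { dac_override } for  pid=1655 comm="check_disk" capability=1 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=capability
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial record, or None for any other record."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": frozenset(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],   # source domain type
        "ttype": fields["tcontext"].split(":")[2],   # target object type
        "tclass": fields["tclass"],
        # path= is present when the kernel knew the full path, name= otherwise
        "obj": fields.get("path") or fields.get("name"),
    }


def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def audit2allow_rules(records):
    """Render the one-rule-per-(source, target, class, perms) list that
    audit2allow prints, so both views can be compared side by side."""
    keys = {(r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records}
    rules = []
    for stype, ttype, tclass, perms in sorted(keys, key=lambda k: (k[0], k[1], k[2], sorted(k[3]))):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def classify(records, min_domains=3):
    """Split denials into 'relabel' (fix the object's label) and 'policy'
    (review as a genuinely missing rule).  Heuristic, an assumption for this
    example: an object whose known expected type differs from its actual type,
    or a generic-typed object hit by >= min_domains distinct domains, is a
    labelling problem; the audit2allow rules would only paper over it."""
    by_target = defaultdict(set)          # (ttype, tclass, obj) -> {stype, ...}
    for r in records:
        by_target[(r["ttype"], r["tclass"], r["obj"])].add(r["stype"])
    relabel, policy = [], []
    for (ttype, tclass, obj), domains in sorted(by_target.items(),
                                                key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or "")):
        expected = EXPECTED_TYPE.get(obj)
        item = {"object": obj, "tclass": tclass, "actual": ttype,
                "expected": expected, "domains": sorted(domains)}
        mislabelled = (expected is not None and expected != ttype) or \
                      (ttype in GENERIC_TYPES and len(domains) >= min_domains)
        (relabel if mislabelled else policy).append(item)
    return relabel, policy


def report(text):
    """Build the triage report as a list of lines."""
    records = parse_audit_log(text)
    relabel, policy = classify(records)
    out = ["# What audit2allow would propose:"] + audit2allow_rules(records)
    for it in relabel:
        out.append(f"# RELABEL {it['object']} ({it['tclass']}): is {it['actual']}, "
                   f"expected {it['expected'] or 'a specific type'}; {len(it['domains'])} domains "
                   f"denied -> restorecon -v {it['object']}, then check the policy's file contexts")
    for it in policy:
        out.append(f"# REVIEW {', '.join(it['domains'])} -> {it['actual']}:{it['tclass']} "
                   f"(no sign of mislabelling; decide on a boolean or a local module)")
    return out


if __name__ == "__main__":
    # Usage: python3 avc_triage.py /var/log/audit/audit.log  (no argument: run on the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print("\n".join(report(data)))
```

On a real host the useful follow-up to a RELABEL line is `matchpathcon -V /dev/log` (or `restorecon -nv /dev/log`) to confirm the policy's file context disagrees with the on-disk label before relabelling; if the policy itself has the wrong context, as in the -26.el7 regression here, restorecon will not help and the policy build has to be fixed.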
Comment 15 RamaKasturi 2015-07-15 18:45:34 UTC
Waiting on selinux build to verify this bug.

Comment 16 RamaKasturi 2015-07-20 10:21:06 UTC
Verified with build selinux-policy-targeted-3.13.1-23.el7_1.10.noarch and selinux-policy-3.13.1-23.el7_1.10.noarch.

Following are the booleans set on RHSC+Nagios Server and on RHS nodes.

RHSC+Nagios Server:(RHEL6.7)
============================
 getsebool -a | grep nagios
logging_syslogd_run_nagios_plugins --> off
nagios_run_sudo --> on

RHGS Nodes:(RHEL7)
=========================
logging_syslogd_run_nagios_plugins --> on
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on

No AVCs seen in audit.log

output from audit.log from both nodes:
=========================================

cat /var/log/audit/audit.log | audit2allow
Nothing to do

cat /var/log/audit/audit.log | audit2allow
Nothing to do

Comment 17 RamaKasturi 2015-07-20 13:15:26 UTC
I have run the regression and have put my results in comment 16. So clearing the needinfo on lubos.

Comment 18 errata-xmlrpc 2015-07-29 05:33:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-1494.html