Bug 1282860
| Summary: | oddjobd stopped by SELinux policy with interaction with syslog | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Patt-Corner <robert.patt-corner> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.7 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, robert.patt-corner, ssekidde |
| Target Milestone: | rc | Flags: | robert.patt-corner: needinfo- |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-02 17:27:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Robert Patt-Corner
2015-11-17 16:22:52 UTC
Based on the rules recommended by audit2why / audit2allow, it seems that some files / directories on your machine are mislabeled. There shouldn't be any default_t labels. Could you find out which processes are running as initrc_t? Apparently, oddjobd wants to communicate via D-bus with one of those processes. Could you collect AVCs and attach them here? It will help us to resolve the problems you see.

Here you go (see below). On collecting AVCs, I'm not too familiar with SELinux, and a concrete suggestion or example might help me send what is needed. The processes below containing 'opscode' are various Chef processes...

```
[root@egt-labs-prod-mu-master ~]# ps axZ | grep initrc_t
system_u:system_r:initrc_t:s0 847 ? S 0:13 /opt/opscode/embedded/service/opscode-chef-mover/erts-5.10.4/bin/epmd -daemon
system_u:system_r:initrc_t:s0 2223 ? Ss 5:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
system_u:system_r:initrc_t:s0 2232 ? S 2:12 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3444 pts/0 S+ 0:00 grep initrc_t
system_u:system_r:initrc_t:s0 15160 ? Ss 0:11 /opt/opscode/embedded/service/bookshelf/lib/exec-1.0+build.149.refb3548d6/priv/x86_64-unknown-linux-gnu/exec-port -n
system_u:system_r:initrc_t:s0 15277 ? Ss 0:05 inet_gethost 4
system_u:system_r:initrc_t:s0 15305 ? S 0:02 inet_gethost 4
system_u:system_r:initrc_t:s0 15478 ? Ss 0:07 inet_gethost 4
system_u:system_r:initrc_t:s0 15479 ? S 0:02 inet_gethost 4
system_u:system_r:initrc_t:s0 15501 ? Ss 0:00 inet_gethost 4
system_u:system_r:initrc_t:s0 15504 ? S 0:00 inet_gethost 4
system_u:system_r:initrc_t:s0 15557 ? Ssl 0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0 15569 ? Ssl 0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0 15583 ? Ssl 0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0 15623 ? Ssl 0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0 15651 ? Ssl 0:05 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0 15699 ? Ss 0:00 inet_gethost 4
system_u:system_r:initrc_t:s0 15700 ? S 0:00 inet_gethost 4
unconfined_u:system_r:initrc_t:s0 20267 ? Ssl 26:41 /usr/lib/jvm/java/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/home/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8080 --httpListenAddress=0.0.0.0 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 --prefix=/jenkins
```

```
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
```

Hi, What is the state of this issue? Could you reproduce it and attach output from comment#4? Thank you.

Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information. Feel free to clone this bug to RHEL-7 if it is still a problem for you.
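
The `ps axZ | grep initrc_t` listing in this thread is easier to triage when grouped by executable, since each distinct program left in `initrc_t` is a service running without its own confined domain. The following is an added example, not part of the bug report or of any Red Hat tooling; the function names `domain_summary` and `sample_ps` are hypothetical, and the sample input is constructed from a shortened version of the listing above.

```shell
#!/bin/sh
# Summarise which executables run in a given SELinux domain.
# Reads `ps axZ`-style lines on stdin; columns assumed:
#   LABEL PID TTY STAT TIME COMMAND [ARGS...]

domain_summary() {
    # $1 = SELinux type to report on, e.g. initrc_t
    awk -v want="$1" '
        {
            # LABEL is user:role:type:level[:categories]; type is field 3.
            # Header lines and malformed labels have fewer parts and are skipped.
            n = split($1, ctx, ":")
            if (n < 4 || ctx[3] != want) next
            exe = $6
            count[exe]++
            pids[exe] = pids[exe] (pids[exe] == "" ? "" : ",") $2
        }
        END {
            for (exe in count)
                printf "%d %s pids=%s\n", count[exe], exe, pids[exe]
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input, shortened from the listing in the report.
sample_ps() {
    cat <<'EOF'
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:initrc_t:s0 2223 ? Ss 5:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
system_u:system_r:initrc_t:s0 2232 ? S 2:12 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3444 pts/0 S+ 0:00 grep initrc_t
system_u:system_r:initrc_t:s0 15277 ? Ss 0:05 inet_gethost 4
system_u:system_r:initrc_t:s0 15305 ? S 0:02 inet_gethost 4
system_u:system_r:initrc_t:s0 15478 ? Ss 0:07 inet_gethost 4
unconfined_u:system_r:initrc_t:s0 20267 ? Ssl 26:41 /usr/lib/jvm/java/bin/java -jar /usr/lib/jenkins/jenkins.war
EOF
}

# On a live system: ps axZ | domain_summary initrc_t
sample_ps | domain_summary initrc_t
```

Because the filter matches on the type field of the label rather than on the whole line, the `grep initrc_t` process itself (running as `unconfined_t`) does not appear in the result.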