Bug 1295680

Summary: [SELinux] Occasionally observing AVC's denied while running geo-rep automation
Product: Red Hat Enterprise Linux 7
Reporter: Rahul Hinduja <rhinduja>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: high
Version: 7.2
CC: ksrot, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pprakash, pvrabec, rcyriac, rhinduja, snagar, ssekidde
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-71.el7
Doc Type: Bug Fix
Doc Text:
Previously, AVC denial messages were observed while running Red Hat Gluster Storage (RHGS) Geo-replication. "dontaudit" rules for Geo-replication have been added, and the AVC denial messages no longer appear.
Story Points: ---
Clone Of:
: 1372182
Last Closed: 2016-11-04 02:39:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1372182

Description Rahul Hinduja 2016-01-05 08:39:48 UTC
Description of problem:
=======================

Upon completion of the geo-replication gluster storage run, observed the following AVCs:

type=AVC msg=audit(1451965501.485:873): avc:  denied  { getattr } for  pid=28188 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1451965501.485:874): avc:  denied  { getattr } for  pid=28188 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1451965501.485:875): avc:  denied  { getattr } for  pid=28188 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Though the automation runs passed and no functionality loss was observed.

[root@dhcp46-96 ~]# ls -Z /dev/tty1
crw--w----. root tty system_u:object_r:tty_device_t:s0 /dev/tty1
[root@dhcp46-96 ~]# 


Version-Release number of selected component (if applicable):
=============================================================

[root@dhcp46-96 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-60.el7.noarch
selinux-policy-3.13.1-60.el7.noarch
[root@dhcp46-96 ~]# 


Gluster Version:
================

glusterfs-3.7.5-13.el7rhgs.x86_64


How reproducible:
=================

Ran the same automation more than 5 times and observed this twice. Tried running the same scripts manually and didn't observe these AVCs.

Comment 2 Milos Malik 2016-01-05 10:12:29 UTC
Does your scenario produce other AVCs in permissive mode?

Comment 3 Rahul Hinduja 2016-01-07 11:06:21 UTC
Tried the same scenarios a couple of times in permissive mode. The only AVCs observed are:

[root@localhost scripts]# grep -i "avc" /var/log/audit/audit.log 
type=USER_AVC msg=audit(1452083477.867:38800): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=46)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1452148794.569:40973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=47)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[root@localhost scripts]# 

[root@localhost scripts]# getenforce 
Permissive
[root@localhost scripts]# 


As mentioned in the description, the AVCs related to getattr for comm="ps" and path="/dev/tty1" were only observed twice in multiple tries of the automation run.

I will keep checking for AVCs in my regression run and will update if I happen to see them again.

Comment 4 Miroslav Grepl 2016-01-11 08:42:22 UTC
Did your tests work correctly?

Comment 5 Rahul Hinduja 2016-02-10 15:11:52 UTC
(In reply to Miroslav Grepl from comment #4)
> Did your tests work correctly?

Hi Miroslav,

Since last month the same cases have been run multiple times (4+), but this issue was only observed with today's run:

[root@dhcp37-206 ~]# grep -i "avc" /var/log/audit/audit.log 
type=USER_AVC msg=audit(1455088627.000:95342): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=17)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1455089581.718:95479): avc:  denied  { getattr } for  pid=28794 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1455089581.718:95480): avc:  denied  { getattr } for  pid=28794 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1455089581.718:95481): avc:  denied  { getattr } for  pid=28794 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
[root@dhcp37-206 ~]# 
[root@dhcp37-206 ~]# 
[root@dhcp37-206 ~]#  rpm -qa | grep selinux-policy 
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
[root@dhcp37-206 ~]# 
[root@dhcp37-206 ~]# getenforce 
Enforcing
[root@dhcp37-206 ~]# 

All my 34 tests passed.

Comment 6 Rahul Hinduja 2016-02-12 11:18:25 UTC
Another AVC observed for the 2nd time in multiple runs of automation. This AVC is observed on 2 nodes of a 6-node cluster.

[root@dhcp37-177 scripts]# grep -i "avc" /var/log/audit/audit.log 
type=USER_AVC msg=audit(1455194761.044:841): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1455198364.732:1356): avc:  denied  { read } for  pid=16732 comm="ldconfig" path="/var/lib/glusterd/geo-replication/master_10.70.37.52_slave" dev="dm-0" ino=149858 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1455198364.737:1357): avc:  denied  { read } for  pid=16734 comm="ldconfig" path="/var/lib/glusterd/geo-replication/master_10.70.37.52_slave" dev="dm-0" ino=149858 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir

Systems are cleaned as part of cleanup:

[root@dhcp37-177 glusterfs]# cat /var/log/audit/audit.log | audit2allow 


#============= ldconfig_t ==============
allow ldconfig_t glusterd_var_lib_t:dir read;
[root@dhcp37-177 glusterfs]# 

None of the automation cases failed and all files synced to the slave, and all the files are accessible from the client.
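As an added example (not part of this bug report or of the selinux-policy project), a small Python triage script that parses kernel AVC records like the ones quoted above, ignores USER_AVC policy-load notices, and collapses the denials into the same source type / target type / class grouping audit2allow uses, so each group can be reviewed as a candidate allow or dontaudit rule; the sample records are copied from the comments in this bug.

```python
import re
from collections import defaultdict

# Kernel AVC record, as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Sample records copied from this bug; the USER_AVC line is a policy-load notice, not a denial.
SAMPLE_LOG = [
    'type=USER_AVC msg=audit(1455194761.044:841): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'',
    'type=AVC msg=audit(1455089581.718:95479): avc:  denied  { getattr } for  pid=28794 comm="ps" path="/dev/tty1" dev="devtmpfs" ino=1043 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1455198364.732:1356): avc:  denied  { read } for  pid=16732 comm="ldconfig" path="/var/lib/glusterd/geo-replication/master_10.70.37.52_slave" dev="dm-0" ino=149858 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir',
]

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec

def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]

def summarize(lines):
    """Collapse denials into (source type, target type, class) -> sorted perms, as audit2allow groups them."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
            rules[key].update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}

def render(rules, verb='allow'):
    """Render as policy statements; verb='dontaudit' silences known-benign noise
    instead of granting access (the approach the fix for this bug took)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'{verb} {src} {tgt}:{cls} {p};')
    return out
```

Reviewing the grouped summary before choosing between allow and dontaudit is the point: a dontaudit rule hides a denial that causes no functional loss, while an allow rule widens what the source domain may do.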

Comment 20 errata-xmlrpc 2016-11-04 02:39:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html