Bug 1305325

| Field | Value |
|---|---|
| Summary | AVC seen during ipa-server upgrade test execution |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Nikhil Dehadrai <ndehadra> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Stefan Kremen <skremen> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.2 |
| CC | lvrabec, mgrepl, mmalik, ndehadra, plautrba, pvrabec, skremen, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-80.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Cloned To | 1331450 (view as bug list) |
| Last Closed | 2016-11-04 02:42:12 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1331450 |
Created attachment 1121844 [details]
AVC Error -7.2.up2 upgrade testing
Created attachment 1121857 [details]
AVC Error -7.2.up2 upgrade testing (dirsrv_off)
Is it possible that AVCs appeared before the selinux-policy = 3.13.1-60.el7_2.3 was installed?
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-sandbox-3.13.1-60.el7_2.3.noarch
selinux-policy-devel-3.13.1-60.el7_2.3.noarch
selinux-policy-doc-3.13.1-60.el7_2.3.noarch
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-minimum-3.13.1-60.el7_2.3.noarch
selinux-policy-mls-3.13.1-60.el7_2.3.noarch
# sesearch -s systemd_logind_t -c dir -p mounton -A -C
Found 2 semantic av rules:
allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ;
allow systemd_logind_t user_tmp_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename mounton add_name remove_name reparent search rmdir open } ;
#
Let's wait for an explanation from the developers. Either the AVC has something to do with mount points or I don't know why it appeared.

We need to backport fixes from Fedora.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem:
AVC seen during ipa-server upgrade test execution.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server for ipa-upgrade test suite execution on beaker.
2. Make sure the latest repo links are set correctly for test execution.
3. Initiate automation for the ipa-upgrade test suite on beaker.

Actual results:
----
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 02/05/2016 07:04:47 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.yQZBCl 2>&1'
----
time->Fri Feb 5 07:07:46 2016
type=PATH msg=audit(1454674066.635:677): item=0 name="/run/user/0" inode=85673 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:677): cwd="/"
type=SYSCALL msg=audit(1454674066.635:677): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b63a0 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:677): avc: denied { mounton } for pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Fri Feb 5 07:07:46 2016
type=PATH msg=audit(1454674066.635:678): item=0 name="/run/user/0" inode=104499 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:678): cwd="/"
type=SYSCALL msg=audit(1454674066.635:678): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b2e70 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:678): avc: denied { mounton } for pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----

Expected results:
No AVC messages should be found.

Additional info:
1. This error was observed while performing automated upgrade testing from RHEL 7.0 > RHEL 7.2.z (up2).
2. Also refer to the attachment for more logs.
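As an added example (not part of the bug report), a small Python parser for the AVC records quoted above: it pulls out the audit timestamp, the denied permission set and the source/target types, then supports the two checks raised in the comments, whether a denial predates the install of the selinux-policy package (its epoch is what `rpm -q --qf '%{INSTALLTIME}\n' selinux-policy` prints) and which sesearch query shows whether the loaded policy allows the access. The sample records and the install-time values used in the test are constructed from this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Two AVC records, constructed from the audit output quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1454674066.635:677): avc: denied { mounton } for pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1454674066.635:677): arch=c000003e syscall=165 success=no exit=-13 comm="systemd-logind"
type=AVC msg=audit(1454674066.635:678): avc: denied { mounton } for pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""

# Header of a type=AVC record: audit timestamp, serial, denied permission set, then key=value fields.
HEADER_RE = re.compile(r'^type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc: +denied +\{ ([^}]*)\} for (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    epoch: int              # seconds part of the audit(...) timestamp
    serial: int             # audit event serial, shared with the PATH/SYSCALL records
    perms: List[str]        # permissions inside "denied { ... }"
    fields: Dict[str, str]  # comm, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # e.g. systemd_logind_t

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]  # e.g. user_tmp_t

def parse_avc_records(text: str) -> List[AvcDenial]:
    """Extract denials from ausearch output; PATH/CWD/SYSCALL records are skipped."""
    denials = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        epoch, serial, perms, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        denials.append(AvcDenial(int(epoch), int(serial), perms.split(), fields))
    return denials

def predates_policy(denial: AvcDenial, policy_install_epoch: int) -> bool:
    """True if the denial was logged before the selinux-policy package was installed."""
    return denial.epoch < policy_install_epoch

def sesearch_query(denial: AvcDenial) -> str:
    """The sesearch query that checks whether the loaded policy allows this access."""
    return (f"sesearch -s {denial.source_type} -t {denial.target_type} "
            f"-c {denial.fields['tclass']} -p {','.join(denial.perms)} -A")
```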