| Summary: | AVC denials on QCI Sat6 system | | |
|---|---|---|---|
| Product: | Red Hat Quickstart Cloud Installer | Reporter: | Thom Carlin <tcarlin> |
| Component: | Installation - Satellite | Assignee: | John Matthews <jmatthew> |
| Status: | NEW --- | QA Contact: | Sudhir Mallamprabhakara <smallamp> |
| Severity: | medium | Docs Contact: | Dan Macpherson <dmacpher> |
| Priority: | unspecified | | |
| Version: | 1.0 | CC: | bthurber, jmatthew, jmontleo, qci-bugzillas, stbenjam, tcarlin |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1212602 | | |
Thom can you please retest with a current compose? I'd like to ensure this hasn't been fixed before cloning it for the Satellite team to resolve. For QCI 1.2:
type=AVC msg=audit(1468254134.028:345): avc: denied { create } for pid=8706 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
and
restorecon reset /var/lib/candlepin/hornetq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/server.lock context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-1.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-2.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-1.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-2.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/largemsgs context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /usr/share/foreman/config/hooks context system_u:object_r:bin_t:s0->system_u:object_r:foreman_hook_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/nokogiri context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/native context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerLoggingAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerWatchdog context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/SpawnPreparer context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/var/log/passenger-analytics context system_u:object_r:usr_t:s0->system_u:object_r:passenger_log_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run/rubygem-passenger context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /dev/shm/pulse-shm-<<number>> context system_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
restorecon reset /sys/fs/cgroup context system_u:object_r:tmpfs_t:s0->system_u:object_r:cgroup_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'
restorecon reset /etc/foreman context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/database.yml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/email.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/foreman-debug.conf context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/logging.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/foreman-tasks.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/fusor.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/settings.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/encryption_key.rb context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_cert.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_key.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/proxy_ca.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /root/.pki context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0
restorecon reset /root/.pki/nssdb context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0
There are some obvious exceptions, but most of this looks like it's related to stuff packaged as part of Satellite or created as a result of running foreman-installer. Satellite doesn't have any process that reads candlepin.log, this is coming from Fusor:

./server/app/controllers/fusor/api/v21/deployments_controller.rb: when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb: when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb: File.join(dir, 'var/log/candlepin/candlepin.log')
Description of problem:
AVC denials for Satellite 6 system (6.1.7)

Version-Release number of selected component (if applicable):
TP2 RC2

How reproducible:
Believe 100%

Steps to Reproduce:
1. Install Sat 6 using QCI ISO
2. Log in to run launch-fusor-installer
3. grep denied /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(x.y:z): avc: denied { create } for pid=12944 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(x.y:z): avc: denied { read } for pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(x.y:z): avc: denied { read } for pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Diagnostics after error:
ll -Z /var/log/candlepin/candlepin.log
-rw-r--r--. tomcat tomcat system_u:object_r:tomcat_log_t:s0 /var/log/candlepin/candlepin.log
restorecon -RFvv .
restorecon reset /var/log/candlepin/cpdb.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/cpinit.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/candlepin.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/error.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/audit.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
Note that candlepin.log (and friends) change from tomcat_log_t to var_log_t
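An added triage helper for output of the kind pasted in this bug and in the retest comment above; it is an example written for this page, not code from the bug report, QCI, Fusor or Satellite. It parses `type=AVC ... denied` lines from audit.log into (source type, target type, object class, permission) tuples and collapses repeats, and groups `restorecon -RFvv` "reset" lines by old-type to new-type pairs so that a long relabel listing can be attributed to a package or installer step rather than read line by line. The sample audit and restorecon lines are constructed to match the shapes shown on this page; the timestamps and serial numbers in them are made up, and `tail` reading `candlepin.log` from `passenger_t` is the case the reporter observed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, shaped like the lines quoted in this bug
# (timestamps/serials are invented; the SYSCALL record shows a non-AVC line
# being skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1468254134.028:345): avc:  denied  { create } for  pid=8706 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1468254200.101:346): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1468254200.101:347): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1468254200.101:347): arch=c000003e syscall=2 success=no exit=-13
"""

# Constructed restorecon -RFvv output in the same shape as the listing above.
SAMPLE_RESTORECON = """\
restorecon reset /var/lib/candlepin/hornetq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /etc/foreman/database.yml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_key.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /var/log/candlepin/candlepin.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'
"""

# Audit writes "avc:  denied  { perm1 perm2 } for  key=value ..."; whitespace
# varies between tools, so match it loosely.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESTORECON_RE = re.compile(
    r'restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$'
)


def selinux_type(context):
    """Return the type component of user:role:type:level, e.g. 'xdm_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize_avcs(text):
    """Count denials per (source type, target type, class, permission).

    The type pair is what decides the fix: a wrong file label is a
    restorecon/fcontext problem, a correct label means the policy lacks the
    rule (or the accessing process is in the wrong domain)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            counts[(d["source_type"], d["target_type"], d["tclass"], perm)] += 1
    return counts


def parse_restorecon(text):
    """Group 'restorecon reset' lines by (old type, new type); keep failures."""
    groups = defaultdict(list)
    failures = []
    for line in text.splitlines():
        m = RESTORECON_RE.match(line)
        if m:
            key = (selinux_type(m.group("old")), selinux_type(m.group("new")))
            groups[key].append(m.group("path"))
        elif "failed:" in line:
            failures.append(line)
    return groups, failures


def report(audit_text, restorecon_text):
    """Human-readable summary lines for both inputs."""
    out = []
    for (src, tgt, cls, perm), n in sorted(summarize_avcs(audit_text).items()):
        out.append(f"{n:3d}x {src} -> {tgt} ({cls}:{perm})")
    groups, failures = parse_restorecon(restorecon_text)
    for (old, new), paths in sorted(groups.items()):
        out.append(f"{len(paths):3d} paths {old} -> {new}, e.g. {paths[0]}")
    out.extend("FAILED: " + f for f in failures)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT, SAMPLE_RESTORECON)))
```

Run it against a real `/var/log/audit/audit.log` and the saved output of `restorecon -RFvv` (for example `restorecon -RFnv /` to only report, not relabel) to get the same grouping for a whole system; the `tomcat_log_t -> var_log_t` group is the one the reporter's last note points at, since the file is labelled `tomcat_log_t` on disk but the loaded file contexts say `var_log_t`.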