Bug 1401210

Summary: [RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade
Product: [oVirt] ovirt-node Reporter: cshao <cshao>
Component: Installation & UpdateAssignee: Fabian Deutsch <fdeutsch>
Status: CLOSED WORKSFORME QA Contact: cshao <cshao>
Severity: low Docs Contact:
Priority: medium    
Version: 4.0CC: bugs, cshao, dguo, huzhao, jiawu, qiyuan, rbarry, weiwang, yaniwang, ycui, yzhao
Target Milestone: ovirt-4.0.7Flags: rule-engine: ovirt-4.0.z+
ycui: testing_plan_complete?
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-18 11:07:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
/var/log; /tmp; sosreport none

Description cshao 2016-12-03 14:10:41 UTC 
Created attachment 1227675 [details]
/var/log; /tmp; sosreport

Description of problem:
[RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade

# imgbase layout
rhvh-4.0-0.20161116.0
 +- rhvh-4.0-0.20161116.0+1
rhvh-4.0-0.20161130.0
 +- rhvh-4.0-0.20161130.0+1

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161116.1
imgbased-0.8.10-0.1.el7ev.noarch

redhat-virtualization-host-4.0-20161130.0
imgbased-0.8.10-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Login RHVH and setup local repos
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
4. Reboot and login the new build.
5. grep "avc:  denied" /var/log/audit/audit.log


Actual results:
After step5, avc denied errors (system_dbusd_t) in audit.log after upgrade

type=USER_AVC msg=audit(1480766795.927:120): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.2 spid=3866 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766795.931:121): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgentWithOptions dest=:1.2 spid=3866 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766808.311:122): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.2 spid=4045 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766808.311:123): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgentWithOptions dest=:1.2 spid=4045 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Expected results:
No avc denied errors in audit.log.

Additional info:
No such issue on clean RHVH(no update) 4.0.6 build.
Comment 1 Fabian Deutsch 2016-12-04 21:09:12 UTC 
Do these denials also appear with RHEL-H?
Comment 2 cshao 2016-12-05 08:42:39 UTC 
(In reply to Fabian Deutsch from comment #1)
> Do these denials also appear with RHEL-H?

No such issue on RHEL-H.
Comment 3 Ryan Barry 2016-12-06 16:08:50 UTC 
I can't reproduce this. Were any additional steps taken?
Comment 4 cshao 2016-12-07 08:38:00 UTC 
(In reply to Ryan Barry from comment #3)
> I can't reproduce this. Were any additional steps taken?

Hi Ryan, 

After double check, the registration step is must.

Let me correct the steps.
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
3. Login RHVH and setup local repos
4. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
5. Reboot and login the new build.
6. grep "avc:  denied" /var/log/audit/audit.log

There will be another AVC bug occurred if we register to RHVM after the upgrade.
I will provide the details test steps and file a new bug.

Thanks.
Comment 5 Ryan Barry 2016-12-07 20:16:14 UTC 
I'm still not able to reproduce this. I'll put up a test build later today for QE verification.

Steps taken:

1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
3. Login RHVH and setup local repos
4. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
5. Reboot and login the new build.
6. grep "avc:  denied" /var/log/audit/audit.log

No messages.

I waited about 60 minutes before commenting here just to make sure nothing came up.

Were any other steps taken? Attaching to storage? Setting up networks? Adding VMs?
Comment 7 cshao 2016-12-13 11:25:24 UTC 
After two days testing, I can't reproduce this issue anymore.

Test scenarios 1:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Yum update to the latest RHVH.

Test result:
Pass without AVC error.


Test scenarios 2:
1. Install RHVH old version.
2. Yum update to the latest RHVH.
3. Register RHVH to RHVM.
4. Attaching to storage
5. Adding VMs

Test result:
Pass without AVC error.


Test scenarios 3:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Upgrade to the latest RHVH via RHVM.

Test result:
Pass without AVC error.


Test scenarios 4:
Repeat scenario 3 with bond+vlan env.

Test result:
Pass without AVC error.
Comment 8 Fabian Deutsch 2016-12-13 13:03:46 UTC 
Moving this out for now according to comment 7
Comment 9 Ying Cui 2017-01-16 14:31:56 UTC 
chen, could you take a look at this bug if we can not reproduce this bug on latest 4.0.z build and 4.1 build, we probably consider to close it.
Comment 10 cshao 2017-01-18 11:07:09 UTC 
(In reply to Ying Cui from comment #9)
> chen, could you take a look at this bug if we can not reproduce this bug on
> latest 4.0.z build and 4.1 build, we probably consider to close it.


After repeated testing, the bug can't be reproduce anymore on latest 4.0.z(redhat-virtualization-host-4.0-20170104.1 ) build and 4.1(redhat-virtualization-host-4.1-20160116.0) build.

So close this bug as WORKSFORME.

Fell free to re-open this bug if can reproduce it again in the future.