Bug 1402317

Summary: sshd_t denials in audit.log after upgrade
Product: [oVirt] ovirt-node
Component: Installation & Update
Version: 4.0
Status: CLOSED WORKSFORME
Severity: low
Priority: medium
Reporter: cshao <cshao>
Assignee: Ryan Barry <rbarry>
QA Contact: cshao <cshao>
CC: bugs, cshao, dguo, fdeutsch, fromani, huzhao, jiawu, mgoldboi, qiyuan, weiwang, yaniwang, ycui, yzhao
Target Milestone: ovirt-4.0.7
Flags: rule-engine: ovirt-4.0.z+, mgoldboi: planning_ack+, fdeutsch: devel_ack+, cshao: testing_ack+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-01-18 11:06:17 UTC
Type: Bug
oVirt Team: Node
Attachments: /var/log; /tmp; sosreport (flags: none)

Description cshao 2016-12-07 09:05:33 UTC
Created attachment 1228939
/var/log; /tmp; sosreport

Description of problem:
sshd_t denials in audit.log after upgrade


# imgbase layout
rhvh-4.0-0.20160817.0
 +- rhvh-4.0-0.20160817.0+1
rhvh-4.0-0.20161206.0
 +- rhvh-4.0-0.20161206.0+1


Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161206.0
imgbased-0.8.11-0.1.el7ev.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install rhvh-4.0-0.20160817.0 (GA build) via interactive anaconda.
2. Log in to RHVH and set up local repos.
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161206.0
4. Reboot and log in to the new build.
5. Register RHVH to RHVM.
6. grep "avc:  denied" /var/log/audit/audit.log


Actual results:
sshd_t denials in audit.log after upgrade

type=AVC msg=audit(1481093835.835:378): avc:  denied  { name_bind } for  pid=5377 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1481094473.549:62): avc:  denied  { name_bind } for  pid=1523 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket

Expected results:
No avc denied errors in audit.log.

Additional info:
No such issue on a clean RHVH (no update) 4.0.6 build.
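
Added example (not part of the original report, and not oVirt or Red Hat code): a small parser that collapses the AVC records above into one entry per distinct denial, so the grep output from step 6 can be compared between builds. The function names and the serial-number reboot heuristic are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The two AVC records quoted under "Actual results" in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1481093835.835:378): avc:  denied  { name_bind } for  pid=5377 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1481094473.549:62): avc:  denied  { name_bind } for  pid=1523 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return one denial as a dict, or None for anything that is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(f.split("=", 1) for f in m["rest"].split() if "=" in f)
    return {
        "epoch": int(m["epoch"]),
        "serial": int(m["serial"]),
        "perms": tuple(m["perms"].split()),
        "port": int(kv["src"]) if "src" in kv else None,
        # An SELinux context is user:role:type:level; keep only the type.
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }

def summarise(log_text):
    """Collapse denials into one entry per (source, target, class, perms)."""
    groups = defaultdict(list)
    for r in filter(None, map(parse_avc, log_text.splitlines())):
        groups[r["source"], r["target"], r["tclass"], r["perms"]].append(r)
    out = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["epoch"])
        serials = [r["serial"] for r in recs]
        # Assumption (heuristic): audit serials restart at boot, so a serial
        # that drops while time advances marks a denial from a later boot.
        boots = 1 + sum(b < a for a, b in zip(serials, serials[1:]))
        out[key] = {"count": len(recs), "boots": boots,
                    "ports": {r["port"] for r in recs},
                    "first": recs[0]["epoch"], "last": recs[-1]["epoch"]}
    return out

if __name__ == "__main__":
    for key, info in summarise(SAMPLE_LOG).items():
        print(key, info)
```

Both records reduce to a single denial: sshd_t refused name_bind on TCP port 2223, which is labelled ovirt_vmconsole_host_port_t.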

Comment 1 Ryan Barry 2016-12-07 22:36:45 UTC
I also cannot reproduce this.

Steps taken:

Steps to Reproduce:
1. Install rhvh-4.0-0.20160817.0 (GA build) via interactive anaconda.
2. Log in to RHVH and set up local repos.
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161206.0
4. Reboot and log in to the new build.
5. Register RHVH to RHVM.
6. grep "avc:  denied" /var/log/audit/audit.log

No entries.

From audit.log, I also tried starting a VM. Still no entries.

Comment 2 Ying Cui 2016-12-08 10:06:01 UTC
More explanation of the GA build version in comment 0: it should be RHVH-4.0-20160822.8-RHVH-x86_64-dvd1.iso with redhat-virtualization-host-4.0-20160817.0.x86_64.liveimg.squashfs.

Comment 4 Fabian Deutsch 2016-12-13 09:44:41 UTC
Moving this out because this bug cannot be reproduced reliably.

Comment 5 Fabian Deutsch 2016-12-13 09:45:52 UTC
Do you know the functional impact of this bug?

Comment 6 Francesco Romani 2016-12-13 09:46:59 UTC
Could you please report the two involved ovirt-vmconsole packages? E.g. upgrading from 1.0.1 to 1.0.4? We fixed issues like this not long ago.

Comment 7 cshao 2016-12-13 11:15:20 UTC
(In reply to Fabian Deutsch from comment #5)
> Do you know the functional impact of this bug?

It seems to have no effect during my testing.


(In reply to Francesco Romani from comment #6)
> Could you please report the two involved ovirt-vmconsole packages? E.g.
> upgrading from 1.0.1 to 1.0.4? We fixed issues like this not long ago.

# imgbase w
[INFO] You are on rhvh-4.0-0.20160817.0+1
# rpm -qa | grep ovirt-vmconsole
ovirt-vmconsole-1.0.4-1.el7ev.noarch

# imgbase w
[INFO] You are on rhvh-4.0-0.20161206.0+1
[root@dhcp-66-146-222 ~]# rpm -qa | grep ovirt-vmconsole
ovirt-vmconsole-1.0.4-1.el7ev.noarch

Comment 8 cshao 2016-12-13 11:24:39 UTC
After two days of testing, I can't reproduce this issue anymore.

Test scenario 1:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Yum update to the latest RHVH.

Test result:
Pass without AVC error.


Test scenario 2:
1. Install RHVH old version.
2. Yum update to the latest RHVH.
3. Register RHVH to RHVM.
4. Attaching to storage
5. Adding VMs

Test result:
Pass without AVC error.


Test scenario 3:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Upgrade to the latest RHVH via RHVM.

Test result:
Pass without AVC error.


Test scenario 4:
Repeat scenario 3 with a bond+vlan environment.

Test result:
Pass without AVC error.

Comment 9 Ying Cui 2017-01-16 14:31:39 UTC
Chen, could you take a look at this bug? If we cannot reproduce this bug on the latest 4.0.z build and 4.1 build, we will probably consider closing it.

Comment 10 cshao 2017-01-18 11:06:17 UTC
(In reply to Ying Cui from comment #9)
> Chen, could you take a look at this bug? If we cannot reproduce this bug on
> the latest 4.0.z build and 4.1 build, we will probably consider closing it.

After repeated testing, the bug can't be reproduced anymore on the latest 4.0.z (redhat-virtualization-host-4.0-20170104.1) build and 4.1 (redhat-virtualization-host-4.1-20160116.0) build.

So closing this bug as WORKSFORME.

Feel free to re-open this bug if you can reproduce it again in the future.