Bug 1443632
| Summary: | AVC denials observed during test suite runs - net_admin, getattr | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Miloš Prchlík <mprchlik> |
| Component: | pcp | Assignee: | Lukas Berk <lberk> |
| Status: | CLOSED ERRATA | QA Contact: | Miloš Prchlík <mprchlik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | brolley, fche, lberk, mgoodwin, nathans |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pcp-3.11.8-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 18:31:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Attachments:
Created attachment 1272668 [details]
/mnt/qa/scratch/mprchlik/enforcing.txt
/var/log/audit/audit.log
Created attachment 1272669 [details]
denials found in permissive mode
Created attachment 1272671 [details]
denials found in enforcing mode
Verified with build pcp-3.11.8-7.el7 - the AVC denials reported in this bug don't appear anymore, as far as I can tell (there are other types, reported in other bugs, making the whole search a bit messy...).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1968
Description of problem:

Many AVC denials pop up during a (sanity) run of pcp's upstream test suite on a RHEL-7.4 box, mostly referencing net_admin and getattr on many different files. See attachments for the full list of observed denials (dumped by the ausearch command below).

Version-Release number of selected component (if applicable):

pcp-3.11.8-3.el7
selinux-policy-3.13.1-136.el7.noarch

How reproducible:

Steps to Reproduce:

From our "how to test selinux" howto:

    # service auditd restart
    # setenforce 1
    # restorecon -Rv /etc /run /var
    # START_DATE_TIME=`date "+%m/%d/%Y %T"`
    # ./check -s -g sanity
    # ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}

I also used `setenforce 0` and re-ran the test suite.

Actual results:

Expected results:

Additional info:
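One way to triage the enforcing and permissive `ausearch` dumps that the steps above produce, as an added example that is not part of the original report or of pcp: group AVC denials by command, source type, target type, class and permission, then list the ones that only surface with `setenforce 0`. The sample records, including the `pcp_pmcd_t` and `example_file_t` labels, are constructed for illustration and are not taken from the bug's attachments.

```python
import re
from collections import Counter

# Matches kernel AVC records in raw audit.log and in `ausearch -i` output.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="?(?P<comm>[^"\s]+)"?.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample records (not from the bug's attachments).
ENFORCING_SAMPLE = """\
type=AVC msg=audit(01/01/2017 10:00:01.101:410) : avc:  denied  { net_admin } for  pid=2101 comm=pmcd capability=net_admin  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
"""
PERMISSIVE_SAMPLE = ENFORCING_SAMPLE + """\
type=AVC msg=audit(01/01/2017 11:00:02.007:522) : avc:  denied  { getattr } for  pid=2230 comm=pmdaproc path=/example/placeholder dev="dm-0" ino=1234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""


def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # USER_AVC, SELINUX_ERR, record separators, etc.
        for perm in m["perms"].split():  # one record may list several perms
            key = (m["comm"], se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], perm)
            counts[key] += 1
    return counts


def only_in_permissive(enforcing_text, permissive_text):
    """Denial tuples logged in the permissive run but not the enforcing one."""
    return sorted(set(summarize(permissive_text)) - set(summarize(enforcing_text)))


if __name__ == "__main__":
    for denial in only_in_permissive(ENFORCING_SAMPLE, PERMISSIVE_SAMPLE):
        print(*denial)
```

In permissive mode a denied access is logged but allowed to proceed, so the second run can reveal denials further along a code path that enforcing mode cut short.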