Bug 1451974

Summary: avc denied errors (logrotate) in audit.log after upgrade

| Field | Value |
|---|---|
| Product | [oVirt] ovirt-node |
| Component | Installation & Update |
| Status | CLOSED WORKSFORME |
| Severity | medium |
| Priority | low |
| Version | 4.1 |
| Target Milestone | ovirt-4.3.2 |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | imgbased-0.9.42-0.1.el7ev |
| Doc Text | |
| Clone Of | |
| Last Closed | 2019-03-15 05:56:05 UTC |
| Regression | --- |
| Documentation | --- |
| Verified Versions | |
| oVirt Team | Node |
| Cloudforms Team | --- |
| Embargoed | |
| Attachments | |
| Reporter | Huijuan Zhao <huzhao> |
| Assignee | Yuval Turgeman <yturgema> |
| QA Contact | Huijuan Zhao <huzhao> |
| Docs Contact | |
| CC | bugs, cshao, dfediuck, dougsland, huzhao, leiwang, qiyuan, rbarry, sbonazzo, weiwang, yaniwang, ycui, yturgema |
| Flags | rule-engine: ovirt-4.3+; cshao: testing_ack+ |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Environment | |
| Type | Bug |
| Mount Type | --- |
| CRM | |
| Category | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Target Upstream Version | |
Description

Huijuan Zhao 2017-05-18 03:59:34 UTC

Created attachment 1279863 [details]
All logs (sosreport) on machine hp-dl385pg8-15

Created attachment 1279864 [details]
All logs (sosreport) on Dell machine

We can probably extend setfiles in osupdater to include /var also.

Is this still reproducible on current 4.1.3 builds (which include a number of selinux fixes)?

(In reply to Ryan Barry from comment #4)
> Is this still reproducible on current 4.1.3 builds (which include a number
> of selinux fixes?)

Yes, still encountered avc denied errors in audit.log after upgrade to rhvh-4.1-20170629.0.

Test version:
From: redhat-virtualization-host-4.0-20170307.0
To: redhat-virtualization-host-4.1-20170629.0

Test steps:
Almost the same as comment 0

Actual results:

    [root@hp-bl460cg9-01 ~]# grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1499060939.465:22): avc: denied { create } for pid=1863 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
    type=AVC msg=audit(1499060939.603:24): avc: denied { write } for pid=1868 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-9" ino=659762 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499061647.042:293): avc: denied { execute } for pid=36569 comm="cockpit-ws" name="cockpit-ssh" dev="dm-9" ino=656381 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Thanks for the fast response.

We know about the cockpit-ssh issue (which is related to "Other Options" not appearing -- we're waiting for the cockpit team to fix this).

Douglas, can you look at the others?

Actually, when I tested with different versions and different machines, there were different avc denied errors in audit.log after upgrade.
I tested again with rhvh-4.1-0.20170706.0 on two different machines; the detailed info is as below:

Test version:
From: redhat-virtualization-host-4.0-20170307.0
To: redhat-virtualization-host-4.1-20170706.0

    # imgbase layout
    rhvh-4.0-0.20170307.0
     +- rhvh-4.0-0.20170307.0+1
    rhvh-4.1-0.20170706.0
     +- rhvh-4.1-0.20170706.0+1

Test steps:
Same as comment 0

Actual results:

1. On machine 1 (DELL machine), after step 5:

    [root@dhcp-10-16 ~]# grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1499912994.372:22): avc: denied { create } for pid=1469 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
    type=AVC msg=audit(1499912994.648:23): avc: denied { write } for pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499912994.653:24): avc: denied { write } for pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499912994.659:25): avc: denied { write } for pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499913062.692:176): avc: denied { write } for pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499913062.693:177): avc: denied { write } for pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499913062.693:178): avc: denied { write } for pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

2. On machine 2 (IBM server), after step 5:

    [root@ibm-x3650m5-04 ~]# grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1499915080.876:21): avc: denied { create } for pid=1771 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
    type=AVC msg=audit(1499915081.173:22): avc: denied { write } for pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499915081.191:23): avc: denied { write } for pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499915081.199:24): avc: denied { write } for pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499915102.838:75): avc: denied { read } for pid=3464 comm="iptables" name="xtables.lock" dev="tmpfs" ino=41912 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
    type=AVC msg=audit(1499915102.844:76): avc: denied { read } for pid=3465 comm="ip6tables" name="xtables.lock" dev="tmpfs" ino=41912 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
    type=AVC msg=audit(1499915130.706:150): avc: denied { write } for pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499915130.707:151): avc: denied { write } for pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1499915130.708:152): avc: denied { write } for pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Expected results:
No avc denied errors in audit.log after upgrade.

I will send the two ENVs' info via email, please check if needed. Thanks!

I can't reproduce this. Can you provide another test system, please?

(In reply to Ryan Barry from comment #8)
> I can't reproduce this. Can you provide a another test system, please?

Sure, I will send a test system to you via email once reproduced.

Still encountered avc denied errors after upgrade to redhat-virtualization-host-4.1-20170728.0.

Test version:
From: redhat-virtualization-host-4.0-20170307.1
To: redhat-virtualization-host-4.1-20170728.0
imgbased-0.9.36-0.1.el7ev.noarch

    # imgbase layout
    rhvh-4.0-0.20170307.0
     +- rhvh-4.0-0.20170307.0+1
    rhvh-4.1-0.20170728.0
     +- rhvh-4.1-0.20170728.0+1

Test steps:
1. Install rhvh-4.0-0.20170307.0
2. Login to rhvh-4.0, set up ntp
   # systemctl enable ntpd
   # systemctl start ntpd
3. Set up local repos and upgrade rhvh to rhvh-4.1-0.20170728.0
   # yum update
4. Reboot and login to the new layer rhvh-4.1-0.20170728.0, check:
   # grep "avc: denied" /var/log/audit/audit.log

Actual results:
After step 4, there are avc denied errors:

    [root@dhcp-10-16 ~]# grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1501574101.078:31): avc: denied { create } for pid=1344 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
    type=AVC msg=audit(1501574101.436:33): avc: denied { write } for pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1501574101.441:34): avc: denied { write } for pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1501574101.442:35): avc: denied { write } for pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1501574172.109:197): avc: denied { write } for pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1501574172.110:198): avc: denied { write } for pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
    type=AVC msg=audit(1501574172.111:199): avc: denied { write } for pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Already sent the test system to you via email, please check it, thanks!
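The check in the test steps above is a plain grep for "avc: denied", which lists every record verbatim: the same abrt-action-sav write shows up three times differing only in timestamp, and later in this thread the runcon/chroot denials turn out to come from setfiles_t, a domain that imgbased deliberately puts into permissive mode while relabelling the new layer. The script below is an added example, not code from this bug report or from imgbased/oVirt. It parses AVC and USER_AVC records, groups them by source type, target type, object class and permission, and separates denials that were actually blocked (permissive=0, or no permissive field at all, as in the older 4.1-era records here) from denials that were only logged for a permissive domain. The sample records are copied from this bug, except the SYSCALL line, which is constructed to show that non-AVC records are skipped.

```python
"""Summarise SELinux AVC denials from an audit.log.

Added example for this bug report; not code from the report, imgbased or oVirt.
"""
import re
import sys
from collections import OrderedDict

# key=value pairs in an audit record; values are either double-quoted or a bare token
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the permission set inside "avc: denied { ... }"
_PERMS = re.compile(r'avc: denied \{ ([^}]*) \}')


def _type_of(ctx):
    """user:role:type[:range] -> type; returns the input unchanged if it is not a context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC or USER_AVC denial record. Returns None for any other record."""
    if 'avc: denied' not in line:
        return None
    m = _PERMS.search(line)
    perms = tuple(m.group(1).split()) if m else ()
    fields = {}
    for key, value in _KV.findall(line):
        # strip quotes, and the stray trailing comma seen in "permissive=1, not null" records
        fields[key] = value.strip('"').rstrip(',')
    return {
        'type': fields.get('type'),
        'perms': perms,
        'comm': fields.get('comm') or fields.get('exe'),  # USER_AVC records carry exe= instead of comm=
        'source': _type_of(fields.get('scontext', '')),
        'target': _type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        # None when the record has no permissive= field (older kernels, as in the 4.1-era records)
        'permissive': fields.get('permissive'),
    }


def summarize(lines):
    """Group denials by (source type, target type, object class, permissions).

    Each group records how many times it occurred, which programs triggered it and
    the set of permissive= values seen ('0', '1' or None when the field was absent).
    """
    groups = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source'], rec['target'], rec['tclass'], rec['perms'])
        g = groups.setdefault(key, {'count': 0, 'comms': set(), 'permissive': set()})
        g['count'] += 1
        g['comms'].add(rec['comm'])
        g['permissive'].add(rec['permissive'])
    return groups


def enforced_denials(groups):
    """Keep only groups that were (or may have been) actually blocked.

    A group whose every record says permissive=1 came from a domain running permissive
    (e.g. setfiles_t while imgbased relabels the new layer) and was logged, not enforced.
    Records without the field are kept: nothing in them proves the access was allowed.
    """
    return OrderedDict((k, v) for k, v in groups.items() if v['permissive'] != {'1'})


def format_report(groups):
    """One line per group, most frequent first."""
    out = []
    for (src, tgt, tclass, perms), g in sorted(groups.items(), key=lambda kv: -kv[1]['count']):
        mode = 'permissive' if g['permissive'] == {'1'} else 'enforcing'
        out.append('%s -> %s %s { %s } x%d [%s] comm=%s' % (
            src, tgt, tclass, ' '.join(perms), g['count'], mode,
            ','.join(sorted(c for c in g['comms'] if c))))
    return out


# Sample records: copied from this bug, except the first (SYSCALL) line, which is constructed.
SAMPLE_LOG = r"""type=SYSCALL msg=audit(1499060939.603:24): arch=c000003e syscall=2 success=no exit=-13 comm="abrt-action-sav"
type=AVC msg=audit(1499060939.603:24): avc: denied { write } for pid=1868 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-9" ino=659762 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1552543388.102:1269): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543389.103:1271): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543834.487:1537): avc: denied { entrypoint } for pid=32057 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=3677759 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552543834.491:1538): avc: denied { sys_chroot } for pid=32057 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1552543902.998:1554): avc: denied { write } for pid=32132 comm="groupadd" path="/dev/null" dev="tmpfs" ino=131509 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file permissive=0
type=USER_AVC msg=audit(1552543894.465:1549): pid=3973 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.163 spid=32125 tpid=32123 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

if __name__ == '__main__':
    # usage: python avc_summary.py /var/log/audit/audit.log (no argument: run on the sample records)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in format_report(enforced_denials(summarize(text.splitlines()))):
        print(line)
```

On the sample records this reports six distinct denials, of which four were enforced; the two setfiles_t groups are dropped by enforced_denials because every one of their records carries permissive=1. Grouping on the type pair rather than the full context also makes the before/after comparison in later comments (the chronyd_t -> virtd_t sendto denials already present on 4.2.8) a matter of diffing two short lists instead of two raw logs.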
Still encountered avc denied errors after upgrade to redhat-virtualization-host-4.1-20170816.2.

Test version:
From: redhat-virtualization-host-4.1-20170808.0
To: redhat-virtualization-host-4.1-20170816.2
imgbased-0.9.47-0.1.el7ev.noarch

    # imgbase layout
    rhvh-4.1-0.20170808.0
     +- rhvh-4.1-0.20170808.0+1
    rhvh-4.1-0.20170817.0
     +- rhvh-4.1-0.20170817.0+1

Test steps:
1. Install rhvh-4.1-0.20170808.0
2. Set up local repos and upgrade rhvh to rhvh-4.1-0.20170817.0
   # yum update
3. Reboot and login to the new layer rhvh-4.1-0.20170817.0, check:
   # grep "avc: denied" /var/log/audit/audit.log

Actual results:
After step 3, there are avc denied errors:

    # grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1502953404.336:192): avc: denied { entrypoint } for pid=10987 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=2628846 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    type=AVC msg=audit(1502953404.341:193): avc: denied { sys_chroot } for pid=10987 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability

So this bug is not fixed completely; I will change the status to ASSIGNED.

Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Created attachment 1314604 [details]
Comment 11: All logs (sosreport, imgbased.log, /var/log) from host

This is a different bug, which seems to be from imgbased (either setfiles_t or one of the rpm %post scripts). Still a denial, but I'd expect that this occurs while the upgrade is happening. It seems like we'll need a rule to allow type transitions to chroot_t...

Hi, I managed to recreate this; setfiles is not failing on these avc denials. We need to relabel some files on the new image, and we do that by adding the setfiles_t domain into permissive (semanage permissive -a setfiles_t), chrooting and running setfiles. If setfiles doesn't work, the upgrade process should fail (it will miss the boot entry, and the post script would fail). This isn't the case, since the upgrade seems to finish correctly. What we're seeing here is simply what would fail if setfiles_t was in enforcing mode and not permissive. So I think it's ok - what happens when you reboot to the new image? Is everything working, or do more avc denials occur?

(In reply to Yuval Turgeman from comment #16)
> Hi, I managed to recreate this, setfiles is not failing on these avc
> denials. We need to relabel some files on the new image, and we do that by
> adding the setfiles_t domain into permissive (semanage permissive -a
> setfiles_t), chrooting and running setfiles.
> If setfiles doesn't work, the upgrade process should fail (will miss boot
> entry, and post script would fail). This isn't the case, since the upgrade
> seems to finish correctly.
> What we're seeing here is simply what would fail if setfiles_t was in
> enforcing mode and not permissive. So I think it's ok - what happens when
> you reboot to the new image ? Is everything working, or more avc denials
> occur ?

Seems normal when rebooting to the new image; the basic functions work well.
But actually, there are different avc denied errors randomly. I encountered other avc errors when reproducing this issue according to comment 11.

    # grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1503998323.879:451): avc: denied { sendto } for pid=1078 comm="chronyd" path="/run/chrony/chronyc.9994.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1503998807.392:519): avc: denied { entrypoint } for pid=32674 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=41950365 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    type=AVC msg=audit(1503998807.401:520): avc: denied { sys_chroot } for pid=32674 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability

I will send ENV info to you via email.

Postponing to 4.2.0 and lowering priority as per comment #17.

Is this still reproducible? If so, can you provide steps? I'm mostly interested in whether registration to engine is required to reproduce.

Yes, Ryan. Can still encounter this issue, but not every time. And the avc error types may be different. In my testing, I added the host to engine, then encountered this issue.
Test version:

    # imgbase layout
    rhvh-4.1-0.20171101.0
     +- rhvh-4.1-0.20171101.0+1
    rhvh-4.2.0.6-0.20180104.0
     +- rhvh-4.2.0.6-0.20180104.0+1

The avc denied errors look like below:
----------------------------------------------------

    type=AVC msg=audit(1515415139.863:393): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28447.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415141.865:394): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28447.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415145.879:395): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415146.880:396): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415148.883:397): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415152.888:398): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415153.889:405): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415155.891:407): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415159.897:408): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415160.899:409): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415162.901:410): avc: denied { sendto } for pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1515415530.029:462): avc: denied { entrypoint } for pid=14449 comm="runcon" path="/usr/sbin/chroot" dev="dm-3" ino=9444622 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    type=AVC msg=audit(1515415530.043:463): avc: denied { sys_chroot } for pid=14449 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
    type=AVC msg=audit(1515415545.199:464): avc: denied { sys_chroot } for pid=14455 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
    type=AVC msg=audit(1515415545.436:465): avc: denied { entrypoint } for pid=14456 comm="runcon" path="/usr/sbin/chroot" dev="dm-3" ino=9444622 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    type=USER_AVC msg=audit(1515415684.390:474): pid=974 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.72 spid=31640 tpid=31638 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    type=AVC msg=audit(1515415693.760:475): avc: denied { write } for pid=31649 comm="groupadd" path="/dev/null" dev="tmpfs" ino=80302 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file
    type=AVC msg=audit(1515415693.773:477): avc: denied { write } for pid=31650 comm="useradd" path="/dev/null" dev="tmpfs" ino=80302 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file
    type=AVC msg=audit(1515415695.232:479): avc: denied { search } for pid=31640 comm="systemd-machine" name="31639" dev="proc" ino=79517 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir
    type=AVC msg=audit(1515415695.232:479): avc: denied { read } for pid=31640 comm="systemd-machine" name="cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
    type=AVC msg=audit(1515415695.232:479): avc: denied { open } for pid=31640 comm="systemd-machine" path="/proc/31639/cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
    type=AVC msg=audit(1515415695.233:480): avc: denied { getattr } for pid=31640 comm="systemd-machine" path="/proc/31639/cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file, not null

---------------------------------------------

Update: Did not encounter this issue when upgrading from rhvh-4.0 to rhvh-4.1 on the same machine as comment 20.

Test version:
From: rhvh-4.0-20170307.1
To: rhvh-4.1-20171228.0

I wasn't able to reproduce last week. Registration to engine necessary?

Yes, it also appears only sometimes in my testing; better to register to engine.

Re-targeting to 4.3.1 since this BZ has not been proposed as blocker for 4.3.0. If you think this bug should block 4.3.0 please re-target and set blocker flag.

Moving to 4.3.2, not being identified as blocker for 4.3.1.

Still encountered "avc denied" issue in rhvh-4.3.0.5-0.20190225.0

    # imgbase layout
    rhvh-4.2.4.3-0.20180622.0
     +- rhvh-4.2.4.3-0.20180622.0+1
    rhvh-4.3.0.5-0.20190225.0
     +- rhvh-4.3.0.5-0.20190225.0+1

    # imgbase w
    You are on rhvh-4.3.0.5-0.20190225.0+1

    # grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1551159644.494:1170): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159645.496:1171): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159647.498:1173): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159651.507:1179): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159652.508:1191): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159654.511:1212): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159658.516:1225): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159659.518:1226): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551159661.520:1227): avc: denied { sendto } for pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
    type=AVC msg=audit(1551160503.353:1634): avc: denied { entrypoint } for pid=1154 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=31464695 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
    type=AVC msg=audit(1551160503.355:1635): avc: denied { sys_chroot } for pid=1154 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability

Thanks, please keep in mind that the denials for runcon and chroot are ok; I'll handle the chronyd issue.

Yuval, please check if this got fixed in the last rebuild.

I couldn't reproduce this on RHVH-4.3-20190313.3-RHVH-x86_64-dvd1.iso - can you please check?

I cannot reproduce it 100% on RHVH-4.3-20190313.3-RHVH-x86_64-dvd1.iso.
Actually, just as comment 20 said, it can only be encountered sometimes, and the error type may be different on different versions.

Test version:

    rhvh-4.2.8.3-0.20190219.0
     +- rhvh-4.2.8.3-0.20190219.0+1
    rhvh-4.3.0.5-0.20190313.0
     +- rhvh-4.3.0.5-0.20190313.0+1

I tested it manually just now and did not reproduce it. But in the automation log, still encountered it. The avc denied errors look like below:
----------------------------------------------------

    type=AVC msg=audit(1552543388.102:1269): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543389.103:1271): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543391.105:1272): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543395.124:1291): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543396.126:1298): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543398.131:1299): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543402.133:1336): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543403.135:1337): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543405.137:1338): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543409.144:1340): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543410.146:1341): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543412.148:1342): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543416.155:1343): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543417.156:1344): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543419.158:1345): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543423.166:1361): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543424.167:1362): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543426.169:1363): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543430.175:1364): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543431.176:1371): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543433.178:1372): avc: denied { sendto } for pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552543834.487:1537): avc: denied { entrypoint } for pid=32057 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=3677759 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1552543834.491:1538): avc: denied { sys_chroot } for pid=32057 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1
    type=USER_AVC msg=audit(1552543894.465:1549): pid=3973 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.163 spid=32125 tpid=32123 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    type=AVC msg=audit(1552543902.998:1554): avc: denied { write } for pid=32132 comm="groupadd" path="/dev/null" dev="tmpfs" ino=131509 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file permissive=0
    type=AVC msg=audit(1552543903.014:1556): avc: denied { write } for pid=32133 comm="useradd" path="/dev/null" dev="tmpfs" ino=131509 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file permissive=0
    type=AVC msg=audit(1552543904.422:1559): avc: denied { search } for pid=32125 comm="systemd-machine" name="32124" dev="proc" ino=131279 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir permissive=1
    type=AVC msg=audit(1552543904.422:1559): avc: denied { read } for pid=32125 comm="systemd-machine" name="cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1
    type=AVC msg=audit(1552543904.422:1559): avc: denied { open } for pid=32125 comm="systemd-machine" path="/proc/32124/cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1
    type=AVC msg=audit(1552543904.424:1560): avc: denied { getattr } for pid=32125 comm="systemd-machine" path="/proc/32124/cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1, not null

-------------------------------------------------------------

I will check more later.

Can you please describe the exact steps to reproduce? I think you're seeing denials from 4.2.8.

(In reply to Yuval Turgeman from comment #31)
> Can you please describe the exact steps to reproduce ? I think you're seeing
> denials from 4.2.8

You are right; after double checking, the "chronyc" denials were from 4.2.8.

qiyuan monitored the automation machine before and after the upgrade; both had the "chronyc" denials.

I tested it manually with another machine following the exact same steps as the automation scripts; both before and after the upgrade had the "chronyc" denials.

Test version:

    # imgbase layout
    rhvh-4.2.8.3-0.20190219.0
     +- rhvh-4.2.8.3-0.20190219.0+1
    rhvh-4.3.0.5-0.20190313.0
     +- rhvh-4.3.0.5-0.20190313.0+1

Test steps:
1. Install rhvh-4.2.8.3-0.20190219.0
2. Install http in rhvh:
   # yum install http
3. Register rhvh-4.2.8.3 to rhvm-4.2.7.5
4. Check:
   # grep "avc: denied" /var/log/audit/audit.log
5. Upgrade rhvh-4.2 to rhvh-4.3:
   # yum update
6. Login to rhvh-4.3, check:
   # grep "avc: denied" /var/log/audit/audit.log

Test results:
1. After step 4, the output is below:

    # grep "avc: denied" /var/log/audit/audit.log
    type=AVC msg=audit(1552625707.134:1074): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625708.135:1098): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625710.137:1099): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625714.149:1118): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625715.150:1119): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625717.152:1138): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625721.158:1139): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    type=AVC msg=audit(1552625722.159:1141): avc: denied { sendto } for pid=13105 comm="chronyd"
path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625724.161:1142): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625728.166:1143): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625729.168:1144): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625731.170:1145): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625735.175:1146): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625736.177:1147): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625738.179:1148): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC 
msg=audit(1552625742.184:1149): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625743.185:1155): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625745.187:1156): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625749.192:1157): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625750.194:1158): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625752.196:1159): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 2. 
After step 6, the output is below: # grep "avc: denied" /var/log/audit/audit.log type=AVC msg=audit(1552625707.134:1074): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625708.135:1098): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625710.137:1099): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625714.149:1118): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625715.150:1119): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625717.152:1138): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625721.158:1139): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625722.159:1141): avc: denied { sendto } for pid=13105 comm="chronyd" 
path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625724.161:1142): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625728.166:1143): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625729.168:1144): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625731.170:1145): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625735.175:1146): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625736.177:1147): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625738.179:1148): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC 
msg=audit(1552625742.184:1149): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625743.185:1155): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625745.187:1156): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625749.192:1157): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625750.194:1158): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552625752.196:1159): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1552627763.506:1336): avc: denied { entrypoint } for pid=8368 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=119020782 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552627763.509:1337): avc: denied { sys_chroot } for pid=8368 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1 type=AVC msg=audit(1552627769.740:1338): avc: denied { sys_chroot } for pid=8370 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1 So according to Comment 27, closing the bug. |
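The check the reporter does by hand above (grep audit.log before and after the upgrade, then compare by eye) is easy to get wrong when the two dumps differ only in their tail. The script below is an added example, not code from this bug, from imgbased or from the QE automation: it parses type=AVC and type=USER_AVC records, splits them at an assumed upgrade timestamp (UPGRADE_TS), and groups what remains by source type, target type, object class and permission, keeping the permissive flag so that records logged under a permissive domain (logged but not blocked, like the setfiles_t entrypoint and sys_chroot records above) are reported separately from enforced denials. All sample log lines are constructed in the format shown in this bug; the SYSCALL line only demonstrates that non-AVC records are skipped.

```python
"""Split SELinux AVC denials from audit.log into pre-existing and new-since-upgrade.

Added example (not part of the bug report or of imgbased). SAMPLE_LOG and
UPGRADE_TS are constructed values for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Record header shared by kernel and userspace AVC records:
#   type=AVC msg=audit(<epoch>.<msec>:<serial>): ...
HEADER_RE = re.compile(
    r"^type=(?P<type>AVC|USER_AVC)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
)
# Denied permission set plus everything after it. For USER_AVC the avc text
# sits inside msg='...', so this is searched for rather than anchored.
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}(?P<rest>.*)$")
# key=value pairs; values are double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """Return the type component of an SELinux context (user:role:type[:range])."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return None for records that are not denials."""
    head = HEADER_RE.match(line)
    if head is None:
        return None
    denied = DENIED_RE.search(line)
    if denied is None:
        return None  # e.g. an "avc: granted" record
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(denied.group("rest"))}
    permissive = fields.get("permissive")
    return {
        "type": head.group("type"),
        "ts": float(head.group("ts")),
        "serial": int(head.group("serial")),
        "perms": tuple(sorted(denied.group("perms").split())),
        # USER_AVC records (dbus-daemon) report exe= instead of comm=
        "comm": fields.get("comm") or fields.get("exe", "?"),
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
        "tclass": fields.get("tclass", "?"),
        # permissive=1: logged but not blocked (permissive domain or system);
        # USER_AVC records carry no permissive field and are reported as None.
        "permissive": int(permissive) if permissive is not None else None,
    }


def split_by_upgrade(lines: Iterable[str], upgrade_ts: float) -> Tuple[List[dict], List[dict]]:
    """Partition denial records by whether the audit timestamp predates upgrade_ts."""
    before: List[dict] = []
    after: List[dict] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            (after if rec["ts"] >= upgrade_ts else before).append(rec)
    return before, after


def summarize(records: Iterable[dict]) -> Counter:
    """Count records by (source type, target type, class, perms, permissive)."""
    return Counter(
        (_type_of(r["scontext"]), _type_of(r["tcontext"]), r["tclass"],
         " ".join(r["perms"]), r["permissive"])
        for r in records
    )


# Constructed excerpt in the audit.log format shown in this bug.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1552625700.000:1070): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1552625707.134:1074): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625708.135:1098): avc: denied { sendto } for pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=USER_AVC msg=audit(1552627700.000:1300): pid=3973 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.163 spid=32125 tpid=32123 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1552627763.506:1336): avc: denied { entrypoint } for pid=8368 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=119020782 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552627763.509:1337): avc: denied { sys_chroot } for pid=8368 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1
"""
UPGRADE_TS = 1552627000.0  # assumed moment "yum update" ran on the test host


def report(log_text: str = SAMPLE_LOG, upgrade_ts: float = UPGRADE_TS) -> Dict[str, Counter]:
    """Return {'pre_existing': Counter, 'new_since_upgrade': Counter} for a log dump."""
    before, after = split_by_upgrade(log_text.splitlines(), upgrade_ts)
    return {"pre_existing": summarize(before), "new_since_upgrade": summarize(after)}


if __name__ == "__main__":
    for bucket, counts in report().items():
        print(bucket)
        for (src, tgt, cls, perms, permissive), n in counts.most_common():
            mode = {0: "enforced", 1: "permissive"}.get(permissive, "userspace")
            print(f"  {n:3d}x {src} -> {tgt} {cls} {{ {perms} }} [{mode}]")
```

On a real host, feed it the output of the grep from the test steps (or the whole audit.log) and take the upgrade timestamp from the yum or imgbased log of the update; anything left in the "new_since_upgrade" bucket with permissive=0 is what actually got blocked by the upgrade, while permissive=1 entries were allowed and only need a policy or labelling follow-up.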