Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1469823

Summary: OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
Product: Red Hat OpenStack Reporter: Marius Cornea <mcornea>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Udi Shkalim <ushkalim>
Severity: urgent Docs Contact:
Priority: high    
Version: 11.0 (Ocata)CC: bperkins, dbecker, emacchi, mburns, mgrepl, morazi, rhallise, rhel-osp-director-maint, sclewis, srevivo
Target Milestone: z2Keywords: Triaged, ZStream
Target Release: 11.0 (Ocata)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.9-0.1.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-13 21:50:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit log
none
audit log none

Description Marius Cornea 2017-07-11 22:07:08 UTC 
Description of problem:
After OSP11 to OSP12 undercloud upgrade /var/log/audit/audit.log keeps logging keepalived related avc denials.

Version-Release number of selected component (if applicable):
libselinux-utils-2.5-11.el7.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP11
2. Upgrade undercloud to OSP12

Actual results:
/var/log/audit/audit.log keeps logging keepalived related avc denials.

Expected results:
/var/log/audit/audit.log should be clean of denials.

Additional info:
Attaching audit.log
Comment 1 Marius Cornea 2017-07-11 22:08:21 UTC 
Created attachment 1296544 [details]
audit log
Comment 2 Marius Cornea 2017-07-11 22:11:33 UTC 
Created attachment 1296546 [details]
audit log
Comment 3 Marius Cornea 2017-07-11 22:39:33 UTC 
Checking the audit log it looks that this error is there from the beginning so it's most probably not related to upgrade at all but to OSP11 deployment on RHEL 7.4
Comment 4 Marius Cornea 2017-07-12 12:40:58 UTC 
I can confirm the denials are there from OSP11 undercloud deployment, it's not related to upgrade.
Comment 5 Lon Hohberger 2017-08-01 13:19:55 UTC 
https://github.com/redhat-openstack/openstack-selinux/commit/bd843a705122ec58bee5bbd2c13509f21822747e
Comment 8 Lon Hohberger 2017-09-01 16:21:31 UTC 
Access for the reported AVC is allowed on 0.8.9-0.1
Comment 10 errata-xmlrpc 2017-09-13 21:50:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722