Bug 1485050

Summary: selinux avc denial for auditd on rawhide
Product: [Fedora] Fedora
Reporter: Michael Nguyen <mnguyen>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: alex.ploumistos, amessina, awilliam, brunch875, carl, c.crispino8611, dominick.grift, dustymabe, dwalsh, extras-qa, jfrieben, jsmith.fedora, kmansoft, kparal, lsm5, lvrabec, mgrepl, miabbott, mikhail.v.gavrilov, plautrba, pmoore, prd-fedora, pwhalen, robatino, rxguy, ssekidde, stefan+redhatbugs, vondruch
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: AcceptedBlocker abrt_hash:6273a4068d4a412edf218f10c67e55f54ea074edf5acc8e0c9ce29d3e03e8f4b;
Fixed In Version: selinux-policy-3.13.1-277.fc28 selinux-policy-3.13.1-283.4.fc27
Clone Of: 1451379
: 1485055
Last Closed: 2017-09-30 06:50:03 UTC
Bug Depends On: 1451379
Bug Blocks: 1396704, 1481454, 1485055

Description Michael Nguyen 2017-08-24 22:12:52 UTC
Description of problem:
The logs for Fedora Atomic Host Rawhide show AVC denials for auditd in the system logs.

Steps to reproduce:
1.  Boot any Fedora Atomic Host
2.  ostree remote add --no-gpg-verify custom  https://kojipkgs.fedoraproject.org/atomic/rawhide/
3.  rpm-ostree rebase custom:fedora/rawhide/x86_64/atomic-host 55a65a66f736e7637a23ddb9b649546d7b4ea247c35e32f61047dc7882d08a93
4.  systemctl reboot
5.  Reconnect
6.  journalctl -b | grep avc

Additional Information:

Log Snip:
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: [/usr/lib/tmpfiles.d/var.conf:23] Duplicate line for path "/var/spool", ignoring.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/home" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/srv" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/tmp" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd[1]: Started Create Volatile Files and Directories.
Aug 24 20:37:10 fedora.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 24 20:37:10 fedora.localdomain systemd[1]: Starting Security Auditing Service...
Aug 24 20:37:10 fedora.localdomain systemd[1]: Mounting RPC Pipe File System...
Aug 24 20:37:10 fedora.localdomain audit[669]: AVC avc:  denied  { map } for  pid=669 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=6296742 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
Aug 24 20:37:10 fedora.localdomain audit[669]: SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=310 a2=1 a3=1 items=0 ppid=1 pid=669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Aug 24 20:37:10 fedora.localdomain audit: PROCTITLE proctitle="/sbin/auditd"
Aug 24 20:37:10 fedora.localdomain systemd[1]: Mounted RPC Pipe File System.
Aug 24 20:37:10 fedora.localdomain auditd[674]: Started dispatcher: /sbin/audispd pid: 676
Aug 24 20:37:10 fedora.localdomain systemd[1]: Reached target rpc_pipefs.target.
Aug 24 20:37:10 fedora.localdomain audispd[676]: priority_boost_parser called with: 4
Aug 24 20:37:10 fedora.localdomain audispd[676]: max_restarts_parser called with: 10
Aug 24 20:37:10 fedora.localdomain audispd[676]: No plugins found, exiting
Aug 24 20:37:10 fedora.localdomain auditd[674]: dispatcher 676 reaped
Aug 24 20:37:10 fedora.localdomain audit: CONFIG_CHANGE audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Aug 24 20:37:10 fedora.localdomain audit: CONFIG_CHANGE audit_pid=674 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Aug 24 20:37:10 fedora.localdomain auditd[674]: Init complete, auditd 2.7.7 listening for events (startup state enable)
Aug 24 20:37:10 fedora.localdomain lvm[643]:   2 logical volume(s) in volume group "atomicos" now active

[root@fedora ~]# rpm-ostree status
State: idle
Deployments:
● local-branch
                   Version: test1 (2017-08-24 20:36:41)
                    Commit: 503828feb1c22d433c1efdd577763d70ae6b610942dbab757391d7547e1fdd07

  local-branch
                   Version: Rawhide.20170824.n.0 (2017-08-24 14:35:23)
                    Commit: 55a65a66f736e7637a23ddb9b649546d7b4ea247c35e32f61047dc7882d08a93
[root@fedora ~]# rpm -qa selinux-policy
selinux-policy-3.13.1-275.fc28.noarch

Comment 1 Paul Whalen 2017-08-29 14:46:34 UTC
Aug 29 10:30:15 localhost.localdomain audit[489]: AVC avc:  denied  { map } for  pid=489 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=272447 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0

Hit this with Fedora-27-20170827.n.0, selinux-policy-3.13.1-276.fc27. Added to the tracker.
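
Added example (not part of the bug report or of any Fedora tooling): a triage helper for the `journalctl -b | grep avc` step that parses AVC records and collapses repeats of the same denial across hosts, pids and inodes. The function names are hypothetical, the sample lines are copied from the description and comment 1, and the `allow` rule string only restates the denial in policy syntax; the report does not show the actual policy change.

```python
import re
from collections import Counter

# Sample journal lines copied from this report (description and comment 1).
SAMPLE = '''\
Aug 24 20:37:10 fedora.localdomain audit[669]: AVC avc:  denied  { map } for  pid=669 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=6296742 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
Aug 24 20:37:10 fedora.localdomain systemd[1]: Mounted RPC Pipe File System.
Aug 29 10:30:15 localhost.localdomain audit[489]: AVC avc:  denied  { map } for  pid=489 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=272447 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()  # one record may list several permissions
    return fields

def selinux_type(context):
    """A context is user:role:type:level; policy rules are written against the type."""
    return context.split(':')[2]

def summarize(text):
    """Count denials keyed by (source type, target type, class, perm, comm, permissive)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
                    rec['tclass'], perm, rec['comm'], rec['permissive'] == '1')] += 1
    return counts

def as_rule(key):
    """Restate a denial key in policy-rule syntax for comparison against loaded policy."""
    src, tgt, cls, perm = key[:4]
    return f"allow {src} {tgt}:{cls} {perm};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, "x", as_rule(key), "comm=" + key[4], "permissive=" + str(key[5]))
```

Both hosts reduce to a single denial key, which is the signal that this is a policy gap rather than a mislabeled file on one machine.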

Comment 2 Dusty Mabe 2017-09-11 19:43:15 UTC
+1 seems fixed.

Comment 3 Fedora Update System 2017-09-22 09:51:08 UTC
selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 4 Fedora Update System 2017-09-22 17:54:40 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 5 Fedora Update System 2017-09-30 06:50:03 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.