Bug 1584551
| Field | Value |
|---|---|
| Summary: | avc denied errors (runcon & chroot) in audit.log after upgrade |
| Product: | [oVirt] ovirt-node |
| Component: | Installation & Update |
| Status: | CLOSED CANTFIX |
| Severity: | medium |
| Priority: | unspecified |
| Version: | 4.2 |
| Target Milestone: | ovirt-4.3.0 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | cshao <cshao> |
| Assignee: | Ryan Barry <rbarry> |
| QA Contact: | cshao <cshao> |
| CC: | bugs, cshao, huzhao, qiyuan, weiwang, yaniwang, ycui, yturgema |
| Flags: | rule-engine: ovirt-4.3+; cshao: testing_ack+ |
| Last Closed: | 2018-11-25 09:29:06 UTC |
| Type: | Bug |
| oVirt Team: | Node |

Chen, we put setfiles_t in permissive when we relabel the new fs, so I'm afraid this warning can't be avoided. The other alternative we have is to skip relabelling during the update and touch /.autorelabel, but that solution was declined, so I'm closing this for now. Feel free to reopen if you think it's needed.

Created attachment 1446141: all log

Description of problem:
avc denied errors (runcon & chroot) in audit.log after upgrade

```
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1527749715.399:183): avc: denied { entrypoint } for pid=15266 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=663192 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1527749715.409:184): avc: denied { sys_chroot } for pid=15266 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1527750986.099:205): avc: denied { entrypoint } for pid=10360 comm="runcon" path="/usr/sbin/chroot" dev="dm-8" ino=792682 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1527750986.166:206): avc: denied { sys_chroot } for pid=10360 comm="chroot" capability=18 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
```

```
# imgbase layout
# imgbase layout
rhvh-4.2-0.20180410.0
 +- rhvh-4.2-0.20180410.0+1
rhvh-4.2.3.0-0.20180530.0
 +- rhvh-4.2.3.0-0.20180530.0+1
```

Version-Release number of selected component (if applicable):
a. rhvh-4.1-0.20180314.0
b. rhvh-4.1-0.20180410.0
c. redhat-virtualization-host-4.2-20180530.1
imgbased-1.0.17-0.1.el7ev.noarch

How reproducible:
50%

Steps to Reproduce:
1. Install rhvh-4.1-0.20180314.0 via interactive anaconda.
2. Login RHVH, yum upgrade to rhvh-4.1-0.20180410.0
3. Reboot
4. Login RHVH, setup local repos and update to redhat-virtualization-host-4.2-20180530.1
   `# yum update`
5. Reboot and login the new build
6. `# grep "avc: denied" /var/log/audit/audit.log`

Actual results:
avc denied errors (runcon & chroot) in audit.log after upgrade

Expected results:
After step 6, there should be no avc error.