Bug 1637416
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | RHVH 4.2.7: AVC denied errors (getattr) in audit.log after register to engine | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | cshao <cshao> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.6 | CC | bugs, cshao, huzhao, lvrabec, mmalik, msekleta, omosnace, plautrba, qiyuan, ralston, rmetrich, salmy, sbonazzo, ssekidde, toneata, vmojzis, weiwang, yaniwang, ycui, yturgema, zpytela |
| Target Milestone | rc | Keywords | Regression, ZStream |
| Target Release | 7.6 | | |
| Hardware | Unspecified | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1645271 (view as bug list) | Environment | |
| Last Closed | 2019-08-06 12:52:32 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1645271, 1653106 | | |
| Attachments | | | |
Description:

Created attachment 1491997: all log

Description of problem:
After registering to the engine, there are AVC denied errors (getattr) in audit.log.

Version-Release number of selected component (if applicable):
RHVH-4.2-20181004.3-RHVH-x86_64-dvd1.iso
imgbased-1.0.25-1.el7ev.noarch
selinux-policy-3.13.1-229.el7.noarch

How reproducible:
80%

Steps to Reproduce:
1. RHVH-4.2-20181004.3-RHVH-x86_64-dvd1.iso installed successfully; SELinux in enforcing mode by default.
2. Register RHVH to RHVM.
3. Log in to RHVH.

# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1539074401.555:1207): avc: denied { getattr } for pid=29850 comm="sadc" path="/var/log/audit" dev="dm-6" ino=2 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0

Actual results:
AVC denied error messages in audit.log.

Expected results:
No AVC denied errors in audit.log.

Additional info:

Comment 1 (Yuval Turgeman):
It looks like a platform bug - does this happen on RHEL-H as well?

Comment 2:
(In reply to Yuval Turgeman from comment #1)
> It looks like a platform bug - does this happen on RHEL-H as well ?

Yes, but there are a few differences on RHEL-H.

# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1539331410.911:1741): avc: denied { sendto } for pid=1565 comm="chronyd" path="/run/chrony/chronyc.20590.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Comment 3:
OK, I've just reproduced this on a RHEL system - it is indeed a platform bug. To reproduce this, you need to install the operating system with /var/log/audit mounted on a separate partition; then you will start seeing those denials. Is this a known issue?

Comment 4:
Still met this issue with the RHVH 4.2.7 async build.

Comment 5:
If /var/log/audit is a separate filesystem, simply installing the sysstat package will also show the problem. From BZ#1649077:

$ ausearch -m avc -ts today | audit2allow

#============= sysstat_t ==============
allow sysstat_t auditd_log_t:dir getattr;

Note that the RHEL7 STIG requires /var/log/audit to be a separate filesystem:
https://stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72063

Therefore, all sites that must run STIG-compliant RHEL7 hosts are going to be bitten by this. At least for now, we're only seeing this for sysstat_t, so we've rolled another tunable into our local policy to permit us to work around the issue:

## <desc>
## <p>
## Work around auditd_log_t denials (BZ#1637416).
## </p>
## </desc>
gen_tunable(local_custom_auditd_log_getattr, true)

gen_require(`
        type auditd_log_t;
        type sysstat_t;
        class dir { getattr };
')

tunable_policy(`local_custom_auditd_log_getattr',`
        allow sysstat_t auditd_log_t:dir getattr;
')

Comment 6:
*** Bug 1649077 has been marked as a duplicate of this bug. ***

Comment 7:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127
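As an added example (not code from this bug report, from the commenters' local policy, or from Red Hat's selinux-policy), the following script does offline what the `ausearch -m avc | audit2allow` pipeline in the comments does on a live host: it parses AVC records, strips the MLS range from each context to recover the source and target types, and collapses the denials into `allow` rules grouped per (source type, target type, object class). It also checks the precondition that triggers this bug, whether /var/log/audit is its own mount point. The sample log is constructed from the two denials quoted in this bug plus a made-up SYSCALL record; the function names (`parse_avc`, `denials_to_rules`, `is_separate_filesystem`) are this example's own, not part of any tool.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug (sysstat's
# sadc doing getattr on /var/log/audit, and chronyd's sendto towards a virtd_t
# socket) plus a made-up SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539074401.555:1207): avc: denied { getattr } for pid=29850 comm="sadc" path="/var/log/audit" dev="dm-6" ino=2 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1539331410.911:1741): avc: denied { sendto } for pid=1565 comm="chronyd" path="/run/chrony/chronyc.20590.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1539074401.555:1207): arch=c000003e syscall=4 success=no exit=-13 comm="sadc" exe="/usr/lib64/sa/sadc"
"""

# "avc: denied { perm perm } for key=value ..." (real logs use double spaces; \s+ covers both)
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value tokens; values may be double-quoted (comm="sadc") or bare (tclass=dir)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a SELinux context string.

    Contexts are user:role:type[:mls]; the MLS part can itself contain ':'
    (e.g. s0-s0:c0.c1023), so split at most three times and take index 2.
    """
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was actually blocked; the flag may be absent
        "enforced": None if "permissive" not in fields else fields["permissive"] == "0",
    }


def denials_to_rules(log_text):
    """Collapse denied AVCs into allow rules, one per (source, target, class).

    This mirrors what audit2allow prints; the output is a starting point for
    review, not something to load blindly into a policy module.
    """
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            perms_by_key[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_list = sorted(perms)
        perm_text = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def is_separate_filesystem(path="/var/log/audit"):
    """True if path is its own mount point: the precondition for this bug (and a STIG requirement)."""
    return os.path.ismount(path)


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print("/var/log/audit is a separate filesystem:", is_separate_filesystem())
```

Run it as-is to see the two rules derived from the sample, or feed it `ausearch -m avc --raw` output from a host. The `enforced` field is worth keeping: a denial logged with `permissive=1` (domain in permissive mode) was not actually blocked, so it needs no workaround rule even though audit2allow would still emit one.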