Bug 1778038
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | AVC denied errors (sendto) in audit.log after register to engine | | |
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | cshao <cshao> |
| Component: | redhat-virtualization-host | Assignee: | Nir Levy <nlevy> |
| Status: | CLOSED DEFERRED | QA Contact: | cshao <cshao> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.3.7 | CC: | cshao, dholler, edwardh, lsvaty, mavital, michal.skrivanek, mtessun, nlevy, peyu, qiyuan, sbonazzo, shlei, weiwang, yaniwang, yturgema |
| Target Milestone: | --- | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2000044 (view as bug list) | Environment: | |
| Last Closed: | 2020-06-08 15:17:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2000044 | | |
| Attachments: | | | |
Comment #3 (Yuval Turgeman):

dhclient calls chronyc and it looks like dhclient runs in the virt_d context (instead of dhcpc_t), so chronyc will create its socket with virtd_t (instead of chronyd_var_run_t), so selinux will block it.

This is the process from the reproducer:

system_u:system_r:virtd_t:s0-s0:c0.c1023 root 28382 0.0 0.0 102896 2756 ? S<s Dec13 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--ovirtmgmt.lease -pf /var/run/dhclient-ovirtmgmt.pid ovirtmgmt

Calling chronyc manually will result in a proper context for the client socket:

srw-rw-rw-. root root unconfined_u:object_r:chronyd_var_run_t:s0 chronyc.49154.sock

Can you try this without dhcp?

Looks like systemctl restart network changed dhclient to dhcpc_t

system_u:system_r:dhcpc_t:s0 root 51561 0.0 0.0 102896 2364 ? Ss 13:50 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--ovirtmgmt.lease -pf /var/run/dhclient-ovirtmgmt.pid -H hp-bl460cg9-01 ovirtmgmt

(In reply to Yuval Turgeman from comment #3)
> dhclient calls chronyc and it looks like dhclient runs in the virt_d context
> (instead of dhcpc_t), so chronyc will create its socket with virtd_t
> (instead of chronyd_var_run_t), so selinux will block it.
>
> This is the process from the reproducer:
> system_u:system_r:virtd_t:s0-s0:c0.c1023 root 28382 0.0 0.0 102896 2756 ?
> S<s Dec13 0:00 /sbin/dhclient -1 -q -lf
> /var/lib/dhclient/dhclient--ovirtmgmt.lease -pf
> /var/run/dhclient-ovirtmgmt.pid ovirtmgmt
>
> Calling chronyc manually will result in a proper context for the client
> socket:
> srw-rw-rw-. root root unconfined_u:object_r:chronyd_var_run_t:s0
> chronyc.49154.sock
>
> Can you try this without dhcp ?

No AVC denied errors after change to static network.

Comment #6 (Dominik Holler):

I failed to reproduce, too.
I installed RHVH-4.3-20191128.0-RHVH-x86_64-dvd1.iso downloaded from the access.redhat.com [1] two times in slightly different ways.

cshao, are you able to reproduce on a second host? If so, would you share the relevant kickstart file to help me to reproduce?
[1] https://access.redhat.com/downloads/content/415/ver=4.3/rhel---7/4.3/x86_64/product-software

(In reply to Dominik Holler from comment #6)
> I failed to reproduce, too.
> I installed RHVH-4.3-20191128.0-RHVH-x86_64-dvd1.iso downloaded from the
> access.redhat.com [1] two times in slightly different ways.
>
> cshao, are you able to reproduce on a second host? If so, would you share
> the relevant kickstart file to help me to reproduce?
>
> [1]
> https://access.redhat.com/downloads/content/415/ver=4.3/rhel---7/4.3/x86_64/
> product-software

Yes, I can reproduce this issue on a second host, and install RHVH by ISO through anaconda GUI with default KS.

timezone --utc Etc/UTC
%pre
cd /tmp
rpm2cpio /run/install/repo/Packages/redhat-virtualization-host-image-update*|cpio -ivd
squashfs=$(find|grep squashfs|grep -v meta)
ln -s $squashfs /tmp/squashfs
%end
liveimg --url=file:///tmp/squashfs
%post --erroronfail
imgbase layout --init
%end

Update:
# imgbase w
You are on rhvh-4.3.9.2-0.20200226.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1582796890.312:2779): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796891.314:2780): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796893.316:2781): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29803.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796897.327:2794): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796898.328:2802): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796900.331:2803): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29865.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796904.336:2816): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29916.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796905.337:2817): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29916.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796907.339:2830): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.29916.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796911.346:2849): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.30062.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796912.348:2850): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.30062.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1582796914.350:2851): avc: denied { sendto } for pid=1686 comm="chronyd" path="/run/chrony/chronyc.30062.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Comment #11 (Michal Skrivanek):

because of differences in RHEL 7 and 8, can you reproduce this in 4.4? I suppose not...but better ask than be sorry...

(In reply to Michal Skrivanek from comment #11)
> because of differences in RHEL 7 and 8, can you reproduce this in 4.4? I
> suppose not...but better ask than be sorry...

Yes, can reproduce with RHVH 4.4 as well, see bug https://bugzilla.redhat.com/show_bug.cgi?id=1779052

Update with the latest RHVH 4.3.10 build:
# imgbase w
You are on rhvh-4.3.10.1-0.20200422.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1587612304.609:1844): avc: denied { sendto } for pid=1522 comm="chronyd" path="/run/chrony/chronyc.27109.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1587612305.630:1846): avc: denied { sendto } for pid=1522 comm="chronyd" path="/run/chrony/chronyc.27109.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1587612307.636:1847): avc: denied { sendto } for pid=1522 comm="chronyd" path="/run/chrony/chronyc.27109.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Closing on 4.3, will fix in 4.4 with bug #1779052
Created attachment 1640571 [details]
all log

Description of problem:
AVC denied errors (sendto) in audit.log after register to engine

Version-Release number of selected component (if applicable):
rhvh-4.3.7.0-0.20191128.0+1

How reproducible:
100%

Steps to Reproduce:
1. RHVH-4.3-20191128.0-RHVH-x86_64-dvd1.iso installed successfully. SELinux in enforcing mode by default.
2. Register RHVH to engine.
3. Log in to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".

Actual results:
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1575006248.445:1940): avc: denied { sendto } for pid=3484 comm="chronyd" path="/run/chrony/chronyc.26131.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

Expected results:

Additional info:
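The thread's diagnosis is that the denial is not a missing policy rule but a process in the wrong domain: dhclient inherits virtd_t, so the chronyc socket it spawns carries virtd_t and chronyd_t cannot sendto it. The following is an added example (not from the bug or from RHVH) that parses AVC records and `ps auxZ` lines of the shape shown above, groups denials by source type, target type, class and permission, and flags chronyc sockets and dhclient processes whose SELinux type is not the expected one; the expected-type sets and the extra `read` record are assumptions/constructed.

```python
import re
from collections import Counter

# Constructed sample input: two AVC records copied from this bug, one unrelated
# constructed denial, and two `ps auxZ` lines matching the processes in comment #3.
AUDIT_LINES = [
    'type=AVC msg=audit(1587612304.609:1844): avc: denied { sendto } for pid=1522 comm="chronyd" path="/run/chrony/chronyc.27109.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1587612305.630:1846): avc: denied { sendto } for pid=1522 comm="chronyd" path="/run/chrony/chronyc.27109.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1587612310.000:1850): avc: denied { read } for pid=4242 comm="example" name="x.log" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
]
PS_LINES = [
    'system_u:system_r:virtd_t:s0-s0:c0.c1023 root 28382 0.0 0.0 102896 2756 ? S<s Dec13 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--ovirtmgmt.lease -pf /var/run/dhclient-ovirtmgmt.pid ovirtmgmt',
    'system_u:system_r:dhcpc_t:s0 root 51561 0.0 0.0 102896 2364 ? Ss 13:50 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--ovirtmgmt.lease -pf /var/run/dhclient-ovirtmgmt.pid -H hp-bl460cg9-01 ovirtmgmt',
]

AVC_RE = re.compile(r'type=AVC msg=audit\(([\d.]+):(\d+)\): avc: denied +\{ ([^}]+)\} for (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict; the SELinux type is the third field of a context."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {'serial': int(m.group(2)), 'perms': m.group(3).split()}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group(4)))
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(lines):
    """Collapse denials into (source type, target type, class, permission) tuples with counts."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

def unexpected_chronyc_peers(lines, expected=('dhcpc_t', 'unconfined_t')):
    """Peer types of chronyc sockets that chronyd could not answer and that are not a
    type chronyc is expected to run as (the expected set is an assumption)."""
    return {rec['ttype'] for rec in filter(None, map(parse_avc, lines))
            if rec.get('comm') == 'chronyd' and rec['tclass'] == 'unix_dgram_socket'
            and rec['ttype'] not in expected}

def dhclient_outside(ps_lines, expected='dhcpc_t'):
    """From `ps auxZ` output, map PID -> type for dhclient processes not in the expected domain."""
    found = {}
    for line in ps_lines:
        f = line.split()  # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND ...
        if len(f) > 11 and f[11].endswith('/dhclient') and f[0].split(':')[2] != expected:
            found[int(f[2])] = f[0].split(':')[2]
    return found
```

A non-empty result from `dhclient_outside` points at the domain transition to investigate rather than at the denial itself.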