Bug 1834275
| Summary: | AVC after node being deployed | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-node | Reporter: | Sandro Bonazzola <sbonazzo> |
| Component: | General | Assignee: | Lev Veyde <lveyde> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | cshao <cshao> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | master | CC: | bugs, cshao, lsvaty, lveyde, mavital, peyu, qiyuan, sbonazzo, shlei, weiwang, yaniwang, zpytela |
| Target Milestone: | ovirt-4.4.6 | Keywords: | ZStream |
| Target Release: | --- | Flags: | sbonazzo:
ovirt-4.4?
sbonazzo: planning_ack? sbonazzo: devel_ack+ cshao: testing_ack+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-05 05:35:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1759010, 1842897 | ||
| Bug Blocks: | |||
Hi Sandro, Which version you met this issue? Is the same bug with 1779052? Thanks. Test version:
ovirt-node-ng-installer-4.4.0-2020050620.el8.iso
# imgbase w
You are on ovirt-node-ng-4.4.0-0.20200506.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1589256534.125:46): avc: denied { dac_override } for pid=2236 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1589256551.079:66): avc: denied { write } for pid=5701 comm="NetworkManager" path="/var/tmp/dracut.PI4D1C/systemd-cat" dev="dm-9" ino=8389245 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
QE can reproduce this issue.
Doesn't seem to cause harm functionality despite the denials. Lowering priority to medium and re-targeting to 4.4.3 Moving out to 4.5 due to capacity After some debugging and going into the selinux-policy code it looks like both should have been ready fixed upstream. The similar NetworkManager issue was fixed with the following patch: commit 4d471274fc9696898a0618cc7262dfc70fd73269 Author: Lukas Vrabec <lvrabec> Date: Wed Sep 25 13:37:57 2019 +0200 Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) Note the BZ#1750428. It was fixed in FC w/ selinux-policy-3.14.4-36.fc31 The firewalld issue was fixed with the following patch: commit 005292e1e2ccf823259eccb66dd9bdc2d37e0046 Author: Zdenek Pytela <zpytela> Date: Thu Dec 17 00:02:49 2020 +0100 Dontaudit firewalld dac_override capability The dac_override capability is raised when firewalld tries to create ~/.cache directory. The directory is not used any later though. Resolves: rhbz#1759010 Note the BZ#1759010. It was supposed to be fixed in selinux-policy-3.14.3-59.el8 Hi Zdenek, Can you please verify my findings and provide some details/ETA on when the fixes will be backported/provided d/s ? The firewalld denial is supposed fixed since selinux-policy-3.14.3-59.el8. The NetworkManager one is tracked in bz#1842897. The latest package version is selinux-policy-3.14.3-60.el8. (In reply to Zdenek Pytela from comment #9) > The firewalld denial is supposed fixed since selinux-policy-3.14.3-59.el8. > The NetworkManager one is tracked in bz#1842897. Fixed since selinux-policy-3.14.3-62.el8. > The latest package version is selinux-policy-3.14.3-60.el8. The latest package version is now selinux-policy-3.14.3-62.el8. Test version: ovirt-node-ng-installer-4.4.6-2021040814.el8.iso glusterfs-selinux-1.0-4.el8rhgs.noarch Test steps: 1. Install ovirt-node-ng-installer-4.4.6-2021040814.el8.iso successful. Selinux in enforcing mode as default. 2. Register to engine. 3. Login to node and run "grep "avc: denied" /var/log/audit/audit.log". Test result: No AVC denied errors in audit.log So the bug is fixed, change bug status to VERIFIED. This bugzilla is included in oVirt 4.4.6 release, published on May 4th 2021. Since the problem described in this bug report should be resolved in oVirt 4.4.6 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report. |
After adding a fresh Node to engine: ---- time->Mon May 11 11:12:18 2020 type=PROCTITLE msg=audit(1589195538.946:57): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F6669726577616C6C64002D2D6E6F666F726B002D2D6E6F706964 type=SYSCALL msg=audit(1589195538.946:57): arch=c000003e syscall=83 success=no exit=-13 a0=55914b8edd20 a1=1c0 a2=55914b8fffa0 a3=2 items=0 ppid=1 pid=1799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewalld" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(1589195538.946:57): avc: denied { dac_override } for pid=1799 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0 ---- time->Mon May 11 11:12:31 2020 type=PROCTITLE msg=audit(1589195551.309:77): proctitle=4E6574776F726B4D616E61676572002D2D76657273696F6E type=SYSCALL msg=audit(1589195551.309:77): arch=c000003e syscall=59 success=yes exit=0 a0=55ee342fd900 a1=55ee343c6290 a2=55ee3440dd40 a3=8 items=0 ppid=3148 pid=5211 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1589195551.309:77): avc: denied { write } for pid=5211 comm="NetworkManager" path="/var/tmp/dracut.vUAbq2/systemd-cat" dev="dm-9" ino=8390915 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0