Bug 1955415

Summary: RHVH 4.4: There are AVC denied errors in audit.log after upgrade
Product: Red Hat Enterprise Virtualization Manager
Reporter: peyu
Component: redhat-virtualization-host
Assignee: Lev Veyde <lveyde>
Status: CLOSED ERRATA
QA Contact: peyu
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.4.6
CC: cshao, lsvaty, lveyde, mavital, nlevy, nsednev, peyu, qiyuan, sbonazzo, shlei, weiwang, yaniwang
Target Milestone: ovirt-4.4.7
Keywords: Regression, ZStream
Target Release: 4.4.7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: imgbased-1.2.20 redhat-virtualization-host-4.4.7-20210624.0.el8_4
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2020997
Environment:
Last Closed: 2021-07-22 15:07:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1955461, 1955466
Bug Blocks: 2020997, 2111410
Attachments:
Description Flags
/var/log none

Description peyu 2021-04-30 04:50:44 UTC
Created attachment 1777571
/var/log

Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc:  denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc:  denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log 

Additional info:

Comment 1 peyu 2021-04-30 04:54:25 UTC
Additional info:
~~~~~~~~
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

# imgbase w
You are on rhvh-4.4.6.1-0.20210426.0+1

# imgbase layout
rhvh-4.4.5.4-0.20210330.0
 +- rhvh-4.4.5.4-0.20210330.0+1
rhvh-4.4.6.1-0.20210426.0
 +- rhvh-4.4.6.1-0.20210426.0+1
~~~~~~~~

Comment 2 Sandro Bonazzola 2021-04-30 07:44:10 UTC
Opened bug #1955461 to cover the gluster related denials.

Comment 3 Sandro Bonazzola 2021-04-30 07:52:34 UTC
Opened bug #1955466 to track the remaining denials.

Comment 14 peyu 2021-05-10 01:28:45 UTC
I replaced the audit.log file and rebooted the host again, but the "avc:  denied" errors still appeared in the new audit.log.

Comment 15 Lev Veyde 2021-05-10 08:31:41 UTC
(In reply to peyu from comment #14)
> I replaced the audit.log file and rebooted the host again, but the "avc: 
> denied" errors still appeared in the new audit.log.

Can I access the system?

Comment 16 peyu 2021-05-10 08:53:07 UTC
Sure, the information will be sent to you via Google chat.

Comment 24 peyu 2021-05-17 01:37:05 UTC
Send you the information of the system/machine via Google chat.

Comment 25 Ritesh Chikatwar 2021-05-25 07:47:35 UTC
*** Bug 1955428 has been marked as a duplicate of this bug. ***

Comment 28 peyu 2021-06-04 07:14:44 UTC
Pending on the new 4.4.7 build to verify it.

Comment 29 Lev Veyde 2021-06-10 09:43:06 UTC
*** Bug 1955466 has been marked as a duplicate of this bug. ***

Comment 31 peyu 2021-06-25 04:00:22 UTC
QE verified this bug on "redhat-virtualization-host-4.4.7-20210624.0.el8_4".

Test version:
RHVH: redhat-virtualization-host-4.4.7-20210624.0.el8_4
RHVM: 4.4.6.8-0.1.el8ev

Steps to Reproduce:
1. Install RHVH-4.4-20210615.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.7-20210624.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc:  denied' /var/log/audit/audit.log

Test results:
RHVH upgrade is successful. After upgrade, there is no "AVC denied" error in audit.log.

Will move the bug Status to "VERIFIED".

Comment 36 errata-xmlrpc 2021-07-22 15:07:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2736