Bug 2020997

Summary: RHVH 4.4: There are AVC denied errors in audit.log after upgrade
Product: Red Hat Enterprise Virtualization Manager
Reporter: peyu
Component: redhat-virtualization-host
Assignee: Yedidyah Bar David <didi>
Status: CLOSED DEFERRED
QA Contact: cshao <cshao>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.4.9
CC: amusil, cshao, lsvaty, lveyde, mavital, mburman, michal.skrivanek, mperina, mzamazal, nlevy, nsednev, peyu, qiyuan, sbonazzo, weiwang, yaniwang, zpytela
Target Milestone: ---
Keywords: Regression, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1955415
: 2111410
Environment:
Last Closed: 2022-08-10 12:21:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1955415, 1955461, 1955466, 2063871, 2082147, 2095184
Bug Blocks: 2111410

Comment 2 peyu 2021-11-08 04:06:17 UTC
This issue occurred again when RHVH was upgraded from rhvh-4.4.8.1-0.20210903.0+1 to rhvh-4.4.9.2-0.20211104.0+1.

Comment 5 Michal Skrivanek 2022-04-25 12:42:15 UTC
Since these are the platform's AVC denials, it should probably be retested with RHEL 8.6. Do we have any results?

Comment 32 Zdenek Pytela 2022-08-01 14:30:26 UTC
As momd seems to be the service, can you try

  # chcon -t virtd_exec_t /usr/sbin/momd

and reproduce again? This change will persist across reboot, but not reinstallation.

Comment 43 Michal Skrivanek 2022-08-10 08:07:17 UTC
So... everything works OK and we can close the bug, right?

Comment 44 Martin Perina 2022-08-10 12:21:59 UTC
The mentioned AVC denials are raised during RHVH upgrade, where we have a custom way of applying SELinux updates due to differences between RHVH and RHELH. As those AVC denials are raised only during the upgrade phase and the host is fully functional after reboot (which is the last phase of an upgrade), closing this bug as deferred, because we don't have enough resources to reimplement the SELinux update code in RHVH.
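
One way to check on a host that the denials stop after the post-upgrade reboot, as an added example that is not part of the bug report: it groups AVC denials from audit.log text and splits them at the last SYSTEM_BOOT record. The sample records, the `example_*_t` types and the `example_cmd` name are constructed placeholders, and `split_denials` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in audit.log format (placeholder SELinux types, not from the bug).
SAMPLE = """\
type=AVC msg=audit(1636340000.101:210): avc:  denied  { read } for  pid=4101 comm="momd" name="example" dev="dm-0" ino=1201 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_tgt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1636340003.442:214): avc:  denied  { read } for  pid=4101 comm="momd" name="example" dev="dm-0" ino=1201 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_tgt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1636340010.007:230): avc:  denied  { read open } for  pid=4188 comm="example_cmd" path="/example" dev="dm-0" ino=77 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_dir_t:s0 tclass=dir permissive=0
type=SYSTEM_BOOT msg=audit(1636340600.500:5): pid=812 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" res=success'
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
BOOT_RE = re.compile(r'type=SYSTEM_BOOT msg=audit\((\d+\.\d+):\d+\)')


def se_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]


def split_denials(log_text):
    """Return (before, after) Counters of denials, split at the last boot.

    Keys are (comm, source type, target type, class, permissions).
    With no SYSTEM_BOOT record in the text, every denial lands in 'before'.
    """
    boots = [float(m.group(1)) for m in BOOT_RE.finditer(log_text)]
    last_boot = max(boots) if boots else None
    before, after = Counter(), Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["comm"], se_type(m["s"]), se_type(m["t"]),
               m["cls"], tuple(m["perms"].split()))
        is_after = last_boot is not None and float(m["ts"]) > last_boot
        (after if is_after else before)[key] += 1
    return before, after


if __name__ == "__main__":
    pre, post = split_denials(SAMPLE)
    for label, counts in (("before last boot", pre), ("after last boot", post)):
        print(label, dict(counts) or "no denials")
```

An empty "after last boot" group on a real `/var/log/audit/audit.log` matches the behaviour described in the closing comment; any entry there is a denial that survived the reboot.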