Bug 623566

Summary: capture problems emerged during reservesys [beaker doesn't catch AVC denial]
Product: [Retired] Beaker
Reporter: Petr Sklenar <psklenar>
Component: beah
Assignee: Bill Peck <bpeck>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 0.5
CC: bpeck, dcallagh, jpazdziora, kbaker, mcsontos, rmancy, satqe-list, slukasik
Target Milestone: future_maint
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Clone Of:
: 623952
Last Closed: 2012-10-04 04:52:36 UTC
Bug Blocks: 545868

Description Petr Sklenar 2010-08-12 07:40:44 UTC
Description of problem:
I have one test which causes an AVC denial, but Beaker doesn't record it.

Version-Release number of selected component (if applicable):
beaker.engineering.redhat.com
Version - 0.5.53 

How reproducible:
deterministic

Steps to Reproduce:
1. schedule the same test causing an AVC denial on many machines
2. one will pass and other will fail
  
Actual results:
Beaker doesn't catch an AVC denial

Expected results:
Beaker has to record it

Additional info:
Beaker says pass, but there is an AVC denial:
https://beaker.engineering.redhat.com/jobs/11637

denial is:

      Beaker Test information:
                         HOSTNAME=tyan-gt24-07.rhts.eng.bos.redhat.com
                            JOBID=11637
                         RECIPEID=21462
                    RESULT_SERVER=127.0.0.1:7090
                           DISTRO=RHEL5-Server-U5
                     ARCHITECTURE=x86_64
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
[root@tyan-gt24-07 ~]# cat /var/log/audit/audit.log | grep den
type=AVC msg=audit(1281512936.256:18): avc:  denied  { read write } for  pid=3778 comm="ifconfig" path="socket:[11811]" dev=sockfs ino=11811 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1281512936.256:18): avc:  denied  { read append } for  pid=3778 comm="ifconfig" path="/var/beah/journals/beakerlc.journal" dev=dm-0 ino=4228414 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1281512936.412:19): avc:  denied  { read write } for  pid=3779 comm="ifconfig" path="socket:[12064]" dev=sockfs ino=12064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1281513938.365:114): avc:  denied  { getattr } for  pid=19429 comm="osa-dispatcher" path="/etc/krb5.conf" dev=dm-0 ino=17105499 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
[root@tyan-gt24-07 ~]# date
Thu Aug 12 03:36:01 EDT 2010


beaker says fail which is OK
https://beaker.engineering.redhat.com/jobs/11716

Comment 2 Marian Csontos 2010-08-12 14:18:40 UTC
Does not look like a too serious problem to me:

Try strftime("%Y%m%d-%H%M%S", 1281512936)
20100811-094856

So this happened long after your task has finished - see console:

  08/11/10 03:49:14  JobID:11637 Test:/distribution/install Response:1
  08/11/10 03:49:14  testID:270934 start:
  08/11/10 03:49:21  testID:270934 finish:
  08/11/10 03:49:33  JobID:11637 Test:/CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop Response:1
  08/11/10 03:49:33  testID:270935 start:
  [-- MARK -- Wed Aug 11 03:50:00 2010] 
  [-- MARK -- Wed Aug 11 03:55:00 2010] 
  [-- MARK -- Wed Aug 11 04:00:00 2010] 
  [-- MARK -- Wed Aug 11 04:05:00 2010] 
  08/11/10 04:05:55  testID:270935 finish:
  08/11/10 04:06:06  JobID:11637 Test:/distribution/reservesys Response:1
  08/11/10 04:06:06  testID:270936 start:
  08/11/10 04:06:06  JobID:11637 Test:/distribution/reservesys Response:1
   INIT: version 2.86 reloading 
  [-- MARK -- Wed Aug 11 04:10:00 2010] 
  [-- MARK -- Wed Aug 11 04:15:00 2010] 

So the AVC warning was raised well after your task has finished...
I expect you were running some test manually while the machine was reservesys'ed.

Would you expect task to report the future warning as well? ;-)

I will (one day) add AVC reporting to reservesys...

Comment 3 Petr Sklenar 2010-08-12 15:33:52 UTC
There is the job https://beaker.engineering.redhat.com/jobs/11637
and the test /CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop caused the AVC denial, not me during reservesys.

Look at job https://beaker.engineering.redhat.com/jobs/11716 for the same AVC, which was caught by Beaker.

I looked into the machine when /distribution/reservesys was running, then the recipe was manually canceled.

> So the AVC warning was raised well after your task has finished...

Is it possible that AVC appears when /CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop was finished due to slow setroubleshooter or something like that? 

> Would you expect task to report the future warning as well? ;-)
yes, please can you implement :) ?

Comment 4 Marian Csontos 2010-08-13 06:47:55 UTC
Yes, I saw the test which fails, but I presume selinux reports denials with correct timestamp and will rely on it unless there is a BZ attached here.

I do not think setroubleshooter has anything to do with it: IIUC it is only processing the logged event... And it is unlikely 5+ hour delay would be caused by slow setroubleshooter.

More likely there is a RHN process running in the background (osa-dispatcher is my hot candidate) triggering an action (cron or own mechanism) which results in AVC denial:

type=AVC msg=audit(1281513938.365:114): avc:  denied  { getattr } for 
pid=19429 comm="osa-dispatcher" path="/etc/krb5.conf" dev=dm-0 ino=17105499
scontext=system_u:system_r:osa_dispatcher_t:s0
tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

The remaining denials are mine. There is no policy for harness at the moment, so it is not a surprise...

Comment 5 Jan Pazdziora 2010-08-13 07:29:41 UTC
(In reply to comment #2)
> Does not look like a too serious problem to me:
> 
> Try strftime("%Y%m%d-%H%M%S", 1281512936)
> 20100811-094856
> 
> So this happened long after your task has finished - see console:
> 
>   08/11/10 03:49:14  JobID:11637 Test:/distribution/install Response:1
>   08/11/10 03:49:14  testID:270934 start:
>   08/11/10 03:49:21  testID:270934 finish:
>   08/11/10 03:49:33  JobID:11637

Please repeat the computation with timezones taken into account.
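
The timezone-aware version of that computation, as an added example that is not part of the original thread or of Beaker's code: it converts the audit epoch values explicitly and attributes each denial to a task window from the console log. It assumes the console timestamps are in the host's EDT (UTC-4), as the `date` output in the description suggests; `attribute`, `parse_console` and the constants are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: console timestamps are host-local EDT (UTC-4), per the `date` output.
CONSOLE_TZ = timezone(timedelta(hours=-4), "EDT")

# AVC records abbreviated from the audit.log excerpt in the description.
AUDIT_LINES = [
    'type=AVC msg=audit(1281512936.256:18): avc:  denied  { read write } for  pid=3778 comm="ifconfig" tclass=udp_socket',
    'type=AVC msg=audit(1281512936.412:19): avc:  denied  { read write } for  pid=3779 comm="ifconfig" tclass=udp_socket',
    'type=AVC msg=audit(1281513938.365:114): avc:  denied  { getattr } for  pid=19429 comm="osa-dispatcher" tclass=file',
]

# Task windows copied from the console log in comment 2 (reservesys has no finish line).
TASKS = [
    ("/distribution/install", "08/11/10 03:49:14", "08/11/10 03:49:21"),
    ("/CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop",
     "08/11/10 03:49:33", "08/11/10 04:05:55"),
    ("/distribution/reservesys", "08/11/10 04:06:06", None),
]

AVC_RE = re.compile(r'audit\((\d+)\.\d+:\d+\).*?comm="([^"]+)"')


def parse_console(stamp):
    """Console stamp -> timezone-aware datetime in CONSOLE_TZ (None stays None)."""
    if stamp is None:
        return None
    return datetime.strptime(stamp, "%m/%d/%y %H:%M:%S").replace(tzinfo=CONSOLE_TZ)


def attribute(audit_lines=AUDIT_LINES, tasks=TASKS):
    """Return (local time, comm, task name or None) for every AVC denial."""
    windows = [(name, parse_console(s), parse_console(e)) for name, s, e in tasks]
    rows = []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if not m or "denied" not in line:
            continue
        # Epoch seconds are UTC; convert explicitly instead of via the analyst's local zone.
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).astimezone(CONSOLE_TZ)
        task = next((n for n, s, e in windows if s <= when and (e is None or when <= e)), None)
        rows.append((when.strftime("%Y%m%d-%H%M%S %Z"), m.group(2), task))
    return rows


if __name__ == "__main__":
    for row in attribute():
        print(*row, sep="  ")
```

Under the EDT assumption, the two `ifconfig` denials land 18 seconds before the first task starts, and the `osa-dispatcher` denial lands inside the Spacewalk task window.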

Comment 8 Bill Peck 2012-09-04 17:26:40 UTC
This should be solved now.  We clear the avc log between each test run now.

Comment 9 Dan Callaghan 2012-10-04 04:52:36 UTC
Assuming this is fixed now.

Comment 10 Jan Pazdziora 2012-10-04 07:11:01 UTC
Could we change NOTABUG to CURRENTRELEASE?

Comment 11 Dan Callaghan 2012-10-07 22:35:37 UTC
Sure, resolution changed, though I don't see that it makes much difference to anything...