| Summary: | Seeing AVCs running katello on RHEL 6.1 | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Steve Reichard <sreichar> |
| Component: | Infrastructure | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED WORKSFORME | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.0.0 | CC: | bkearney, lzap, mmccune, scollier |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-28 16:21:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 747354 | ||
SELinux support is planned. SELinux is fully supported and tested. CLOSING as WORKSFORME. Individual issues with selinux can be filed as new bugs |
Description of problem: I am running katello in permissive mode. Periodically I will check for AVCs. This is a list of what I found. I did a restorecon -rv / and have seen at least one new AVC. root@cf-se1 www]# grep -i avc /var/log/audit/audit.log type=AVC msg=audit(1319295554.143:103022): avc: denied { name_connect } for pid=17214 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319314898.122:104223): avc: denied { name_connect } for pid=17305 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319338446.583:105676): avc: denied { name_connect } for pid=12070 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319349499.503:106367): avc: denied { name_connect } for pid=17305 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319354665.379:106700): avc: denied { name_connect } for pid=6411 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319354785.591:106707): avc: denied { name_connect } for pid=6409 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319381577.965:108358): avc: denied { name_connect } for pid=6411 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319397676.949:109355): avc: denied { name_connect } for pid=6410 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319418582.158:110640): avc: denied { name_connect } for pid=6412 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319432518.855:111511): avc: denied { name_connect } for pid=6411 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319440207.821:111992): avc: denied { name_connect } for pid=6411 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319447536.783:112443): avc: denied { name_connect } for pid=6414 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319463876.125:113446): avc: denied { name_connect } for pid=6415 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319470484.140:113855): avc: denied { name_connect } for pid=6410 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319470604.276:113863): avc: denied { name_connect } for pid=6415 comm="httpd" dest=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1319475530.378:114164): avc: denied { name_connect } for pid=6411 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket [root@cf-se1 www]# Version-Release number of selected component (if applicable): [root@cf-se1 ~]# /pub/scripts/post_install_configuration_scripts/cf-se-versions Red Hat Enterprise Linux Server release 6.1 (Santiago) Linux cf-se1.cloud.lab.eng.bos.redhat.com 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Sep 29 10:24:25 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux PyYAML-3.09-5.el6.x86_64 epel-release-6-5.noarch facter-1.6.0-2.el6.noarch js-1.70-12.el6.x86_64 mongodb-1.6.4-3.el6.x86_64 mongodb-server-1.6.4-3.el6.x86_64 puppet-2.6.6-1.el6.noarch pymongo-1.9-6.el6.x86_64 katello-0.1.93-1.git.1.ef6154d.el6.noarch katello-all-0.1.93-1.git.1.ef6154d.el6.noarch katello-cli-0.1.10-1.git.712.be6830e.el6.noarch katello-configure-0.1.6-1.git.5.76ba627.el6.noarch katello-repos-0.1.3-1.git.0.db2bd1d.el6.noarch [root@cf-se1 ~]# How reproducible: Unknown to exactly what I am doing to cause at this time. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: