Bug 862263
| Summary: | "selinux denials" check of stscleint-cloud-plugin may not find SELinux denials if setroubleshoot is not installed or its service is disabled | ||
|---|---|---|---|
| Product: | Red Hat Certification Program | Reporter: | Satoru SATOH <ssato> |
| Component: | redhat-certification-cloud | Assignee: | sankarshan <sankarshan> |
| Status: | CLOSED EOL | QA Contact: | Swati Goswami <swgoswam> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 1.0 | CC: | sgupta, swgoswam |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-10-26 13:05:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 873112 | ||
I've looked at the corresponding code in ccp-client and it's also the same [1].
Add to this, to search /var/log/messages for SELinux AVC denials is just
wrong in RHEL 7.
[1] selinux_denials() in
usr/lib/python2.7/site-packages/rhcert/suites/cloud/selinux_checks.py
in ccp-client-2.0-1.el7.
|
Description of problem: There is a code in stsclient-2.0-3:/usr/lib/python2.6/site-packages/stsclient_cloud_plugin/security.py such as: def selinux_denials(): """Check for SELinux denials and capture raw output from sealert Returns "" if no denial otherwise sealert output for denial. """ alerts = [] output = "" try: alerts = re.findall(r"^.*setroubleshoot:.*(sealert\s-l\s.*)", \ open("/var/log/messages", 'r').read(), \ re.MULTILINE) ... It doesn't seem worthwhile to grep 'setroubleshoot' in /var/log/messages if setroubleshoot is not installed in CCP guest images. And this (setroubleshoot is not installed) may be common in RHEL server systems. IMHO, it should be better to check if audit service is enabled *and* grep 'avc: denied' from /var/log/audit/audit.log (or utilize ausearch or whatever similar dedicated tools) as typical SELinux denial message looks like the following: type=AVC msg=audit(1348570890.401:721): avc: denied { execute } for pid=27481 comm="restorecon" path="/usr/lib64/libselinux.so.1" dev="tmpfs"... Version-Release number of selected component (if applicable): stsclient{,-cloud-plugin}-2.0-3 Actual results: I cannot find SELinux denials if setroubleshoot is not installed or its service is disabled. Expected results: It can find SELinux denials. Additional info: Past log (/var/log/messages.*) may be candidate to search SELinux denials for