Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 912709

Summary: When create jenkins app, there will be some AVC message in audit.log
Product: OpenShift Container Platform Reporter: xjia <xjia>
Component: ContainersAssignee: Brenton Leanhardt <bleanhar>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: low Docs Contact:
Priority: low    
Version: 1.1.1CC: gpei, libra-onpremise-devel, lmeyer, pruan, xtian
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-09 18:59:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description xjia 2013-02-19 13:32:26 UTC 
Description of problem:
Create a jenkins app, see the log in /var/log/audit/audit.log on node.

Version-Release number of selected component (if applicable):
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.1.z/2013-02-18.3


How reproducible:
always

Steps to Reproduce:
1.Create a jenkins app 
rhc app create jenkins jenkins 
2. On node:  tailf /var/log/audit/audit.log | grep java


Actual results:
[root@node1 ~]# tailf /var/log/audit/audit.log | grep java
type=AVC msg=audit(1361280256.039:65402152): avc:  denied  { name_bind } for  pid=25490 comm="java" src=5353 scontext=system_u:system_r:openshift_t:s0:c0,c507 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1361280256.039:65402152): arch=c000003e syscall=49 success=no exit=-13 a0=83 a1=7f6e7719e1e0 a2=10 a3=268 items=0 ppid=1 pid=25490 auid=4294967295 uid=507 gid=507 euid=507 suid=507 fsuid=507 egid=507 sgid=507 fsgid=507 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:openshift_t:s0:c0,c507 key=(null)


Expected results:
No such info

Additional info:
Comment 2 Brenton Leanhardt 2013-02-19 14:33:06 UTC 
Does this denial actually cause a breakage from the user's perspective?
Comment 3 xjia 2013-02-21 13:14:02 UTC 
I only created jenkins app and access the app. No other things. 

But now, it doesn't exist. Don't know why.
Comment 4 Brenton Leanhardt 2013-02-21 13:57:57 UTC 
OK, we'll leave this at low severity but plan on fixing it with the next minor release.
Comment 5 Luke Meyer 2013-06-28 18:30:46 UTC 
I believe updated selinux-policy may have addressed this at least for OSE 1.2. Can you please test?
Comment 6 Gaoyun Pei 2013-07-01 05:13:10 UTC 
Test jenkins application on 1.2 RC2 puddle:
http://download.lab.bos.redhat.com/rel-eng/OpenShiftEnterprise/1.2/2013-06-26.3/

selinux-policy-targeted-3.7.19-195.el6_4.10.noarch
selinux-policy-3.7.19-195.el6_4.10.noarch

During the jenkins app creation and embedding process, there would not be any AVC denied message shown out, so this bug could be verified. 

But in the end of jenkins build, it would generate avc denial in audit.log, not sure whether it has any relationship with this bug, or it's another new bug.

Here's the reproduce step:
1. Create a php app and jenkins app, embed jenkins-client to php app

2. Make some changes in the php app git repo to trigger jenkins build

3. Monitoring the audit.log on the node, avc denial would be generated once the build action completed as "SUCCESS"
[root@node1 ~]# tailf /var/log/audit/audit.log |grep avc

type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
Comment 7 Gaoyun Pei 2013-07-01 05:48:57 UTC 
Move this bug to VERIVIED due to the related issue has been resolved.

About the new issue mentioned in Comment 6, do you think it is necessary to file a new bug to trace that?  Thanks!
Comment 8 Brenton Leanhardt 2013-07-01 17:36:56 UTC 
I vote we track the issue in Comment #6 as a new bug against 1.2.1.
Comment 9 Gaoyun Pei 2013-07-02 07:14:00 UTC 
A new bug was filed to track the new issue:
https://bugzilla.redhat.com/show_bug.cgi?id=980353

Thanks
Comment 11 errata-xmlrpc 2013-07-09 18:59:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1032.html