Bug 953624

Summary: cron job will generate avc denied message when selinux-policy-targeted-3.7.19-195.el6_4.1.noarch is installed on node.
Product: OKD
Reporter: Luke Meyer <lmeyer>
Component: Containers
Assignee: Mrunal Patel <mpatel>
Status: CLOSED NOTABUG
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: high
Version: 2.x
CC: jialiu, libra-onpremise-devel, lmeyer, mgrepl
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Clone Of: 915701
Last Closed: 2013-04-18 20:56:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Luke Meyer 2013-04-18 17:18:16 UTC
+++ This bug was initially created as a clone of Bug #915701 +++

Description of problem:
After updating selinux-policy to the latest version (selinux-policy-3.7.19-195.el6_4.1.noarch), the openshift cron job generates an avc denied message.

Version-Release number of selected component (if applicable):
1.1.z/2013-02-20.1


How reproducible:
Always

Steps to Reproduce:
1. Install a RHEL 6.4 system; it installs selinux-policy-3.7.19-195.el6.noarch.
2. Set up the node env on this system.
3. /etc/cron.minutely/openshift-facts is executed every minute; monitor audit.log to make sure no avc denied message is generated by this cron job.
4. Update selinux-policy to the latest version (selinux-policy-3.7.19-195.el6_4.1.noarch):
# yum update selinux-policy
5. Monitor audit.log.

Actual results:
The cron job generates an avc denied message.
# grep denied /var/log/audit/audit.log*|grep cron
/var/log/audit/audit.log.1:type=AVC msg=audit(1361875921.479:776343667): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
/var/log/audit/audit.log.1:type=AVC msg=audit(1361875922.270:776344837): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file

Expected results:
The cron job should not generate this avc denied message.

Additional info:
See the original bug. This blocks correct recording of the active gear count. It didn't seem to apply to Online before, but now I am seeing it in today's Online devenv.

Comment 1 Mrunal Patel 2013-04-18 19:22:04 UTC
This is the policy I generated for all the denials in cron:


module mycron5 1.0;

require {
        type http_port_t;
        type openshift_cron_t;
        type openshift_var_lib_t;
        class capability { dac_read_search dac_override };
        class tcp_socket name_connect;
        class lnk_file { read getattr };
}

#============= openshift_cron_t ==============

#!!!! This avc is allowed in the current policy
allow openshift_cron_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow openshift_cron_t openshift_var_lib_t:lnk_file { read getattr };

#!!!! This avc is allowed in the current policy
allow openshift_cron_t self:capability { dac_read_search dac_override };

It looks like we need to backport the selinux-policy fix for RHEL 6.5
mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=915701

Comment 2 Luke Meyer 2013-04-18 19:57:07 UTC
(In reply to comment #1)

> #!!!! This avc is allowed in the current policy
> allow openshift_cron_t self:capability { dac_read_search dac_override };

That should handle it in enterprise. Still, I'm seeing this sort of thing in my devenv:

type=SYSCALL msg=audit(1366314722.558:150825): arch=c000003e syscall=6 success=no exit=-13 a0=25384f0 a1=7fffb236d850 a2=7fffb236d850 a3=2 items=0 ppid=5679 pid=5682 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1080 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_override } for  pid=5682 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_read_search } for  pid=5682 comm="ruby" capability=2  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366314722.558:150826): arch=c000003e syscall=6 success=no exit=-13 a0=25384f0 a1=7fffb236d850 a2=7fffb236d850 a3=2 items=0 ppid=5679 pid=5682 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1080 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366314722.558:150827): avc:  denied  { read } for  pid=5682 comm="ruby" name="test-ci48411115" dev=xvde2 ino=2246 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=lnk_file

For that, audit2allow says:
#============= openshift_cron_t ==============
allow openshift_cron_t openshift_var_lib_t:lnk_file read;

Not sure what is missing.
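
A small parser, added here and not part of this bug or of OpenShift, that does for the AVC records quoted above what audit2allow does: it pulls the source type, target type, object class and permissions out of each `type=AVC` line and merges them into allow rules, and it also gives the step-3 check from the report (count the denials charged to `openshift_cron_t`). The sample records are constructed from the shapes of this bug's log excerpts, with the SYSCALL record abridged; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: shapes copied from the audit.log excerpts quoted in this bug.
# The abridged SYSCALL record is there to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_override } for  pid=5682 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_read_search } for  pid=5682 comm="ruby" capability=2  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366314722.558:150826): arch=c000003e syscall=6 success=no exit=-13 pid=5682 comm="ruby" subj=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366314722.558:150827): avc:  denied  { read } for  pid=5682 comm="ruby" name="test-ci48411115" dev=xvde2 ino=2246 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1361875921.479:776343667): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
"""

# One AVC record per line: permissions in braces, then the context and class fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for every denial in text.
    Only the type component of user:role:TYPE:level is kept; a TE rule needs no more."""
    for m in AVC_RE.finditer(text):
        stype = m.group('scon').split(':')[2]
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def denials_for_domain(text, domain):
    """The step-3 check from the report: denials whose source domain is `domain`."""
    return [d for d in parse_avc(text) if d[0] == domain]


def build_rules(text):
    """Merge denials into allow rules keyed by (source, target, class); a domain denied
    something on its own context (the capability denials) is written as 'self'."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, 'self' if stype == ttype else ttype, tclass)] |= perms
    return rules


def format_te(rules):
    """Render the merged rules in the form audit2allow prints them."""
    lines = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        joined = ' '.join(sorted(perms))
        perm_str = joined if len(perms) == 1 else '{ %s }' % joined
        lines.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return lines
```

`format_te(build_rules(SAMPLE_AUDIT))` yields the same `self:capability` and `openshift_var_lib_t:lnk_file` rules as the audit2allow output in comments 1 and 2; whether a rule is already in the loaded policy (as comment 1 notes) is a separate question for `sesearch`.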

Comment 3 Mrunal Patel 2013-04-18 20:56:37 UTC
Closing this for now since neither Luke nor I saw this issue in the latest devenvs. We could re-open this bug if we see the issue.