Bug 968344

Summary: pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
Product: Red Hat Enterprise Linux 6 Reporter: Jason DeTiberus <jdetiber>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dwalsh, ebenes, jpazdziora, lnovich, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-202.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1004824 (view as bug list) Environment:
Last Closed: 2013-11-21 10:29:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 966876, 1004824    
Attachments:
Description Flags
Patch against selinux-policy-3.7.19-200 none

Description Jason DeTiberus 2013-05-29 13:46:06 UTC 
Created attachment 754385 [details]
Patch against selinux-policy-3.7.19-200

Description of problem:
AVC denials when SSHing into an Openshift Enterprise Node.

Version-Release number of selected component (if applicable):
Openshift Enterprise 1.2 Candidate 
selinux-policy-3.7.19-200.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and Configure Openshift Enterprise 1.2 from the latest puddle
2. SSH into a gear
3.

Actual results:
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Comment 1 Daniel Walsh 2013-06-04 20:44:36 UTC 
Looks like this is fixed in selinux-policy-3.7.19-202.el6
Comment 3 Miroslav Grepl 2013-06-10 06:35:58 UTC 
Yes, it has been added.
Comment 10 errata-xmlrpc 2013-11-21 10:29:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html