Bug 968344
Summary: | pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jason DeTiberus <jdetiber>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck>
Severity: | unspecified | Priority: | unspecified
Version: | 6.4 | CC: | dwalsh, ebenes, jpazdziora, lnovich, mmalik, mtruneck
Target Milestone: | rc | Target Release: | ---
Hardware: | All | OS: | Linux
Fixed In Version: | selinux-policy-3.7.19-202.el6 | Doc Type: | Bug Fix
: | 1004824 | |
Last Closed: | 2013-11-21 10:29:34 UTC | Type: | Bug
Bug Blocks: | 966876, 1004824 | |
Looks like this is fixed in selinux-policy-3.7.19-202.el6

Yes, it has been added.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Created attachment 754385
Patch against selinux-policy-3.7.19-200

Description of problem:
AVC denials when SSHing into an Openshift Enterprise Node.

Version-Release number of selected component (if applicable):
Openshift Enterprise 1.2 Candidate
selinux-policy-3.7.19-200.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and Configure Openshift Enterprise 1.2 from the latest puddle
2. SSH into a gear
3.

Actual results:

```
type=AVC msg=audit(1369383282.771:1078): avc: denied { search } for pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc: denied { write } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc: denied { open } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc: denied { getattr } for pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc: denied { getattr } for pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
```

Expected results:
No AVC denials

Additional info:
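Grouping the denials under "Actual results" by source type, target type and object class shows exactly which access the sshd_t domain lacks. The following is an added example, not part of the original report or of the attached patch: it parses those five records and renders candidate allow rules for review. The function names are illustrative, and the output is not the content of selinux-policy-3.7.19-202.el6.

```python
import re
from collections import defaultdict

# The five AVC records from "Actual results" in this report, verbatim.
AVC_LOG = '''\
type=AVC msg=audit(1369383282.771:1078): avc: denied { search } for pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc: denied { write } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc: denied { open } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc: denied { getattr } for pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc: denied { getattr } for pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    # A context is user:role:type:level; the type is what policy rules name.
    return {"perms": m.group("perms").split(),
            "comm": f.get("comm", "").strip('"'),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"]}

def summarize(log):
    """Group denials by (source type, target type, class)."""
    acc = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            entry = acc[(rec["source"], rec["target"], rec["tclass"])]
            entry["perms"].update(rec["perms"])
            entry["comms"].add(rec["comm"])
    return {k: {n: sorted(v) for n, v in e.items()} for k, e in acc.items()}

def to_allow_rules(summary):
    """Render candidate rules (hypothetical helper) for human review."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = entry["perms"]
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize(AVC_LOG))))
```

The record with comm="oo-namespace-in" also carries source type sshd_t, so all five denials concern the same domain.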