Bug 973984
| Field | Value |
|---|---|
| Summary | Produce "AVC" log in many situations such as create scaleable app or embed postgresql |
| Product | OpenShift Online |
| Component | Containers |
| Version | 2.x |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | high |
| Reporter | xjia <xjia> |
| Assignee | Rob Millner <rmillner> |
| QA Contact | libra bugs <libra-bugs> |
| CC | bmeng, mfisher, pmorie, xtian |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-06-24 14:54:16 UTC |

Description
xjia
2013-06-13 08:25:26 UTC
The Postgres AVC error, the scalable app AVC error, and the Jenkins AVC error are all separate bugs.

Postgres is trying to bind to address 127.0.0.1, forbidden in OpenShift.

Jenkins is trying to bind to port 33848, forbidden in OpenShift.

The scalable app issue appears to be a file descriptor being inherited by a child process across an SELinux transition (running the ip command inside of openshift-port-proxy-cfg).

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/207c4676ae97061860ad4315d2c65df1b062047f
Bug 973984 - Inheriting the lock file FDs was causing AVC denials.

The ip command issue was fixed in the above commit.

In the version of php installed on OpenShift, there is no way to turn off the statistics collector and no way to tell it to bind to another IP address. It's just going to generate that message every time.

Sorry, make that "postgresql", not "php". The joys of multitasking.

Jenkins has no configuration option to disable trying to bind to or send multicast packets on UDP port 33848. We're just going to have to live with the AVC denial.

Of the three issues reported:

The scalable app issue: fixed in the above commit.
Jenkins: cannot be fixed.
Postgres: cannot be fixed.

According to Rob's comment, check the scalable app issue on devenv_3368: tailf /var/log/audit/audit.log |grep AVC while creating a scalable app. No AVC denial generated. Move bug to verified.
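
The file descriptor inheritance behind the scalable app issue, as an added example that is not code from origin-server or from the commit above: a held lock file FD stays open in an exec'd child unless it is marked close-on-exec, which is one common way to stop the inheritance (the page does not say how the commit does it). The lock file name `gear.lock`, the helper names and the Python child are assumptions for illustration; it runs without SELinux, so it shows the leaked FD itself rather than the AVC denial.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Child helper (stands in for a command such as ip): exits 0 only if the fd
# number it was given is open AND refers to the parent's lock file.
CHILD = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)  # fd is closed in the child: nothing was inherited
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""

def child_inherits(fd):
    """Exec the child with subprocess's own fd cleanup disabled, so only the
    fd's close-on-exec flag decides whether it crosses the exec."""
    st = os.fstat(fd)
    argv = [sys.executable, "-c", CHILD, str(fd), str(st.st_dev), str(st.st_ino)]
    return subprocess.call(argv, close_fds=False) == 0

def run_helper_while_locked(cloexec):
    """Hold an exclusive lock on a constructed lock file and run the child.
    Returns True if the lock file fd leaked into the child."""
    with tempfile.TemporaryDirectory() as tmp:
        fd = os.open(os.path.join(tmp, "gear.lock"), os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(fd, fcntl.LOCK_EX)
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
            if cloexec:
                flags |= fcntl.FD_CLOEXEC    # hardened: kernel closes fd on exec
            else:
                flags &= ~fcntl.FD_CLOEXEC   # leaky: fd survives the exec
            fcntl.fcntl(fd, fcntl.F_SETFD, flags)
            return child_inherits(fd)
        finally:
            os.close(fd)

if __name__ == "__main__":
    print("without FD_CLOEXEC, child holds lock fd:", run_helper_while_locked(False))
    print("with FD_CLOEXEC, child holds lock fd:   ", run_helper_while_locked(True))
```

On an SELinux host, an FD inherited this way is checked against the child's new domain when the exec triggers a transition, which is where a denial like the one in this bug is logged.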