Bug 973984
| Summary: | Produce "AVC" log in many situations such as create scaleable app or embed postgresql | ||
|---|---|---|---|
| Product: | OpenShift Online | Reporter: | xjia <xjia> |
| Component: | Containers | Assignee: | Rob Millner <rmillner> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 2.x | CC: | bmeng, mfisher, pmorie, xtian |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-06-24 14:54:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The Postgres AVC error, the scalable app AVC error, and the Jenkins AVC error are all separate bugs. Postgres is trying to bind to address 127.0.0.1, forbidden in OpenShift. Jenkins is trying to bind to port 33848, forbidden in OpenShift. The scalable app issue appears to be a file descriptor being inherited by a child process across an SELinux transition (running the ip command inside of openshift-port-proxy-cfg). Commit pushed to master at https://github.com/openshift/origin-server https://github.com/openshift/origin-server/commit/207c4676ae97061860ad4315d2c65df1b062047f Bug 973984 - Inheriting the lock file FDs was causing AVC denials. The ip command issue was fixed in the above commit. In the version of php installed on OpenShift, there is no way to turn off statistics collector and no way to tell it to bind to another IP address. Its just going to generate that message every time. Sorry, make that "postgresql", not "php". The joys of multitasking. Jenkins has no configuration option to disable trying to bind to or send multicast packets on UDP port 33848. We're just going to have to live with the AVC denial. Of the three issues reported: The scalable app issue: fixed in the above commit. Jenkins: cannot be fixed. Postgres: cannot be fixed. According to Rob's comment, check the scalable app issue on devenv_3368, tailf /var/log/audit/audit.log |grep AVC during creating scalable app. No AVE denial generated. Move bug to verified. |
Description of problem: Embeding postgresql to app: type=AVC msg=audit(1371108807.011:125020): avc: denied { node_bind } for pid=20323 comm="postgres" saddr=127.0.0.1 scontext=unconfined_u:system_r:openshift_t:s0:c0,c501 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket Create any scalable app: type=AVC msg=audit(1371108286.933:124718): avc: denied { write } for pid=14049 comm="ip" path="/var/run/openshift-port-proxy.lock" dev=xvde2 ino=263811 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_run_t:s0 tclass=file type=AVC msg=audit(1371108286.933:124718): avc: denied { write } for pid=14049 comm="ip" path="/var/run/openshift-port-proxy-reload.lock" dev=xvde2 ino=263812 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_run_t:s0 tclass=file Create jenkins app: type=AVC msg=audit(1371110993.863:125630): avc: denied { node_bind } for pid=5811 comm="java" src=33848 scontext=unconfined_u:system_r:openshift_t:s0:c0,c504 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket Maybe I didn't cover all the situation, but seems all of these are caused by the same reason. "c1023". Version-Release number of selected component (if applicable): devenv_3355 How reproducible: always Steps to Reproduce: 1. SSH into node, and tail -F /var/log/audit/audit.log | grep AVC 2. Create any app and embed postgresql sto this app Actual results: 1.type=AVC msg=audit(1371108807.011:125020): avc: denied { node_bind } for pid=20323 comm="postgres" saddr=127.0.0.1 scontext=unconfined_u:system_r:openshift_t:s0:c0,c501 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket Expected results: No such error. Additional info: