Bug 1016057 - there will be AVC denial in audit.log when jenkins build is finished
Summary: there will be AVC denial in audit.log when jenkins build is finished
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: Unspecified
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 980353
Reported: 2013-10-07 12:19 UTC by Brenton Leanhardt
Modified: 2013-10-30 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 980353
Environment:
Last Closed: 2013-10-30 09:52:31 UTC
Target Upstream Version:
Embargoed:



Description Brenton Leanhardt 2013-10-07 12:19:04 UTC
+++ This bug was initially created as a clone of Bug #980353 +++

Description of problem:
At the end of a jenkins build, it would generate an avc denial in audit.log on the node.

Version-Release number of selected component (if applicable):
http://download.lab.bos.redhat.com/rel-eng/OpenShiftEnterprise/1.2/2013-06-26.3/
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a php app and a jenkins app, and embed jenkins-client into the php app

2. Make some changes in the php app git repo to trigger jenkins build

3. Monitor the audit.log on the node; an avc denial is generated once the build action completes as "SUCCESS"
[root@node1 ~]# tailf /var/log/audit/audit.log |grep avc

type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file

Actual results:

Expected results:
No such message in the log

Additional info:

--- Additional comment from RHEL Product and Program Management on 2013-07-02 03:17:30 EDT ---

Since this issue was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Brenton Leanhardt on 2013-09-11 11:53:09 EDT ---

Miroslav,

Would it be possible to allow processes running in Gears to read MTRR info?

require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
}

#============= openshift_t ==============
allow openshift_t mtrr_device_t:file getattr;

This is fairly low severity for now so it could wait until RHEL 6.5.

--- Additional comment from Miroslav Grepl on 2013-09-30 08:51:41 EDT ---

Are you getting more AVC msgs in permissive mode?

--- Additional comment from Brenton Leanhardt on 2013-09-30 14:37:20 EDT ---

There are no additional AVC messages in permissive mode.

--- Additional comment from Miroslav Grepl on 2013-10-07 08:04:43 EDT ---

Could you open a new rhel6.5 bug?

Comment 2 Miroslav Grepl 2013-10-08 08:30:08 UTC
If you add

require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
}

#============= openshift_t ==============
dontaudit openshift_t mtrr_device_t:file getattr;


does it work?

Comment 3 Gaoyun Pei 2013-10-08 09:53:29 UTC
Tried to add 

require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
}

#============= openshift_t ==============
allow openshift_t mtrr_device_t:file getattr;

It works during the jenkins build

and 

require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
}

#============= openshift_t ==============
dontaudit openshift_t mtrr_device_t:file getattr;

also works; it doesn't generate any AVC denial during the operation.

Comment 4 Daniel Walsh 2013-10-09 14:27:15 UTC
Probably should just add a dontaudit.

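The allow and dontaudit modules in the comments above are what audit2allow would emit from the AVC line in the description. As an added example (not code from this bug or from the selinux-policy package), the Python below parses such AVC denial lines and generates either form, aggregating permissions per source-domain/target-type pair; the second sample line with { read open } is constructed for illustration and was not reported here.

```python
import re

# Constructed sample input: the denial reported in this bug, plus a second
# constructed line for the same domain/type pair to show permission aggregation.
SAMPLE_AVC = ('type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  '
              'pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 '
              'scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 '
              'tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file')
EXTRA_AVC = ('type=AVC msg=audit(1372654406.000:100926): avc:  denied  { read open } for  '
             'pid=29079 comm="java" path="/proc/mtrr" scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 '
             'tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, sorted perms) or None for non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), sorted(m.group('perms').split())

def _perms(perms):
    # TE syntax: a single permission is written bare, several go inside braces.
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)

def build_module(lines, verb='dontaudit'):
    """Aggregate AVC denials into a TE module body using 'allow' or 'dontaudit'."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules.setdefault((stype, ttype, tclass), set()).update(perms)
    if not rules:
        return ''
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ['require {'] + ['        type %s;' % t for t in types]
    out += ['        class %s %s;' % (c, _perms(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append('%s %s %s:%s %s;' % (verb, stype, ttype, tclass, _perms(sorted(perms))))
    return '\n'.join(out)
```

The generated text is the body of a .te file; prepend a `module` line, then build and load it with checkmodule -M -m, semodule_package and semodule -i as usual. With dontaudit, the operation is still refused but no AVC is logged, which is the behaviour Comment 3 observed.
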
Comment 5 Miroslav Grepl 2013-10-30 09:52:31 UTC
More fixes have been added during the RHEL6.5 cycle related to openshift and this bug should be fixed. If not, please re-open the bug and it will be addressed in RHEL6.6.

