Bug 1134842
| Summary: | AVC denial is seen when creating or deleting app with vhost frontend | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Gaoyun Pei <gpei> |
| Component: | Containers | Assignee: | Brenton Leanhardt <bleanhar> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1.0 | CC: | jialiu, jokerman, libra-onpremise-devel, mmccomas |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-09-12 20:04:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

*** This bug has been marked as a duplicate of bug 1135617 ***

I think bug 1135617 should be dup with this bug, but not this bug dup with bug 1135617. So I closed this bug as "CURRENTRELEASE".

Description of problem:
Setting up an ose env with vhost apache frontend, when creating or deleting apps, avc denied message could be seen in /var/log/audit/audit.log. This issue wouldn't happen when using mod_rewrite.

Version-Release number of selected component (if applicable):
puddle 2.1.z/2014-08-27.1
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-mls-3.7.19-231.el6_5.3.noarch
selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
ruby193-ruby-selinux-2.0.94-3.el6op.x86_64
rubygem-openshift-origin-container-selinux-0.8.1.3-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create an app, monitor /var/log/audit/audit.log
2. Delete the app, monitor /var/log/audit/audit.log

Actual results:
1.
[root@broker ~]# tailf /var/log/audit/audit.log |grep avc
type=AVC msg=audit(1409219937.686:1087): avc: denied { read } for pid=8007 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stdin" dev=dm-0 ino=208001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409219937.754:1088): avc: denied { read } for pid=8008 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stdin" dev=dm-0 ino=208001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409219937.754:1088): avc: denied { write } for pid=8008 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stdout" dev=dm-0 ino=208002 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409219937.754:1088): avc: denied { write } for pid=8008 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stderr" dev=dm-0 ino=208003 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
...

2.
[root@broker ~]# tailf /var/log/audit/audit.log |grep avc
type=AVC msg=audit(1409220008.558:1160): avc: denied { read } for pid=9596 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_9578_0.12597337462036662_1/stdin" dev=dm-0 ino=207999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409220008.622:1161): avc: denied { read } for pid=9597 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_9578_0.12597337462036662_1/stdin" dev=dm-0 ino=207999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409220008.622:1161): avc: denied { write } for pid=9597 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_9578_0.12597337462036662_1/stdout" dev=dm-0 ino=208014 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
...

Expected results:
There should be no avc denial.

Additional info:
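
For triage, the denials quoted in the report can be grouped by source type, target type and object class, which shows in one line what is being blocked and on which files. The Python below is an added example, not part of the original bug report or of OpenShift; the function names are hypothetical, and the sample input is three of the AVC records copied from the report above.

```python
import os
import re
from collections import defaultdict

# Three AVC records copied from the report above (not live data).
SAMPLE = '''\
type=AVC msg=audit(1409219937.686:1087): avc: denied { read } for pid=8007 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stdin" dev=dm-0 ino=208001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409219937.754:1088): avc: denied { write } for pid=8008 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stdout" dev=dm-0 ino=208002 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1409219937.754:1088): avc: denied { write } for pid=8008 comm="httpd" path="/tmp/systemu_broker.ose21z.example.com_4310_7989_0.9523721909265898_1/stderr" dev=dm-0 ino=208003 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def se_type(context):
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "files": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not an AVC denial, or a truncated record
        g = groups[(se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["files"].add(os.path.basename(rec.get("path", "?")))
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} perms={sorted(g['perms'])} "
              f"comm={sorted(g['comms'])} files={sorted(g['files'])} n={g['count']}")
```

On the sample records, every denial collapses into a single group: `httpd_t` denied `read` and `write` on `openshift_initrc_tmp_t` files named `stdin`, `stdout` and `stderr`.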