1160657 – AVC denial is seen when creating jbosseap/jbossews app

Bug 1160657 - AVC denial is seen when creating jbosseap/jbossews app

Summary: AVC denial is seen when creating jbosseap/jbossews app

Keywords:
Status:	CLOSED DUPLICATE of bug 1198780
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Containers
Sub Component:
Version:	2.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Brenton Leanhardt
QA Contact:	libra bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-11-05 10:38 UTC by Gaoyun Pei
Modified:	2015-03-23 14:08 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-23 14:08:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Gaoyun Pei 2014-11-05 10:38:12 UTC

Description of problem:
When creating jbosseap or jbossews app, avc denied message could be seen in /var/log/audit/audit.log.


Version-Release number of selected component (if applicable):
puddle 2.2/2014-11-04.3

ruby193-ruby-selinux-2.0.94-3.el6op.x86_64
rubygem-openshift-origin-container-selinux-0.10.1.0-1.el6op.noarch
selinux-policy-3.7.19-260.el6.noarch
selinux-policy-mls-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch

openshift-origin-node-util-1.30.3.2-1.el6op.noarch
ruby193-rubygem-systemu-2.5.2-2.el6op.noarch


How reproducible:
Always


Steps to Reproduce:
1.Create a jbosseap/jbossews app, monitor /var/log/audit/audit.log


Actual results:
...
type=AVC msg=audit(1415183595.288:4563): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.288:4564): avc:  denied  { read } for  pid=7991 comm="java" name="ipv6_route" dev=proc ino=4026532159 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1415183595.289:4565): avc:  denied  { read } for  pid=7991 comm="java" name="if_inet6" dev=proc ino=4026532158 scontext=unconfined_u:system_r:openshift_t:s0:c5,c541 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


Expected results:
Should no avc denial

Additional info:

Comment 1 Jan Pazdziora 2015-03-23 09:38:04 UTC

For the record, I can see this with OSE 2.1 (no 2.2) as well.

Comment 3 Brenton Leanhardt 2015-03-23 12:54:24 UTC

I'm going to mark this as a duplicate of Bug 1198780.  Even though this one was created first the other is customer facing and we're working to have some resolution.  Ultimately the fix may need to be done in the JVM.

Comment 4 Brenton Leanhardt 2015-03-23 14:08:25 UTC


*** This bug has been marked as a duplicate of bug 1198780 ***

Note You need to log in before you can comment on or make changes to this bug.