Bug 1184398 - plymouthd denials in audit.log
Summary: plymouthd denials in audit.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Douglas Schilling Landgraf
QA Contact: Ying Cui
URL:
Whiteboard:
Depends On: 1270177
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-21 10:04 UTC by Ying Cui
Modified: 2016-03-09 14:25 UTC (History)
9 users (show)

Fixed In Version: ovirt-node-3.3.0-0.4.20150906git14a6024.el7ev
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-09 14:25:33 UTC
oVirt Team: Node
Target Upstream Version:


Attachments (Terms of Use)
audit.log (201.57 KB, text/plain)
2015-01-21 10:06 UTC, Ying Cui
no flags Details
varlog.tar.gz (162.80 KB, application/x-gzip)
2015-01-21 10:07 UTC, Ying Cui
no flags Details
sosreport (4.89 MB, application/x-xz)
2015-01-21 10:08 UTC, Ying Cui
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0378 normal SHIPPED_LIVE ovirt-node bug fix and enhancement update for RHEV 3.6 2016-03-09 19:06:36 UTC
oVirt gerrit 39458 master MERGED ovirt.te: entry for plymouthd_t Never
oVirt gerrit 40338 ovirt-3.5 ABANDONED ovirt.te: entry for plymouthd_t Never

Description Ying Cui 2015-01-21 10:04:15 UTC
Description of problem:
After RHEVH installed, there are plymouthd denials in audit.log.

Version:
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch
and
# cat /etc/system-release
Red Hat Enterprise Virtualization Hypervisor release 7.0 (20150119.0.1.el7ev)
# rpm -q ovirt-node
ovirt-node-3.2.1-5.el7.noarch


How reproducible:
Always.

Steps to Reproduce:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H installed successful. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM
4. Upgrade RHEVH to itself via RHEVM
5. After upgrade, login rhevh, and F2 to shell

# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd
type=AVC msg=audit(1421813717.969:476): avc:  denied  { search } for  pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.969:477): avc:  denied  { search } for  pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:481): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:482): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:483): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:484): avc:  denied  { search } for  pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:485): avc:  denied  { setattr } for pid=17150 comm="plymouthd" name="0" dev="devpts" ino=3 scontext=system_u:system_rlymouthd_t:s0 tcontext=system_u:object_revpts_t:s0 tclass=chr_file
  
Actual results:
plymouthd AVC msgs in audit.log

Expected results:
No such avc denied errors in audit.log.

Comment 1 Ying Cui 2015-01-21 10:06:47 UTC
Created attachment 982238 [details]
audit.log

Comment 2 Ying Cui 2015-01-21 10:07:15 UTC
Created attachment 982239 [details]
varlog.tar.gz

Comment 3 Ying Cui 2015-01-21 10:08:40 UTC
Created attachment 982240 [details]
sosreport

Comment 4 Ying Cui 2015-01-21 10:11:09 UTC
Because it is related selinux and security, not sure whether we need to fix it on rhev 3.5.0 or rhev 3.5.0-1 or zstream.

# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.13.noarch

Comment 5 Fabian Deutsch 2015-01-21 10:36:03 UTC
The denial is related to plymouth (and thus no functional effect on the core functionality), so I would not consider it for 3.5.0, but for a z-stream to address the denials.

Comment 6 Fabian Deutsch 2015-05-27 14:44:21 UTC
No function impact, moving it out to 3.6.

Comment 8 Ying Cui 2015-10-12 06:25:03 UTC
with the bug 1270177, we have to partial test this bug without upgrade.

Tested pass on the following steps on build:
# rpm -qa ovirt-node
ovirt-node-3.3.0-0.13.20151008git03eefb5.el7ev.noarch
# cat /etc/rhev-hypervisor-release 
Red Hat Enterprise Virtualization Hypervisor release 7.2 (20151009.0.el7ev)

1. TUI RHEV-H installed successful. selinux in enforcing mode as default.
2. Login to rhevh

# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd

no such avc denied in autit.log.

We need to check this bug as bug description steps after the bug 1270177 fix.

Comment 9 yileye 2015-10-28 04:10:45 UTC
I have reproduced this bug via ycui‘ s steps in rhev-hypervisor7-7.0-20150114.0.

Test Version:
rhev-hypervisor7-7.2-20151025.0.el7ev
ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch

Test steps:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H 7-7.2-20151009.0 installed successful. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM 3.6.0-0.18.el6
4. Upgrade RHEVH to rhev-hypervisor7-7.2-20151025.0.el7ev via RHEVM
5. After upgrade, login rhevh, and F2 to shell
# grep "avc:  denied" /var/log/audit/audit.log|grep plymouthd

Test result:
no such avc denied in autit.log.

So this issue is fixed in ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch
now. Change the status to Verified.

Comment 10 Fabian Deutsch 2015-11-03 15:06:20 UTC
Setting to VERIFIED according to comment 9

Comment 12 errata-xmlrpc 2016-03-09 14:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0378.html


Note You need to log in before you can comment on or make changes to this bug.