Description of problem:
After RHEVH is installed, there are plymouthd denials in audit.log.

Version:
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch
and
# cat /etc/system-release
Red Hat Enterprise Virtualization Hypervisor release 7.0 (20150119.0.1.el7ev)
# rpm -q ovirt-node
ovirt-node-3.2.1-5.el7.noarch

How reproducible:
Always.

Steps to Reproduce:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H installed successfully. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM
4. Upgrade RHEVH to itself via RHEVM
5. After upgrade, login rhevh, and F2 to shell

# grep "avc: denied" /var/log/audit/audit.log|grep plymouthd
type=AVC msg=audit(1421813717.969:476): avc: denied { search } for pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.969:477): avc: denied { search } for pid=17132 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:481): avc: denied { search } for pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.970:482): avc: denied { search } for pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:483): avc: denied { search } for pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:484): avc: denied { search } for pid=17150 comm="plymouthd" name="etc" dev="tmpfs" ino=15101 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421813717.971:485): avc: denied { setattr } for pid=17150 comm="plymouthd" name="0" dev="devpts" ino=3 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

Actual results:
plymouthd AVC msgs in audit.log

Expected results:
No such avc denied errors in audit.log.
Created attachment 982238 audit.log
Created attachment 982239 varlog.tar.gz
Created attachment 982240 sosreport
Because it is related to selinux and security, not sure whether we need to fix it on rhev 3.5.0 or rhev 3.5.0-1 or zstream.
# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.13.noarch
The denial is related to plymouth (and thus no functional effect on the core functionality), so I would not consider it for 3.5.0, but for a z-stream to address the denials.
No functional impact, moving it out to 3.6.
With bug 1270177, we have to partially test this bug without upgrade. Test passed with the following steps on build:
# rpm -qa ovirt-node
ovirt-node-3.3.0-0.13.20151008git03eefb5.el7ev.noarch
# cat /etc/rhev-hypervisor-release
Red Hat Enterprise Virtualization Hypervisor release 7.2 (20151009.0.el7ev)

1. TUI RHEV-H installed successfully. selinux in enforcing mode as default.
2. Login to rhevh
# grep "avc: denied" /var/log/audit/audit.log|grep plymouthd
No such avc denied in audit.log.

We need to check this bug following the bug description steps after bug 1270177 is fixed.
I have reproduced this bug via ycui's steps in rhev-hypervisor7-7.0-20150114.0.

Test Version:
rhev-hypervisor7-7.2-20151025.0.el7ev
ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch

Test steps:
Note: there is one method to reproduce this bug 100%.
1. RHEV-H 7-7.2-20151009.0 installed successfully. selinux in enforcing mode as default.
2. Login to rhevh
3. Register RHEVH to RHEVM 3.6.0-0.18.el6
4. Upgrade RHEVH to rhev-hypervisor7-7.2-20151025.0.el7ev via RHEVM
5. After upgrade, login rhevh, and F2 to shell
# grep "avc: denied" /var/log/audit/audit.log|grep plymouthd

Test result:
No such avc denied in audit.log.

So this issue is fixed in ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch now. Change the status to Verified.
Setting to VERIFIED according to comment 9
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0378.html