Bug 1209794 - foreman-debug to skip USER_AVC SELinux audit "denials"
Summary: foreman-debug to skip USER_AVC SELinux audit "denials"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Foreman Debug
Version: 6.1.0
Hardware: x86_64
OS: Linux
medium
medium vote
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Whiteboard: Verified in Upstream
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-04-08 08:41 UTC by Pavel Moravec
Modified: 2019-09-25 20:50 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 08:50:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 11560 None None None 2016-04-22 16:07:38 UTC
Red Hat Product Errata RHBA-2016:1500 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC

Description Pavel Moravec 2015-04-08 08:41:26 UTC
Description of problem:
foreman-debug checking for SELinux denials wrongly reports also USER_AVC records like below example. Those are logs of policy load and not real denials. foreman-debug then wrongly reports "DENIALS: 12" to stdout.


Version-Release number of selected component (if applicable):
foreman-debug-1.7.2.15-1.el7sat.noarch


How reproducible:
100%


Steps to Reproduce:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check it's output and selinux_denials.log it generates


Actual results:
foreman-debug output having:


 HOSTNAME: pmoravec-sat61.gsslab.brq.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.7.2
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.6.2
  DENIALS: 12


selinux_denials.log having 12 records like:
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
foreman-debug output to have "DENIALS: 0"
selinux_denials.log without the USER_AVC logs


Additional info:
/me not sure what all audit logs could be of USER_AVC type, or if there could be also real denials. But definitely the above logs are not SELinux denials and should not be reported as such by foreman-debug.

Comment 2 Bryan Kearney 2015-08-25 18:48:55 UTC
Created redmine issue http://projects.theforeman.org/issues/11560 from this bug

Comment 3 Bryan Kearney 2015-08-25 18:54:05 UTC
Upstream bug component is Provisioning

Comment 4 Bryan Kearney 2015-08-26 18:02:17 UTC
Upstream bug component is Provisioning

Comment 5 Bryan Kearney 2015-08-26 18:29:00 UTC
Upstream bug component is Foreman Debug

Comment 6 Bryan Kearney 2015-08-27 20:03:38 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/11560 has been closed
-------------
Lukas Zapletal
Applied in changeset commit:ee2d45d090b81b00586fcccfcb524ea3bc272839.

Comment 7 Tazim Kolhar 2015-10-21 09:27:26 UTC
*** This bug is verified in upstream.  This fix should eventually land in future downstream builds ***

Version Tested:
# rpm -qa  | grep foreman
nec-em17.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.3-4.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-0.4.0-1.201510071112git33fd59b.el7.noarch
foreman-debug-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-release-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-postgresql-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-vmware-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-foreman_hooks-0.3.9-1.el7.noarch
tfm-rubygem-foreman-tasks-0.7.6-1.fm1_10.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.8-1.el7.noarch
tfm-rubygem-foreman_bootdisk-6.0.0-2.fm1_10.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-libvirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-ovirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-3.el7.noarch
tfm-rubygem-foreman_gutterball-0.0.1-3.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
tfm-rubygem-foreman_discovery-4.1.0-1.fm1_10.el7.noarch
tfm-rubygem-foreman_docker-1.4.1-2.fm1_10.el7.noarch
foreman-proxy-1.11.0-0.develop.201510120849git5f36f2e.el7.noarch
foreman-compute-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-gce-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch

steps:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check it's output and selinux_denials.log it generates
# foreman-debug
Exporting tasks, this may take a few minutes.


 HOSTNAME: nec-em17.rhts.eng.bos.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.11.0-develop
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.8.3
  DENIALS: 0

selinux_denials.log without the USER_AVC logs
type=USER_END msg=audit(1445418059.465:10232): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418059.871:10233): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418059.872:10234): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1445418061.880:10235): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1445418061.880:10236): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1445418061.880:10237): pid=9482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1196 res=1
type=USER_START msg=audit(1445418061.888:10238): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1445418061.888:10239): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418061.908:10240): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418061.909:10241): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 8 Bryan Kearney 2015-11-13 19:03:15 UTC
Upstream bug assigned to lzap@redhat.com

Comment 12 errata-xmlrpc 2016-07-27 08:50:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500


Note You need to log in before you can comment on or make changes to this bug.