Bug 1209794 - foreman-debug to skip USER_AVC SELinux audit "denials"
Summary: foreman-debug to skip USER_AVC SELinux audit "denials"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Foreman Debug
Version: 6.1.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Whiteboard: Verified in Upstream
Depends On:
Blocks:
Reported: 2015-04-08 08:41 UTC by Pavel Moravec
Modified: 2019-09-25 20:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 08:50:29 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 11560 0 None None None 2016-04-22 16:07:38 UTC
Red Hat Product Errata RHBA-2016:1500 0 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC

Description Pavel Moravec 2015-04-08 08:41:26 UTC
Description of problem:
foreman-debug, when checking for SELinux denials, also wrongly reports USER_AVC records like the example below. Those are logs of policy load and not real denials. foreman-debug then wrongly reports "DENIALS: 12" to stdout.


Version-Release number of selected component (if applicable):
foreman-debug-1.7.2.15-1.el7sat.noarch


How reproducible:
100%


Steps to Reproduce:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates


Actual results:
foreman-debug output having:


 HOSTNAME: pmoravec-sat61.gsslab.brq.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.7.2
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.6.2
  DENIALS: 12


selinux_denials.log having 12 records like:
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
foreman-debug output to have "DENIALS: 0"
selinux_denials.log without the USER_AVC logs


Additional info:
/me not sure what all audit logs could be of USER_AVC type, or if there could be also real denials. But definitely the above logs are not SELinux denials and should not be reported as such by foreman-debug.
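
Added example (not part of the original report and not foreman-debug's own code): one way to count denials in ausearch-style output so that USER_AVC policy-load notices are skipped while real USER_AVC denials from userspace object managers are still counted. The function names and all sample records except the policyload notice quoted in the report are constructed for illustration.

```shell
#!/bin/sh
# Added example, not foreman-debug's code. Sample records are constructed,
# except the first, which is the policyload notice quoted in the report.
sample_audit_log() {
cat <<'EOF'
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
time->Wed Apr  8 09:32:10 2015
type=AVC msg=audit(1428478330.100:1300): avc:  denied  { read } for  pid=2001 comm="ruby" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
time->Wed Apr  8 09:32:11 2015
type=USER_AVC msg=audit(1428478331.200:1301): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.example.Iface member=Ping dest=org.example.Svc spid=2100 tpid=2200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
time->Wed Apr  8 09:32:12 2015
type=USER_END msg=audit(1428478332.300:1302): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
EOF
}

# Count every AVC/USER_AVC record, notices included. This reproduces the
# over-count the report describes; how foreman-debug actually selected
# records is an assumption here.
count_avc_records() {
    awk '/^type=(AVC|USER_AVC) / { n++ } END { print n + 0 }' "$@"
}

# Count only records whose avc message says "denied". Real USER_AVC denials
# (e.g. from dbus or systemd) are kept; policyload notices are dropped.
count_denials() {
    awk '/^type=(AVC|USER_AVC) / && /avc: +denied/ { n++ }
         END { print n + 0 }' "$@"
}

# Count USER_AVC policy-load notices, i.e. what the filter leaves out.
count_policyload_notices() {
    awk '/^type=USER_AVC / && /avc: +received policyload notice/ { n++ }
         END { print n + 0 }' "$@"
}

echo "AVC/USER_AVC records: $(sample_audit_log | count_avc_records)"
echo "policyload notices:   $(sample_audit_log | count_policyload_notices)"
echo "DENIALS:              $(sample_audit_log | count_denials)"
```

Each function reads stdin or the files given as arguments, so it can be pointed at saved `ausearch` output as well as the embedded sample.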

Comment 2 Bryan Kearney 2015-08-25 18:48:55 UTC
Created redmine issue http://projects.theforeman.org/issues/11560 from this bug

Comment 3 Bryan Kearney 2015-08-25 18:54:05 UTC
Upstream bug component is Provisioning

Comment 4 Bryan Kearney 2015-08-26 18:02:17 UTC
Upstream bug component is Provisioning

Comment 5 Bryan Kearney 2015-08-26 18:29:00 UTC
Upstream bug component is Foreman Debug

Comment 6 Bryan Kearney 2015-08-27 20:03:38 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/11560 has been closed
-------------
Lukas Zapletal
Applied in changeset commit:ee2d45d090b81b00586fcccfcb524ea3bc272839.

Comment 7 Tazim Kolhar 2015-10-21 09:27:26 UTC
*** This bug is verified in upstream.  This fix should eventually land in future downstream builds ***

Version Tested:
# rpm -qa  | grep foreman
nec-em17.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.3-4.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-0.4.0-1.201510071112git33fd59b.el7.noarch
foreman-debug-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-release-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-postgresql-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-vmware-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-foreman_hooks-0.3.9-1.el7.noarch
tfm-rubygem-foreman-tasks-0.7.6-1.fm1_10.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.8-1.el7.noarch
tfm-rubygem-foreman_bootdisk-6.0.0-2.fm1_10.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-libvirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-ovirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-3.el7.noarch
tfm-rubygem-foreman_gutterball-0.0.1-3.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
tfm-rubygem-foreman_discovery-4.1.0-1.fm1_10.el7.noarch
tfm-rubygem-foreman_docker-1.4.1-2.fm1_10.el7.noarch
foreman-proxy-1.11.0-0.develop.201510120849git5f36f2e.el7.noarch
foreman-compute-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-gce-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch

steps:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates
# foreman-debug
Exporting tasks, this may take a few minutes.


 HOSTNAME: nec-em17.rhts.eng.bos.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.11.0-develop
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.8.3
  DENIALS: 0

selinux_denials.log without the USER_AVC logs
type=USER_END msg=audit(1445418059.465:10232): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418059.871:10233): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418059.872:10234): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1445418061.880:10235): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1445418061.880:10236): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1445418061.880:10237): pid=9482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1196 res=1
type=USER_START msg=audit(1445418061.888:10238): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1445418061.888:10239): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418061.908:10240): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418061.909:10241): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 8 Bryan Kearney 2015-11-13 19:03:15 UTC
Upstream bug assigned to lzap

Comment 12 errata-xmlrpc 2016-07-27 08:50:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
