Bug 1209794 - foreman-debug to skip USER_AVC SELinux audit "denials"
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Foreman Debug
6.1.0
x86_64 Linux
medium Severity medium
: Beta
: Unused
Assigned To: Lukas Zapletal
Corey Welton
http://projects.theforeman.org/issues...
Verified in Upstream
: Triaged
Reported: 2015-04-08 04:41 EDT by Pavel Moravec
Modified: 2016-07-27 04:50 EDT

Doc Type: Bug Fix
Last Closed: 2016-07-27 04:50:29 EDT
Type: Bug

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 11560 | None | None | None | 2016-04-22 12:07 EDT
Red Hat Product Errata | RHBA-2016:1500 | normal | SHIPPED_LIVE | Red Hat Satellite 6.2 Base Libraries | 2016-07-27 08:24:38 EDT
Description Pavel Moravec 2015-04-08 04:41:26 EDT
Description of problem:
foreman-debug, when checking for SELinux denials, wrongly also reports USER_AVC records like the example below. Those are logs of policy load and not real denials. foreman-debug then wrongly reports "DENIALS: 12" to stdout.


Version-Release number of selected component (if applicable):
foreman-debug-1.7.2.15-1.el7sat.noarch


How reproducible:
100%


Steps to Reproduce:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates


Actual results:
foreman-debug output having:


 HOSTNAME: pmoravec-sat61.gsslab.brq.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.7.2
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.6.2
  DENIALS: 12


selinux_denials.log having 12 records like:
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
foreman-debug output to have "DENIALS: 0"
selinux_denials.log without the USER_AVC logs


Additional info:
/me not sure what all audit logs could be of USER_AVC type, or if there could be also real denials. But definitely the above logs are not SELinux denials and should not be reported as such by foreman-debug.
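
On the question left open above: USER_AVC records can also carry real denials, because userspace object managers such as D-Bus and systemd log their own access decisions under that type. The following added example (not foreman-debug's code and not the upstream fix) therefore counts records by message content instead of dropping the whole record type; the first sample line is the record from this report, the other sample lines and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not foreman-debug's code: count real SELinux denials in
# ausearch-style text on stdin while skipping policy-load notices.

# count_denials: kernel (AVC) and userspace (USER_AVC) records whose AVC
# message is an actual denial, i.e. contains "avc:  denied".
count_denials() {
    awk '
        /^type=(AVC|USER_AVC) / {
            if ($0 ~ /avc:[ ]+denied/) n++
        }
        END { print n + 0 }
    '
}

# count_policyload: USER_AVC records that only announce a policy reload.
count_policyload() {
    awk '/^type=USER_AVC / && /received policyload notice/ { n++ }
         END { print n + 0 }'
}

# sample_log: line 2 is the record quoted in this report; the AVC denial,
# the USER_AVC denial and the USER_END line are constructed sample data.
sample_log() {
cat <<'EOF'
time->Wed Apr  8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428478300.100:1300): avc:  denied  { read } for  pid=2000 comm="example" name="example.conf" dev="dm-0" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=USER_AVC msg=audit(1428478301.200:1301): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.example.Iface member=Ping dest=org.example.Svc spid=2100 tpid=2200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_END msg=audit(1428478302.300:1302): pid=2300 uid=0 auid=0 ses=1 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
EOF
}

printf 'DENIALS: %s (policy-load notices skipped: %s)\n' \
    "$(sample_log | count_denials)" "$(sample_log | count_policyload)"
```
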
Comment 2 Bryan Kearney 2015-08-25 14:48:55 EDT
Created redmine issue http://projects.theforeman.org/issues/11560 from this bug
Comment 3 Bryan Kearney 2015-08-25 14:54:05 EDT
Upstream bug component is Provisioning
Comment 4 Bryan Kearney 2015-08-26 14:02:17 EDT
Upstream bug component is Provisioning
Comment 5 Bryan Kearney 2015-08-26 14:29:00 EDT
Upstream bug component is Foreman Debug
Comment 6 Bryan Kearney 2015-08-27 16:03:38 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/11560 has been closed
-------------
Lukas Zapletal
Applied in changeset commit:ee2d45d090b81b00586fcccfcb524ea3bc272839.
Comment 7 Tazim Kolhar 2015-10-21 05:27:26 EDT
*** This bug is verified in upstream.  This fix should eventually land in future downstream builds ***

Version Tested:
# rpm -qa  | grep foreman
nec-em17.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.3-4.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-0.4.0-1.201510071112git33fd59b.el7.noarch
foreman-debug-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-release-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-postgresql-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-vmware-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-foreman_hooks-0.3.9-1.el7.noarch
tfm-rubygem-foreman-tasks-0.7.6-1.fm1_10.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.8-1.el7.noarch
tfm-rubygem-foreman_bootdisk-6.0.0-2.fm1_10.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-libvirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-ovirt-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-3.el7.noarch
tfm-rubygem-foreman_gutterball-0.0.1-3.el7.noarch
nec-em17.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
tfm-rubygem-foreman_discovery-4.1.0-1.fm1_10.el7.noarch
tfm-rubygem-foreman_docker-1.4.1-2.fm1_10.el7.noarch
foreman-proxy-1.11.0-0.develop.201510120849git5f36f2e.el7.noarch
foreman-compute-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch
foreman-gce-1.11.0-0.develop.201510121538gitb6b977a.el7.noarch

steps:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates
# foreman-debug
Exporting tasks, this may take a few minutes.


 HOSTNAME: nec-em17.rhts.eng.bos.redhat.com
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  FOREMAN: 1.11.0-develop
     RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
   PUPPET: 3.8.3
  DENIALS: 0

selinux_denials.log without the USER_AVC logs
type=USER_END msg=audit(1445418059.465:10232): pid=9339 uid=0 auid=993 ses=1194 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418059.871:10233): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418059.872:10234): pid=9340 uid=0 auid=993 ses=1193 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1445418061.880:10235): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1445418061.880:10236): pid=9482 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1445418061.880:10237): pid=9482 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1196 res=1
type=USER_START msg=audit(1445418061.888:10238): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1445418061.888:10239): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445418061.908:10240): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445418061.909:10241): pid=9482 uid=0 auid=0 ses=1196 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Comment 8 Bryan Kearney 2015-11-13 14:03:15 EST
Upstream bug assigned to lzap@redhat.com
Comment 12 errata-xmlrpc 2016-07-27 04:50:29 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
