Description of problem:
I have seen the following AVCs in /var/log/audit/audit.log when regression is run.

Version-Release number of selected component (if applicable):
gluster-nagios-common-0.2.0-2.el7rhgs.noarch
nagios-plugins-1.4.16-11.el7rhgs.x86_64
gluster-nagios-addons-0.2.2-1.el7rhgs.x86_64
nagios-common-3.5.1-6.el7.x86_64
nagios-plugins-ide_smart-1.4.16-11.el7rhgs.x86_64
nagios-plugins-procs-1.4.16-11.el7rhgs.x86_64

rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-26.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-26.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
#============= NetworkManager_t ==============
allow NetworkManager_t device_t:sock_file write;

#============= audisp_t ==============
allow audisp_t device_t:sock_file write;

#============= auditd_t ==============
allow auditd_t device_t:sock_file write;

#============= dhcpc_t ==============
allow dhcpc_t device_t:sock_file write;

#============= glusterd_t ==============
allow glusterd_t device_t:sock_file write;

#============= groupadd_t ==============
allow groupadd_t device_t:sock_file write;

#============= iscsid_t ==============
allow iscsid_t device_t:sock_file write;

#============= nrpe_t ==============
allow nrpe_t device_t:sock_file write;
allow nrpe_t self:capability dac_override;

#============= policykit_t ==============
allow policykit_t device_t:sock_file write;

#============= postfix_master_t ==============
allow postfix_master_t device_t:sock_file write;

#============= postfix_pickup_t ==============
allow postfix_pickup_t device_t:sock_file write;

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t device_t:sock_file write;

#============= rhnsd_t ==============
allow rhnsd_t device_t:sock_file write;
allow rhnsd_t self:capability sys_tty_config;

#============= rpcbind_t ==============
allow rpcbind_t device_t:sock_file write;

#============= rpcd_t ==============
allow rpcd_t device_t:sock_file write;

#============= setsebool_t ==============
allow setsebool_t device_t:sock_file write;

#============= sshd_t ==============
allow sshd_t device_t:sock_file write;

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= system_dbusd_t ==============
allow system_dbusd_t device_t:sock_file write;

#============= useradd_t ==============
allow useradd_t device_t:sock_file write;

#============= wdmd_t ==============
allow wdmd_t device_t:sock_file write;
allow wdmd_t self:capability sys_tty_config;
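Added example, not part of the original bug thread: in audit2allow output like the above, nearly every domain is denied the same device_t:sock_file write, and the code below groups raw AVC records by target type, class and permission to list targets that several source domains share. A target shared this widely points at one object's label or one policy rule rather than many per-domain gaps. The log lines, the function names and the min_domains threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the attached logs).
SAMPLE_LOG = """\
type=AVC msg=audit(1434346816.101:301): avc:  denied  { write } for  pid=901 comm="sedispatch" name="log" dev="devtmpfs" ino=1234 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434346817.202:302): avc:  denied  { write } for  pid=1100 comm="sshd" name="log" dev="devtmpfs" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434346818.303:303): avc:  denied  { write } for  pid=1200 comm="glusterd" name="log" dev="devtmpfs" ino=1234 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434346819.404:304): avc:  denied  { write } for  pid=1300 comm="nrpe" name="log" dev="devtmpfs" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1434346820.505:305): avc:  denied  { dac_override } for  pid=1300 comm="nrpe" capability=1  scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=capability
type=AVC msg=audit(1434346821.606:306): avc:  denied  { execute } for  pid=1400 comm="rsyslogd" name="example_plugin" dev="dm-0" ino=5678 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:nagios_unconfined_plugin_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def group_denials(log_text):
    """Map (target type, class, permission) -> set of denied source domains."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = se_type(m["scon"]), se_type(m["tcon"])
        if tgt == src:
            tgt = "self"  # same notation audit2allow uses for capability denials
        for perm in m["perms"].split():
            groups[(tgt, m["tclass"], perm)].add(src)
    return groups

def shared_targets(groups, min_domains=3):
    """Targets denied to at least min_domains distinct source domains."""
    return sorted((k, sorted(v)) for k, v in groups.items() if len(v) >= min_domains)

if __name__ == "__main__":
    for (tgt, tclass, perm), domains in shared_targets(group_denials(SAMPLE_LOG)):
        print(f"{tgt}:{tclass} {perm} denied to {len(domains)} domains: {', '.join(domains)}")
```

On a live system the name= and ino= fields of the grouped records identify the object whose label to inspect, for example with ls -Z.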
Attaching the audit logs from all the machines. http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1230711/
The following command does not cure all AVCs, but the majority of them will not appear anymore:
# restorecon -v /dev/log
Hi Milos, can you explain to me why we need to do this manually? Does the selinux policy not take care of it? Thanks, kasturi.
Hi kasturi, my advice from comment#4 is bad. I gave it before I had time to investigate the problem. Deeper analysis showed that the latest selinux-policy build introduced a regression. It's filed as BZ#1230932. The regression will be solved today by a new build of selinux-policy and manual changes won't be needed.
Thanks milos for the update.
Hi Milos, I am seeing some AVCs while I check for the status of auditd in RHEL7.1. Can you please tell me if this is a known bug which is going to be fixed?

Jun 15 11:10:16 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:17 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:18 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:19 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:20 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:21 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:22 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:23 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:24 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Jun 15 11:10:25 dhcp37-70.lab.eng.blr.redhat.com python[901]: SELinux is preventing /usr/sbin/sedispatch from write access on the sock_file log. ***** Plugin catchall (100. confidence) suggests **************************...
Hint: Some lines were ellipsized, use -l to show in full.

Thanks
kasturi
Please install selinux-policy-3.13.1-27.el7. It fixes a regression introduced by selinux-policy-3.13.1-26.el7 (BZ#1230932). The majority of AVCs will not appear again.
Waiting on selinux build to verify this bug.
Verified with build selinux-policy-targeted-3.13.1-23.el7_1.10.noarch and selinux-policy-3.13.1-23.el7_1.10.noarch.

Following are the booleans set on RHSC+Nagios Server and on RHS nodes.

RHSC+Nagios Server:(RHEL6.7)
============================
getsebool -a | grep nagios
logging_syslogd_run_nagios_plugins --> off
nagios_run_sudo --> on

RHGS Nodes:(RHEL7)
=========================
logging_syslogd_run_nagios_plugins --> on
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on

No AVCs seen in audit.log

output from audit.log from both nodes:
=========================================
cat /var/log/audit/audit.log | audit2allow
Nothing to do

cat /var/log/audit/audit.log | audit2allow
Nothing to do
I have run the regression and have put my results in comment 16. So clearing the need info on lubos.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-1494.html