Bug 1254113 - beah misses avc errors happening during reboots
beah misses avc errors happening during reboots
Status: NEW
Product: Beaker
Classification: Community
Component: beah (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified (vote)
: ---
: ---
Assigned To: beaker-dev-list
Depends On:
  Show dependency treegraph
Reported: 2015-08-17 03:53 EDT by Artem Savkov
Modified: 2015-08-17 04:16 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Artem Savkov 2015-08-17 03:53:08 EDT
Description of problem:
While moving some of my tests to use restraint I've noticed that /distribution/kernelinstall test always fails with avc error with restraint on RHEL7, same test always passed with beah. After some debugging it turned out that the source of the problem is an incorrect timestamp beah uses in ausearch missing any error that happened during reboot before beah resuming the task. The avc error was caused by bug 1243764.

Here is an example of passing avc check with added debug output(added another ausearch without a timestamp):
Info: Searching AVC errors produced since 1439381891.97 (Wed Aug 12 08:18:11 2015)
Searching logs...
DT: 08/12/2015 08:18:18
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/12/2015 08:18:11 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.NooSVZ 2>&1'
<no matches>
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR'
time->Wed Aug 12 08:12:50 2015
type=SYSCALL msg=audit(1439381570.412:146): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=152d0c0 a2=0 a3=7ffe1d1089a0 items=0 ppid=35506 pid=35510 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1439381570.412:146): avc:  denied  { unlink } for  pid=35510 comm="rm" name="added_servers" dev="tmpfs" ino=23643 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'

How reproducible:

Steps to Reproduce:
1. submit a rhel7 job with /distribution/kernelinstall task

Actual results:
no avc errors reported

Expected results:
all avc errors properly reported

Additional info:
Proposed patch submitted to gerrit: https://gerrit.beaker-project.org/#/c/4344/

Note You need to log in before you can comment on or make changes to this bug.