Bug 1254113 - beah misses avc errors happening during reboots
Summary: beah misses avc errors happening during reboots
Keywords:
Status: CLOSED EOL
Alias: None
Product: Beaker
Classification: Retired
Component: beah
Version: develop
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: beaker-dev-list
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-17 07:53 UTC by Artem Savkov
Modified: 2020-02-11 12:14 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-11 12:11:15 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Beaker Project Gerrit 4344 0 None ABANDONED Use the same avc timestamp file across reboots. 2020-10-06 12:09:01 UTC

Description Artem Savkov 2015-08-17 07:53:08 UTC 
Description of problem:
While moving some of my tests to use restraint I've noticed that /distribution/kernelinstall test always fails with avc error with restraint on RHEL7, same test always passed with beah. After some debugging it turned out that the source of the problem is an incorrect timestamp beah uses in ausearch missing any error that happened during reboot before beah resuming the task. The avc error was caused by bug 1243764.

Here is an example of passing avc check with added debug output(added another ausearch without a timestamp):
Info: Searching AVC errors produced since 1439381891.97 (Wed Aug 12 08:18:11 2015)
Searching logs...
DT: 08/12/2015 08:18:18
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/12/2015 08:18:11 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.NooSVZ 2>&1'
<no matches>
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR'
----
time->Wed Aug 12 08:12:50 2015
type=SYSCALL msg=audit(1439381570.412:146): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=152d0c0 a2=0 a3=7ffe1d1089a0 items=0 ppid=35506 pid=35510 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1439381570.412:146): avc:  denied  { unlink } for  pid=35510 comm="rm" name="added_servers" dev="tmpfs" ino=23643 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-37.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. submit a rhel7 job with /distribution/kernelinstall task

Actual results:
no avc errors reported

Expected results:
all avc errors properly reported

Additional info:
Proposed patch submitted to gerrit: https://gerrit.beaker-project.org/#/c/4344/
Comment 2 Martin Styk 2020-02-11 12:11:15 UTC 
Beah is no longer supported by Beaker development team.
Instead of that, we are working on Restraint test harness. You can find all the features of Restraint here.

https://restraint.readthedocs.io/en/latest/

If you think your RFE should be still implemented as part of Restraint feel free to create a new BZ ticket.

https://bugzilla.redhat.com/enter_bug.cgi?product=Restraint

In case you have any question feel free to reach out to me
Thank you,
Martin Styk <martin.styk>
Note You need to log in before you can comment on or make changes to this bug.