Bug 1263143 - sshd_t denials in audit.log
Summary: sshd_t denials in audit.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.5.4
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-3.6.0-rc3
: 3.6.0
Assignee: Fabian Deutsch
QA Contact: cshao
URL:
Whiteboard:
Depends On:
Blocks: 1266094
Reported: 2015-09-15 08:21 UTC by cshao
Modified: 2016-03-09 14:37 UTC

Fixed In Version: ovirt-node-3.2.3-23 rhev-hypervisor7-7.1-20150917.0 rhev-hypervisor6-6.7-20150917.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1266094
Environment:
Last Closed: 2016-03-09 14:37:58 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:


Attachments
avc.tar.gz (1.13 MB, application/x-gzip)
2015-09-15 08:21 UTC, cshao


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0378 0 normal SHIPPED_LIVE ovirt-node bug fix and enhancement update for RHEV 3.6 2016-03-09 19:06:36 UTC
oVirt gerrit 46150 0 master MERGED semodule: Anoter rule Never
oVirt gerrit 46156 0 ovirt-3.6 MERGED semodule: Anoter rule Never
oVirt gerrit 46176 0 ovirt-3.5 MERGED semodule: Anoter rule Never

Description cshao 2015-09-15 08:21:37 UTC
Created attachment 1073533
avc.tar.gz

Description of problem:
After RHEVH is installed, there are AVC denied errors in audit.log.

Version:
rhev-hypervisor6-6.7-20150911.0.el6ev
ovirt-node-3.2.3-20.el6.noarch
selinux-policy-3.7.19-279.el6_7.5.noarch

+
rhev-hypervisor7-7.1-20150911.0.el6ev
ovirt-node-3.2.3-20.el7.noarch
selinux-policy-3.13.1-23.el7_1.17.noarch

How reproducible:
100%

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux in enforcing mode as default.
2. Log in to rhevh,

rhev-hypervisor6-6.7-20150911.0.el6ev
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1442297840.266:191555): avc:  denied  { signull } for  pid=4411 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process


rhev-hypervisor7-7.1-20150911.0.el6ev
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1442220371.841:628): avc:  denied  { signull } for  pid=19746 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442297821.262:7760): avc:  denied  { signull } for  pid=12159 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442298766.021:7898): avc:  denied  { signull } for  pid=13324 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process

  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.


Additional info:

Comment 4 cshao 2015-10-26 06:45:14 UTC
Test version:
rhev-hypervisor7-7.2-20151025.0.el7ev
ovirt-node-3.3.0-0.18.20151022git82dc52c.el7ev.noarch
selinux-policy-3.13.1-60.el7.noarch

Test steps:
1. RHEV-H installed successfully. SELinux in enforcing mode as default.
2. Log in to rhevh,
3. Run command: # grep "avc:  denied" /var/log/audit/audit.log

Test result:
No avc denied errors in audit.log.

So the bug is fixed, change bug status to VERIFIED.
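
Added example (not part of the original bug report or of ovirt-node): the grep check in the steps above only shows whether denials exist; this function groups them by source type, target type, class and permission, and returns non-zero when any are present, so it can gate a test run. The name avc_summary and the USER_LOGIN sample record are assumptions; the three AVC records are the rhev-hypervisor7 lines quoted in the description.

```bash
#!/bin/sh
# avc_summary (hypothetical helper name): read audit records from stdin or
# from the files given as arguments and print one line per unique denial:
#   <count> <source type> <target type> <class> <permissions>
# Exit status is 0 when no denial is found and 1 otherwise.
avc_summary() (
    out=$(awk '
        /type=AVC/ && /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            # Denied permissions are the words between the braces.
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
                gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                # A context is user:role:type:level; keep the type.
                if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
                else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            seen[src " " tgt " " cls " " perms]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2)
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# Sample input: the three AVC records are the rhev-hypervisor7 lines quoted in
# the report; the USER_LOGIN record is constructed to show it is ignored.
SAMPLE='type=AVC msg=audit(1442220371.841:628): avc:  denied  { signull } for  pid=19746 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442297821.262:7760): avc:  denied  { signull } for  pid=12159 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442298766.021:7898): avc:  denied  { signull } for  pid=13324 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=USER_LOGIN msg=audit(1442298766.100:7899): pid=13324 uid=0 res=success'

if ! printf '%s\n' "$SAMPLE" | avc_summary; then
    echo "AVC denials present" >&2
fi
```

On a host, pass the log path as an argument instead of piping the sample: avc_summary /var/log/audit/audit.log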

Comment 6 errata-xmlrpc 2016-03-09 14:37:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0378.html

