Bug 1272989 - AVC messages generated during installation process
Summary: AVC messages generated during installation process
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Scott Dodson
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-19 11:28 UTC by Veronika Kabatova
Modified: 2017-08-24 20:49 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-24 20:49:47 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Veronika Kabatova 2015-10-19 11:28:35 UTC
Description of problem:
While testing setup (advanced installation and HTPassword Identity Provider, as in documentation) on Beaker, AVC messages / errors are generated during the installation process.

Version-Release number of selected component (if applicable):
3.0

How reproducible:
Always

Steps to Reproduce:
1. Use Beaker job for testing advanced installation (http://pkgs.devel.redhat.com/cgit/tests/OpenShift/tree/Enterprise/install/3.0).
2. After advanced installation part, AVC messages cause the fail of the test setup, even if everything works correctly. 

Actual results:
Automatic AVC message check fails with log:

Info: Searching AVC errors produced since 1445200230.51 (Sun Oct 18 16:30:30 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/18/2015 16:30:30 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.mzMfor 2>&1'
----
time->Sun Oct 18 16:34:24 2015
type=SYSCALL msg=audit(1445200464.103:5225): arch=c000003e syscall=1 success=yes exit=5 a0=e a1=7fcb5eb6a000 a2=5 a3=1aee8a0 items=0 ppid=1 pid=29764 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1445200464.103:5225): avc:  granted  { setsecparam } for  pid=29764 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Sun Oct 18 16:34:55 2015
type=USER_AVC msg=audit(1445200495.167:5463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Sun Oct 18 16:34:55 2015
type=USER_AVC msg=audit(1445200495.167:5464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.mzMfor | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.3mlsjt 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-60.el7.noarch

Expected results:
No fail occurs.

Additional info:
You can clone the Beaker job <https://beaker.engineering.redhat.com/jobs/1117907>


Note You need to log in before you can comment on or make changes to this bug.