Bug 1272989 - AVC messages generated during installation process
AVC messages generated during installation process
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
3.0.0
Unspecified Unspecified
medium Severity low
: ---
: ---
Assigned To: Scott Dodson
Xiaoli Tian
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-19 07:28 EDT by Veronika Kabatova
Modified: 2017-06-01 15:54 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Veronika Kabatova 2015-10-19 07:28:35 EDT
Description of problem:
While testing setup (advanced installation and HTPassword Identity Provider, as in documentation) on Beaker, AVC messages / errors are generated during the installation process.

Version-Release number of selected component (if applicable):
3.0

How reproducible:
Always

Steps to Reproduce:
1. Use Beaker job for testing advanced installation (http://pkgs.devel.redhat.com/cgit/tests/OpenShift/tree/Enterprise/install/3.0).
2. After advanced installation part, AVC messages cause the fail of the test setup, even if everything works correctly. 

Actual results:
Automatic AVC message check fails with log:

Info: Searching AVC errors produced since 1445200230.51 (Sun Oct 18 16:30:30 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/18/2015 16:30:30 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.mzMfor 2>&1'
----
time->Sun Oct 18 16:34:24 2015
type=SYSCALL msg=audit(1445200464.103:5225): arch=c000003e syscall=1 success=yes exit=5 a0=e a1=7fcb5eb6a000 a2=5 a3=1aee8a0 items=0 ppid=1 pid=29764 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1445200464.103:5225): avc:  granted  { setsecparam } for  pid=29764 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Sun Oct 18 16:34:55 2015
type=USER_AVC msg=audit(1445200495.167:5463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Sun Oct 18 16:34:55 2015
type=USER_AVC msg=audit(1445200495.167:5464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.mzMfor | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.3mlsjt 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-60.el7.noarch

Expected results:
No fail occurs.

Additional info:
You can clone the Beaker job <https://beaker.engineering.redhat.com/jobs/1117907>

Note You need to log in before you can comment on or make changes to this bug.