Description of problem:
------------------------
I found the following messages in the journal of an atomic host running RHGS container -

[30793.604084] type=1400 audit(1451427122.156:5): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/etc-glusterfs-glusterd.vol.log" dev="dm-1" ino=12618760 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.608867] type=1400 audit(1451427122.161:6): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/cmd_history.log" dev="dm-1" ino=12650906 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.611522] type=1400 audit(1451427122.164:7): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/cli.log" dev="dm-1" ino=12650919 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.613136] type=1400 audit(1451427122.166:8): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/nfs.log" dev="dm-1" ino=12650924 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.617402] type=1400 audit(1451427122.170:9): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/glustershd.log" dev="dm-1" ino=12650925 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.623718] type=1400 audit(1451427122.176:10): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/vol-rebalance.log" dev="dm-1" ino=12650923 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.628972] type=1400 audit(1451427122.181:11): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/glfsheal-rep3.log" dev="dm-1" ino=12650928 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.634881] type=1400 audit(1451427122.187:12): avc: denied { read } for pid=23010 comm="logrotate" name="bricks" dev="dm-1" ino=4217248 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir
[35915.526121] type=1400 audit(1451432244.079:13): avc: denied { write } for pid=23336 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[78690.625144] type=1400 audit(1451475019.178:14): avc: denied { write } for pid=25919 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79442.567789] type=1400 audit(1451475771.120:15): avc: denied { write } for pid=25996 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79454.982729] type=1400 audit(1451475783.535:16): avc: denied { write } for pid=26000 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79489.221568] type=1400 audit(1451475817.774:17): avc: denied { write } for pid=26004 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79490.148795] type=1400 audit(1451475818.701:18): avc: denied { write } for pid=26006 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
rhgs-server-rhel7:3.1.2-3

How reproducible:
------------------
Frequently

Steps to Reproduce:
-------------------
1. Observe messages in the journal of an atomic host running RHGS container.

Actual results:
---------------
AVC denials recorded in the journal.
Are there any functional issues we experience due to these AVC denials?
(In reply to Humble Chirammal from comment #2)
> Are there any functional issues we experience due to these AVC denials?

I cannot really say that at this point, because we have not been able to perform a lot of functional tests owing to setup issues that are turning out to be test blockers (BZ#1294459). I will report back once we are able to get results from our tests.

I have also seen the following in the output of `dmesg`:

[ 2539.818822] type=1400 audit(1451921033.952:5): avc: denied { write } for pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[ 2539.839595] type=1400 audit(1451921033.973:6): avc: denied { write } for pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

I don't know if this is related, but when I see the above denials, I am unable to log in to the machine using the virt-manager console. Existing and new SSH connections to the machine are unaffected.
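The denials in the description and in comment 3 fall into two distinct groups: a host-side logrotate_t process hitting files the container runtime labelled svirt_sandbox_file_t, and host daemons (sshd_t, NetworkManager_t) writing to a "log" socket under /dev that carries the generic device_t label. The following is an added triage helper, not code from this bug report, from RHGS or from Red Hat: it parses AVC records of the shape shown above, collapses them into (source type, target type, class, permission) groups and attaches a first-look hint per group. The sample records are constructed to mirror the ones reported; the hint that /dev/log is devlog_t on the stock RHEL 7 policy is an assumption about the reference policy, not something this report states.

```python
import re
from collections import Counter

# Constructed sample input: AVC records in the same shape as those reported in
# this bug (journal prefix, audit(epoch:serial), denied {perm}, key=value fields),
# plus one non-AVC line to show the parser skipping it. Not taken from a live host.
SAMPLE_AUDIT = """\
[30793.604084] type=1400 audit(1451427122.156:5): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/etc-glusterfs-glusterd.vol.log" dev="dm-1" ino=12618760 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.608867] type=1400 audit(1451427122.161:6): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/cmd_history.log" dev="dm-1" ino=12650906 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.611522] type=1400 audit(1451427122.164:7): avc: denied { getattr } for pid=23010 comm="logrotate" path="/var/log/glusterfs/cli.log" dev="dm-1" ino=12650919 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.634881] type=1400 audit(1451427122.187:12): avc: denied { read } for pid=23010 comm="logrotate" name="bricks" dev="dm-1" ino=4217248 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir
[35915.526121] type=1400 audit(1451432244.079:13): avc: denied { write } for pid=23336 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79442.567789] type=1400 audit(1451475771.120:15): avc: denied { write } for pid=25996 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79454.982729] type=1400 audit(1451475783.535:16): avc: denied { write } for pid=26000 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79455.000000] kernel: constructed non-AVC line that the parser must ignore
"""

# Header of an AVC denial: audit(<epoch>:<serial>): avc: denied { <perm> } for <fields>
AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+denied\s+"
    r"\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "epoch": float(m.group("epoch")),
        "serial": int(m.group("serial")),
        "perm": m.group("perm"),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # The object is reported either as a full path= or as a bare name=.
    rec["object"] = rec.get("path") or rec.get("name", "?")
    return rec


def summarize(lines):
    """Collapse records into (source type, target type, class, permission) counts."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perm"])] += 1
    return counts


def triage_hint(key):
    """Rule-of-thumb hint per denial group; a starting point, not a policy verdict."""
    stype, ttype, tclass, perm = key
    if ttype == "svirt_sandbox_file_t":
        return ("host domain %s touched a container-labelled %s; decide whether that host "
                "service should be managing container data at all" % (stype, tclass))
    if tclass == "sock_file" and ttype == "device_t":
        # Assumption: on the stock RHEL 7 policy /dev/log is labelled devlog_t, so a
        # generic device_t socket points at a labelling problem before a policy gap.
        return ("socket under /dev carries the generic device_t label; verify the label "
                "of /dev/log before considering a policy change")
    return "no rule of thumb matched; run the record through audit2why"


def report(lines):
    """Render the summary as text, most frequent group first."""
    out = []
    for key, n in summarize(lines).most_common():
        out.append("%4d  %s -> %s  %s {%s}" % ((n,) + key))
        out.append("      %s" % triage_hint(key))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT.splitlines()))
```

Grouping by type pair rather than by path is what makes the two populations visible: the dozen logrotate lines collapse into two rows (file getattr, dir read), and the sshd and nm-dispatcher lines collapse into two rows sharing the same device_t sock_file target, which is the pattern that suggests one mislabelled socket rather than several policy gaps.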
No AVC denial messages are seen w.r.t. logrotate with CNS 3.4 on Atomic Host 7.3. Moving the bug to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:0149