Bug 1294762 - AVC denials on atomic host while running RHGS container
Summary: AVC denials on atomic host while running RHGS container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rhgs-server-container
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: CNS 3.4
Assignee: Mohamed Ashiq
QA Contact: Prasanth
URL:
Whiteboard:
Depends On: 1303514 1396894
Blocks: 1268895 1385246
Reported: 2015-12-30 07:40 UTC by Shruti Sampat
Modified: 2019-10-10 10:47 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1303514
Environment:
Last Closed: 2017-01-18 14:58:44 UTC
Embargoed:


Links:
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1396894 | 0 | medium | CLOSED | [RFE] RHGS 3 layered docker image based on RHGS 3.1.3 and RHEL 7.3 | 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2017:0149 | 0 | normal | SHIPPED_LIVE | rhgs-server-docker bug fix and enhancement update | 2017-01-18 20:08:41 UTC

Internal Links: 1396894

Description Shruti Sampat 2015-12-30 07:40:43 UTC
Description of problem:
------------------------

I found the following messages in the journal of an atomic host running RHGS container -

[30793.604084] type=1400 audit(1451427122.156:5): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/etc-glusterfs-glusterd.vol.log" dev="dm-1" ino=12618760 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.608867] type=1400 audit(1451427122.161:6): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/cmd_history.log" dev="dm-1" ino=12650906 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.611522] type=1400 audit(1451427122.164:7): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/cli.log" dev="dm-1" ino=12650919 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.613136] type=1400 audit(1451427122.166:8): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/nfs.log" dev="dm-1" ino=12650924 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.617402] type=1400 audit(1451427122.170:9): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/glustershd.log" dev="dm-1" ino=12650925 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.623718] type=1400 audit(1451427122.176:10): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/vol-rebalance.log" dev="dm-1" ino=12650923 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.628972] type=1400 audit(1451427122.181:11): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/glfsheal-rep3.log" dev="dm-1" ino=12650928 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.634881] type=1400 audit(1451427122.187:12): avc:  denied  { read } for  pid=23010 comm="logrotate" name="bricks" dev="dm-1" ino=4217248 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir
[35915.526121] type=1400 audit(1451432244.079:13): avc:  denied  { write } for  pid=23336 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[78690.625144] type=1400 audit(1451475019.178:14): avc:  denied  { write } for  pid=25919 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79442.567789] type=1400 audit(1451475771.120:15): avc:  denied  { write } for  pid=25996 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79454.982729] type=1400 audit(1451475783.535:16): avc:  denied  { write } for  pid=26000 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79489.221568] type=1400 audit(1451475817.774:17): avc:  denied  { write } for  pid=26004 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79490.148795] type=1400 audit(1451475818.701:18): avc:  denied  { write } for  pid=26006 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
rhgs-server-rhel7:3.1.2-3 

How reproducible:
------------------
Frequently

Steps to Reproduce:
-------------------
1. Observe messages in the journal of an atomic host running RHGS container.

Actual results:
---------------
AVC denials recorded in the journal.

Comment 2 Humble Chirammal 2015-12-31 06:48:44 UTC
Are there any functional issues we experience due to these AVC denials?

Comment 3 Shruti Sampat 2016-01-04 11:53:56 UTC
(In reply to Humble Chirammal from comment #2)
> Are there any functional issues we experience due to these AVC denials?

I cannot really say that at this point, because we have not been able to perform a lot of functional tests owing to setup issues that are turning out to be test blockers (BZ#1294459). I will report back once we are able to get results from our tests.

I have also seen the following in the output of `dmesg`:

[ 2539.818822] type=1400 audit(1451921033.952:5): avc:  denied  { write } for  pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[ 2539.839595] type=1400 audit(1451921033.973:6): avc:  denied  { write } for  pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

I don't know if this is related, but when I see the above denials, I am unable to login to the machine using the virt-manager console. Existing and new SSH connections to the machine are unaffected.

Comment 22 krishnaram Karthick 2017-01-02 09:48:52 UTC
No AVC denied messages are seen w.r.t. logrotate with CNS 3.4 on Atomic Host 7.3.

Moving the bug to verified.

Comment 24 errata-xmlrpc 2017-01-18 14:58:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:0149