Bug 1294762 - AVC denials on atomic host while running RHGS container
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: rhgs-server-container
Version: 3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: CNS 3.4
Assigned To: Mohamed Ashiq
QA Contact: Prasanth
Keywords: ZStream
Depends On: 1303514 1396894
Blocks: 1268895 1385246

Reported: 2015-12-30 02:40 EST by Shruti Sampat
Modified: 2017-01-18 09:58 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1303514
Environment:
Last Closed: 2017-01-18 09:58:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Shruti Sampat 2015-12-30 02:40:43 EST
Description of problem:
------------------------

I found the following messages in the journal of an atomic host running the RHGS container:

[30793.604084] type=1400 audit(1451427122.156:5): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/etc-glusterfs-glusterd.vol.log" dev="dm-1" ino=12618760 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.608867] type=1400 audit(1451427122.161:6): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/cmd_history.log" dev="dm-1" ino=12650906 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.611522] type=1400 audit(1451427122.164:7): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/cli.log" dev="dm-1" ino=12650919 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.613136] type=1400 audit(1451427122.166:8): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/nfs.log" dev="dm-1" ino=12650924 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.617402] type=1400 audit(1451427122.170:9): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/glustershd.log" dev="dm-1" ino=12650925 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.623718] type=1400 audit(1451427122.176:10): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/vol-rebalance.log" dev="dm-1" ino=12650923 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.628972] type=1400 audit(1451427122.181:11): avc:  denied  { getattr } for  pid=23010 comm="logrotate" path="/var/log/glusterfs/glfsheal-rep3.log" dev="dm-1" ino=12650928 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
[30793.634881] type=1400 audit(1451427122.187:12): avc:  denied  { read } for  pid=23010 comm="logrotate" name="bricks" dev="dm-1" ino=4217248 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir
[35915.526121] type=1400 audit(1451432244.079:13): avc:  denied  { write } for  pid=23336 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[78690.625144] type=1400 audit(1451475019.178:14): avc:  denied  { write } for  pid=25919 comm="nm-dispatcher" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79442.567789] type=1400 audit(1451475771.120:15): avc:  denied  { write } for  pid=25996 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79454.982729] type=1400 audit(1451475783.535:16): avc:  denied  { write } for  pid=26000 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79489.221568] type=1400 audit(1451475817.774:17): avc:  denied  { write } for  pid=26004 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[79490.148795] type=1400 audit(1451475818.701:18): avc:  denied  { write } for  pid=26006 comm="sshd" name="log" dev="devtmpfs" ino=38334 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
rhgs-server-rhel7:3.1.2-3 

How reproducible:
------------------
Frequently

Steps to Reproduce:
-------------------
1. Observe messages in the journal of an atomic host running RHGS container.

Actual results:
---------------
AVC denials recorded in the journal.
Comment 2 Humble Chirammal 2015-12-31 01:48:44 EST
Are there any functional issues we experience due to these AVC denials?
Comment 3 Shruti Sampat 2016-01-04 06:53:56 EST
(In reply to Humble Chirammal from comment #2)
> Are there any functional issues we experience due to these AVC denials?

I cannot really say that at this point, because we have not been able to perform a lot of functional tests owing to setup issues that are turning out to be test blockers (BZ#1294459). I will report back once we are able to get results from our tests.

I have also seen the following in the output of `dmesg`:

[ 2539.818822] type=1400 audit(1451921033.952:5): avc:  denied  { write } for  pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[ 2539.839595] type=1400 audit(1451921033.973:6): avc:  denied  { write } for  pid=20272 comm="sshd" name="log" dev="devtmpfs" ino=35762 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file

I don't know if this is related, but when I see the above denials, I am unable to login to the machine using the virt-manager console. Existing and new SSH connections to the machine are unaffected.
Comment 22 krishnaram Karthick 2017-01-02 04:48:52 EST
No AVC denied messages are seen w.r.t. logrotate with CNS 3.4 on Atomic Host 7.3.

Moving the bug to verified.
Comment 24 errata-xmlrpc 2017-01-18 09:58:44 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:0149