Bug 1305325 - AVC seen during ipa-server upgrade test execution
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Stefan Kremen
Blocks: 1331450
Reported: 2016-02-07 02:33 EST by Nikhil Dehadrai
Modified: 2016-11-03 22:42 EDT

Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: Bug Fix
Clones: 1331450
Last Closed: 2016-11-03 22:42:12 EDT
Type: Bug

Attachments
AVC Error -7.2.up2 upgrade testing (4.33 KB, text/plain)
2016-02-07 02:37 EST, Nikhil Dehadrai
AVC Error -7.2.up2 upgrade testing (dirsrv_off) (4.33 KB, text/plain)
2016-02-07 02:44 EST, Nikhil Dehadrai

Description Nikhil Dehadrai 2016-02-07 02:33:43 EST
Description of problem:
AVC seen during ipa-server upgrade test execution.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up IPA server for ipa-upgrade test suite execution on beaker.
2. Make sure latest repo links are set correctly for test execution.
3. Initiate automation for ipa-upgrade test suite on beaker.

Actual results:
----
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 02/05/2016 07:04:47 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.yQZBCl 2>&1'
----
time->Fri Feb  5 07:07:46 2016
type=PATH msg=audit(1454674066.635:677): item=0 name="/run/user/0" inode=85673 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:677):  cwd="/"
type=SYSCALL msg=audit(1454674066.635:677): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b63a0 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:677): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Fri Feb  5 07:07:46 2016
type=PATH msg=audit(1454674066.635:678): item=0 name="/run/user/0" inode=104499 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:678):  cwd="/"
type=SYSCALL msg=audit(1454674066.635:678): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b2e70 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:678): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----

Expected results:
No AVC messages should be found

Additional info:
1. This error was observed while performing automation upgrade testing from RHEL 7.0 > RHEL 7.2.z (up2).
2. Also refer to the attachment for more logs.
Comment 1 Nikhil Dehadrai 2016-02-07 02:37 EST
Created attachment 1121844
AVC Error -7.2.up2 upgrade testing
Comment 2 Nikhil Dehadrai 2016-02-07 02:44 EST
Created attachment 1121857
AVC Error -7.2.up2 upgrade testing (dirsrv_off)
Comment 4 Milos Malik 2016-02-08 04:54:05 EST
Is it possible that AVCs appeared before the selinux-policy = 3.13.1-60.el7_2.3 was installed?

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-sandbox-3.13.1-60.el7_2.3.noarch
selinux-policy-devel-3.13.1-60.el7_2.3.noarch
selinux-policy-doc-3.13.1-60.el7_2.3.noarch
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-minimum-3.13.1-60.el7_2.3.noarch
selinux-policy-mls-3.13.1-60.el7_2.3.noarch
# sesearch -s systemd_logind_t -c dir -p mounton -A -C
Found 2 semantic av rules:
   allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ; 
   allow systemd_logind_t user_tmp_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename mounton add_name remove_name reparent search rmdir open } ; 

#
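
The comparison made in comment 4, as an added example that is not part of the bug report: it parses the `type=AVC` records and the `sesearch` output quoted above (embedded below as constructed sample input) and reports, per audit serial, which denied permissions the queried policy already allows. The function names are illustrative.

```python
import re

# Constructed sample: the two AVC records and the sesearch output quoted on this page.
AUDIT_LOG = """\
type=AVC msg=audit(1454674066.635:677): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1454674066.635:678): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""
SESEARCH_OUT = """\
Found 2 semantic av rules:
   allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ;
   allow systemd_logind_t user_tmp_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename mounton add_name remove_name reparent search rmdir open } ;
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)")
# Unconditional "allow" lines only; accepts "{ a b }" and the single-permission form.
RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\w+)\s*\{?([^};]*)", re.M)

def setype(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """One dict per denial: audit time and serial, source/target type, class, perms."""
    return [{"time": float(m["ts"]), "serial": int(m["serial"]),
             "source": setype(m["s"]), "target": setype(m["t"]),
             "tclass": m["cls"], "perms": set(m["perms"].split())}
            for m in AVC_RE.finditer(text)]

def parse_allow_rules(text):
    """Map (source, target, class) to the set of permissions sesearch reported."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def triage(denials, rules):
    """Per denial: (serial, perms the queried policy allows, perms it lacks)."""
    out = []
    for d in denials:
        granted = rules.get((d["source"], d["target"], d["tclass"]), set())
        out.append((d["serial"], sorted(d["perms"] & granted), sorted(d["perms"] - granted)))
    return out

if __name__ == "__main__":
    for serial, allowed, missing in triage(parse_denials(AUDIT_LOG), parse_allow_rules(SESEARCH_OUT)):
        print(f"audit serial {serial}: already allowed={allowed} not in policy={missing}")
```

A denial whose permissions all land in the first list was not caused by a rule missing from the queried policy, which is the situation comment 4 describes.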
Comment 6 Milos Malik 2016-02-08 10:04:28 EST
Let's wait for an explanation from the developers. Either the AVC has something to do with mount points or I don't know why it appeared.
Comment 7 Miroslav Grepl 2016-04-29 03:46:41 EDT
We need to back port fixes from Fedora.
Comment 11 errata-xmlrpc 2016-11-03 22:42:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html