Bug 1305325 - AVC seen during ipa-server upgrade test execution
Summary: AVC seen during ipa-server upgrade test execution
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1331450
 
Reported: 2016-02-07 07:33 UTC by Nikhil Dehadrai
Modified: 2016-11-04 02:42 UTC

Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1331450 (view as bug list)
Environment:
Last Closed: 2016-11-04 02:42:12 UTC
Target Upstream Version:


Attachments
AVC Error -7.2.up2 upgrade testing (4.33 KB, text/plain)
2016-02-07 07:37 UTC, Nikhil Dehadrai
AVC Error -7.2.up2 upgrade testing (dirsrv_off) (4.33 KB, text/plain)
2016-02-07 07:44 UTC, Nikhil Dehadrai


Links
System: Red Hat Product Errata
ID: RHBA-2016:2283
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description Nikhil Dehadrai 2016-02-07 07:33:43 UTC
Description of problem:
AVC seen during ipa-server upgrade test execution.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up IPA server for ipa-upgrade test suite execution on beaker.
2. Make sure latest repo links are set correctly for test execution.
3. Initiate automation for ipa-upgrade test suite on beaker.

Actual results:
----
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 02/05/2016 07:04:47 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.yQZBCl 2>&1'
----
time->Fri Feb  5 07:07:46 2016
type=PATH msg=audit(1454674066.635:677): item=0 name="/run/user/0" inode=85673 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:677):  cwd="/"
type=SYSCALL msg=audit(1454674066.635:677): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b63a0 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:677): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Fri Feb  5 07:07:46 2016
type=PATH msg=audit(1454674066.635:678): item=0 name="/run/user/0" inode=104499 dev=00:12 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1454674066.635:678):  cwd="/"
type=SYSCALL msg=audit(1454674066.635:678): arch=c000003e syscall=165 success=no exit=-13 a0=7f58a0477290 a1=7f58a18b2e70 a2=7f58a0477290 a3=6 items=1 ppid=1 pid=29819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1454674066.635:678): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----

Expected results:
No AVC messages should be found

Additional info:
1. This error was observed while performing automation upgrade testing from RHEL 7.0 > RHEL 7.2.z (up2).
2. Also refer to the attachment for more logs.

Comment 1 Nikhil Dehadrai 2016-02-07 07:37:55 UTC
Created attachment 1121844
AVC Error -7.2.up2 upgrade testing

Comment 2 Nikhil Dehadrai 2016-02-07 07:44:44 UTC
Created attachment 1121857
AVC Error -7.2.up2 upgrade testing (dirsrv_off)

Comment 4 Milos Malik 2016-02-08 09:54:05 UTC
Is it possible that AVCs appeared before the selinux-policy = 3.13.1-60.el7_2.3 was installed?

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-sandbox-3.13.1-60.el7_2.3.noarch
selinux-policy-devel-3.13.1-60.el7_2.3.noarch
selinux-policy-doc-3.13.1-60.el7_2.3.noarch
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-minimum-3.13.1-60.el7_2.3.noarch
selinux-policy-mls-3.13.1-60.el7_2.3.noarch
# sesearch -s systemd_logind_t -c dir -p mounton -A -C
Found 2 semantic av rules:
   allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ; 
   allow systemd_logind_t user_tmp_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename mounton add_name remove_name reparent search rmdir open } ; 

#
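
The comparison made in comment 4, as an added example (not part of the bug report or of selinux-policy): it parses the two AVC records from the description and the sesearch output above, then reports for each denial which permissions no directly matching allow rule grants. An empty list means the queried policy already allows the access, so the denial was logged under a different policy or has another cause. Function names are hypothetical, and type attributes such as user_tmp_type are not expanded.

```python
import re

# AVC records copied from the report's ausearch output.
AUDIT_LOG = '''\
type=AVC msg=audit(1454674066.635:677): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=85673 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1454674066.635:678): avc:  denied  { mounton } for  pid=29819 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=104499 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
'''
# Allow rules copied from the sesearch output in comment 4.
SESEARCH_OUTPUT = '''\
   allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ;
   allow systemd_logind_t user_tmp_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename mounton add_name remove_name reparent search rmdir open } ;
'''

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)\s*\{(?P<perms>[^}]*)\}")

def type_of(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per AVC denial, keyed by audit serial number."""
    return [{"serial": int(m["serial"]),
             "source": type_of(m["scon"]),
             "target": type_of(m["tcon"]),
             "tclass": m["tclass"],
             "perms": set(m["perms"].split())} for m in AVC_RE.finditer(text)]

def parse_rules(text):
    """Return (source, target, class, perms) for each allow rule line."""
    return [(m["src"], m["tgt"], m["tclass"], set(m["perms"].split()))
            for m in RULE_RE.finditer(text)]

def uncovered(denial, rules):
    """Denied permissions that no rule with the same source/target/class grants."""
    key = (denial["source"], denial["target"], denial["tclass"])
    granted = set()
    for src, tgt, tclass, perms in rules:
        if (src, tgt, tclass) == key:
            granted |= perms
    return denial["perms"] - granted

def triage(audit_text, sesearch_text):
    """Map audit serial -> sorted list of permissions the policy does not grant."""
    rules = parse_rules(sesearch_text)
    return {d["serial"]: sorted(uncovered(d, rules)) for d in parse_denials(audit_text)}
```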

Comment 6 Milos Malik 2016-02-08 15:04:28 UTC
Let's wait for an explanation from the developers. Either the AVC has something to do with mount points or I don't know why it appeared.

Comment 7 Miroslav Grepl 2016-04-29 07:46:41 UTC
We need to back port fixes from Fedora.

Comment 11 errata-xmlrpc 2016-11-04 02:42:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

