Description of problem:
AVC denials for Satellite 6 system (6.1.7)

Version-Release number of selected component (if applicable):
TP2 RC2

How reproducible:
Believe 100%

Steps to Reproduce:
1. Install Sat 6 using QCI ISO
2. Log in to run launch-fusor-installer
3. grep denied /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(x.y:z): avc: denied { create } for pid=12944 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(x.y:z): avc: denied { read } for pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(x.y:z): avc: denied { read } for pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Diagnostics after error:

ll -Z /var/log/candlepin/candlepin.log
-rw-r--r--. tomcat tomcat system_u:object_r:tomcat_log_t:s0 /var/log/candlepin/candlepin.log

restorecon -RFvv .
restorecon reset /var/log/candlepin/cpdb.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/cpinit.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/candlepin.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/error.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/audit.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0

Note that candlepin.log (and friends) change from tomcat_log_t to var_log_t
Thom can you please retest with a current compose? I'd like to ensure this hasn't been fixed before cloning it for the Satellite team to resolve.
For QCI 1.2:

type=AVC msg=audit(1468254134.028:345): avc: denied { create } for pid=8706 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

and

restorecon reset /var/lib/candlepin/hornetq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/server.lock context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-1.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-2.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-1.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-2.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/largemsgs context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /usr/share/foreman/config/hooks context system_u:object_r:bin_t:s0->system_u:object_r:foreman_hook_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/nokogiri context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/native context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerLoggingAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerWatchdog context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/SpawnPreparer context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/var/log/passenger-analytics context system_u:object_r:usr_t:s0->system_u:object_r:passenger_log_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run/rubygem-passenger context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /dev/shm/pulse-shm-<<number>> context system_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
restorecon reset /sys/fs/cgroup context system_u:object_r:tmpfs_t:s0->system_u:object_r:cgroup_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'
restorecon reset /etc/foreman context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/database.yml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/email.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/foreman-debug.conf context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/logging.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/foreman-tasks.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/fusor.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/settings.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/encryption_key.rb context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_cert.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_key.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/proxy_ca.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /root/.pki context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0
restorecon reset /root/.pki/nssdb context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0
There are some obvious exceptions, but most of this looks like it's related to stuff packaged as part of Satellite or created as a result of running foreman-installer.
Satellite doesn't have any process that reads candlepin.log; this is coming from Fusor:

./server/app/controllers/fusor/api/v21/deployments_controller.rb: when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb: when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb: File.join(dir, 'var/log/candlepin/candlepin.log')
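As an added triage example (not code from this bug, Satellite or Fusor), the parser below reads the AVC records and the restorecon output quoted in this thread and reports which denied objects carry an on-disk label that the loaded policy's file contexts would reset, which is what happens to candlepin.log (tomcat_log_t on disk, var_log_t per policy). The sample input is copied from the comments above; no paths or names beyond those are assumed.

```python
import os
import re

# Constructed sample input: lines copied from this bug (audit.log AVC records and
# "restorecon -RFvv" output), not a live capture from a running system.
AVC_LINES = [
    'type=AVC msg=audit(x.y:z): avc: denied { create } for pid=12944 comm="gdm-session-wor" name=".cache" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(x.y:z): avc: denied { read } for pid=27284 comm="tail" name="candlepin.log" dev="sda3" '
    'ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file',
]
RESTORECON_LINES = [
    'restorecon reset /var/log/candlepin/candlepin.log context '
    'system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0',
    'restorecon reset /var/lib/candlepin/hornetq context '
    'system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0',
    "restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'",
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESET_RE = re.compile(r'^restorecon reset (\S+) context (\S+)->(\S+)$')

def ctx_type(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Permissions, process name, object name and the two types of one AVC denial."""
    if 'avc: denied' not in line:
        return None
    perms = re.search(r'denied\s+\{([^}]*)\}', line).group(1).split()
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {'perms': perms, 'comm': kv.get('comm'), 'name': kv.get('name'),
            'stype': ctx_type(kv['scontext']), 'ttype': ctx_type(kv['tcontext']),
            'tclass': kv['tclass']}

def parse_restorecon(line):
    """(path, on-disk type, policy type) for a 'restorecon reset' line; None for other output."""
    m = RESET_RE.match(line)
    return (m.group(1), ctx_type(m.group(2)), ctx_type(m.group(3))) if m else None

def label_drift(avc_lines, restorecon_lines):
    """Denied object names whose on-disk type (the one the denial names) restorecon would change."""
    relabels = [r for r in map(parse_restorecon, restorecon_lines) if r]
    drift = {}
    for avc in filter(None, map(parse_avc, avc_lines)):
        for path, on_disk, policy in relabels:
            if avc['name'] == os.path.basename(path) and avc['ttype'] == on_disk:
                drift[avc['name']] = (on_disk, policy)
    return drift
```

A denial that shows up in label_drift is a labelling question (which type should the file carry, and which domain should be allowed it) rather than a missing allow rule; the gdm .cache denial does not appear because no restorecon line touches it.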