Bug 1320734 - AVC denials on QCI Sat6 system
Summary: AVC denials on QCI Sat6 system
Keywords:
Status: NEW
Alias: None
Product: Red Hat Quickstart Cloud Installer
Classification: Red Hat
Component: Installation - Satellite
Version: 1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: John Matthews
QA Contact: Sudhir Mallamprabhakara
Docs Contact: Dan Macpherson
URL:
Whiteboard:
Depends On:
Blocks: rhci-common-installer
 
Reported: 2016-03-23 21:24 UTC by Thom Carlin
Modified: 2016-10-14 12:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:



Description Thom Carlin 2016-03-23 21:24:30 UTC
Description of problem:

AVC denials for Satellite 6 system (6.1.7)

Version-Release number of selected component (if applicable):

TP2 RC2

How reproducible:

Believe 100%

Steps to Reproduce:
1. Install Sat 6 using QCI ISO
2. Log in to run launch-fusor-installer
3. grep denied /var/log/audit/audit.log

Actual results:

type=AVC msg=audit(x.y:z): avc:  denied  { create } for  pid=12944 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(x.y:z): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(x.y:z): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

Expected results:

No AVC denials

Additional info:

Diagnostics after error:

ll -Z /var/log/candlepin/candlepin.log
-rw-r--r--. tomcat tomcat system_u:object_r:tomcat_log_t:s0 /var/log/candlepin/candlepin.log

restorecon -RFvv .
restorecon reset /var/log/candlepin/cpdb.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/cpinit.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/candlepin.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/error.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/audit.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0

Note that candlepin.log (and friends) change from tomcat_log_t to var_log_t
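Triaging a report like this by hand means reading the AVC records and the restorecon output side by side. The following Python script is added here as a worked example; it is not part of the bug, of QCI or of Satellite. It collapses repeated AVC records into (source domain, target type, class, permission) counts, separates restorecon type changes from changes that only touch the SELinux user, and flags denials whose target type restorecon would relabel, since those were evaluated against a label the policy does not expect for that path and should be re-tested after relabelling rather than answered with a custom policy module. The sample input is constructed from the lines quoted above (the audit timestamps are the report's own "x.y:z" placeholders); the regexes assume the standard field order of audit.log AVC records and of restorecon's verbose output.

```python
import re
from collections import Counter

# Constructed sample input modelled on the lines quoted in this bug (the audit
# timestamps are the report's own "x.y:z" placeholders, not real values).
SAMPLE_AUDIT = """\
type=AVC msg=audit(x.y:z): avc:  denied  { create } for  pid=12944 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(x.y:z): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(x.y:z): avc:  denied  { read } for  pid=27284 comm="tail" name="candlepin.log" dev="sda3" ino=2803330 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(x.y:z): arch=c000003e syscall=2 success=no exit=-13 comm="tail"
"""

# Constructed "restorecon -nv" style output, again modelled on the report.
SAMPLE_RESTORECON = """\
restorecon reset /var/log/candlepin/cpdb.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:var_log_t:s0
restorecon reset /var/log/candlepin/candlepin.log context system_u:object_r:tomcat_log_t:s0->system_u:object_r:var_log_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'
"""

AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
RESET_RE = re.compile(r'^restorecon reset (?P<path>\S+) context (?P<old>\S+?)->(?P<new>\S+)$')
FAIL_RE = re.compile(r"^restorecon set context (?P<path>\S+?)->(?P<new>\S+) failed:'(?P<reason>[^']*)'$")


def selinux_type(context):
    """Third field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(text):
    """Return one dict per AVC record; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['perms'] = rec['perms'].split()
        rec['sdomain'] = selinux_type(rec['scontext'])
        rec['ttype'] = selinux_type(rec['tcontext'])
        records.append(rec)
    return records


def summarise_avc(records):
    """Collapse repeated records into (source domain, target type, class, perm) counts."""
    counts = Counter()
    for rec in records:
        for perm in rec['perms']:
            counts[(rec['sdomain'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def parse_restorecon(text):
    """Split restorecon output into type relabels, user-only relabels and failures.

    A change of only the SELinux user (unconfined_u -> system_u) does not affect
    type-enforcement decisions; a change of type does, so the two are kept apart.
    """
    result = {'type_changes': [], 'user_only': [], 'failures': []}
    for line in text.splitlines():
        m = RESET_RE.match(line)
        if m:
            old_t, new_t = selinux_type(m['old']), selinux_type(m['new'])
            if old_t != new_t:
                result['type_changes'].append((m['path'], old_t, new_t))
            else:
                result['user_only'].append(m['path'])
            continue
        m = FAIL_RE.match(line)
        if m:
            result['failures'].append((m['path'], m['reason']))
    return result


def denials_touched_by_relabel(records, relabel):
    """Denials whose target's current type is one restorecon would change.

    Returned as sorted (source domain, current type, policy type, class) tuples.
    """
    pending = {old: new for _path, old, new in relabel['type_changes']}
    return sorted({(r['sdomain'], r['ttype'], pending[r['ttype']], r['tclass'])
                   for r in records if r['ttype'] in pending})


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUDIT)
    for key, n in summarise_avc(recs).items():
        print('%3d x %s -> %s %s:%s' % (n, key[0], key[1], key[2], key[3]))
    rel = parse_restorecon(SAMPLE_RESTORECON)
    print('type relabels:', rel['type_changes'])
    print('user-only relabels:', rel['user_only'])
    print('failures:', rel['failures'])
    print('re-test after relabel:', denials_touched_by_relabel(recs, rel))
```

Run it against a real audit.log and the output of `restorecon -nRv` (dry run, no changes) on the directories in question; a denial that shows up under "re-test after relabel" is the symptom the report describes for candlepin.log, where the file's on-disk label and the label the loaded policy expects disagree.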

Comment 1 Jason Montleon 2016-06-27 12:56:22 UTC
Thom can you please retest with a current compose? I'd like to ensure this hasn't been fixed before cloning it for the Satellite team to resolve.

Comment 2 Thom Carlin 2016-07-11 15:48:45 UTC
For QCI 1.2:
type=AVC msg=audit(1468254134.028:345): avc:  denied  { create } for  pid=8706 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

and

restorecon reset /var/lib/candlepin/hornetq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/server.lock context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-1.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/journal/hornetq-data-2.hq context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-1.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/bindings/hornetq-bindings-2.bindings context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/candlepin/hornetq/largemsgs context system_u:object_r:tomcat_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /usr/share/foreman/config/hooks context system_u:object_r:bin_t:s0->system_u:object_r:foreman_hook_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.6.6.2/nokogiri context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.5.2/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/native context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerLoggingAgent context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerWatchdog context system_u:object_r:usr_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/passenger-4.0.18/agents/SpawnPreparer context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/qpid_messaging-0.30.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ffi-1.4.0/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1 context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-0.15.1/gem.build_complete context system_u:object_r:usr_t:s0->system_u:object_r:lib_t:s0
restorecon reset /opt/theforeman/tfm/root/var/log/passenger-analytics context system_u:object_r:usr_t:s0->system_u:object_r:passenger_log_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /opt/theforeman/tfm/root/var/run/rubygem-passenger context system_u:object_r:usr_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /dev/shm/pulse-shm-<<number>> context system_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
restorecon reset /sys/fs/cgroup context system_u:object_r:tmpfs_t:s0->system_u:object_r:cgroup_t:s0
restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'
restorecon reset /etc/foreman context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/database.yml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/email.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/foreman-debug.conf context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/logging.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/foreman-tasks.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/fusor.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/plugins/katello.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/settings.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/encryption_key.rb context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_cert.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/client_key.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /etc/foreman/proxy_ca.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
restorecon reset /root/.pki context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0
restorecon reset /root/.pki/nssdb context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:home_cert_t:s0

Comment 8 Jason Montleon 2016-08-05 15:52:17 UTC
There are some obvious exceptions, but most of this looks like it's related to stuff packaged as part of Satellite or created as a result of running foreman-installer.

Comment 9 Stephen Benjamin 2016-10-14 12:33:14 UTC
Satellite doesn't have any process that reads candlepin.log; this is coming from Fusor:

./server/app/controllers/fusor/api/v21/deployments_controller.rb:        when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb:        when 'candlepin_log'
./server/app/controllers/fusor/api/v21/deployments_controller.rb:          File.join(dir, 'var/log/candlepin/candlepin.log')

