Bug 1401208 - [RHVH 4.0.6] avc denied errors (dev="tmpfs") in audit.log after upgrade
Summary: [RHVH 4.0.6] avc denied errors (dev="tmpfs") in audit.log after upgrade
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: ovirt-node
Classification: oVirt
Component: Installation & Update
Version: 4.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ovirt-4.0.7
: ---
Assignee: Ryan Barry
QA Contact: cshao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-03 14:08 UTC by cshao
Modified: 2017-01-18 11:08 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-18 11:08:18 UTC
oVirt Team: Node
Embargoed:
rule-engine: ovirt-4.0.z+

Attachments (Terms of Use)
/var/log; /tmp; sosreport (1.12 MB, application/x-gzip)
2016-12-03 14:08 UTC, cshao 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1359789 0 medium CLOSED avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock 2021-02-22 00:41:40 UTC
oVirt gerrit 67908 0 master MERGED osupdater: try restorecon on upgrades 2017-01-11 18:37:24 UTC
oVirt gerrit 70049 0 ovirt-4.1 MERGED osupdater: try restorecon on upgrades 2017-01-11 18:38:35 UTC

Internal Links: 1359789

Description cshao 2016-12-03 14:08:49 UTC 
Created attachment 1227674 [details]
/var/log; /tmp; sosreport

Description of problem:
[RHVH 4.0.6] avc denied errors (dev="tmpfs") in audit.log after upgrade

# imgbase layout
rhvh-4.0-0.20161116.0
 +- rhvh-4.0-0.20161116.0+1
rhvh-4.0-0.20161130.0
 +- rhvh-4.0-0.20161130.0+1


Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161116.1
imgbased-0.8.10-0.1.el7ev.noarch

redhat-virtualization-host-4.0-20161130.0
imgbased-0.8.10-0.1.el7ev.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Login RHVH and setup local repos
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
4. Reboot and login the new build.
5. grep "avc:  denied" /var/log/audit/audit.log

Actual results:
After step5, avc denied errors (dev="tmpfs") in audit.log after upgrade

grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1480665183.943:621): avc:  denied  { write } for  pid=21818 comm="rpc.statd" path="/run/rpc.statd.lock" dev="tmpfs" ino=51145 scontext=system_u:system_r:rpcd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file



Expected results:
No avc denied errors in audit.log.

Additional info:
No such issue on clean RHVH(no update) 4.0.6 build.
Comment 1 Fabian Deutsch 2016-12-04 21:09:47 UTC 
Does this denial also appear on RHEL-H?
Comment 2 cshao 2016-12-05 08:43:54 UTC 
(In reply to Fabian Deutsch from comment #1)
> Does this denial also appear on RHEL-H?

No such issue on RHEL-H.
Comment 3 Ryan Barry 2016-12-06 16:08:43 UTC 
I can't reproduce this. Were any additional steps taken?
Comment 4 Ryan Barry 2016-12-06 18:53:15 UTC 
I threw a patch at this, but I can't verify this without a reproducer.
Comment 5 cshao 2016-12-07 08:35:03 UTC 
(In reply to Ryan Barry from comment #3)
> I can't reproduce this. Were any additional steps taken?

Hi Ryan, 

After double check, the registration step is must.

Let me correct the steps.
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
2. Login RHVH and setup local repos
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
4. Reboot and login the new build.
5. grep "avc:  denied" /var/log/audit/audit.log
Comment 6 Ryan Barry 2016-12-07 20:16:18 UTC 
I'm still not able to reproduce this. I'll put up a test build later today for QE verification.

Steps taken:

1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
3. Login RHVH and setup local repos
4. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
5. Reboot and login the new build.
6. grep "avc:  denied" /var/log/audit/audit.log

No messages.

I waited about 60 minutes before commenting here just to make sure nothing came up.

Were any other steps taken? Attaching to storage? Setting up networks? Adding VMs?
Comment 8 Fabian Deutsch 2016-12-13 09:50:33 UTC 
Is any NFS functionality impacted? Could you please test a simple flow with a NFS SD?
Comment 9 cshao 2016-12-13 11:23:19 UTC 
(In reply to Fabian Deutsch from comment #8)
> Is any NFS functionality impacted? Could you please test a simple flow with
> a NFS SD?

It seems no effect during my testing.

After two days testing, I can't reproduce this issue anymore.

Test scenarios 1:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Yum update to the latest RHVH.

Test result:
Pass without AVC error.


Test scenarios 2:
1. Install RHVH old version.
2. Yum update to the latest RHVH.
3. Register RHVH to RHVM.
4. Attaching to storage
5. Adding VMs

Test result:
Pass without AVC error.


Test scenarios 3:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Upgrade to the latest RHVH via RHVM.

Test result:
Pass without AVC error.


Test scenarios 4:
Repeat scenario 3 with bond+vlan env.

Test result:
Pass without AVC error.
Comment 10 Fabian Deutsch 2016-12-13 13:03:19 UTC 
Moving this out for now according to comment 9
Comment 11 Ying Cui 2017-01-16 14:32:08 UTC 
chen, could you take a look at this bug if we can not reproduce this bug on latest 4.0.z build and 4.1 build, we probably consider to close it.
Comment 12 cshao 2017-01-18 11:08:18 UTC 
(In reply to Ying Cui from comment #11)
> chen, could you take a look at this bug if we can not reproduce this bug on
> latest 4.0.z build and 4.1 build, we probably consider to close it.


After repeated testing, the bug can't be reproduce anymore on latest 4.0.z(redhat-virtualization-host-4.0-20170104.1 ) build and 4.1(redhat-virtualization-host-4.1-20160116.0) build.

So close this bug as WORKSFORME.

Fell free to re-open this bug if can reproduce it again in the future.
Note You need to log in before you can comment on or make changes to this bug.