1401210 – [RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade

Bug 1401210 - [RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade

Summary: [RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	ovirt-node
Classification:	oVirt
Component:	Installation & Update
Sub Component:
Version:	4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low vote
Target Milestone:	ovirt-4.0.7
Target Release:	---
Assignee:	Fabian Deutsch
QA Contact:	cshao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-03 14:10 UTC by cshao
Modified:	2017-01-18 11:07 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-18 11:07:09 UTC
oVirt Team:	Node
Dependent Products:
Flags:	rule-engine: ovirt-4.0.z+ ycui: testing_plan_complete?

Attachments	(Terms of Use)
/var/log; /tmp; sosreport (1.12 MB, application/x-gzip) 2016-12-03 14:10 UTC, cshao	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	67908	0	master	MERGED	osupdater: try restorecon on upgrades	2017-01-11 18:37:24 UTC
oVirt gerrit	70049	0	ovirt-4.1	MERGED	osupdater: try restorecon on upgrades	2017-01-11 18:38:35 UTC

Description cshao 2016-12-03 14:10:41 UTC

Created attachment 1227675 [details]
/var/log; /tmp; sosreport

Description of problem:
[RHVH 4.0.6] avc denied errors (system_dbusd_t) in audit.log after upgrade

# imgbase layout
rhvh-4.0-0.20161116.0
 +- rhvh-4.0-0.20161116.0+1
rhvh-4.0-0.20161130.0
 +- rhvh-4.0-0.20161130.0+1

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161116.1
imgbased-0.8.10-0.1.el7ev.noarch

redhat-virtualization-host-4.0-20161130.0
imgbased-0.8.10-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Login RHVH and setup local repos
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
4. Reboot and login the new build.
5. grep "avc:  denied" /var/log/audit/audit.log


Actual results:
After step5, avc denied errors (system_dbusd_t) in audit.log after upgrade

type=USER_AVC msg=audit(1480766795.927:120): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.2 spid=3866 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766795.931:121): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgentWithOptions dest=:1.2 spid=3866 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766808.311:122): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.2 spid=4045 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480766808.311:123): pid=1132 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgentWithOptions dest=:1.2 spid=4045 tpid=1131 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Expected results:
No avc denied errors in audit.log.

Additional info:
No such issue on clean RHVH(no update) 4.0.6 build.

Comment 1 Fabian Deutsch 2016-12-04 21:09:12 UTC

Do these denials also appear with RHEL-H?

Comment 2 cshao 2016-12-05 08:42:39 UTC

(In reply to Fabian Deutsch from comment #1)
> Do these denials also appear with RHEL-H?

No such issue on RHEL-H.

Comment 3 Ryan Barry 2016-12-06 16:08:50 UTC

I can't reproduce this. Were any additional steps taken?

Comment 4 cshao 2016-12-07 08:38:00 UTC

(In reply to Ryan Barry from comment #3)
> I can't reproduce this. Were any additional steps taken?

Hi Ryan, 

After double check, the registration step is must.

Let me correct the steps.
1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
3. Login RHVH and setup local repos
4. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
5. Reboot and login the new build.
6. grep "avc:  denied" /var/log/audit/audit.log

There will be another AVC bug occurred if we register to RHVM after the upgrade.
I will provide the details test steps and file a new bug.

Thanks.

Comment 5 Ryan Barry 2016-12-07 20:16:14 UTC

I'm still not able to reproduce this. I'll put up a test build later today for QE verification.

Steps taken:

1. Install redhat-virtualization-host-4.0-20161116.1 via interactive anaconda.
2. Register RHVH to RHVM.
3. Login RHVH and setup local repos
4. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161130.0
5. Reboot and login the new build.
6. grep "avc:  denied" /var/log/audit/audit.log

No messages.

I waited about 60 minutes before commenting here just to make sure nothing came up.

Were any other steps taken? Attaching to storage? Setting up networks? Adding VMs?

Comment 7 cshao 2016-12-13 11:25:24 UTC

After two days testing, I can't reproduce this issue anymore.

Test scenarios 1:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Yum update to the latest RHVH.

Test result:
Pass without AVC error.


Test scenarios 2:
1. Install RHVH old version.
2. Yum update to the latest RHVH.
3. Register RHVH to RHVM.
4. Attaching to storage
5. Adding VMs

Test result:
Pass without AVC error.


Test scenarios 3:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Upgrade to the latest RHVH via RHVM.

Test result:
Pass without AVC error.


Test scenarios 4:
Repeat scenario 3 with bond+vlan env.

Test result:
Pass without AVC error.

Comment 8 Fabian Deutsch 2016-12-13 13:03:46 UTC

Moving this out for now according to comment 7

Comment 9 Ying Cui 2017-01-16 14:31:56 UTC

chen, could you take a look at this bug if we can not reproduce this bug on latest 4.0.z build and 4.1 build, we probably consider to close it.

Comment 10 cshao 2017-01-18 11:07:09 UTC

(In reply to Ying Cui from comment #9)
> chen, could you take a look at this bug if we can not reproduce this bug on
> latest 4.0.z build and 4.1 build, we probably consider to close it.


After repeated testing, the bug can't be reproduce anymore on latest 4.0.z(redhat-virtualization-host-4.0-20170104.1 ) build and 4.1(redhat-virtualization-host-4.1-20160116.0) build.

So close this bug as WORKSFORME.

Fell free to re-open this bug if can reproduce it again in the future.

Note You need to log in before you can comment on or make changes to this bug.