Created attachment 1228939
/var/log; /tmp; sosreport

Description of problem:
sshd_t denials in audit.log after upgrade

# imgbase layout
rhvh-4.0-0.20160817.0
 +- rhvh-4.0-0.20160817.0+1
rhvh-4.0-0.20161206.0
 +- rhvh-4.0-0.20161206.0+1

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.0-20161206.0
imgbased-0.8.11-0.1.el7ev.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install rhvh-4.0-0.20160817.0 (GA build) via interactive anaconda.
2. Log in to RHVH and set up local repos.
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161206.0.
4. Reboot and log in to the new build.
5. Register RHVH to RHVM.
6. grep "avc: denied" /var/log/audit/audit.log

Actual results:
sshd_t denials in audit.log after upgrade

type=AVC msg=audit(1481093835.835:378): avc: denied { name_bind } for pid=5377 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1481094473.549:62): avc: denied { name_bind } for pid=1523 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket

Expected results:
No avc denied errors in audit.log.

Additional info:
No such issue on a clean RHVH (no update) 4.0.6 build.
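The grep in step 6 returns raw records. As an added example (not part of the original report or of any Red Hat tooling), the Python below parses AVC denial lines and groups repeats by source type, permission, target type, class and port, which makes it easier to compare audit.log before and after an upgrade. The function names are hypothetical, and the SYSCALL line in the sample is constructed.

```python
import re
from collections import Counter

# The two AVC records are the ones quoted in the report above; the SYSCALL
# line is constructed here to show that non-AVC records are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1481093835.835:378): avc: denied { name_bind } for pid=5377 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1481094473.549:62): avc: denied { name_bind } for pid=1523 comm="sshd" src=2223 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ovirt_vmconsole_host_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1481094473.549:62): arch=c000003e syscall=49 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit.log line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    src = fields.get("src", "")
    return {
        "event": (float(m["ts"]), int(m["serial"])),
        "perms": tuple(m["perms"].split()),
        "comm": fields.get("comm"),
        "port": int(src) if src.isdigit() else None,  # only set for socket denials
        "source_type": selinux_type(fields.get("scontext")),
        "target_type": selinux_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }


def summarize(log_text):
    """Count denials per (source type, perms, target type, class, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source_type"], rec["perms"], rec["target_type"],
                    rec["tclass"], rec["port"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```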

I also cannot reproduce this.

Steps taken:

Steps to Reproduce:
1. Install rhvh-4.0-0.20160817.0 (GA build) via interactive anaconda.
2. Login RHVH and setup local repos
3. Upgrade RHVH from the old version to redhat-virtualization-host-4.0-20161206.0
4. Reboot and login the new build.
5. Register RHVH to RHVM.
6. grep "avc: denied" /var/log/audit/audit.log

No entries. From audit.log, I also tried starting a VM. Still no entries.

More explanation for the GA build version in comment 0: it should be RHVH-4.0-20160822.8-RHVH-x86_64-dvd1.iso with redhat-virtualization-host-4.0-20160817.0.x86_64.liveimg.squashfs.

Moving this out because this bug cannot be reproduced reliably.

Do you know the functional impact of this bug?

Could you please report the two involved ovirt-vmconsole packages? E.g. upgrading from 1.0.1 to 1.0.4? We fixed issues like this not long ago.

(In reply to Fabian Deutsch from comment #5)
> Do you know the functional impact of this bug?

It seems to have no effect during my testing.

(In reply to Francesco Romani from comment #6)
> could you please report the two involved ovirt-vmconsole packages? E.g.
> upgrading from 1.0.1 to 1.0.4 ? We fixed issues like this not long ago.

# imgbase w
[INFO] You are on rhvh-4.0-0.20160817.0+1
# rpm -qa | grep ovirt-vmconsole
ovirt-vmconsole-1.0.4-1.el7ev.noarch

# imgbase w
[INFO] You are on rhvh-4.0-0.20161206.0+1
[root@dhcp-66-146-222 ~]# rpm -qa | grep ovirt-vmconsole
ovirt-vmconsole-1.0.4-1.el7ev.noarch

After two days of testing, I can't reproduce this issue anymore.

Test scenario 1:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Yum update to the latest RHVH.
Test result: Pass without AVC error.

Test scenario 2:
1. Install RHVH old version.
2. Yum update to the latest RHVH.
3. Register RHVH to RHVM.
4. Attaching to storage
5. Adding VMs
Test result: Pass without AVC error.

Test scenario 3:
1. Install RHVH old version.
2. Register RHVH to RHVM.
3. Attaching to storage
4. Adding VMs
5. Upgrade to the latest RHVH via RHVM.
Test result: Pass without AVC error.

Test scenario 4:
Repeat scenario 3 with bond+vlan env.
Test result: Pass without AVC error.

Chen, could you take a look at this bug? If we cannot reproduce this bug on the latest 4.0.z build and 4.1 build, we will probably consider closing it.

(In reply to Ying Cui from comment #9)
> chen, could you take a look at this bug if we can not reproduce this bug on
> latest 4.0.z build and 4.1 build, we probably consider to close it.

After repeated testing, the bug can't be reproduced anymore on the latest 4.0.z (redhat-virtualization-host-4.0-20170104.1) build and 4.1 (redhat-virtualization-host-4.1-20160116.0) build.

So close this bug as WORKSFORME. Feel free to re-open this bug if you can reproduce it again in the future.