Bug 1406673 - avc denied errors (dev="tmpfs") in audit.log
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.6.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-3.6.10
Assignee: Douglas Schilling Landgraf
QA Contact: cshao
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks:
Reported: 2016-12-21 08:33 UTC by cshao
Modified: 2017-01-23 14:12 UTC (History)
Clone Of:
Last Closed: 2017-01-23 14:12:17 UTC


Attachments
/var/log/*.*; /tmp/log; sosreport; (6.05 MB, application/x-gzip)
2016-12-21 08:33 UTC, cshao


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:0185 | normal | SHIPPED_LIVE | ovirt-node bug fix and enhancement update for RHEV 3.6.10 | 2017-01-24 17:55:58 UTC
oVirt gerrit | 69878 | None | None | None | 2017-01-09 22:01 UTC
oVirt gerrit | 69881 | None | None | None | 2017-01-09 22:02 UTC

Description cshao 2016-12-21 08:33:50 UTC
Created attachment 1234261 [details]
/var/log/*.*; /tmp/log; sosreport;

Description of problem:
After RHEVH is installed, there are AVC denied errors (dev="tmpfs") in audit.log.

type=AVC msg=audit(1482319168.924:51): avc:  denied  { read } for  pid=1998 comm="iptables" name="xtables.lock" dev="tmpfs" ino=23877 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file


Version:
rhev-hypervisor7-7.2-20161220.0
ovirt-node-3.6.1-15.0.el7ev.noarch
selinux-policy-3.13.1-60.el7_2.9.noarch


How reproducible:
100%

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to rhevh,
# grep "avc:  denied" /var/log/audit/audit.log
  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.

Comment 1 Ryan Barry 2016-12-22 13:35:45 UTC
The only package changed here was the kernel, so I'd be somewhat surprised if this was new.

Can this be reproduced on 3.6.10? If not, I'd suggest that we close this once 3.6.10

Comment 3 cshao 2016-12-23 02:35:07 UTC
(In reply to Ryan Barry from comment #1)
> The only package changed here was the kernel, so I'd be somewhat surprised
> if this was new.
> 
> Can this be reproduced on 3.6.10? If not, I'd suggest that we close this
> once 3.6.10

This error can be reproduced on 3.6.10 as well.

Test version:
RHEV-H 7.3 for RHEV 3.6.10 (rhev-hypervisor7-7.3-20161028.1)
ovirt-node-3.6.1-34.0.el7ev.noarch
selinux-policy-3.13.1-102.el7.noarch

# cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 7.3 (20161028.1.el7ev)

# 
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1482459394.399:25): avc:  denied  { read write } for  pid=1297 comm="lldpad" name="lldpad.state" dev="tmpfs" ino=18471 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
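
Added example, not part of the original bug report or any commenter's post: a small Python parser that does what the `grep "avc:  denied"` step does, then breaks each record into source type, target type, class and permissions and filters on `dev="tmpfs"`. The embedded sample is the two AVC lines quoted in this report; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug report (description and comment 3).
SAMPLE_LOG = '''\
type=AVC msg=audit(1482319168.924:51): avc:  denied  { read } for  pid=1998 comm="iptables" name="xtables.lock" dev="tmpfs" ino=23877 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1482459394.399:25): avc:  denied  { read write } for  pid=1297 comm="lldpad" name="lldpad.state" dev="tmpfs" ino=18471 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
'''

# "avc:  denied  { perms } for  key=value ..." (spacing varies, so match \s+).
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type:level[:categories] context."""
    return context.split(':')[2]


def summarize(log_text, dev=None):
    """Group denials by (comm, source type, target type, class, name).

    If dev is given, only records on that device (e.g. "tmpfs") are kept.
    Permissions denied for the same key are merged into one sorted list.
    """
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (dev and rec.get('dev') != dev):
            continue
        key = (rec['comm'], selinux_type(rec['scontext']),
               selinux_type(rec['tcontext']), rec['tclass'], rec['name'])
        summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == '__main__':
    for (comm, src, tgt, tclass, name), perms in summarize(SAMPLE_LOG, 'tmpfs').items():
        print(f'{comm}: {src} -> {tgt}:{tclass} {{ {" ".join(perms)} }} on {name}')
```

On the sample, both denials are for files on tmpfs: `xtables.lock` labeled `var_run_t` and `lldpad.state` labeled `tmpfs_t`.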

Comment 4 Fabian Deutsch 2016-12-23 12:10:06 UTC
Please also check if this is reproducible on RHEL-H - I could imagine that it is as well.

Comment 5 Ying Cui 2016-12-23 12:59:38 UTC
(In reply to Fabian Deutsch from comment #4)
> Please also check if this is reproducible on RHEL-H - I could imagine that
> it is as well.

This is a vintage RHEV-H 7.3 _ONLY_ bug. I can recall that during the last RHVH 4.0.6 build testing, Chen did not mention such an error. From this bug description, it is 100% reproducible on vintage RHEV-H 7.3.

Chen, correct me if needed.

Comment 6 Ryan Barry 2016-12-23 16:36:12 UTC
This looks very similar to rhbz#1401208 (also on 7.3).

That bug was not 100% reproducible, but the same bug appearing on two streams makes me wonder if it's also reproducible on RHEL, since vintage and NGN don't share any appreciable amount of code.

Comment 7 Ryan Barry 2016-12-23 16:36:57 UTC
Seems that the autolinking is gone:

https://bugzilla.redhat.com/show_bug.cgi?id=1401208

Comment 8 cshao 2016-12-26 06:12:04 UTC
(In reply to Fabian Deutsch from comment #4)
> Please also check if this is reproducible on RHEL-H - I could imagine that
> it is as well.

No such issue on RHEL-H (RHEL-7.3-20161019.0-Server-x86_64-dvd1.iso + selinux-policy-3.7.19-231.el6.noarch).

Comment 9 Fabian Deutsch 2017-01-02 09:45:08 UTC
Interesting. Then we really need to understand why we get this AVC on RHVH.

Can you please also check RHEL-H with /var on a separate LV?

Comment 10 Fabian Deutsch 2017-01-03 10:24:22 UTC
My bad, it's vintage Node.

Comment 11 cshao 2017-01-03 11:22:55 UTC
Cancelling the needinfo flag according to #c10.

Comment 13 cshao 2017-01-11 03:14:56 UTC
Test version:
rhev-hypervisor7-7.3-20170110.1
ovirt-node-3.6.1-40.0.el7ev.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

Test steps:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to rhevh,
# grep "avc:  denied" /var/log/audit/audit.log

Test result:
No avc denied errors in audit.log.

So the bug is fixed by build rhev-hypervisor7-7.3-20170110.1. I will verify this bug once the bug status is ON_QA.

Comment 14 cshao 2017-01-12 11:16:03 UTC
Verifying this bug according to #c13.

