Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1406673

Summary: avc denied errors (dev="tmpfs") in audit.log
Product: Red Hat Enterprise Virtualization Manager
Reporter: cshao <cshao>
Component: ovirt-node
Assignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED CURRENTRELEASE
QA Contact: cshao <cshao>
Severity: high
Docs Contact:
Priority: high
Version: 3.6.9
CC: amarchuk, cshao, dguo, dougsland, fdeutsch, gklein, huzhao, jiawu, leiwang, lsurette, mgoldboi, rbarry, weiwang, yaniwang, ycui, ykaul, yzhao
Target Milestone: ovirt-3.6.10
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: rhev-hypervisor7-7.3-20170110.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-23 14:12:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: /var/log/*.*; /tmp/log; sosreport; (flags: none)

Description cshao 2016-12-21 08:33:50 UTC
Created attachment 1234261
/var/log/*.*; /tmp/log; sosreport;

Description of problem:
After RHEVH is installed, there are AVC denied errors (dev="tmpfs") in audit.log.

type=AVC msg=audit(1482319168.924:51): avc:  denied  { read } for  pid=1998 comm="iptables" name="xtables.lock" dev="tmpfs" ino=23877 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file


Version:
rhev-hypervisor7-7.2-20161220.0
ovirt-node-3.6.1-15.0.el7ev.noarch
selinux-policy-3.13.1-60.el7_2.9.noarch


How reproducible:
100%

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux in enforcing mode by default.
2. Log in to RHEV-H,
# grep "avc:  denied" /var/log/audit/audit.log
  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.

Comment 1 Ryan Barry 2016-12-22 13:35:45 UTC
The only package changed here was the kernel, so I'd be somewhat surprised if this was new.

Can this be reproduced on 3.6.10? If not, I'd suggest that we close this once 3.6.10

Comment 3 cshao 2016-12-23 02:35:07 UTC
(In reply to Ryan Barry from comment #1)
> The only package changed here was the kernel, so I'd be somewhat surprised
> if this was new.
> 
> Can this be reproduced on 3.6.10? If not, I'd suggest that we close this
> once 3.6.10

This error can be reproduced on 3.6.10 as well.

Test version:
RHEV-H 7.3 for RHEV 3.6.10 (rhev-hypervisor7-7.3-20161028.1)
ovirt-node-3.6.1-34.0.el7ev.noarch
selinux-policy-3.13.1-102.el7.noarch

# cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 7.3 (20161028.1.el7ev)

# 
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1482459394.399:25): avc:  denied  { read write } for  pid=1297 comm="lldpad" name="lldpad.state" dev="tmpfs" ino=18471 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
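
The grep used in this bug returns raw records. As an added example (not part of the original report and not Red Hat tooling), the sh/awk function below reduces the AVC denials for one device to one line per distinct denial. The function names are illustrative, and the third sample record is constructed.

```shell
#!/bin/sh
# Added example: summarise AVC denials for one device (default: tmpfs).
# Output per distinct denial: count comm source_type target_type tclass name perms
# Limitation: values containing spaces (e.g. comm="a b") are not handled.
avc_summary() {
    awk -v want="${1:-tmpfs}" '
    # Value of key=value or key="value" in the current record, or "-".
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "-"
    }
    # SELinux type: third part of user:role:type:level.
    function setype(ctx,    p) {
        return (split(ctx, p, ":") >= 3) ? p[3] : "-"
    }
    /type=AVC/ && /avc:[ ]+denied/ {
        if (field("dev") != want) next
        perms = $0
        sub(/^.*[{] */, "", perms)   # drop everything up to the opening brace
        sub(/ *[}].*$/, "", perms)   # drop the closing brace and the rest
        gsub(/ /, ",", perms)        # "read write" -> "read,write"
        key = field("comm") " " setype(field("scontext"))
        key = key " " setype(field("tcontext")) " " field("tclass")
        key = key " " field("name") " " perms
        seen[key]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# The first two records are quoted from this bug; the third is constructed
# (hypothetical process and file) to show the device filter.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1482319168.924:51): avc:  denied  { read } for  pid=1998 comm="iptables" name="xtables.lock" dev="tmpfs" ino=23877 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1482459394.399:25): avc:  denied  { read write } for  pid=1297 comm="lldpad" name="lldpad.state" dev="tmpfs" ino=18471 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1500000000.000:1): avc:  denied  { read } for  pid=1 comm="exampled" name="example.conf" dev="dm-0" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# On a host: avc_summary tmpfs < /var/log/audit/audit.log
sample_records | avc_summary tmpfs
```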

Comment 4 Fabian Deutsch 2016-12-23 12:10:06 UTC
Please also check if this is reproducible on RHEL-H - I could imagine that it is as well.

Comment 5 Ying Cui 2016-12-23 12:59:38 UTC
(In reply to Fabian Deutsch from comment #4)
> Please also check if this is reproducible on RHEL-H - I could imagine that
> it is as well.

This is a vintage RHEV-H 7.3 _ONLY_ bug. As I recall, during the last RHVH 4.0.6 build testing, Chen did not mention such an error. From this bug description, it is 100% reproducible on vintage RHEV-H 7.3.

Chen, correct me if needed.

Comment 6 Ryan Barry 2016-12-23 16:36:12 UTC
This looks very similar to rhbz#1401208 (also on 7.3).

That bug was not 100% reproducible, but the same bug appearing on two streams makes me wonder if it's also reproducible on RHEL, since vintage and NGN don't share any appreciable amount of code.

Comment 7 Ryan Barry 2016-12-23 16:36:57 UTC
Seems that the autolinking is gone:

https://bugzilla.redhat.com/show_bug.cgi?id=1401208

Comment 8 cshao 2016-12-26 06:12:04 UTC
(In reply to Fabian Deutsch from comment #4)
> Please also check if this is reproducible on RHEL-H - I could imagine that
> it is as well.

No such issue on RHEL-H (RHEL-7.3-20161019.0-Server-x86_64-dvd1.iso + selinux-policy-3.7.19-231.el6.noarch).

Comment 9 Fabian Deutsch 2017-01-02 09:45:08 UTC
Interesting. Then we really need to understand why we get this AVC on RHVH.

Can you please also check RHEL-H with /var on a separate LV?

Comment 10 Fabian Deutsch 2017-01-03 10:24:22 UTC
My bad, it's vintage Node.

Comment 11 cshao 2017-01-03 11:22:55 UTC
Cancelling the needinfo flag according to #c10.

Comment 13 cshao 2017-01-11 03:14:56 UTC
Test version:
rhev-hypervisor7-7.3-20170110.1
ovirt-node-3.6.1-40.0.el7ev.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

Test steps:
1. RHEV-H installed successfully. SELinux in enforcing mode by default.
2. Log in to RHEV-H,
# grep "avc:  denied" /var/log/audit/audit.log

Test result:
No avc denied errors in audit.log.

So the bug is fixed by build rhev-hypervisor7-7.3-20170110.1. I will verify this bug once the bug status is ON_QA.

Comment 14 cshao 2017-01-12 11:16:03 UTC
Verifying this bug according to #c13.