1451974 – avc denied errors (logrotate) in audit.log after upgrade

Bug 1451974 - avc denied errors (logrotate) in audit.log after upgrade

Summary: avc denied errors (logrotate) in audit.log after upgrade

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	ovirt-node
Classification:	oVirt
Component:	Installation & Update
Sub Component:
Version:	4.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	ovirt-4.3.2
Target Release:	---
Assignee:	Yuval Turgeman
QA Contact:	Huijuan Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-18 03:59 UTC by Huijuan Zhao
Modified:	2019-03-15 05:56 UTC (History)
CC List:	13 users (show)
Fixed In Version:	imgbased-0.9.42-0.1.el7ev
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-15 05:56:05 UTC
oVirt Team:	Node
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.3+ cshao: testing_ack+

Attachments	(Terms of Use)
All logs(sosreport) on machine hp-dl385pg8-15 (12.91 MB, application/x-gzip) 2017-05-18 04:01 UTC, Huijuan Zhao	no flags	Details
All logs(sosreport) on Dell machine (12.33 MB, application/x-gzip) 2017-05-18 04:02 UTC, Huijuan Zhao	no flags	Details
Comment 11: All logs(sosreport, imgbased.log, /var/log) from host (10.86 MB, application/x-gzip) 2017-08-17 09:17 UTC, Huijuan Zhao	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	80070	0	master	MERGED	osupdater: restore /usr/share for the rpmdb	2021-01-28 11:06:08 UTC
oVirt gerrit	80487	0	ovirt-4.1	MERGED	osupdater: restore /usr/share for the rpmdb	2021-01-28 11:06:08 UTC

Description Huijuan Zhao 2017-05-18 03:59:34 UTC

Description of problem:
avc denied errors (logrotate) in /var/log/audit/audit.log after upgrade.

[root@hp-dl385pg8-15 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1494930121.993:646): avc:  denied  { write } for  pid=4339 comm="logrotate" name="logrotate.status" dev="dm-13" ino=8389660 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494990781.596:1480): avc:  denied  { write } for  pid=28463 comm="logrotate" name="logrotate.status" dev="dm-13" ino=8389660 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file


# imgbase layout
rhvh-4.0-0.20160919.0
 +- rhvh-4.0-0.20160919.0+1
rhvh-4.1-0.20170512.0
 +- rhvh-4.1-0.20170512.0+1


Version-Release number of selected component (if applicable):
1. Before upgrade:
redhat-virtualization-host-4.0-20160919.0
2. After upgrade:
redhat-virtualization-host-4.1-20170512.0
imgbased-0.9.25-0.1.el7ev.noarch
kernel-3.10.0-514.16.1.el7.x86_64


How reproducible:
Tested twice on machine hp-dl385pg8-15(iSCSI disk), reproduced only one time.
Tested one time on dell machine, also encountered this issue.


Steps to Reproduce:
1. Install RHVH 4.0 build redhat-virtualization-host-4.0-20160919.0 via interactive anaconda.
2. Login RHVH, add RHVH to RHVM 4.0(4.0.7.4-0.1.el7ev).
3. Login RHVH, setup local repos and update to rhvh-4.1-20170512.0:
   # yum update
4. Reboot and login the new build rhvh-4.1-20170512.0
5. # grep "avc:  denied" /var/log/audit/audit.log


Actual results:
After step5, avc denied errors (logrotate) in audit.log after upgrade:
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1494930121.993:646): avc:  denied  { write } for  pid=4339 comm="logrotate" name="logrotate.status" dev="dm-13" ino=8389660 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494990781.596:1480): avc:  denied  { write } for  pid=28463 comm="logrotate" name="logrotate.status" dev="dm-13" ino=8389660 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file


Excepted results:
After step5, there should be no avc error.


Additional info:
1. Also encountered this issue once with dell machine when upgrade from rhvh-4.0-0.20160817.0 to rhvh-4.1-0.20170512.0.

[root@dhcp-10-16 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1495076762.123:188): avc:  denied  { write } for  pid=28779 comm="logrotate" name="logrotate.status" dev="dm-9" ino=37750803 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Comment 1 Huijuan Zhao 2017-05-18 04:01:37 UTC

Created attachment 1279863 [details]
All logs(sosreport) on machine hp-dl385pg8-15

Comment 2 Huijuan Zhao 2017-05-18 04:02:43 UTC

Created attachment 1279864 [details]
All logs(sosreport) on Dell machine

Comment 3 Ryan Barry 2017-05-18 06:08:35 UTC

We can probably extend setfiles in osupdater to include /var also

Comment 4 Ryan Barry 2017-07-03 12:24:32 UTC

Is this still reproducible on current 4.1.3 builds (which include a number of selinux fixes?)

Comment 5 Huijuan Zhao 2017-07-03 12:38:23 UTC

(In reply to Ryan Barry from comment #4)
> Is this still reproducible on current 4.1.3 builds (which include a number
> of selinux fixes?)

Yes, still encountered  avc denied errors in audit.log after upgrade to rhvh-4.1-20170629.0.


Test version:
From: redhat-virtualization-host-4.0-20170307.0
To:   redhat-virtualization-host-4.1-20170629.0


Test steps:
Almost same as comment 0


Actual results:
[root@hp-bl460cg9-01 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1499060939.465:22): avc:  denied  { create } for  pid=1863 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1499060939.603:24): avc:  denied  { write } for  pid=1868 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-9" ino=659762 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499061647.042:293): avc:  denied  { execute } for  pid=36569 comm="cockpit-ws" name="cockpit-ssh" dev="dm-9" ino=656381 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 6 Ryan Barry 2017-07-03 12:49:33 UTC

Thanks for the fast response.

We know about the cockpit-ssh issue (which is related to "Other Options" not appearing -- we're waiting for the cockpit team to fix this).

Douglas, can you look at the others?

Comment 7 Huijuan Zhao 2017-07-13 03:15:57 UTC

Actually, when I tested with different versions and different machines, there were different avc denied errors in audit.log after upgrade.

I tested again with rhvh-4.1-0.20170706.0 in two different machines, the detailed info are as below:

Test version:
From: redhat-virtualization-host-4.0-20170307.0
To:   redhat-virtualization-host-4.1-20170706.0 

# imgbase layout
rhvh-4.0-0.20170307.0
 +- rhvh-4.0-0.20170307.0+1
rhvh-4.1-0.20170706.0
 +- rhvh-4.1-0.20170706.0+1


Test steps:
Same as comment 0


Actual results:
1. In machine 1(DELL machine), After step 5:
[root@dhcp-10-16 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1499912994.372:22): avc:  denied  { create } for  pid=1469 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1499912994.648:23): avc:  denied  { write } for  pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499912994.653:24): avc:  denied  { write } for  pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499912994.659:25): avc:  denied  { write } for  pid=1471 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499913062.692:176): avc:  denied  { write } for  pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499913062.693:177): avc:  denied  { write } for  pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499913062.693:178): avc:  denied  { write } for  pid=24004 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=39193719 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

2. In machine 2(IBM server), after step 5:
[root@ibm-x3650m5-04 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1499915080.876:21): avc:  denied  { create } for  pid=1771 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1499915081.173:22): avc:  denied  { write } for  pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499915081.191:23): avc:  denied  { write } for  pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499915081.199:24): avc:  denied  { write } for  pid=1776 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499915102.838:75): avc:  denied  { read } for  pid=3464 comm="iptables" name="xtables.lock" dev="tmpfs" ino=41912 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
type=AVC msg=audit(1499915102.844:76): avc:  denied  { read } for  pid=3465 comm="ip6tables" name="xtables.lock" dev="tmpfs" ino=41912 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
type=AVC msg=audit(1499915130.706:150): avc:  denied  { write } for  pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499915130.707:151): avc:  denied  { write } for  pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1499915130.708:152): avc:  denied  { write } for  pid=21956 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-7" ino=33164336 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


Expected results:
No avc denied errors in audit.log after upgrade.


I will send the two ENVs info via email, please check if needed. Thanks!

Comment 8 Ryan Barry 2017-07-31 22:50:38 UTC

I can't reproduce this. Can you provide a another test system, please?

Comment 9 Huijuan Zhao 2017-08-01 04:07:12 UTC

(In reply to Ryan Barry from comment #8)
> I can't reproduce this. Can you provide a another test system, please?

Sure, I will send test system to you via email once reproduced.

Comment 10 Huijuan Zhao 2017-08-01 08:47:31 UTC

Still encountered avc denied errors after upgrade to redhat-virtualization-host-4.1-20170728.0.

Test version:
From: redhat-virtualization-host-4.0-20170307.1
To:   redhat-virtualization-host-4.1-20170728.0
      imgbased-0.9.36-0.1.el7ev.noarch

# imgbase layout
rhvh-4.0-0.20170307.0
 +- rhvh-4.0-0.20170307.0+1
rhvh-4.1-0.20170728.0
 +- rhvh-4.1-0.20170728.0+1


Test steps:
1. Install rhvh-4.0-0.20170307.0
2. Login rhvh-4.0, setup ntp
   # systemctl enable ntpd
   # systemctl start ntpd
3. Setup local repos and upgrade rhvh to rhvh-4.1-0.20170728.0
   # yum update
4. Reboot and login new layer rhvh-4.1-0.20170728.0, check:
   # grep "avc:  denied" /var/log/audit/audit.log


Actual results:
After step4, there are avc denied errors:

[root@dhcp-10-16 ~]# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1501574101.078:31): avc:  denied  { create } for  pid=1344 comm="abrt-server" name="last-via-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1501574101.436:33): avc:  denied  { write } for  pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1501574101.441:34): avc:  denied  { write } for  pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1501574101.442:35): avc:  denied  { write } for  pid=1347 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1501574172.109:197): avc:  denied  { write } for  pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1501574172.110:198): avc:  denied  { write } for  pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1501574172.111:199): avc:  denied  { write } for  pid=27448 comm="abrt-action-sav" name=".dbenv.lock" dev="dm-6" ino=47975226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file



Already sent the test system to you via email, please check it, thanks!

Comment 11 Huijuan Zhao 2017-08-17 09:12:35 UTC

Still encountered avc denied errors after upgrade to redhat-virtualization-host-4.1-20170816.2.

Test version:
From: redhat-virtualization-host-4.1-20170808.0
To:   redhat-virtualization-host-4.1-20170816.2
      imgbased-0.9.47-0.1.el7ev.noarch

# imgbase layout
rhvh-4.1-0.20170808.0
 +- rhvh-4.1-0.20170808.0+1
rhvh-4.1-0.20170817.0
 +- rhvh-4.1-0.20170817.0+1

Test steps:
1. Install rhvh-4.1-0.20170808.0
2. Setup local repos and upgrade rhvh to rhvh-4.1-0.20170817.0
   # yum update
3. Reboot and login new layer rhvh-4.1-0.20170817.0, check:
   # grep "avc:  denied" /var/log/audit/audit.log

Actual results:
After step3, there are avc denied errors:

# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1502953404.336:192): avc:  denied  { entrypoint } for  pid=10987 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=2628846 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1502953404.341:193): avc:  denied  { sys_chroot } for  pid=10987 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability

So this bug is not fixed completely, I will change the status to ASSIGNED.

Comment 12 Red Hat Bugzilla Rules Engine 2017-08-17 09:12:40 UTC

Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 13 Huijuan Zhao 2017-08-17 09:17:34 UTC

Created attachment 1314604 [details]
Comment 11: All logs(sosreport, imgbased.log, /var/log) from host

Comment 14 Ryan Barry 2017-08-17 11:19:03 UTC

This is a different bug, which seems to be from imgbased (either setfiles_t or one of the rpm %post scripts)

Still a denial, but I'd expect that this occurs while the upgrade is happening.

Comment 15 Ryan Barry 2017-08-23 13:42:04 UTC

It seems like we'll need a rule to allow type transitions to chroot_t...

Comment 16 Yuval Turgeman 2017-08-29 09:23:09 UTC

Hi, I managed to recreate this, setfiles is not failing on these avc denials.  We need to relabel some files on the new image, and we do that by adding the setfiles_t domain into permissive (semanage permissive -a setfiles_t), chrooting and running setfiles.
If setfiles doesn't work, the upgrade process should fail (will miss boot entry, and post script would fail).  This isn't the case, since the upgrade seems to finish correctly.
What we're seeing here is simply what would fail if setfiles_t was in enforcing mode and not permissive.  So I think it's ok - what happens when you reboot to the new image ? Is everything working, or more avc denials occur ?

Comment 17 Huijuan Zhao 2017-08-29 10:34:19 UTC

(In reply to Yuval Turgeman from comment #16)
> Hi, I managed to recreate this, setfiles is not failing on these avc
> denials.  We need to relabel some files on the new image, and we do that by
> adding the setfiles_t domain into permissive (semanage permissive -a
> setfiles_t), chrooting and running setfiles.
> If setfiles doesn't work, the upgrade process should fail (will miss boot
> entry, and post script would fail).  This isn't the case, since the upgrade
> seems to finish correctly.
> What we're seeing here is simply what would fail if setfiles_t was in
> enforcing mode and not permissive.  So I think it's ok - what happens when
> you reboot to the new image ? Is everything working, or more avc denials
> occur ?

Seems normal when reboot to the new image, the basic functions work well.

But actually, there are different avc denied errors randomly. I encountered other avc errors when reproduce this issue according to comment 11.

#  grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1503998323.879:451): avc:  denied  { sendto } for  pid=1078 comm="chronyd" path="/run/chrony/chronyc.9994.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1503998807.392:519): avc:  denied  { entrypoint } for  pid=32674 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=41950365 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1503998807.401:520): avc:  denied  { sys_chroot } for  pid=32674 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability


I will send ENV info to you via email.

Comment 18 Sandro Bonazzola 2017-09-04 07:02:21 UTC

Postponing to 4.2.0 and lowering priority as per comment #17

Comment 19 Ryan Barry 2018-01-13 00:32:51 UTC

Is this still reproducible? If so, can you provide steps?

I'm mostly interested in whether registration to engine is required to reproduce.

Comment 20 Huijuan Zhao 2018-01-15 01:20:40 UTC

Yes, Ryan. Can still encounter this issue, but not every time.
And the avc errors type maybe different.

In my testing, I added the host to engine, then encountered this issue.
Test version:
# imgbase layout
rhvh-4.1-0.20171101.0
 +- rhvh-4.1-0.20171101.0+1
rhvh-4.2.0.6-0.20180104.0
 +- rhvh-4.2.0.6-0.20180104.0+1

The avc denied errors looks like below:
----------------------------------------------------
type=AVC msg=audit(1515415139.863:393): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28447.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415141.865:394): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28447.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415145.879:395): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415146.880:396): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415148.883:397): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28465.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415152.888:398): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415153.889:405): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415155.891:407): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28485.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415159.897:408): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415160.899:409): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415162.901:410): avc:  denied  { sendto } for  pid=988 comm="chronyd" path="/run/chrony/chronyc.28505.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1515415530.029:462): avc:  denied  { entrypoint } for  pid=14449 comm="runcon" path="/usr/sbin/chroot" dev="dm-3" ino=9444622 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1515415530.043:463): avc:  denied  { sys_chroot } for  pid=14449 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1515415545.199:464): avc:  denied  { sys_chroot } for  pid=14455 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1515415545.436:465): avc:  denied  { entrypoint } for  pid=14456 comm="runcon" path="/usr/sbin/chroot" dev="dm-3" ino=9444622 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=USER_AVC msg=audit(1515415684.390:474): pid=974 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.72 spid=31640 tpid=31638 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1515415693.760:475): avc:  denied  { write } for  pid=31649 comm="groupadd" path="/dev/null" dev="tmpfs" ino=80302 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1515415693.773:477): avc:  denied  { write } for  pid=31650 comm="useradd" path="/dev/null" dev="tmpfs" ino=80302 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1515415695.232:479): avc:  denied  { search } for  pid=31640 comm="systemd-machine" name="31639" dev="proc" ino=79517 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1515415695.232:479): avc:  denied  { read } for  pid=31640 comm="systemd-machine" name="cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1515415695.232:479): avc:  denied  { open } for  pid=31640 comm="systemd-machine" path="/proc/31639/cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1515415695.233:480): avc:  denied  { getattr } for  pid=31640 comm="systemd-machine" path="/proc/31639/cgroup" dev="proc" ino=81183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file, not null
---------------------------------------------

Comment 21 Huijuan Zhao 2018-01-15 01:35:49 UTC

Update: 
Did not encounter this issue when upgrade from rhvh-4.0 to rhvh-4.1 with the same machine as comment 20.

Test version:
From: rhvh-4.0-20170307.1
To:   rhvh-4.1-20171228.0

Comment 22 Ryan Barry 2018-01-15 01:59:31 UTC

I wasn't able to reproduce last week. Registration to engine necessary?

Comment 23 Huijuan Zhao 2018-01-15 02:21:41 UTC

Yes, it is also probability appearance in my testing, better to register to engine.

Comment 24 Sandro Bonazzola 2019-01-21 08:31:14 UTC

re-targeting to 4.3.1 since this BZ has not been proposed as blocker for 4.3.0.
If you think this bug should block 4.3.0 please re-target and set blocker flag.

Comment 25 Sandro Bonazzola 2019-02-18 07:57:56 UTC

Moving to 4.3.2 not being identified as blocker for 4.3.1

Comment 26 Huijuan Zhao 2019-02-26 09:43:10 UTC

Still encountered "avc denied" issue in rhvh-4.3.0.5-0.20190225.0 

# imgbase layout
rhvh-4.2.4.3-0.20180622.0
 +- rhvh-4.2.4.3-0.20180622.0+1
rhvh-4.3.0.5-0.20190225.0
 +- rhvh-4.3.0.5-0.20190225.0+1

# imgbase w
You are on rhvh-4.3.0.5-0.20190225.0+1

# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1551159644.494:1170): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159645.496:1171): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159647.498:1173): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23946.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159651.507:1179): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159652.508:1191): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159654.511:1212): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.23984.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159658.516:1225): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159659.518:1226): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551159661.520:1227): avc:  denied  { sendto } for  pid=1111 comm="chronyd" path="/run/chrony/chronyc.24096.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1551160503.353:1634): avc:  denied  { entrypoint } for  pid=1154 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=31464695 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1551160503.355:1635): avc:  denied  { sys_chroot } for  pid=1154 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability

Comment 27 Yuval Turgeman 2019-02-26 09:55:15 UTC

Thanks, please keep in mind that the denials for runcon and chroot are ok, i'll handle the chronyd issue

Comment 28 Sandro Bonazzola 2019-03-12 09:23:36 UTC

Yuval please check if this got fixed in last rebuild

Comment 29 Yuval Turgeman 2019-03-14 09:39:16 UTC

I couldn't reproduce this on RHVH-4.3-20190313.3-RHVH-x86_64-dvd1.iso - can you please check ?

Comment 30 Huijuan Zhao 2019-03-14 10:20:10 UTC

I can not 100% reproduce it on RHVH-4.3-20190313.3-RHVH-x86_64-dvd1.iso. 
Actually just as Comment 20 said, only can encounter it sometimes, and the error type maybe different on different versions.

Test version:
rhvh-4.2.8.3-0.20190219.0
 +- rhvh-4.2.8.3-0.20190219.0+1
rhvh-4.3.0.5-0.20190313.0
 +- rhvh-4.3.0.5-0.20190313.0+1

I tested it manually just now and did not reproduce it.
But in automation log, still encountered it. The avc denied errors looks like below: 
----------------------------------------------------
type=AVC msg=audit(1552543388.102:1269): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543389.103:1271): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543391.105:1272): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26104.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543395.124:1291): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543396.126:1298): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543398.131:1299): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26169.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543402.133:1336): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543403.135:1337): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543405.137:1338): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26264.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543409.144:1340): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543410.146:1341): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543412.148:1342): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26269.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543416.155:1343): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543417.156:1344): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543419.158:1345): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26274.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543423.166:1361): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543424.167:1362): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543426.169:1363): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26409.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543430.175:1364): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543431.176:1371): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543433.178:1372): avc:  denied  { sendto } for  pid=4040 comm="chronyd" path="/run/chrony/chronyc.26419.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552543834.487:1537): avc:  denied  { entrypoint } for  pid=32057 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=3677759 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552543834.491:1538): avc:  denied  { sys_chroot } for  pid=32057 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=USER_AVC msg=audit(1552543894.465:1549): pid=3973 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.163 spid=32125 tpid=32123 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1552543902.998:1554): avc:  denied  { write } for  pid=32132 comm="groupadd" path="/dev/null" dev="tmpfs" ino=131509 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1552543903.014:1556): avc:  denied  { write } for  pid=32133 comm="useradd" path="/dev/null" dev="tmpfs" ino=131509 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmpfs_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1552543904.422:1559): avc:  denied  { search } for  pid=32125 comm="systemd-machine" name="32124" dev="proc" ino=131279 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1552543904.422:1559): avc:  denied  { read } for  pid=32125 comm="systemd-machine" name="cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1552543904.422:1559): avc:  denied  { open } for  pid=32125 comm="systemd-machine" path="/proc/32124/cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1552543904.424:1560): avc:  denied  { getattr } for  pid=32125 comm="systemd-machine" path="/proc/32124/cgroup" dev="proc" ino=132510 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=file permissive=1, not null
-------------------------------------------------------------

I will check more later.

Comment 31 Yuval Turgeman 2019-03-14 10:23:11 UTC

Can you please describe the exact steps to reproduce ? I think you're seeing denials from 4.2.8

Comment 32 Huijuan Zhao 2019-03-15 05:56:05 UTC

(In reply to Yuval Turgeman from comment #31)
> Can you please describe the exact steps to reproduce ? I think you're seeing
> denials from 4.2.8

You are right, after double check, the "chronyc" denials were from 4.2.8.

qiyuan monitored the automation machine before and after upgrade, both had the "chronyc" denials.

I tested it manually with another machine following the exact same steps as automation scripts, both before and after upgrade had the "chronyc" denials.

Test version:
# imgbase layout
rhvh-4.2.8.3-0.20190219.0
 +- rhvh-4.2.8.3-0.20190219.0+1
rhvh-4.3.0.5-0.20190313.0
 +- rhvh-4.3.0.5-0.20190313.0+1

Test steps:
1. Install rhvh-4.2.8.3-0.20190219.0
2. Install http in rhvh:
   #yum install http
3. Register rhvh-4.2.8.3 to rhvm-4.2.7.5
4. Check "#grep "avc:  denied" /var/log/audit/audit.log"
5. Upgrade rhvh-4.2 to rhvh-4.3:
   #yum update
6. Login rhvh-4.3, check "#grep "avc:  denied" /var/log/audit/audit.log"

Test results:
1. After step 4, the output is below:
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1552625707.134:1074): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625708.135:1098): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625710.137:1099): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625714.149:1118): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625715.150:1119): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625717.152:1138): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625721.158:1139): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625722.159:1141): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625724.161:1142): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625728.166:1143): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625729.168:1144): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625731.170:1145): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625735.175:1146): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625736.177:1147): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625738.179:1148): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625742.184:1149): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625743.185:1155): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625745.187:1156): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625749.192:1157): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625750.194:1158): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625752.196:1159): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

2. After step 6, the output is below:
# grep "avc:  denied" /var/log/audit/audit.log
type=AVC msg=audit(1552625707.134:1074): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625708.135:1098): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625710.137:1099): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2567.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625714.149:1118): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625715.150:1119): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625717.152:1138): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2676.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625721.158:1139): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625722.159:1141): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625724.161:1142): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2720.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625728.166:1143): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625729.168:1144): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625731.170:1145): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2726.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625735.175:1146): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625736.177:1147): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625738.179:1148): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2728.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625742.184:1149): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625743.185:1155): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625745.187:1156): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2729.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625749.192:1157): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625750.194:1158): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552625752.196:1159): avc:  denied  { sendto } for  pid=13105 comm="chronyd" path="/run/chrony/chronyc.2732.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1552627763.506:1336): avc:  denied  { entrypoint } for  pid=8368 comm="runcon" path="/usr/sbin/chroot" dev="dm-4" ino=119020782 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552627763.509:1337): avc:  denied  { sys_chroot } for  pid=8368 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1552627769.740:1338): avc:  denied  { sys_chroot } for  pid=8370 comm="chroot" capability=18  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability permissive=1


So according to Comment 27, closing the bug.

Note You need to log in before you can comment on or make changes to this bug.