Bug 1465185 - REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le-selinux Returning: FAIL
REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le-selinux Returning: FAIL
Status: CLOSED DUPLICATE of bug 1422000
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-26 19:46 EDT by zguo
Modified: 2017-06-28 02:01 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-27 06:57:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description zguo 2017-06-26 19:46:58 EDT
Description of problem:

 Running: /usr/sbin/ausearch  -sv no -m AVC -ts  06/26/2017 07:54:23 
SELinux Check: FAIL
SELinux AVC messages found:
----
time->Mon Jun 26 08:49:32 2017
type=SYSCALL msg=audit(1498481372.694:215393): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10014324f08 a2=84800 a3=0 items=0 ppid=6727 pid=6765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481372.694:215393): avc:  denied  { dac_read_search } for  pid=6765 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481372.694:215393): avc:  denied  { dac_override } for  pid=6765 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
----
time->Mon Jun 26 08:49:32 2017
type=SYSCALL msg=audit(1498481372.704:215394): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10014324ec8 a2=84800 a3=0 items=0 ppid=6727 pid=6765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481372.704:215394): avc:  denied  { dac_read_search } for  pid=6765 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481372.704:215394): avc:  denied  { dac_override } for  pid=6765 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
----
time->Mon Jun 26 08:49:32 2017
type=SYSCALL msg=audit(1498481372.884:215395): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10032564a78 a2=84800 a3=0 items=0 ppid=6727 pid=6788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481372.884:215395): avc:  denied  { dac_read_search } for  pid=6788 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481372.884:215395): avc:  denied  { dac_override } for  pid=6788 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
----
time->Mon Jun 26 08:49:32 2017
type=SYSCALL msg=audit(1498481372.884:215396): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10032564a38 a2=84800 a3=0 items=0 ppid=6727 pid=6788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481372.884:215396): avc:  denied  { dac_read_search } for  pid=6788 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481372.884:215396): avc:  denied  { dac_override } for  pid=6788 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
----
time->Mon Jun 26 08:49:33 2017
type=SYSCALL msg=audit(1498481373.034:215397): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10039b09068 a2=84800 a3=0 items=0 ppid=6727 pid=6790 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481373.034:215397): avc:  denied  { dac_read_search } for  pid=6790 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481373.034:215397): avc:  denied  { dac_override } for  pid=6790 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
----
time->Mon Jun 26 08:49:33 2017
type=SYSCALL msg=audit(1498481373.034:215398): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=10039b09028 a2=84800 a3=0 items=0 ppid=6727 pid=6790 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7897 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498481373.034:215398): avc:  denied  { dac_read_search } for  pid=6790 comm="certwatch" capability=2  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1498481373.034:215398): avc:  denied  { dac_override } for  pid=6790 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability
TPSHINT: It is possible that other stable systems activity has caused this issue.
If you are sure that this is the case, you may waive this failure.
If you have any doubts, RE-RUN tps-srpmtest to be sure.
TPSRESULT: REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le-selinux Returning: FAIL

Version-Release number of selected component (if applicable):
.qa.[root@ibm-p8-kvm-lt-guest-07 tps]# rpm -qa| grep selinux
selinux-policy-minimum-3.13.1-164.el7.noarch
pcp-selinux-3.11.8-3.el7.ppc64le
libselinux-python-2.5-6.el7.ppc64le
selinux-policy-devel-3.13.1-164.el7.noarch
selinux-policy-doc-3.13.1-164.el7.noarch
libselinux-utils-2.5-6.el7.ppc64le
selinux-policy-mls-3.13.1-164.el7.noarch
libselinux-devel-2.5-6.el7.ppc64le
libselinux-ruby-2.5-6.el7.ppc64le
pcp-selinux-3.11.8-7.el7.ppc64le
libselinux-debuginfo-2.5-6.el7.ppc64le
selinux-policy-targeted-3.13.1-164.el7.noarch
libselinux-2.5-6.el7.ppc64le
libselinux-static-2.5-6.el7.ppc64le
selinux-policy-3.13.1-164.el7.noarch
selinux-policy-sandbox-3.13.1-164.el7.noarch
.qa.[root@ibm-p8-kvm-lt-guest-07 tps]# hostname
ibm-p8-kvm-lt-guest-07.rhts.eng.bos.redhat.com


How reproducible:
Always on ppc64le system.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le(not ppc64le-selinux) passed.
Comment 2 Honggang LI 2017-06-26 21:14:42 EDT
(In reply to zguo from comment #0)

> TPSRESULT: REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le-selinux
  ^^^^^^^^^^

This string means the rpm rebuilding task was running over an Errata stable system. However, as I know the Errata stable is a sharing resource. QE contacts of Errata tasks will try to "fix" the Errata system to make sure their TPS tasks passed. That means the stable system may not in sanity healthy. The selinux failure may be introduced by someone else to resolve their issue.

You need install a fresh RHEL-7.4 on a ppc64le machine. Then you should tests to confirm this issue:

1) build mvapich2-2.2-1.el7.src.rpm with rpmbuild
2) build mvapich2-2.2-1.el7.src.rpm with mock
Comment 3 Milos Malik 2017-06-27 02:29:59 EDT
I believe this bug is a duplicate of BZ#1422000. The certwatch tool is executed from cron and it has no relation to any TPS jobs.
Comment 4 Lukas Vrabec 2017-06-27 06:57:10 EDT

*** This bug has been marked as a duplicate of bug 1422000 ***
Comment 5 zguo 2017-06-27 23:31:45 EDT
(In reply to Honggang LI from comment #2)
> (In reply to zguo from comment #0)
> 
> > TPSRESULT: REBUILD: mvapich2-2.2-1.el7.src.rpm for ppc64le-selinux
>   ^^^^^^^^^^
> 
> This string means the rpm rebuilding task was running over an Errata stable
> system. However, as I know the Errata stable is a sharing resource. QE
> contacts of Errata tasks will try to "fix" the Errata system to make sure
> their TPS tasks passed. That means the stable system may not in sanity
> healthy. The selinux failure may be introduced by someone else to resolve
> their issue.
> 
> You need install a fresh RHEL-7.4 on a ppc64le machine. Then you should
> tests to confirm this issue:
> 
> 1) build mvapich2-2.2-1.el7.src.rpm with rpmbuild
Succeeded.
> 2) build mvapich2-2.2-1.el7.src.rpm with mock
Could not set up mock running env successfully. 
$ mock --rebuild  mvapich2-2.2-1.el7.src.rpm

......

Downloading packages:
warning: /var/lib/mock/epel-7-ppc64le/root/var/cache/yum/base/packages/perl-HTTP-Tiny-0.033-3.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Retrieving key from file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7


GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7"
Comment 6 Honggang LI 2017-06-28 02:01:32 EDT
(In reply to zguo from comment #5)

> > 1) build mvapich2-2.2-1.el7.src.rpm with rpmbuild
> Succeeded.
> > 2) build mvapich2-2.2-1.el7.src.rpm with mock
> Could not set up mock running env successfully. 
> $ mock --rebuild  mvapich2-2.2-1.el7.src.rpm
> 
> ......
> 
> Downloading packages:
> warning:
> /var/lib/mock/epel-7-ppc64le/root/var/cache/yum/base/packages/perl-HTTP-Tiny-
> 0.033-3.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5:
> NOKEY
> Retrieving key from
> file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7
> 
> 
> GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file
> /usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-7"

This confirmed that mvapich2 building failure is nothing to do with the selinux bug. We can ignore mock failure as the configuration is different from our internal building system.

Note You need to log in before you can comment on or make changes to this bug.