Bug 1469823 - OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
Summary: OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm=...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: z2
: 11.0 (Ocata)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-11 22:07 UTC by Marius Cornea
Modified: 2017-09-13 21:50 UTC (History)
10 users (show)

Fixed In Version: openstack-selinux-0.8.9-0.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-13 21:50:42 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
audit log (4.13 MB, text/plain)
2017-07-11 22:08 UTC, Marius Cornea
no flags Details
audit log (1.71 MB, text/plain)
2017-07-11 22:11 UTC, Marius Cornea
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2722 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-09-14 01:48:41 UTC

Internal Links: 1486638 1500813

Description Marius Cornea 2017-07-11 22:07:08 UTC
Description of problem:
After OSP11 to OSP12 undercloud upgrade /var/log/audit/audit.log keeps logging keepalived related avc denials.

Version-Release number of selected component (if applicable):
libselinux-utils-2.5-11.el7.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP11
2. Upgrade undercloud to OSP12

Actual results:
/var/log/audit/audit.log keeps logging keepalived related avc denials.

Expected results:
/var/log/audit/audit.log should be clean of denials.

Additional info:
Attaching audit.log

Comment 1 Marius Cornea 2017-07-11 22:08:21 UTC
Created attachment 1296544 [details]
audit log

Comment 2 Marius Cornea 2017-07-11 22:11:33 UTC
Created attachment 1296546 [details]
audit log

Comment 3 Marius Cornea 2017-07-11 22:39:33 UTC
Checking the audit log it looks that this error is there from the beginning so it's most probably not related to upgrade at all but to OSP11 deployment on RHEL 7.4

Comment 4 Marius Cornea 2017-07-12 12:40:58 UTC
I can confirm the denials are there from OSP11 undercloud deployment, it's not related to upgrade.

Comment 8 Lon Hohberger 2017-09-01 16:21:31 UTC
Access for the reported AVC is allowed on 0.8.9-0.1

Comment 10 errata-xmlrpc 2017-09-13 21:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722


Note You need to log in before you can comment on or make changes to this bug.