Bug 1469823 - OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
11.0 (Ocata)
Unspecified Unspecified
high Severity urgent
: z2
: 11.0 (Ocata)
Assigned To: Lon Hohberger
Udi Shkalim
: Triaged, ZStream
Reported: 2017-07-11 18:07 EDT by Marius Cornea
Modified: 2017-09-13 17:50 EDT
Fixed In Version: openstack-selinux-0.8.9-0.1.el7ost
Last Closed: 2017-09-13 17:50:42 EDT
Type: Bug

Attachments
audit log (4.13 MB, text/plain)
2017-07-11 18:08 EDT, Marius Cornea
audit log (1.71 MB, text/plain)
2017-07-11 18:11 EDT, Marius Cornea

Description Marius Cornea 2017-07-11 18:07:08 EDT
Description of problem:
After the OSP11 to OSP12 undercloud upgrade, /var/log/audit/audit.log keeps logging keepalived-related avc denials.

Version-Release number of selected component (if applicable):
libselinux-utils-2.5-11.el7.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP11
2. Upgrade undercloud to OSP12

Actual results:
/var/log/audit/audit.log keeps logging keepalived-related avc denials.

Expected results:
/var/log/audit/audit.log should be clean of denials.

Additional info:
Attaching audit.log
Comment 1 Marius Cornea 2017-07-11 18:08 EDT
Created attachment 1296544
audit log
Comment 2 Marius Cornea 2017-07-11 18:11 EDT
Created attachment 1296546
audit log
Comment 3 Marius Cornea 2017-07-11 18:39:33 EDT
Checking the audit log, it looks like this error is there from the beginning, so it's most probably not related to the upgrade at all but to OSP11 deployment on RHEL 7.4.
Comment 4 Marius Cornea 2017-07-12 08:40:58 EDT
I can confirm the denials are there from OSP11 undercloud deployment; it's not related to upgrade.
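
The check made in comments 3 and 4 (whether the denials predate the upgrade) can be done by grouping AVC records by rule and reading off the first timestamp. The following is an added example, not part of the bug report or of openstack-selinux; the sample log lines and their timestamps are constructed, using the denial fields from the bug title.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample in audit.log format: timestamps and the USER_LOGIN line are
# made up; the keepalived denial fields are the ones quoted in the bug title.
SAMPLE_LOG = """\
type=AVC msg=audit(1499700000.101:210): avc:  denied  { setpgid } for  pid=1999 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
type=USER_LOGIN msg=audit(1499700050.000:215): pid=2100 uid=0 msg='op=login acct="stack" res=success'
type=AVC msg=audit(1499810828.554:9120): avc:  denied  { setpgid } for  pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by rule; record count and first/last epoch seconds."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        ts = int(m["ts"])
        for perm in m["perms"].split():  # one record may list several permissions
            key = (m["comm"], src, tgt, m["tclass"], perm)
            g = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
            g["count"] += 1
            g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
    return groups

def allow_rule(key):
    """Render the denial as the policy rule that would permit it (audit2allow style)."""
    _, src, tgt, tclass, perm = key
    return f"allow {src} {'self' if src == tgt else tgt}:{tclass} {perm};"

if __name__ == "__main__":
    for key, g in summarize_denials(SAMPLE_LOG).items():
        first = datetime.fromtimestamp(g["first"], timezone.utc).isoformat()
        print(f'{key[0]}: {g["count"]} denials, first seen {first} -> {allow_rule(key)}')
```

Comparing the first-seen time of each group against the time the upgrade started shows whether a denial was introduced by the upgrade or was already present after the initial deployment.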
Comment 8 Lon Hohberger 2017-09-01 12:21:31 EDT
Access for the reported AVC is allowed on 0.8.9-0.1
Comment 10 errata-xmlrpc 2017-09-13 17:50:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722
