Bug 1469823 – OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process

Bug 1469823 - OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process

Summary:	OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm=...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux (Show other bugs)
Sub Component:
Version:	11.0 (Ocata)
Hardware:	Unspecified Unspecified

Priority	high Severity urgent
Target Milestone:	z2
Target Release:	11.0 (Ocata)
Assigned To:	Lon Hohberger
QA Contact:	Udi Shkalim
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged, ZStream

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-07-11 18:07 EDT by Marius Cornea
Modified:	2017-09-13 17:50 EDT (History)
CC List:	10 users (show)

See Also:
Fixed In Version:	openstack-selinux-0.8.9-0.1.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-09-13 17:50:42 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
audit log (4.13 MB, text/plain) 2017-07-11 18:08 EDT, Marius Cornea	no flags	Details
audit log (1.71 MB, text/plain) 2017-07-11 18:11 EDT, Marius Cornea	no flags	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Marius Cornea 2017-07-11 18:07:08 EDT

Description of problem:
After OSP11 to OSP12 undercloud upgrade /var/log/audit/audit.log keeps logging keepalived related avc denials.

Version-Release number of selected component (if applicable):
libselinux-utils-2.5-11.el7.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP11
2. Upgrade undercloud to OSP12

Actual results:
/var/log/audit/audit.log keeps logging keepalived related avc denials.

Expected results:
/var/log/audit/audit.log should be clean of denials.

Additional info:
Attaching audit.log

Comment 1 Marius Cornea 2017-07-11 18:08 EDT

Created attachment 1296544 [details]
audit log

Comment 2 Marius Cornea 2017-07-11 18:11 EDT

Created attachment 1296546 [details]
audit log

Comment 3 Marius Cornea 2017-07-11 18:39:33 EDT

Checking the audit log it looks that this error is there from the beginning so it's most probably not related to upgrade at all but to OSP11 deployment on RHEL 7.4

Comment 4 Marius Cornea 2017-07-12 08:40:58 EDT

I can confirm the denials are there from OSP11 undercloud deployment, it's not related to upgrade.

Comment 5 Lon Hohberger 2017-08-01 09:19:55 EDT

https://github.com/redhat-openstack/openstack-selinux/commit/bd843a705122ec58bee5bbd2c13509f21822747e

Comment 8 Lon Hohberger 2017-09-01 12:21:31 EDT

Access for the reported AVC is allowed on 0.8.9-0.1

Comment 10 errata-xmlrpc 2017-09-13 17:50:42 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722

Note You need to log in before you can comment on or make changes to this bug.