1469823 – OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process

Bug 1469823 - OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process

Summary: OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143 comm=...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	11.0 (Ocata)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	urgent
Target Milestone:	z2
Target Release:	11.0 (Ocata)
Assignee:	Lon Hohberger
QA Contact:	Udi Shkalim
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-11 22:07 UTC by Marius Cornea
Modified:	2017-09-13 21:50 UTC (History)
CC List:	10 users (show)
Fixed In Version:	openstack-selinux-0.8.9-0.1.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-09-13 21:50:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
audit log (4.13 MB, text/plain) 2017-07-11 22:08 UTC, Marius Cornea	no flags	Details
audit log (1.71 MB, text/plain) 2017-07-11 22:11 UTC, Marius Cornea	no flags	Details
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2722	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory	2017-09-14 01:48:41 UTC

Internal Links: 1486638 1500813

Description Marius Cornea 2017-07-11 22:07:08 UTC

Description of problem:
After OSP11 to OSP12 undercloud upgrade /var/log/audit/audit.log keeps logging keepalived related avc denials.

Version-Release number of selected component (if applicable):
libselinux-utils-2.5-11.el7.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP11
2. Upgrade undercloud to OSP12

Actual results:
/var/log/audit/audit.log keeps logging keepalived related avc denials.

Expected results:
/var/log/audit/audit.log should be clean of denials.

Additional info:
Attaching audit.log

Comment 1 Marius Cornea 2017-07-11 22:08:21 UTC

Created attachment 1296544 [details]
audit log

Comment 2 Marius Cornea 2017-07-11 22:11:33 UTC

Created attachment 1296546 [details]
audit log

Comment 3 Marius Cornea 2017-07-11 22:39:33 UTC

Checking the audit log it looks that this error is there from the beginning so it's most probably not related to upgrade at all but to OSP11 deployment on RHEL 7.4

Comment 4 Marius Cornea 2017-07-12 12:40:58 UTC

I can confirm the denials are there from OSP11 undercloud deployment, it's not related to upgrade.

Comment 5 Lon Hohberger 2017-08-01 13:19:55 UTC

https://github.com/redhat-openstack/openstack-selinux/commit/bd843a705122ec58bee5bbd2c13509f21822747e

Comment 8 Lon Hohberger 2017-09-01 16:21:31 UTC

Access for the reported AVC is allowed on 0.8.9-0.1

Comment 10 errata-xmlrpc 2017-09-13 21:50:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722

Note You need to log in before you can comment on or make changes to this bug.