1569226 – selinux denies sshd access to lastlog on overcloud nodes

Bug 1569226 - selinux denies sshd access to lastlog on overcloud nodes

Summary: selinux denies sshd access to lastlog on overcloud nodes

Keywords:
Status:	CLOSED DUPLICATE of bug 1543914
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	13.0 (Queens)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Lon Hohberger
QA Contact:	Udi Shkalim
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-18 20:10 UTC by Pavel Sedlák
Modified:	2018-04-19 15:43 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-19 15:43:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Pavel Sedlák 2018-04-18 20:10:48 UTC

In osp13-director deployment i've noticed selinux avc denials on all overcloud nodes (used one controller, compute and ceph node, found this denial on each of them):

> type=AVC msg=audit(1524079572.998:2482): avc:  denied  { read } for  pid=20936 comm="sshd" name="lastlog" dev="vda2" ino=14075748 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=AVC msg=audit(1524079572.998:2483): avc:  denied  { read write } for  pid=20936 comm="sshd" name="lastlog" dev="vda2" ino=14075748 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

atm it's unclear to me what is triggering it neither if it breaks anything.


openstack-selinux.noarch            0.8.14-1.el7ost    @rhos-13.0-signed        

ceph-selinux.x86_64                 2:12.2.1-46.el7cp  @rhos-13.0-ceph-3-mon-signed
container-selinux.noarch            2:2.55-1.el7       @rhos-13.0-rhel-7-extras-signed
libselinux-python.x86_64            2.5-12.el7         @anaconda/7.5            
libselinux-ruby.x86_64              2.5-12.el7         @rhos-13.0-rhel-7-signed 
libselinux-utils.x86_64             2.5-12.el7         @anaconda/7.5            
libselinux.x86_64                   2.5-12.el7         @anaconda/7.5            
selinux-policy.noarch               3.13.1-192.el7     @anaconda/7.5            
selinux-policy-targeted.noarch      3.13.1-192.el7     @anaconda/7.5            
shadow-utils.x86_64                 2:4.1.5.1-24.el7   @anaconda/7.5

Comment 2 Lon Hohberger 2018-04-19 15:43:00 UTC


*** This bug has been marked as a duplicate of bug 1543914 ***

Note You need to log in before you can comment on or make changes to this bug.