Created attachment 1777571
/var/log

Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc: denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc: denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc: denied { create } for pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc: denied { create } for pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc: denied { write } for pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log
Additional info:
~~~~~~~~
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

# imgbase w
You are on rhvh-4.4.6.1-0.20210426.0+1

# imgbase layout
rhvh-4.4.5.4-0.20210330.0
 +- rhvh-4.4.5.4-0.20210330.0+1
rhvh-4.4.6.1-0.20210426.0
 +- rhvh-4.4.6.1-0.20210426.0+1
~~~~~~~~
Opened bug #1955461 to cover the gluster related denials.
Opened bug #1955466 to track the remaining denials.
I replaced the audit.log file and rebooted the host again, but the "avc: denied" errors still appeared in the new audit.log.
(In reply to peyu from comment #14)
> I replaced the audit.log file and rebooted the host again, but the "avc:
> denied" errors still appeared in the new audit.log.

Can I access the system?
Sure, the information will be sent to you via Google chat.
Sent you the information of the system/machine via Google chat.
*** Bug 1955428 has been marked as a duplicate of this bug. ***
pending on the new 4.4.7 build to verify it
*** Bug 1955466 has been marked as a duplicate of this bug. ***
QE verified this bug on "redhat-virtualization-host-4.4.7-20210624.0.el8_4".

Test version:
RHVH: redhat-virtualization-host-4.4.7-20210624.0.el8_4
RHVM: 4.4.6.8-0.1.el8ev

Steps to Reproduce:
1. Install RHVH-4.4-20210615.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.7-20210624.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc: denied' /var/log/audit/audit.log

Test results:
RHVH upgrade is successful. After upgrade, there is no "AVC denied" error in audit.log.

Will move the bug Status to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.7]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2736