2020997 – RHVH 4.4: There are AVC denied errors in audit.log after upgrade

Bug 2020997 - RHVH 4.4: There are AVC denied errors in audit.log after upgrade

Summary: RHVH 4.4: There are AVC denied errors in audit.log after upgrade

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	redhat-virtualization-host
Sub Component:
Version:	4.4.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Yedidyah Bar David
QA Contact:	cshao
Docs Contact:
URL:
Whiteboard:
Depends On:	1955415 1955461 1955466 2063871 2082147 2095184
Blocks:	2111410
TreeView+	depends on / blocked

Reported:	2021-11-08 03:39 UTC by peyu
Modified:	2022-08-10 12:21 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1955415
Clones:	2111410 (view as bug list)
Environment:
Last Closed:	2022-08-10 12:21:59 UTC
oVirt Team:	Node
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHV-43935	0	None	None	None	2021-11-08 03:43:33 UTC

Comment 2 peyu 2021-11-08 04:06:17 UTC

This issue occurred again when RHVH was upgraded from rhvh-4.4.8.1-0.20210903.0+1 to rhvh-4.4.9.2-0.20211104.0+1.

Comment 5 Michal Skrivanek 2022-04-25 12:42:15 UTC

since these are platform's AVC denials it should probably be retested with RHEL 8.6. Do we have any results?

Comment 32 Zdenek Pytela 2022-08-01 14:30:26 UTC

As momd seems to be the service, can you try

  # chcon -t virtd_exec_t /usr/sbin/momd

and reproduce again? This change will persist reboot, but not reinstallation.

Comment 43 Michal Skrivanek 2022-08-10 08:07:17 UTC

so...everything works ok and we can close the bug, right?

Comment 44 Martin Perina 2022-08-10 12:21:59 UTC

Mentioned AVC denials are raised during RHVH upgrade, where we have a custom way how to apply selinux updates due to differences between RHVH and RHELH. As those AVC denials are raised only during upgrade phase and the host is fully functional after reboot (which is the last phase of an upgrade), closing this bug as deferred, because we don't have enough resources to reimplement selinux update code in RHVH

Note You need to log in before you can comment on or make changes to this bug.