Bug 484653 - AVC denials upon osa-dispatcher start
AVC denials upon osa-dispatcher start
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
Depends On:
Blocks: 457079
  Show dependency treegraph
Reported: 2009-02-09 05:10 EST by Jan Pazdziora
Modified: 2009-09-10 15:11 EDT (History)
2 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-10 15:11:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Pazdziora 2009-02-09 05:10:24 EST
Description of problem:

When Satellite is finished installing and installer says

* Restarting services.
Installation complete.

AVC denials related to osa-dispatcher appear in audit.log.

Version-Release number of selected component (if applicable):


How reproducible:

Seen once.

Steps to Reproduce:
1. Run installer, with something like ./install.pl --disconnected --run-updater
2. Run tail -f /var/log/audit/audit.log | grep AVC
Actual results:

type=AVC msg=audit(1233931612.812:279): avc:  denied  { getsched } for  pid=24065 comm="osa-dispatcher" scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:system_r:osa_dispatcher_t:s0 tclass=process
type=AVC msg=audit(1233931612.815:280): avc:  denied  { sys_nice } for  pid=24065 comm="osa-dispatcher" capability=23 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:system_r:osa_dispatcher_t:s0 tclass=capability
type=AVC msg=audit(1233931612.815:280): avc:  denied  { setsched } for  pid=24065 comm="osa-dispatcher" scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:system_r:osa_dispatcher_t:s0 tclass=process
type=AVC msg=audit(1233931612.824:281): avc:  denied  { getattr } for  pid=24065 comm="osa-dispatcher" path="/tmp" dev=dm-0 ino=1502913 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1233931612.824:282): avc:  denied  { read } for  pid=24065 comm="osa-dispatcher" name="tmp" dev=dm-0 ino=1502913 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1233931613.695:283): avc:  denied  { chown } for  pid=24065 comm="osa-dispatcher" capability=0 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:system_r:osa_dispatcher_t:s0 tclass=capability
type=AVC msg=audit(1233931613.697:284): avc:  denied  { fowner } for  pid=24065 comm="osa-dispatcher" capability=3 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:system_r:osa_dispatcher_t:s0 tclass=capability
type=AVC msg=audit(1233931614.101:285): avc:  denied  { node_bind } for  pid=24065 comm="osa-dispatcher" saddr= scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket

Expected results:

No osa-dispatcher-related ABC denials.

Additional info:
Comment 1 Jan Pazdziora 2009-02-09 06:51:05 EST
I've now seen the same issue on RHEL 4, with Satellite-5.3.0-RHEL4-re20090206.1 (i386).
Comment 2 Jan Pazdziora 2009-02-11 03:50:44 EST
Addressed in Spacewalk, commits a9be07b51b0cd2546e84f7816c4d431d09328024, 732ef53481b549e066fc8f81cd25164ac4057459, and eb4002c6afb3d77ac1a33e22310825f57e6c866d.

Available in osad-5.9.5-1.
Comment 3 wes hayutin 2009-02-21 11:37:30 EST
*** Bug 486742 has been marked as a duplicate of this bug. ***
Comment 4 Jan Pazdziora 2009-02-24 07:30:47 EST
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
Comment 5 wes hayutin 2009-03-09 16:11:08 EDT
Comment 6 Miroslav Suchý 2009-08-26 07:29:32 EDT
[root@xen5 ~]# getenforce; echo EEEEEEEEE >>/var/log/audit/audit.log; /etc/init.d/osa-dispatcher restart ; grep -A 999999999 EEEEEEEEE  /var/log/audit/audit.log |grep denied
Shutting down osa-dispatcher:                              [  OK  ]
Starting osa-dispatcher:                                   [  OK  ]

verified in stage on xen5
Comment 7 Brandon Perkins 2009-09-10 15:11:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.