Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 623566 - capture problems emerged during reservesys [beaker doesn't catch AVC denial]
capture problems emerged during reservesys [beaker doesn't catch AVC denial]
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: beah (Show other bugs)
0.5
All Linux
medium Severity medium (vote)
: future_maint
: ---
Assigned To: Bill Peck
: FutureFeature
Depends On:
Blocks: 545868
  Show dependency treegraph
 
Reported: 2010-08-12 03:40 EDT by Petr Sklenar
Modified: 2012-10-07 18:35 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 623952 (view as bug list)
Environment:
Last Closed: 2012-10-04 00:52:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Sklenar 2010-08-12 03:40:44 EDT
Description of problem:
I have one test which cause avc denial but beaker doesn't recorded

Version-Release number of selected component (if applicable):
beaker.engineering.redhat.com
Version - 0.5.53 

How reproducible:
deterministic

Steps to Reproduce:
1. schedule one same test causing avc denial on many machines
2. one will pass and other will fail
  
Actual results:
beaker doesn't catch a avc denial

Expected results:
beaker have to record it

Additional info:
beaker says pass but there is avc denial:
https://beaker.engineering.redhat.com/jobs/11637

denial is:

      Beaker Test information:
                         HOSTNAME=tyan-gt24-07.rhts.eng.bos.redhat.com
                            JOBID=11637
                         RECIPEID=21462
                    RESULT_SERVER=127.0.0.1:7090
                           DISTRO=RHEL5-Server-U5
                     ARCHITECTURE=x86_64
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
[root@tyan-gt24-07 ~]# cat /var/log/audit/audit.log | grep den
type=AVC msg=audit(1281512936.256:18): avc:  denied  { read write } for  pid=3778 comm="ifconfig" path="socket:[11811]" dev=sockfs ino=11811 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1281512936.256:18): avc:  denied  { read append } for  pid=3778 comm="ifconfig" path="/var/beah/journals/beakerlc.journal" dev=dm-0 ino=4228414 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1281512936.412:19): avc:  denied  { read write } for  pid=3779 comm="ifconfig" path="socket:[12064]" dev=sockfs ino=12064 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1281513938.365:114): avc:  denied  { getattr } for  pid=19429 comm="osa-dispatcher" path="/etc/krb5.conf" dev=dm-0 ino=17105499 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
[root@tyan-gt24-07 ~]# date
Thu Aug 12 03:36:01 EDT 2010


beaker says fail which is OK
https://beaker.engineering.redhat.com/jobs/11716
Comment 2 Marian Csontos 2010-08-12 10:18:40 EDT
Does not look like a too serious problem to me:

Try strftime("%Y%m%d-%H%M%S", 1281512936)
20100811-094856

So this happened long after your task has finished - see console:

  08/11/10 03:49:14  JobID:11637 Test:/distribution/install Response:1
  08/11/10 03:49:14  testID:270934 start:
  08/11/10 03:49:21  testID:270934 finish:
  08/11/10 03:49:33  JobID:11637 Test:/CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop Response:1
  08/11/10 03:49:33  testID:270935 start:
  [-- MARK -- Wed Aug 11 03:50:00 2010] 
  [-- MARK -- Wed Aug 11 03:55:00 2010] 
  [-- MARK -- Wed Aug 11 04:00:00 2010] 
  [-- MARK -- Wed Aug 11 04:05:00 2010] 
  08/11/10 04:05:55  testID:270935 finish:
  08/11/10 04:06:06  JobID:11637 Test:/distribution/reservesys Response:1
  08/11/10 04:06:06  testID:270936 start:
  08/11/10 04:06:06  JobID:11637 Test:/distribution/reservesys Response:1
   INIT: version 2.86 reloading 
  [-- MARK -- Wed Aug 11 04:10:00 2010] 
  [-- MARK -- Wed Aug 11 04:15:00 2010] 

So the AVC warning was risen well after your task has finished...
I expect you were running some test manually while machine was reservesys'ed.

Would you expect task to report the future warning as well? ;-)

I will (one day) add AVC reporting to reservesys...
Comment 3 Petr Sklenar 2010-08-12 11:33:52 EDT
There is job https://beaker.engineering.redhat.com/jobs/11637
and test /CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop caused AVC denial not me during reservesys.

Look at job https://beaker.engineering.redhat.com/jobs/11716 for the same avc which was catched by beaker.

I looked into machine when /distribution/reservesys was running, then recipe was manually canceled.

> So the AVC warning was risen well after your task has finished...

Is it possible that AVC appears when /CoreOS/Spacewalk/Installer/Sanity/Whole-installation/SW-nightly-PostgreSQL-porkchop was finished due to slow setroubleshooter or something like that? 

> Would you expect task to report the future warning as well? ;-)
yes, please can you implement :) ?
Comment 4 Marian Csontos 2010-08-13 02:47:55 EDT
Yes, I saw the test which fails, but I presume selinux reports denials with correct timestamp and will rely on it unless there is a BZ attached here.

I do not think setroubleshooter has anything to do with it: IIUC it is only processing the logged event... And it is unlikely 5+ hour delay would be caused by slow setroubleshooter.

More likely there is a RHN process running in the background (osa-dispatcher is my hot candidate) triggering an action (cron or own mechanism) which results in AVC denial:

type=AVC msg=audit(1281513938.365:114): avc:  denied  { getattr } for 
pid=19429 comm="osa-dispatcher" path="/etc/krb5.conf" dev=dm-0 ino=17105499
scontext=system_u:system_r:osa_dispatcher_t:s0
tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

The remaining denials are mine. There is no policy for harness at the moment, so it is not a surprise...
Comment 5 Jan Pazdziora 2010-08-13 03:29:41 EDT
(In reply to comment #2)
> Does not look like a too serious problem to me:
> 
> Try strftime("%Y%m%d-%H%M%S", 1281512936)
> 20100811-094856
> 
> So this happened long after your task has finished - see console:
> 
>   08/11/10 03:49:14  JobID:11637 Test:/distribution/install Response:1
>   08/11/10 03:49:14  testID:270934 start:
>   08/11/10 03:49:21  testID:270934 finish:
>   08/11/10 03:49:33  JobID:11637

Please repeat the computation with timezones taken into account.
Comment 8 Bill Peck 2012-09-04 13:26:40 EDT
This should be solved now.  We clear the avc log between each test run now.
Comment 9 Dan Callaghan 2012-10-04 00:52:36 EDT
Assuming this is fixed now.
Comment 10 Jan Pazdziora 2012-10-04 03:11:01 EDT
Could we change NOTABUG to CURRENTRELEASE?
Comment 11 Dan Callaghan 2012-10-07 18:35:37 EDT
Sure, resolution changed, though I don't see that it makes much difference to anything...

Note You need to log in before you can comment on or make changes to this bug.