Description of problem:
Having upgraded from 2.0.1 to 2.0.3, the following denial may be spotted in logs of both RHUA and CDS nodes:

type=AVC msg=audit(1335283594.556:33557): avc: denied { unlink } for pid=23455 comm="httpd" name=".23455.1.1.sock" dev=dm-0 ino=2887826 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1335283594.556:33557): arch=c000003e syscall=87 success=yes exit=0 a0=7f0c1b31a588 a1=0 a2=5b9f a3=0 items=0 ppid=1 pid=23455 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=821 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The log is present just once and can't be reproduced by an httpd restart; hence it most likely originates in the upgrade itself. Given that during the upgrade the steps recommend to:
- enable selinux
- restart pulp-server
and that the action being denied is an unlink, one might guess this happens while the httpd daemon is being stopped.

Version-Release number of selected component (if applicable):

How reproducible:
1 of 1

Steps to Reproduce:
1. deploy 2.0.1
2. use recommended steps to upgrade to 2.0.3
3. check the audit log for presence of denials

Actual results:
A denial is present in the audit log

Expected results:
Confirm this is OK and/or put into documentation

Additional info:
N/A
Created attachment 580394 [details]
audit logs

The audit.log.1 had been "rotated" just before the upgrade procedure started. The audit.log thus should contain entries relevant only to the upgrade itself.
interesting, sounds like something that we can treat w/ a lower severity.
recreated..

[root@dhcp231-185 CLIENT]# cat /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1335549744.240:62455): avc: denied { unlink } for pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
[root@dhcp231-185 CLIENT]#
[root@dhcp231-185 CLIENT]#
[root@dhcp231-185 CLIENT]#
[root@dhcp231-185 CLIENT]# service pulp-server restart
Stopping httpd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Stopping mongod: [ OK ]
Starting mongod: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
Starting httpd: [ OK ]
[root@dhcp231-185 CLIENT]# cat /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1335549744.240:62455): avc: denied { unlink } for pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
[root@dhcp231-185 CLIENT]# rpm -qa | grep pulp
m2crypto-0.21.1.pulp-7.el6.x86_64

flipping to 2.1 per tsanders
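Added example, not code from this bug or from the RHUI/pulp project: a small Python parser that extracts AVC records of the kind quoted above from an audit log, keeps only the denial pattern reported here (httpd_t unlinking a sock_file labelled var_t), and pairs each with its SYSCALL record by serial number, since success=yes on the SYSCALL record means the denial was logged without being enforced. The sample log is constructed from the lines in this bug (SYSCALL record abridged) plus one unrelated, made-up denial that the filter must ignore.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug (the SYSCALL record of the
# first one abridged) plus an unrelated constructed denial that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1335283594.556:33557): avc: denied { unlink } for pid=23455 comm="httpd" name=".23455.1.1.sock" dev=dm-0 ino=2887826 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1335283594.556:33557): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=23455 uid=0 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1335549744.240:62455): avc: denied { unlink } for pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
type=AVC msg=audit(1335549800.000:62460): avc: denied { read } for pid=900 comm="sshd" name="moduli" dev=dm-0 ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    # One audit record -> dict with type, ts, serial, result/perms (AVC only) and key=value fields.
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    pm = PERMS_RE.search(body)
    if pm:
        rec["result"], rec["perms"] = pm.group(1), pm.group(2).split()
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def selinux_type(ctx):  # user:role:type:level -> type
    return ctx.split(":")[2] if ctx.count(":") >= 2 else ctx

def find_httpd_socket_unlink_denials(log_text):
    # AVC denials matching this bug: httpd_t unlinking a sock_file labelled var_t. "enforced" is
    # False when the paired SYSCALL record says success=yes (denial only logged, i.e. permissive)
    # and None when no SYSCALL record with the same serial was captured.
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for r in recs:
            if (r["type"] == "AVC" and r.get("result") == "denied" and "unlink" in r.get("perms", [])
                    and r.get("tclass") == "sock_file" and selinux_type(r.get("scontext", "")) == "httpd_t"
                    and selinux_type(r.get("tcontext", "")) == "var_t"):
                findings.append({"serial": serial, "pid": int(r["pid"]), "name": r["name"],
                                 "enforced": None if syscall is None else syscall.get("success") != "yes"})
    return findings
```

Run it against a real /var/log/audit/audit.log by passing the file contents to find_httpd_socket_unlink_denials(); the sock_file name is the per-process socket httpd removes on shutdown, so a hit with enforced=None or False after an upgrade matches the sequence described in this bug.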
update documentation about upgrade to say stop httpd service on the rhua before updating
The instructions for SELinux are only the README, so I've updated them to reflect this requirement.
... and the README does indeed contain the correction in build:
http://download.lab.bos.redhat.com/devel/candidate-trees/RHEL-6.3-RHUI-2.1-20120705.0/2.1.3/Server/x86_64/iso/RHEL-6.3-RHUI-2.1-20120705.0-Server-x86_64-DVD1.iso

== SELinux ==

To enable SELinux first stop the pulp-server service on the RHUA and pulp-cds service on the CDS.

You can now enable SELinux if you so choose on the RHUA and each CDS by editing the /etc/selinux/config file or running "setenforce 1"

Start the pulp-server service on the RHUA and the pulp-cds service on the CDS after enabling SELinux.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Httpd denial appears in both Red Hat Update Appliance (RHUA) and content delivery server (CDS) logs when RHUI is upgraded from 2.0.1 to 2.0.3. Stop the pulp-server service on RHUA and pulp-cds service on the CDS before upgrading to avoid errors.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html