Bug 816473 - Updating from 2.0.1 to 2.0.3 an httpd denial present in audit log
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: RHUA
Version: 2.1
Hardware: Unspecified Unspecified
Priority: high, Severity: unspecified
Assigned To: James Slagle
QA Contact: wes hayutin

Reported: 2012-04-26 03:44 EDT by mkovacik
Modified: 2012-08-24 09:26 EDT

Doc Type: Bug Fix
Doc Text:
Httpd denial appears in both Red Hat Update Appliance (RHUA) and content delivery server (CDS) logs when RHUI is upgraded from 2.0.1 to 2.0.3. Stop the pulp-server service on RHUA and pulp-cds service on the CDS before upgrading to avoid errors.
Last Closed: 2012-08-24 07:54:25 EDT
Type: Bug

Attachments:
audit logs (171.42 KB, application/zip), 2012-04-26 03:58 EDT, mkovacik

Description mkovacik 2012-04-26 03:44:34 EDT
Description of problem:
Having upgraded from 2.0.1 to 2.0.3, the following denial may be spotted in the logs of both RHUA and CDS nodes:

  type=AVC msg=audit(1335283594.556:33557): avc:  denied  { unlink } for  pid=23455 comm="httpd" name=".23455.1.1.sock" dev=dm-0 ino=2887826 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
  type=SYSCALL msg=audit(1335283594.556:33557): arch=c000003e syscall=87 success=yes exit=0 a0=7f0c1b31a588 a1=0 a2=5b9f a3=0 items=0 ppid=1 pid=23455 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=821 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The log is present just once and can't be reproduced by an httpd restart, hence it most likely originates in the upgrade itself. Given that the upgrade steps recommend to:
- enable selinux
- restart pulp-server
and that the action being denied is an unlink, one might guess this happens while the httpd daemon is being stopped.

Version-Release number of selected component (if applicable):


How reproducible:
1 of 1

Steps to Reproduce:
1. deploy 2.0.1
2. use recommended steps to upgrade to 2.0.3
3. check the audit log for presence of denials
  
Actual results:
A denial is present in audit log

Expected results:
Confirm this is OK and/or put into documentation

Additional info:
N/A
Comment 1 mkovacik 2012-04-26 03:58:28 EDT
Created attachment 580394 [details]
audit logs

The audit.log.1 had been "rotated" just before the upgrade procedure started. The audit.log thus should contain entries relevant only to the upgrade itself.
Comment 2 wes hayutin 2012-04-26 08:52:00 EDT
interesting, sounds like something that we can treat w/ a lower severity.
Comment 3 wes hayutin 2012-04-27 14:25:47 EDT
recreated..

[root@dhcp231-185 CLIENT]# cat /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1335549744.240:62455): avc:  denied  { unlink } for  pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
[root@dhcp231-185 CLIENT]# 
[root@dhcp231-185 CLIENT]# 
[root@dhcp231-185 CLIENT]# 
[root@dhcp231-185 CLIENT]# service pulp-server restart
Stopping httpd:                                            [  OK  ]
Stopping Qpid AMQP daemon:                                 [  OK  ]
Stopping mongod:                                           [  OK  ]
Starting mongod:                                           [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
Starting httpd:                                            [  OK  ]
[root@dhcp231-185 CLIENT]# cat /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1335549744.240:62455): avc:  denied  { unlink } for  pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file
[root@dhcp231-185 CLIENT]# rpm -qa | grep pulp
m2crypto-0.21.1.pulp-7.el6.x86_64


flipping to 2.1 per tsanders
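
Added example, not part of the original comments: comparing audit event ids (the timestamp:serial pair in msg=audit(...)) rather than two grep outputs shows whether a restart produced a new denial or the log still holds only the earlier one. The function names and the second sample line are constructed for illustration.

```python
import re

# Header of an SELinux AVC denial record; "id" is the audit event id (timestamp:serial).
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<id>\d+\.\d+:\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denial quoted in comment 3 of this report.
PAGE_LINE = ('type=AVC msg=audit(1335549744.240:62455): avc:  denied  { unlink } for  '
             'pid=46640 comm="httpd" name=".46640.0.1.sock" dev=dm-0 ino=25165830 '
             'scontext=unconfined_u:system_r:httpd_t:s0 '
             'tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file')
# Constructed sample: a later event, used only to show what a fresh denial looks like.
CONSTRUCTED_LINE = PAGE_LINE.replace('1335549744.240:62455', '1335550000.000:62999') \
                            .replace('46640', '47000')

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A SYSCALL record may be glued onto the same line; keep only the AVC part.
    body = m.group('fields').split(' type=', 1)[0]
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec['perms'] = m.group('perms').split()
    rec['event'] = m.group('id')
    return rec

def denials(log_text):
    """Index denials by audit event id so re-reading the log does not double count."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return {rec['event']: rec for rec in parsed if rec}

def new_denials(before, after):
    """Denials present in the second snapshot only."""
    return [after[e] for e in sorted(set(after) - set(before))]

def is_httpd_socket_unlink(rec):
    """True for the pattern in this report: httpd_t unlinking a var_t sock_file."""
    return ('unlink' in rec['perms'] and rec['tclass'] == 'sock_file'
            and rec['scontext'].split(':')[2] == 'httpd_t'
            and rec['tcontext'].split(':')[2] == 'var_t')

if __name__ == '__main__':
    before = denials(PAGE_LINE)   # snapshot before the restart
    after = denials(PAGE_LINE)    # snapshot after: same event id, nothing new
    print('new after restart:', new_denials(before, after))
    fresh = denials(PAGE_LINE + '\n' + CONSTRUCTED_LINE)
    print('with a fresh event:', len(new_denials(before, fresh)))
```
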
Comment 4 James Slagle 2012-05-29 13:32:24 EDT
update documentation about upgrade to say stop httpd service on the rhua before updating
Comment 5 James Slagle 2012-06-11 13:19:44 EDT
The instructions for SELinux are only in the README, so I've updated them to reflect this requirement.
Comment 6 mkovacik 2012-07-19 08:17:03 EDT
... and the README does indeed contain the correction in build: http://download.lab.bos.redhat.com/devel/candidate-trees/RHEL-6.3-RHUI-2.1-20120705.0/2.1.3/Server/x86_64/iso/RHEL-6.3-RHUI-2.1-20120705.0-Server-x86_64-DVD1.iso

== SELinux ==

To enable SELinux first stop the pulp-server service on the RHUA and pulp-cds
service on the CDS.

You can now enable SELinux if you so choose on the RHUA and each CDS by
editing the /etc/selinux/config file or running "setenforce 1"

Start the pulp-server service on the RHUA and the pulp-cds service on the CDS
after enabling SELinux.
Comment 7 Julie 2012-08-15 14:54:08 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Httpd denial appears in both Red Hat Update Appliance (RHUA) and content delivery server (CDS) logs when RHUI is upgraded from 2.0.1 to 2.0.3. Stop the pulp-server service on RHUA and pulp-cds service on the CDS before upgrading to avoid errors.
Comment 9 errata-xmlrpc 2012-08-24 07:54:25 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html
