Bug 862263 - "selinux denials" check of stsclient-cloud-plugin may not find SELinux denials if setroubleshoot is not installed or its service is disabled
Status: CLOSED EOL
Product: Red Hat Certification Program
Classification: Red Hat
Component: redhat-certification-cloud
1.0
All Linux
medium Severity medium
Assigned To: sankarshan
Swati Goswami
Blocks: 873112
Reported: 2012-10-02 09:40 EDT by Satoru SATOH
Modified: 2015-10-26 09:05 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-26 09:05:21 EDT
Type: Bug

Description Satoru SATOH 2012-10-02 09:40:49 EDT
Description of problem:

There is code in
stsclient-2.0-3:/usr/lib/python2.6/site-packages/stsclient_cloud_plugin/security.py
such as:

def selinux_denials():
    """Check for SELinux denials and capture raw output from sealert
    Returns "" if no denial otherwise sealert output for denial.
    """
    alerts = []
    output = ""

    try:
        alerts = re.findall(r"^.*setroubleshoot:.*(sealert\s-l\s.*)", \
                                open("/var/log/messages", 'r').read(), \
                                re.MULTILINE)
    ...


It doesn't seem worthwhile to grep 'setroubleshoot' in
/var/log/messages if setroubleshoot is not installed
in CCP guest images. And this (setroubleshoot is not
installed) may be common in RHEL server systems.


IMHO, it would be better to check if the audit service is
enabled *and* grep 'avc: denied' from /var/log/audit/audit.log
(or utilize ausearch or whatever similar dedicated tools),
as a typical SELinux denial message looks like the following:

type=AVC msg=audit(1348570890.401:721): avc:  denied  { execute } for
pid=27481 comm="restorecon" path="/usr/lib64/libselinux.so.1"
dev="tmpfs"...


Version-Release number of selected component (if applicable):
stsclient{,-cloud-plugin}-2.0-3


Actual results: I cannot find SELinux denials if setroubleshoot is
not installed or its service is disabled.


Expected results: It can find SELinux denials.


Additional info:
Past logs (/var/log/messages.*) may be candidates to search for SELinux denials

Comment 2 Satoru SATOH 2015-06-14 22:51:07 EDT
I've looked at the corresponding code in ccp-client and it's also the same [1].
In addition, searching /var/log/messages for SELinux AVC denials is just
wrong in RHEL 7.


[1] selinux_denials() in
    usr/lib/python2.7/site-packages/rhcert/suites/cloud/selinux_checks.py
    in ccp-client-2.0-1.el7.
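
One way to implement the audit-log check suggested in the description, as an added example (not stsclient or ccp-client code, and written for Python 3 rather than the Python 2.6/2.7 of those packages). Reading rotated logs through a glob and returning None when no audit log is readable are assumptions of this example, so that "could not check" is never reported as "no denials".

```python
import glob
import re

# Matches records such as:
# type=AVC msg=audit(1348570890.401:721): avc:  denied  { execute } for ...
AVC_RE = re.compile(
    r"^type=(?:AVC|USER_AVC) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$",
    re.MULTILINE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per 'avc: denied' record in audit log text."""
    denials = []
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        rec.update(timestamp=float(m.group("ts")), serial=int(m.group("serial")),
                   perms=m.group("perms").split())
        denials.append(rec)
    return denials


def selinux_denials(pattern="/var/log/audit/audit.log*"):
    """Return denials from current and rotated logs, or None if unreadable.
    None means "could not check"; callers must not report it as a pass."""
    texts = []
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, errors="replace") as fh:
                texts.append(fh.read())
        except OSError:
            continue  # e.g. not running as root
    if not texts:
        return None
    return parse_avc_denials("\n".join(texts))


# Constructed sample; the first record follows the shape quoted in the report.
SAMPLE = (
    'type=AVC msg=audit(1348570890.401:721): avc:  denied  { execute } for '
    'pid=27481 comm="restorecon" path="/usr/lib64/libselinux.so.1" dev="tmpfs"\n'
    'type=SYSCALL msg=audit(1348570890.401:721): arch=c000003e syscall=9\n'
    'type=AVC msg=audit(1348570891.100:722): avc:  granted  { read } for pid=1\n'
)

if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE):
        print(d["timestamp"], d["comm"], d["perms"], d.get("path"))
```

Whether auditd is enabled still has to be checked separately, as the report notes; an empty list from a host where auditing is off is not evidence of a clean system.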