Bug 906684 - [Installation-RHEL-6.4]cgrulesengd has "AVC" record in /var/log/audit/audit.log on node
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 1.1.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Brenton Leanhardt
QA Contact: libra bugs
URL:
Whiteboard:
Depends On: 917966
Blocks:
Reported: 2013-02-01 08:43 UTC by xjia
Modified: 2015-07-20 00:52 UTC
CC List: 6 users

Fixed In Version: selinux-policy-mls-3.7.19-195.el6_4.2.noarch.rpm
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 913673
Environment:
Last Closed: 2013-03-13 11:41:51 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Bugzilla  ID: 915519  Private: no  Priority: high  Status: CLOSED  Summary: Devenv burning 100% CPU on cgrulesengd  Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 915519

Description xjia 2013-02-01 08:43:16 UTC
Description of problem:
After install node, then check the selinux log : there will be some AVC message in the log file.

type=SYSCALL msg=audit(1359701540.208:211863): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fffdc48a8a0 a2=400 a3=0 items=0 ppid=1 pid=20921 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359701540.208:211864): avc:  denied  { read } for  pid=20921 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
http://download.englab.nay.redhat.com/pub/rhel/rel-eng/RHEL6.4-20130130.0/6.4/Server/x86_64/
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.1.z/2013-01-30.2/
libselinux-utils-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch
selinux-policy-targeted-3.7.19-195.el6.noarch
libselinux-2.0.94-5.3.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Finish installing node
2. Check the log file "/var/log/audit/audit.log"

Actual results:
type=AVC msg=audit(1359701540.208:211864): avc:  denied  { read } for  pid=20921 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

Expected results:
No such error

Additional info:
There will be more log entries in /var/log/message:
Feb  1 15:05:30 node CGRE[20921]: Warning: cannot write tid 31998 to /cgroup/all/openshift/46ad84fd669f464c8dc15e8e217abb47//tasks:No such process
Feb  1 15:05:30 node CGRE[20921]: Warning: cgroup_attach_task_pid failed: 50016
Feb  1 15:05:30 node CGRE[20921]: Warning: failed to apply the rule. Error was: 50016

[root@node1 run]# ll -Z cgred.*
-rw-r--r--. root root  system_u:object_r:initrc_var_run_t:s0 cgred.pid
srw-rw----. root cgred system_u:object_r:cgred_var_run_t:s0 cgred.socket

Comment 3 Brenton Leanhardt 2013-02-01 16:53:00 UTC
cat'ing those two lines into "audit2allow -r" suggests the following.  I don't think this is OpenShift related so I'm going to search BZ for an upstream bug.

require {
        type cgred_t;
        type inotifyfs_t;
        class dir read;
}

#============= cgred_t ==============
allow cgred_t inotifyfs_t:dir read;

Comment 5 Miroslav Grepl 2013-02-04 11:11:25 UTC
Are you getting only these AVC msgs?


Could you execute

# setenforce 0

re-test it

# ps -eZ |grep initrc

# ausearch -m avc -ts recent

# setenforce 1

Comment 6 xjia 2013-02-04 11:58:28 UTC
[root@node ~]# setenforce 0
[root@node ~]# ps -eZ |grep initrc
system_u:system_r:openshift_initrc_t:s0-s0:c0.c1023 1496 ? 00:06:12 ruby
system_u:system_r:openshift_initrc_t:s0-s0:c0.c1023 15360 ? 00:00:00 sh <defunct>
system_u:system_r:openshift_initrc_t:s0-s0:c0.c1023 21723 ? 00:00:00 haproxy
[root@node ~]# ausearch -m avc -ts recent
----
time->Mon Feb  4 06:47:06 2013
type=SYSCALL msg=audit(1359978426.667:16668336): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fff71f2c000 a2=400 a3=0 items=0 ppid=1 pid=1367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668336): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Mon Feb  4 06:47:06 2013
type=SYSCALL msg=audit(1359978426.667:16668337): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fff71f2c000 a2=400 a3=0 items=0 ppid=1 pid=1367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668337): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Mon Feb  4 06:47:06 2013
type=SYSCALL msg=audit(1359978426.667:16668338): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fff71f2c000 a2=400 a3=0 items=0 ppid=1 pid=1367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668338): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Mon Feb  4 06:47:06 2013
type=SYSCALL msg=audit(1359978426.667:16668339): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fff71f2c000 a2=400 a3=0 items=0 ppid=1 pid=1367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668339): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Mon Feb  4 06:47:06 2013
type=SYSCALL msg=audit(1359978426.667:16668340): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fff71f2c000 a2=400 a3=0 items=0 ppid=1 pid=1367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668340): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
<--snip-->

Comment 7 Miroslav Grepl 2013-02-04 12:43:11 UTC
Does everything work correctly with a local policy?

Comment 8 Brenton Leanhardt 2013-02-04 14:02:42 UTC
Hi Miroslav,

What do you mean by a local policy exactly?

Comment 9 Miroslav Grepl 2013-02-19 14:55:46 UTC
I meant

# grep cgruleseng /var/log/audit/audit.log |audit2allow -R -M mypol
# semodule -i mypol.pp

Comment 10 Brenton Leanhardt 2013-02-19 15:48:24 UTC
Yes, after running those commands the denials stopped happening.  Here is the module that was generated:

policy_module(mypol, 1.0)

require {
        type cgred_t;
}

#============= cgred_t ==============
fs_list_inotifyfs(cgred_t)

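What Comment 3 (audit2allow -r) and Comments 9 and 10 (audit2allow -R -M, semodule -i) do by hand is parse the AVC records and collapse them into allow rules. The following is an added example, not code from this bug report, from selinux-policy or from libcgroup: a small Python script that parses AVC lines in the format pasted in Comments 3 and 6, merges permissions per (source type, target type, class) the way audit2allow -r does, and also decodes the hex-encoded exe= field visible in Comment 6. Audit hex-encodes a field when the value contains a space, and that value decodes to "/sbin/cgrulesengd (deleted)", meaning the daemon was still running an unlinked copy of its binary after a package update. The sample log is trimmed from the records on this page; the function names are the example's own.

```python
#!/usr/bin/env python3
"""Mini audit2allow: turn SELinux AVC denial records into the require block
and allow rules a local policy module (.te) would need, and decode the
hex-encoded exe= field that audit emits when a value contains a space.

Added example for this bug report; not part of selinux-policy or libcgroup.
Function names (parse_avc_denials, render_policy, exe_paths,
decode_audit_field) are this example's own."""
import re
from collections import defaultdict

# Constructed sample input: the SYSCALL record is trimmed to the fields this
# script reads; the AVC records are the ones pasted in Comment 6 of the bug.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1359978426.667:16668336): arch=c000003e syscall=0 success=no exit=-13 pid=1367 auid=4294967295 uid=0 comm="cgrulesengd" exe=2F7362696E2F636772756C6573656E6764202864656C6574656429 subj=system_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1359978426.667:16668336): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1359978426.667:16668337): avc:  denied  { read } for  pid=1367 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXE_RE = re.compile(r"\bexe=(?P<exe>\S+)")


def decode_audit_field(value):
    """Audit prints a field quoted when it is plain, and as an unquoted hex
    string when it contains a space, a quote or a control byte."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # e.g. (null) or a bare token: leave as-is


def type_of(context):
    """user:role:type[:range] -> type; works for targeted and MLS ranges."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Denials for the same triple are merged, which is what lets many
    repeated records collapse into a single allow rule."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, CWD and other record types
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def _perm_set(perms):
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_policy(denials):
    """Emit raw allow rules in the shape 'audit2allow -r' prints (Comment 3).
    This does not map rules onto reference-policy interfaces such as
    fs_list_inotifyfs(); that is what 'audit2allow -R' adds (Comment 10)."""
    types, per_class = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        per_class[cls].update(perms)
    lines = ["require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (cls, _perm_set(sorted(p)))
              for cls, p in sorted(per_class.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append("allow %s %s:%s %s;" % (src, tgt, cls, _perm_set(sorted(perms))))
    return "\n".join(lines)


def exe_paths(text):
    """Decoded exe= values. A trailing ' (deleted)' means the file the
    process was started from has since been unlinked or replaced, i.e. the
    package was updated and the daemon was never restarted."""
    return sorted({decode_audit_field(m["exe"]) for m in EXE_RE.finditer(text)})


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(render_policy(found))
    print("# exe fields:", ", ".join(exe_paths(SAMPLE_AUDIT_LOG)))
```

Run on the sample it prints the same require block and "allow cgred_t inotifyfs_t:dir read;" that Comment 3 shows. To turn such output into a loadable module the usual sequence is checkmodule -M -m -o mypol.mod mypol.te, semodule_package -o mypol.pp -m mypol.mod and semodule -i mypol.pp; review each generated rule first, since audit2allow only transcribes whatever was denied, and as this thread concludes, the correct fix for a denial in a stock daemon is an updated distribution policy rather than a permanent local allow.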
Comment 11 Miroslav Grepl 2013-02-20 16:12:14 UTC
ok, we need to create a policy bug.

Comment 12 Brenton Leanhardt 2013-02-21 18:54:02 UTC
I'm moving this out of 1.1.1 since it will be fixed in base RHEL.  I have cloned the bug there.

Comment 15 xjia 2013-03-13 02:17:17 UTC
Version:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.1.z/2013-03-06.1/

Verify:
1) verifying cgrulesengd denials and 100% cpu utilization on my dev environment
2) upgrade to selinux-policy-mls-3.7.19-195.el6_4.2.noarch.rpm
[root@node ~]# rpm -qa | grep selinux | grep policy
selinux-policy-targeted-3.7.19-195.el6_4.2.noarch
[root@node ~]# grep SELINUXTYPE /etc/selinux/config
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

3) smoke tested that everything worked as expected without having to restart cgrulesengd
https://tcms.engineering.redhat.com/run/58770/ 

I will create another bug for tracing the warning message in /var/log/message.

Comment 16 Brenton Leanhardt 2013-03-13 11:41:51 UTC
I'm closing this bug since the actual fix shipped with RHEL6.4.  Thanks for the help!

