Bug 912709 - When create jenkins app, there will be some AVC message in audit.log
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 1.1.1
Hardware: Unspecified Unspecified
Priority: low
Severity: low
Assigned To: Brenton Leanhardt
QA Contact: libra bugs
Keywords: Triaged
Reported: 2013-02-19 08:32 EST by xjia
Modified: 2017-03-08 12 EST
Doc Type: Bug Fix
Last Closed: 2013-07-09 14:59:01 EDT
Type: Bug


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2013:1032 normal SHIPPED_LIVE Red Hat OpenShift Enterprise 1.2 Node Release Advisory 2013-07-09 18:57:19 EDT

Description xjia 2013-02-19 08:32:26 EST
Description of problem:
Create a jenkins app, see the log in /var/log/audit/audit.log on node.

Version-Release number of selected component (if applicable):
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.1.z/2013-02-18.3


How reproducible:
always

Steps to Reproduce:
1. Create a jenkins app
rhc app create jenkins jenkins 
2. On node:  tailf /var/log/audit/audit.log | grep java


Actual results:
[root@node1 ~]# tailf /var/log/audit/audit.log | grep java
type=AVC msg=audit(1361280256.039:65402152): avc:  denied  { name_bind } for  pid=25490 comm="java" src=5353 scontext=system_u:system_r:openshift_t:s0:c0,c507 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1361280256.039:65402152): arch=c000003e syscall=49 success=no exit=-13 a0=83 a1=7f6e7719e1e0 a2=10 a3=268 items=0 ppid=1 pid=25490 auid=4294967295 uid=507 gid=507 euid=507 suid=507 fsuid=507 egid=507 sgid=507 fsgid=507 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:openshift_t:s0:c0,c507 key=(null)


Expected results:
No such info

Additional info:
Comment 2 Brenton Leanhardt 2013-02-19 09:33:06 EST
Does this denial actually cause a breakage from the user's perspective?
Comment 3 xjia 2013-02-21 08:14:02 EST
I only created the jenkins app and accessed the app. No other things.

But now, it doesn't exist. Don't know why.
Comment 4 Brenton Leanhardt 2013-02-21 08:57:57 EST
OK, we'll leave this at low severity but plan on fixing it with the next minor release.
Comment 5 Luke Meyer 2013-06-28 14:30:46 EDT
I believe updated selinux-policy may have addressed this at least for OSE 1.2. Can you please test?
Comment 6 Gaoyun Pei 2013-07-01 01:13:10 EDT
Test jenkins application on 1.2 RC2 puddle:
http://download.lab.bos.redhat.com/rel-eng/OpenShiftEnterprise/1.2/2013-06-26.3/

selinux-policy-targeted-3.7.19-195.el6_4.10.noarch
selinux-policy-3.7.19-195.el6_4.10.noarch

During the jenkins app creation and embedding process, no AVC denied message was shown, so this bug could be verified.

But at the end of the jenkins build, it generates an AVC denial in audit.log. I am not sure whether it has any relationship with this bug, or whether it's another new bug.

Here are the steps to reproduce:
1. Create a php app and a jenkins app, and embed jenkins-client in the php app

2. Make some changes in the php app git repo to trigger a jenkins build

3. Monitor audit.log on the node; an AVC denial is generated once the build action completes as "SUCCESS"
[root@node1 ~]# tailf /var/log/audit/audit.log |grep avc

type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
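
Added example, not part of the original bug report or of OpenShift: a small parser that groups the audit records quoted in the description and in Comment 6 by audit event ID and reduces each AVC denial to the tuple that matters for policy triage (source type, target type, object class, permission), together with the failing syscall when a SYSCALL record is present. The names `summarize_denials`, `fields` and `SAMPLE_LOG` are introduced here, and the SYSCALL record in the sample is shortened.

```python
import re
from collections import defaultdict

# Audit records copied from this bug report (SYSCALL record shortened).
SAMPLE_LOG = """\
type=AVC msg=audit(1361280256.039:65402152): avc:  denied  { name_bind } for  pid=25490 comm="java" src=5353 scontext=system_u:system_r:openshift_t:s0:c0,c507 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1361280256.039:65402152): arch=c000003e syscall=49 success=no exit=-13 a0=83 a1=7f6e7719e1e0 a2=10 a3=268 items=0 ppid=1 pid=25490 auid=4294967295 uid=507 gid=507 comm="java" subj=system_u:system_r:openshift_t:s0:c0,c507 key=(null)
type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
"""
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \} for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def summarize_denials(log_text):
    """Group records by audit event ID and describe each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, stamp, serial, body = m.groups()
            # Records sharing timestamp:serial belong to one kernel event.
            events[f"{stamp}:{serial}"][rtype] = body
    denials = []
    for event_id, records in events.items():
        m = DENIAL_RE.search(records.get("AVC", ""))
        if not m:
            continue
        avc, sc = fields(m.group(2)), fields(records.get("SYSCALL", ""))
        denials.append({
            "event": event_id,
            "perms": m.group(1).split(),
            "comm": avc.get("comm"),
            # SELinux context is user:role:type:level; the type drives policy.
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "object": avc.get("path") or avc.get("src"),
            "syscall": sc.get("syscall"),   # 49 is bind(2) on x86_64
            "exit": sc.get("exit"),         # -13 is EACCES
        })
    return denials

if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_LOG):
        print(d)
```

Both denials come from the same source type, `openshift_t`, but target different types (`howl_port_t` and `mtrr_device_t`).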
Comment 7 Gaoyun Pei 2013-07-01 01:48:57 EDT
Moving this bug to VERIFIED because the related issue has been resolved.

About the new issue mentioned in Comment 6, do you think it is necessary to file a new bug to trace that?  Thanks!
Comment 8 Brenton Leanhardt 2013-07-01 13:36:56 EDT
I vote we track the issue in Comment #6 as a new bug against 1.2.1.
Comment 9 Gaoyun Pei 2013-07-02 03:14:00 EDT
A new bug was filed to track the new issue:
https://bugzilla.redhat.com/show_bug.cgi?id=980353

Thanks
Comment 11 errata-xmlrpc 2013-07-09 14:59:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1032.html
