Description of problem:
Getting AVC denials in the audit.log from the cron job that gathers mcollective facts. Apparently only part of the facts aren't being gathered - the gear counts.

Version-Release number of selected component (if applicable):
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.1.z/2013-03-06.1/
openshift-origin-msg-node-mcollective-1.0.3-1.el6op.noarch
selinux-policy-3.7.19-195.el6_4.2.noarch

Steps to Reproduce:
1. Create an OSE installation
2. Create some apps
3. Wait for mcollective facter to run (do not run as root)
4. grep gears /etc/mcollective/facts.yaml

Actual results:
all zeroes

Expected results:
positive numbers at least for e.g. gears_total_count

Additional info:
The problem appears to stem from this line of code (where app_dir iterates over the gear directories):

    Dir.glob(File.join(app_dir, %w{app-root runtime .state})).each do |file|

This line however succeeds in counting git repositories:

    git_repos_count += Dir.glob(File.join(app_dir, "git/*.git")).count

Selinux contexts:

    system_u:object_r:openshift_var_lib_t:s0:c0,c1002 /var/lib/openshift/1db5352de6864a7592c9b56252beff9c/app-root/runtime/
    system_u:object_r:openshift_var_lib_t:s0:c0,c1002 /var/lib/openshift/1db5352de6864a7592c9b56252beff9c/app-root/runtime/.state
    system_u:object_r:openshift_var_lib_t:s0:c0,c1002 /var/lib/openshift/1db5352de6864a7592c9b56252beff9c/git
    system_u:object_r:openshift_var_lib_t:s0:c0,c1002 /var/lib/openshift/1db5352de6864a7592c9b56252beff9c/git/1db5352de6.git/

Running the audit.log through audit2allow gives the following policy:

    #============= openshift_cron_t ==============
    allow openshift_cron_t self:capability { dac_read_search dac_override };

My devenv does not seem to have this problem.
*** This bug has been marked as a duplicate of bug 915701 ***
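
The report shows only the audit2allow result, not the denials behind it. The following is an added example, not part of the original report or of OpenShift's code: it groups AVC capability denials into the same kind of rule so the denied permissions can be reviewed before any policy change. The log records are constructed (pids, timestamps and comm values are assumptions); the domain and capabilities are the ones named in the report.

```python
import re
from collections import defaultdict

# Constructed records in the kernel's AVC format (not taken from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1362600001.101:501): avc:  denied  { dac_override } for  pid=4121 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1362600001.101:501): avc:  denied  { dac_read_search } for  pid=4121 comm="ruby" capability=2  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1362600001.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1362600061.204:517): avc:  denied  { dac_override } for  pid=4188 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        match = AVC_RE.search(line)
        if not match:
            continue  # granted or malformed record
        source = selinux_type(match.group("scon"))
        target = selinux_type(match.group("tcon"))
        if target == source:
            target = "self"  # a domain acting on itself, as with capabilities
        key = (source, target, match.group("tclass"))
        grouped[key].update(match.group("perms").split())
    return grouped

def format_rules(grouped):
    """Render the grouped denials as allow rules with sorted permissions."""
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(format_rules(denied_rules(SAMPLE_AUDIT_LOG))))
```

Both permissions are capabilities that let a process bypass file mode checks, so a rule like this widens what the cron domain can read across every gear directory and should be reviewed as such rather than loaded as generated.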