Bug 953624 - cron job will generate avc denied message when selinux-policy-targeted-3.7.19-195.el6_4.1.noarch is installed on node.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OKD
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Mrunal Patel
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-18 17:18 UTC by Luke Meyer
Modified: 2015-05-14 23:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 915701
Environment:
Last Closed: 2013-04-18 20:56:37 UTC
Target Upstream Version:
Embargoed:



Description Luke Meyer 2013-04-18 17:18:16 UTC
+++ This bug was initially created as a clone of Bug #915701 +++

Description of problem:
After updating selinux-policy to the latest version (selinux-policy-3.7.19-195.el6_4.1.noarch), the openshift cron job generated an avc denied message.

Version-Release number of selected component (if applicable):
1.1.z/2013-02-20.1


How reproducible:
Always

Steps to Reproduce:
1. Install a RHEL6.4 system; it installs selinux-policy-3.7.19-195.el6.noarch.
2. Set up the node env on this system.
3. /etc/cron.minutely/openshift-facts will be executed every minute; monitor audit.log to make sure there is no avc denied message generated by this cron job.
4. Update selinux-policy to the latest version (selinux-policy-3.7.19-195.el6_4.1.noarch).
# yum update selinux-policy
5. Monitor audit.log.

Actual results:
The cron job will generate an avc denied message.
# grep denied /var/log/audit/audit.log*|grep cron
/var/log/audit/audit.log.1:type=AVC msg=audit(1361875921.479:776343667): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
/var/log/audit/audit.log.1:type=AVC msg=audit(1361875922.270:776344837): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file

Expected results:
The cron job should not generate this avc denied message.

Additional info:
See original bug. This blocks correct recording of active gear count. It didn't seem to apply Online before, but now I am seeing it in today's Online devenv.

Comment 1 Mrunal Patel 2013-04-18 19:22:04 UTC
This is the policy I generated for all the denials in cron:


module mycron5 1.0;

require {
        type http_port_t;
        type openshift_cron_t;
        type openshift_var_lib_t;
        class capability { dac_read_search dac_override };
        class tcp_socket name_connect;
        class lnk_file { read getattr };
}

#============= openshift_cron_t ==============

#!!!! This avc is allowed in the current policy
allow openshift_cron_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow openshift_cron_t openshift_var_lib_t:lnk_file { read getattr };

#!!!! This avc is allowed in the current policy
allow openshift_cron_t self:capability { dac_read_search dac_override };

It looks like we need to backport the selinux-policy fix for RHEL 6.5
mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=915701

Comment 2 Luke Meyer 2013-04-18 19:57:07 UTC
(In reply to comment #1)

> #!!!! This avc is allowed in the current policy
> allow openshift_cron_t self:capability { dac_read_search dac_override };

That should handle it in enterprise. Still, I'm seeing this sort of thing in my devenv:

type=SYSCALL msg=audit(1366314722.558:150825): arch=c000003e syscall=6 success=no exit=-13 a0=25384f0 a1=7fffb236d850 a2=7fffb236d850 a3=2 items=0 ppid=5679 pid=5682 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1080 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_override } for  pid=5682 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_read_search } for  pid=5682 comm="ruby" capability=2  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1366314722.558:150826): arch=c000003e syscall=6 success=no exit=-13 a0=25384f0 a1=7fffb236d850 a2=7fffb236d850 a3=2 items=0 ppid=5679 pid=5682 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1080 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366314722.558:150827): avc:  denied  { read } for  pid=5682 comm="ruby" name="test-ci48411115" dev=xvde2 ino=2246 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=lnk_file

for that, audit2allow says:
#============= openshift_cron_t ==============
allow openshift_cron_t openshift_var_lib_t:lnk_file read;

Not sure what is missing.

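The denials quoted in the comments above can be folded into allow rules the way audit2allow does it, which makes it easy to see which rules a policy update actually needs. The following is an added example, not code from the bug report or from OpenShift; the sample audit lines are copied from the comments above, while the regex, function names and the `self` shorthand handling (source type equal to target type, as in the capability rule of comment 1) are my own.

```python
"""Fold SELinux AVC denial records into the allow rules audit2allow would emit.
Added example; SAMPLE_AUDIT_LINES are copied from the bug comments above."""
import re
from collections import defaultdict

# Pull permissions, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed from the records quoted in the description and comment 2 (SYSCALL line shortened).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1366314722.558:150825): arch=c000003e syscall=6 success=no exit=-13 comm="ruby"',
    'type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_override } for  pid=5682 comm="ruby" capability=1  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1366314722.558:150826): avc:  denied  { dac_read_search } for  pid=5682 comm="ruby" capability=2  scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1366314722.558:150827): avc:  denied  { read } for  pid=5682 comm="ruby" name="test-ci48411115" dev=xvde2 ino=2246 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=lnk_file',
    '/var/log/audit/audit.log.1:type=AVC msg=audit(1361875921.479:776343667): avc:  denied  { read } for  pid=13799 comm="ruby" name="localtime" dev=dm-0 ino=130732 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file',
]


def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, set(perms)), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = type_of(m.group('scontext'))
    tgt = type_of(m.group('tcontext'))
    if tgt == src:          # audit2allow writes 'self' when the process is its own target
        tgt = 'self'
    return src, tgt, m.group('tclass'), set(m.group('perms').split())


def allow_rules(lines):
    """Merge denials per (source, target, class) and render sorted TE allow rules."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            wanted[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (src, tgt, tclass, perm_str))
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AUDIT_LINES)))
```

Feeding the whole audit.log through `allow_rules` rather than `grep`-ing for `cron` first shows every domain that hit a denial after the policy update, not only openshift_cron_t.
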
Comment 3 Mrunal Patel 2013-04-18 20:56:37 UTC
Closing this for now since both Luke and I did not see this issue in latest devenvs. We could re-open this bug if we see the issue.

