Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 966876

Summary: AVC denials when running rhc create-app
Product: OpenShift Container Platform Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: NodeAssignee: Jason DeTiberus <jdetiber>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.2.0CC: bleanhar, gpei, jdetiber, jpazdziora, libra-onpremise-devel, lmeyer, mgrepl, pruan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-195.el6_4.10 Doc Type: Bug Fix
Doc Text:
Cause: SElinux policy was denying certain access when creating gears. Consequence: AVC denials were seen in node host audit.log. No apparent impairment of functionality. Fix: RHEL released a new selinux-policy RPM that addresses the problem. Install it. Result: The AVC denials stop.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-09 18:48:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 968344    
Bug Blocks:    
Attachments:
Description Flags
SELinux policy patch none

Description Jan Pazdziora (Red Hat) 2013-05-24 07:40:33 UTC 
Description of problem:

When running

# rhc create-app -n test -a perly -t perl-5.10

on a all-on-one-machine installation done using

https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

I see AVC denials in the audit/audit.log:

type=AVC msg=audit(1369379929.298:515): avc:  denied  { search } for  pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369379929.308:516): avc:  denied  { getattr } for  pid=13450 comm="oo-namespace-in" path="/var/lib/openshift/519f14476892df898500002c/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1050337 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):

build/OpenShiftEnterprise/1.2/2013-05-23.2

How reproducible:

Deterministic -- I see it upon every rhc create-app run.

Steps to Reproduce:
1. Have all-on-one-machine OpenShift Enterprise installation.
2. Do rhn setup with namespace test.
3. Run ( tail -f /var/log/audit/audit.log | grep AVC ) &
4. rhc create-app -n test -a perlz -t perl-5.10

Actual results:

# rhc create-app -n test -a perlz -t perl-5.10
Application Options
-------------------
  Namespace:  test
  Cartridges: perl-5.10
  Gear Size:  default
  Scaling:    no

Creating application 'perlz' ... done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/perlz/.git/
Warning: Permanently added 'perlz-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381108.469:713): avc:  denied  { search } for  pid=24319 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381108.480:714): avc:  denied  { getattr } for  pid=24322 comm="oo-namespace-in" path="/var/lib/openshift/519f18e26892df898500003f/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1049060 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'perlz'

Expected results:

No AVC denial.

Additional info:

I'm not sure which component it is really, putting it to Broker for now.
Comment 2 Jan Pazdziora (Red Hat) 2013-05-24 07:43:02 UTC 
For the JBossEAP cartridge, there is one more AVC denial about /tmp/jbosseap.log, let me put it into this bugzilla as well:


# rhc create-app -n test -a eapy -t jbosseap-6.0
Application Options
-------------------
  Namespace:  test
  Cartridges: jbosseap-6.0
  Gear Size:  default
  Scaling:    no

Creating application 'eapy' ... type=AVC msg=audit(1369381323.584:788): avc:  denied  { write } for  pid=28061 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056922 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c505 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c505 tclass=file
done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/eapy/.git/
Warning: Permanently added 'eapy-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381335.469:802): avc:  denied  { search } for  pid=1861 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381335.870:803): avc:  denied  { getattr } for  pid=2078 comm="oo-namespace-in" path="/var/lib/openshift/519f19c06892df8985000052/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1845664 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'eapy'
Comment 4 Jan Pazdziora (Red Hat) 2013-05-24 08:15:41 UTC 
The full AVC denials under Permissive are

type=AVC msg=audit(1369383270.886:1064): avc:  denied  { write } for  pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file

type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
Comment 5 Jason DeTiberus 2013-05-28 13:44:54 UTC 
Created attachment 753925 [details]
SELinux policy patch

I've tested with the attached patch to selinux-policy, and it resolves the AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss apps, the one related to /tmp/jbosseap.log is unrelated to the base policies).
Comment 6 Jason DeTiberus 2013-05-28 13:46:10 UTC 
Miroslav, Please review the attached patch for selinux-policy.
Comment 7 openshift-github-bot 2013-05-28 19:47:00 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6c12d246b425783221318046fd71564d21e8f726
Bug 966876 - Fix AVC denial in jbossas7 and jbosseap6 carts on startup

https://bugzilla.redhat.com/show_bug.cgi?id=966876

Redirect stderr to /dev/null when running oo-cgroup-read from bin/standalone.conf in jbosseap and jbossas v2 carts.  These are run with stderr redirected to a logfile in the gears tmp directory and oo-cgroup-read is trying to open a file handle to this logfile causing an AVC denial
Comment 8 Miroslav Grepl 2013-05-29 07:53:49 UTC 
(In reply to Jason DeTiberus from comment #5)
> Created attachment 753925 [details]
> SELinux policy patch
> 
> I've tested with the attached patch to selinux-policy, and it resolves the
> AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss
> apps, the one related to /tmp/jbosseap.log is unrelated to the base
> policies).

Could you please open a new selinux-policy bug for these fixes. Thank you.
Comment 9 Jason DeTiberus 2013-06-07 12:26:46 UTC 
*** Bug 971769 has been marked as a duplicate of this bug. ***
Comment 10 Jason DeTiberus 2013-06-07 16:24:34 UTC 
Tagged selinux-policy-3.7.19-195.el6_4.10 into the latest puddle, please verify with this version of selinux-policy
Comment 11 Gaoyun Pei 2013-06-08 09:39:54 UTC 
Verify this bug on puddle:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-07.2/
[root@node2 yum.repos.d]# rpm -qa|grep selinux-policy
selinux-policy-3.7.19-195.el6_4.10.noarch
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch


Created a jbosseap-6.0 app, control this app like restart or ssh into it.
No avc denials in audit.log
Comment 13 errata-xmlrpc 2013-07-09 18:48:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1033.html