Bug 966876 - AVC denials when running rhc create-app
Summary: AVC denials when running rhc create-app
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jason DeTiberus
QA Contact: libra bugs
URL:
Whiteboard:
Duplicates: 971769
Depends On: 968344
Blocks:
Reported: 2013-05-24 07:40 UTC by Jan Pazdziora (Red Hat)
Modified: 2017-03-08 17:35 UTC
8 users

Fixed In Version: selinux-policy-3.7.19-195.el6_4.10
Doc Type: Bug Fix
Doc Text:
Cause: SElinux policy was denying certain access when creating gears. Consequence: AVC denials were seen in node host audit.log. No apparent impairment of functionality. Fix: RHEL released a new selinux-policy RPM that addresses the problem. Install it. Result: The AVC denials stop.
Clone Of:
Environment:
Last Closed: 2013-07-09 18:48:36 UTC
Target Upstream Version:
Embargoed:


Attachments
SELinux policy patch (1.06 KB, patch)
2013-05-28 13:44 UTC, Jason DeTiberus
no flags


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 968344 0 unspecified CLOSED pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2013:1033 0 normal SHIPPED_LIVE Red Hat OpenShift Enterprise 1.2 Client Release Advisory 2013-07-09 22:47:07 UTC

Internal Links: 968344

Description Jan Pazdziora (Red Hat) 2013-05-24 07:40:33 UTC
Description of problem:

When running

# rhc create-app -n test -a perly -t perl-5.10

on an all-on-one-machine installation done using

https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

I see AVC denials in the audit/audit.log:

type=AVC msg=audit(1369379929.298:515): avc:  denied  { search } for  pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369379929.308:516): avc:  denied  { getattr } for  pid=13450 comm="oo-namespace-in" path="/var/lib/openshift/519f14476892df898500002c/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1050337 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):

build/OpenShiftEnterprise/1.2/2013-05-23.2

How reproducible:

Deterministic -- I see it upon every rhc create-app run.

Steps to Reproduce:
1. Have all-on-one-machine OpenShift Enterprise installation.
2. Do rhn setup with namespace test.
3. Run ( tail -f /var/log/audit/audit.log | grep AVC ) &
4. rhc create-app -n test -a perlz -t perl-5.10

Actual results:

# rhc create-app -n test -a perlz -t perl-5.10
Application Options
-------------------
  Namespace:  test
  Cartridges: perl-5.10
  Gear Size:  default
  Scaling:    no

Creating application 'perlz' ... done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/perlz/.git/
Warning: Permanently added 'perlz-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381108.469:713): avc:  denied  { search } for  pid=24319 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381108.480:714): avc:  denied  { getattr } for  pid=24322 comm="oo-namespace-in" path="/var/lib/openshift/519f18e26892df898500003f/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1049060 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'perlz'

Expected results:

No AVC denial.

Additional info:

I'm not sure which component it is really, putting it to Broker for now.
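
The records quoted above all have the same shape, and what a node administrator needs from them is the (source type, target type, object class, permissions) tuple, since that is what the selinux-policy fix has to cover and what an allow rule in a .te source keys on. The following parser and summariser is an added example for this bug report, not code from OpenShift or from the selinux-policy package; the sample audit.log text is constructed from the records quoted in this bug, with one non-AVC SYSCALL line mixed in to show that it is skipped.

```python
"""Parse SELinux AVC denial records out of audit.log lines and summarise them.

Added example for this bug report; not part of OpenShift or selinux-policy.
The sample lines below are constructed from the records quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample: records quoted in the report plus one non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369379929.298:515): avc:  denied  { search } for  pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1369379929.298:515): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369381323.584:788): avc:  denied  { write } for  pid=28061 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056922 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c505 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c505 tclass=file
"""

# Fixed prefix of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)$'
)
# The remainder is key=value pairs; values are either quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render each group in the allow-rule shape used in .te policy sources,
    so the denials can be compared against what a policy update actually adds."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run against a real audit.log with `summarise(open("/var/log/audit/audit.log").read())`; grouping on the type rather than the full context collapses the per-gear MCS categories (c505, c506 and so on) into one line per access pattern, which is what makes the perl and jbosseap reports above visibly the same sshd_t/cgroup_t denial.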

Comment 2 Jan Pazdziora (Red Hat) 2013-05-24 07:43:02 UTC
For the JBossEAP cartridge, there is one more AVC denial about /tmp/jbosseap.log, let me put it into this bugzilla as well:


# rhc create-app -n test -a eapy -t jbosseap-6.0
Application Options
-------------------
  Namespace:  test
  Cartridges: jbosseap-6.0
  Gear Size:  default
  Scaling:    no

Creating application 'eapy' ... type=AVC msg=audit(1369381323.584:788): avc:  denied  { write } for  pid=28061 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056922 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c505 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c505 tclass=file
done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/eapy/.git/
Warning: Permanently added 'eapy-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381335.469:802): avc:  denied  { search } for  pid=1861 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381335.870:803): avc:  denied  { getattr } for  pid=2078 comm="oo-namespace-in" path="/var/lib/openshift/519f19c06892df8985000052/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1845664 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'eapy'

Comment 4 Jan Pazdziora (Red Hat) 2013-05-24 08:15:41 UTC
The full AVC denials under Permissive are

type=AVC msg=audit(1369383270.886:1064): avc:  denied  { write } for  pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file

type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Comment 5 Jason DeTiberus 2013-05-28 13:44:54 UTC
Created attachment 753925 [details]
SELinux policy patch

I've tested with the attached patch to selinux-policy, and it resolves the AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss apps, the one related to /tmp/jbosseap.log is unrelated to the base policies).

Comment 6 Jason DeTiberus 2013-05-28 13:46:10 UTC
Miroslav, Please review the attached patch for selinux-policy.

Comment 7 openshift-github-bot 2013-05-28 19:47:00 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6c12d246b425783221318046fd71564d21e8f726
Bug 966876 - Fix AVC denial in jbossas7 and jbosseap6 carts on startup

https://bugzilla.redhat.com/show_bug.cgi?id=966876

Redirect stderr to /dev/null when running oo-cgroup-read from bin/standalone.conf in jbosseap and jbossas v2 carts.  These are run with stderr redirected to a logfile in the gear's tmp directory, and oo-cgroup-read is trying to open a file handle to this logfile, causing an AVC denial.

Comment 8 Miroslav Grepl 2013-05-29 07:53:49 UTC
(In reply to Jason DeTiberus from comment #5)
> Created attachment 753925 [details]
> SELinux policy patch
> 
> I've tested with the attached patch to selinux-policy, and it resolves the
> AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss
> apps, the one related to /tmp/jbosseap.log is unrelated to the base
> policies).

Could you please open a new selinux-policy bug for these fixes. Thank you.

Comment 9 Jason DeTiberus 2013-06-07 12:26:46 UTC
*** Bug 971769 has been marked as a duplicate of this bug. ***

Comment 10 Jason DeTiberus 2013-06-07 16:24:34 UTC
Tagged selinux-policy-3.7.19-195.el6_4.10 into the latest puddle; please verify with this version of selinux-policy.

Comment 11 Gaoyun Pei 2013-06-08 09:39:54 UTC
Verify this bug on puddle:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-07.2/
[root@node2 yum.repos.d]# rpm -qa|grep selinux-policy
selinux-policy-3.7.19-195.el6_4.10.noarch
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch


Created a jbosseap-6.0 app and controlled it (restart, ssh into it).
No AVC denials in audit.log.

Comment 13 errata-xmlrpc 2013-07-09 18:48:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1033.html
