Description of problem:
When running

# rhc create-app -n test -a perly -t perl-5.10

on an all-on-one-machine installation done using https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh I see AVC denials in the audit/audit.log:

type=AVC msg=audit(1369379929.298:515): avc: denied { search } for pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369379929.308:516): avc: denied { getattr } for pid=13450 comm="oo-namespace-in" path="/var/lib/openshift/519f14476892df898500002c/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1050337 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):
build/OpenShiftEnterprise/1.2/2013-05-23.2

How reproducible:
Deterministic -- I see it upon every rhc create-app run.

Steps to Reproduce:
1. Have all-on-one-machine OpenShift Enterprise installation.
2. Do rhn setup with namespace test.
3. Run ( tail -f /var/log/audit/audit.log | grep AVC ) &
4. rhc create-app -n test -a perlz -t perl-5.10

Actual results:
# rhc create-app -n test -a perlz -t perl-5.10
Application Options
-------------------
Namespace:  test
Cartridges: perl-5.10
Gear Size:  default
Scaling:    no

Creating application 'perlz' ... done
Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/perlz/.git/
Warning: Permanently added 'perlz-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381108.469:713): avc: denied { search } for pid=24319 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381108.480:714): avc: denied { getattr } for pid=24322 comm="oo-namespace-in" path="/var/lib/openshift/519f18e26892df898500003f/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1049060 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'perlz'

Expected results:
No AVC denial.

Additional info:
I'm not sure which component it is really, putting it to Broker for now.
For the JBossEAP cartridge, there is one more AVC denial about /tmp/jbosseap.log, let me put it into this bugzilla as well:

# rhc create-app -n test -a eapy -t jbosseap-6.0
Application Options
-------------------
Namespace:  test
Cartridges: jbosseap-6.0
Gear Size:  default
Scaling:    no

Creating application 'eapy' ...
type=AVC msg=audit(1369381323.584:788): avc: denied { write } for pid=28061 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056922 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c505 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c505 tclass=file
done
Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/eapy/.git/
Warning: Permanently added 'eapy-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381335.469:802): avc: denied { search } for pid=1861 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381335.870:803): avc: denied { getattr } for pid=2078 comm="oo-namespace-in" path="/var/lib/openshift/519f19c06892df8985000052/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1845664 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'eapy'
The full AVC denials under Permissive are:

type=AVC msg=audit(1369383270.886:1064): avc: denied { write } for pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc: denied { search } for pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc: denied { write } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc: denied { open } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc: denied { getattr } for pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc: denied { getattr } for pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
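Before a policy reviewer decides which of these denials belong in selinux-policy and which are an application bug (as the later commit shows for /tmp/jbosseap.log), it helps to collapse the raw records into (source type, target type, class, permissions) groups. The following parser is an added example and not part of this bug or of OpenShift; its sample input is constructed from the records quoted in this comment plus one non-AVC audit line.

```python
import re
from collections import defaultdict

# One AVC record as written to /var/log/audit/audit.log (real logs use two spaces
# around "denied"; the regex accepts one or more).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="sshd") or bare (ino=786433).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the Permissive-mode records from this comment and one
# non-AVC line that the parser must skip.
SAMPLE_LINES = [
    'type=AVC msg=audit(1369383282.771:1078): avc: denied { search } for pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir',
    'type=AVC msg=audit(1369383282.771:1078): avc: denied { write } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file',
    'type=AVC msg=audit(1369383282.771:1078): avc: denied { open } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file',
    'type=AVC msg=audit(1369383282.772:1079): avc: denied { getattr } for pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file',
    'type=AVC msg=audit(1369383283.171:1080): avc: denied { getattr } for pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1369383270.886:1064): avc: denied { write } for pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file',
    'type=CWD msg=audit(1369383282.771:1078): cwd="/"',  # constructed non-AVC line
]

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """user:role:type[:mls] -> type, e.g. 'system_u:system_r:sshd_t:s0-s0:c0.c1023' -> 'sshd_t'."""
    return ctx.split(":")[2]

def summarize(lines):
    """Group denials by (source type, target type, class) with the union of denied
    permissions: the same grouping a reviewer or audit2allow reasons about."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LINES).items()):
        print("%s -> %s:%s { %s }" % (src, tgt, cls, " ".join(perms)))
```

The sshd_t groups are what the attached selinux-policy patch addresses; the openshift_cgroup_read_t -> openshift_tmp_t group stands out as a confined helper writing a log in the gear's tmp, which is the application-side issue fixed separately.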
Created attachment 753925 [details]
SELinux policy patch

I've tested with the attached patch to selinux-policy, and it resolves the AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss apps, the one related to /tmp/jbosseap.log is unrelated to the base policies).
Miroslav, Please review the attached patch for selinux-policy.
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6c12d246b425783221318046fd71564d21e8f726
Bug 966876 - Fix AVC denial in jbossas7 and jbosseap6 carts on startup
https://bugzilla.redhat.com/show_bug.cgi?id=966876

Redirect stderr to /dev/null when running oo-cgroup-read from bin/standalone.conf in jbosseap and jbossas v2 carts. These are run with stderr redirected to a logfile in the gear's tmp directory, and oo-cgroup-read is trying to open a file handle to this logfile, causing an AVC denial.
(In reply to Jason DeTiberus from comment #5)
> Created attachment 753925 [details]
> SELinux policy patch
>
> I've tested with the attached patch to selinux-policy, and it resolves the
> AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss
> apps, the one related to /tmp/jbosseap.log is unrelated to the base
> policies).

Could you please open a new selinux-policy bug for these fixes. Thank you.
*** Bug 971769 has been marked as a duplicate of this bug. ***
Tagged selinux-policy-3.7.19-195.el6_4.10 into the latest puddle, please verify with this version of selinux-policy
Verified this bug on puddle:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-07.2/

[root@node2 yum.repos.d]# rpm -qa|grep selinux-policy
selinux-policy-3.7.19-195.el6_4.10.noarch
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch

Created a jbosseap-6.0 app, controlled this app (restart, ssh into it). No avc denials in audit.log.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1033.html