Bug 966876 - AVC denials when running rhc create-app
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Kubernetes
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Jason DeTiberus
QA Contact: libra bugs
Duplicates: 971769
Depends On: 968344
Reported: 2013-05-24 03:40 EDT by Jan Pazdziora
Modified: 2017-03-08 12 EST
Fixed In Version: selinux-policy-3.7.19-195.el6_4.10
Doc Type: Bug Fix
Doc Text:
Cause: SELinux policy was denying certain access when creating gears.
Consequence: AVC denials were seen in node host audit.log. No apparent impairment of functionality.
Fix: RHEL released a new selinux-policy RPM that addresses the problem. Install it.
Result: The AVC denials stop.
Last Closed: 2013-07-09 14:48:36 EDT
Type: Bug


Attachments
SELinux policy patch (1.06 KB, patch)
2013-05-28 09:44 EDT, Jason DeTiberus

Description Jan Pazdziora 2013-05-24 03:40:33 EDT
Description of problem:

When running

# rhc create-app -n test -a perly -t perl-5.10

on a all-on-one-machine installation done using

https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

I see AVC denials in the audit/audit.log:

type=AVC msg=audit(1369379929.298:515): avc:  denied  { search } for  pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369379929.308:516): avc:  denied  { getattr } for  pid=13450 comm="oo-namespace-in" path="/var/lib/openshift/519f14476892df898500002c/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1050337 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):

build/OpenShiftEnterprise/1.2/2013-05-23.2

How reproducible:

Deterministic -- I see it upon every rhc create-app run.

Steps to Reproduce:
1. Have all-on-one-machine OpenShift Enterprise installation.
2. Do rhc setup with namespace test.
3. Run ( tail -f /var/log/audit/audit.log | grep AVC ) &
4. rhc create-app -n test -a perlz -t perl-5.10

Actual results:

# rhc create-app -n test -a perlz -t perl-5.10
Application Options
-------------------
  Namespace:  test
  Cartridges: perl-5.10
  Gear Size:  default
  Scaling:    no

Creating application 'perlz' ... done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/perlz/.git/
Warning: Permanently added 'perlz-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381108.469:713): avc:  denied  { search } for  pid=24319 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381108.480:714): avc:  denied  { getattr } for  pid=24322 comm="oo-namespace-in" path="/var/lib/openshift/519f18e26892df898500003f/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1049060 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'perlz'

Expected results:

No AVC denial.

Additional info:

I'm not sure which component it is really, putting it to Broker for now.
Comment 2 Jan Pazdziora 2013-05-24 03:43:02 EDT
For the JBossEAP cartridge, there is one more AVC denial about /tmp/jbosseap.log, let me put it into this bugzilla as well:


# rhc create-app -n test -a eapy -t jbosseap-6.0
Application Options
-------------------
  Namespace:  test
  Cartridges: jbosseap-6.0
  Gear Size:  default
  Scaling:    no

Creating application 'eapy' ... type=AVC msg=audit(1369381323.584:788): avc:  denied  { write } for  pid=28061 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056922 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c505 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c505 tclass=file
done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /mnt/tests/OpenShift/Enterprise/install/nightly/eapy/.git/
Warning: Permanently added 'eapy-test.example.com' (RSA) to the list of known hosts.
type=AVC msg=audit(1369381335.469:802): avc:  denied  { search } for  pid=1861 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369381335.870:803): avc:  denied  { getattr } for  pid=2078 comm="oo-namespace-in" path="/var/lib/openshift/519f19c06892df8985000052/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1845664 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Your application code is now in 'eapy'
Comment 4 Jan Pazdziora 2013-05-24 04:15:41 EDT
The full AVC denials under Permissive are

type=AVC msg=audit(1369383270.886:1064): avc:  denied  { write } for  pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file

type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
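Added example, not code from this bug, from OpenShift or from the selinux-policy package: a small parser for the AVC records quoted above, run over the lines from the description (Enforcing run) and from comment 4 (Permissive run) as constructed sample input. It groups records by audit serial, which is what makes the Enforcing/Permissive difference readable: serial 1078 carries the search, write and open denials from one sshd syscall, while the Enforcing runs in the description show only the search denial, because once the directory search fails the open of the tasks file never happens. It also collapses the denials into type-enforcement allow rules in the form audit2allow prints, which is handy for checking a patch like the one in comment 5 against the evidence; it is not a recommendation to load those rules as a local module for sshd_t without review (the /tmp/jbosseap.log denial, for instance, was fixed without any policy change). The AvcDenial class and the function names are mine.

```python
"""Parse SELinux AVC denials out of audit.log and turn them into triage data.

Added example for bug 966876; assumes only the standard auditd AVC record
layout seen in the lines quoted in the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the denials quoted in the description (Enforcing run)
# and in comment 4 (Permissive run), copied verbatim so this runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369379929.298:515): avc:  denied  { search } for  pid=13447 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369379929.308:516): avc:  denied  { getattr } for  pid=13450 comm="oo-namespace-in" path="/var/lib/openshift/519f14476892df898500002c/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1050337 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369383270.886:1064): avc:  denied  { write } for  pid=667 comm="oo-cgroup-read" path="/tmp/jbosseap.log" dev=dm-0 ino=1056997 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c506 tcontext=unconfined_u:object_r:openshift_tmp_t:s0:c0,c506 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file
"""

# msg=audit(<timestamp>:<serial>): one serial per kernel event; several AVC
# records sharing a serial were raised by the same syscall.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name, path) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcDenial:
    serial: int
    perms: tuple
    comm: str
    target: str        # path= when the kernel had one, else name=
    scontext: str
    tcontext: str
    tclass: str

    # user:role:type:range -> the type is the third field.  Note that for the
    # jbosseap.log record both contexts carry the same MCS categories (c0,c506),
    # so it is the type pair, not the gear's category set, that is denied.
    @property
    def stype(self):
        return self.scontext.split(":")[2]

    @property
    def ttype(self):
        return self.tcontext.split(":")[2]


def parse_avc(text):
    """Return one AvcDenial per 'avc: denied' record; other audit records are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        out.append(AvcDenial(
            serial=int(m.group("serial")),
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            target=fields.get("path") or fields.get("name", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        ))
    return out


def denials_per_event(denials):
    """Group denials by audit serial, i.e. by the syscall that produced them."""
    groups = defaultdict(list)
    for d in denials:
        groups[d.serial].append(d)
    return dict(groups)


def allow_rules(denials):
    """Collapse denials into allow rules in the form audit2allow prints (triage aid only)."""
    wanted = defaultdict(set)
    for d in denials:
        wanted[(d.stype, d.ttype, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for serial, group in denials_per_event(found).items():
        print(serial, [(d.comm, d.perms[0], d.target) for d in group])
    print("\n".join(allow_rules(found)))
```

Read the output of allow_rules as a checklist of what a policy patch has to cover, and compare it with the sshd_t/cgroup_t and sshd_t/openshift_var_lib_t rules the attached patch adds; the openshift_cgroup_read_t line is the one that should not become a rule.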
Comment 5 Jason DeTiberus 2013-05-28 09:44:54 EDT
Created attachment 753925 [details]
SELinux policy patch

I've tested with the attached patch to selinux-policy, and it resolves the AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss apps, the one related to /tmp/jbosseap.log is unrelated to the base policies).
Comment 6 Jason DeTiberus 2013-05-28 09:46:10 EDT
Miroslav, Please review the attached patch for selinux-policy.
Comment 7 openshift-github-bot 2013-05-28 15:47:00 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6c12d246b425783221318046fd71564d21e8f726
Bug 966876 - Fix AVC denial in jbossas7 and jbosseap6 carts on startup

https://bugzilla.redhat.com/show_bug.cgi?id=966876

Redirect stderr to /dev/null when running oo-cgroup-read from bin/standalone.conf in jbosseap and jbossas v2 carts.  These are run with stderr redirected to a logfile in the gears tmp directory and oo-cgroup-read is trying to open a file handle to this logfile causing an AVC denial
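Added example, not code from origin-server: the commit above fixes the /tmp/jbosseap.log denial without any policy change, by giving oo-cgroup-read a stderr of its own. The Python stand-in below reproduces the mechanism. A startup script runs with its stderr redirected to a log file and spawns a child; the child inherits that open descriptor, so any diagnostic it emits is a write() to the log file made by the child's own process (under SELinux, by the child's domain, openshift_cgroup_read_t, against the file's label, openshift_tmp_t, which is exactly the denied pair in comment 4). Pointing the child's stderr at /dev/null, the 2>/dev/null of the fix, removes that write while leaving the parent's own logging untouched. The log file name and the child script are made up.

```python
"""Why a child inherits its parent's log file on fd 2, and what 2>/dev/null changes.

Added example for bug 966876; the child below is a stand-in for
oo-cgroup-read, not the real tool, and the log file is a temp file.
"""
import os
import subprocess
import sys
import tempfile

# Stand-in for oo-cgroup-read: does its real work on stdout, but also emits
# a diagnostic on stderr.  That stderr write is what hits the inherited fd.
CHILD_SCRIPT = (
    "import sys\n"
    "sys.stdout.write('cpu.shares=1024\\n')\n"
    "sys.stderr.write('child: diagnostic on fd 2\\n')\n"
)


def run_with_log(drop_child_stderr):
    """Emulate a cartridge startup script whose stderr goes to a log file.

    Returns (child_stdout, log_contents).  With drop_child_stderr=False the
    child inherits fd 2, i.e. the open log file, so every stderr write it
    makes is a write to that file by the child process.  With True the child
    is given /dev/null for stderr (the fix in the commit above).
    """
    fd, log_path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        # Equivalent of the shell's '2>"$log"' around the whole script.
        with open(log_path, "ab") as log:
            log.write(b"parent: starting\n")
            log.flush()                      # keep ordering honest before fork
            proc = subprocess.run(
                [sys.executable, "-c", CHILD_SCRIPT],
                stdout=subprocess.PIPE,
                stderr=subprocess.DEVNULL if drop_child_stderr else log,
                check=True,
            )
            log.write(b"parent: done\n")     # the parent keeps logging either way
        with open(log_path, "rb") as fh:
            return proc.stdout.decode(), fh.read().decode()
    finally:
        os.unlink(log_path)


if __name__ == "__main__":
    for drop in (False, True):
        out, log = run_with_log(drop)
        print(f"drop_child_stderr={drop}: stdout={out!r} log={log!r}")
```

The trade-off is the one the commit accepts: with the redirect in place, anything oo-cgroup-read reports on stderr is lost, but the confined reader no longer needs write access to a file labelled for the gear's tmp data, which is the least-privilege outcome compared with adding an allow rule for openshift_cgroup_read_t on openshift_tmp_t.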
Comment 8 Miroslav Grepl 2013-05-29 03:53:49 EDT
(In reply to Jason DeTiberus from comment #5)
> Created attachment 753925 [details]
> SELinux policy patch
> 
> I've tested with the attached patch to selinux-policy, and it resolves the
> AVCs on app creation for perl apps (and 2 of the 3 AVC denials for jboss
> apps, the one related to /tmp/jbosseap.log is unrelated to the base
> policies).

Could you please open a new selinux-policy bug for these fixes. Thank you.
Comment 9 Jason DeTiberus 2013-06-07 08:26:46 EDT
*** Bug 971769 has been marked as a duplicate of this bug. ***
Comment 10 Jason DeTiberus 2013-06-07 12:24:34 EDT
Tagged selinux-policy-3.7.19-195.el6_4.10 into the latest puddle, please verify with this version of selinux-policy
Comment 11 Gaoyun Pei 2013-06-08 05:39:54 EDT
Verify this bug on puddle:
http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-07.2/
[root@node2 yum.repos.d]# rpm -qa|grep selinux-policy
selinux-policy-3.7.19-195.el6_4.10.noarch
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch


Created a jbosseap-6.0 app and controlled this app (restart, ssh into it).
No avc denials in audit.log
Comment 13 errata-xmlrpc 2013-07-09 14:48:36 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1033.html
