Bug 967621 - AVC denials when running puppet apply --verbose configure_origin.pp
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Pod
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Assigned To: Daniel Walsh
Reported: 2013-05-27 11:54 EDT by Jan Pazdziora
Modified: 2016-06-10 09:43 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-06-10 09:43:02 EDT
Type: Bug
Description Jan Pazdziora 2013-05-27 11:54:27 EDT
Description of problem:

I'm attempting to install OpenShift Origin on Fedora 18 using the documentation at 

  http://openshift.github.io/origin/file.install_origin_using_puppet.html

After the puppet run finishes, there are AVC denials:

type=AVC msg=audit(1369662782.829:566): avc:  denied  { search } for  pid=16426 comm="ruby" name="puppet" dev="dm-1" ino=524425 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369662782.845:567): avc:  denied  { getattr } for  pid=16426 comm="ruby" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=665487 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1369662782.845:568): avc:  denied  { getattr } for  pid=16426 comm="ruby" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=665487 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1369662782.860:569): avc:  denied  { search } for  pid=16426 comm="ruby" name="puppet" dev="dm-1" ino=393997 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

The audit2allow -a shows

allow openshift_cron_t puppet_etc_t:dir search;
allow openshift_cron_t puppet_var_lib_t:dir search;
allow openshift_cron_t sendmail_exec_t:file getattr;

Version-Release number of selected component (if applicable):

OpenShift Origin installed today.

How reproducible:

Deterministic, I've seen this on multiple installations.

Steps to Reproduce:
1. Try to install OpenShift Origin using the puppet apply --verbose configure_origin.pp method.
2. Monitor /var/log/audit/audit.log.

Actual results:

AVC denials as listed above.

Expected results:

No AVC denials.

Additional info:
Comment 2 Jan Pazdziora 2013-06-14 03:16:48 EDT
I've seen a similar problem on Fedora 19 lately:

type=AVC msg=audit(1371208263.979:969): avc:  denied  { getattr } for  pid=6454 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=795764 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1371208263.979:970): avc:  denied  { execute } for  pid=6454 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=795764 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

(this is under permissive). Then the audit2allow -a says

#============= openshift_cron_t ==============
allow openshift_cron_t sendmail_exec_t:file { getattr execute };
Comment 4 Krishna Raman 2013-12-09 19:19:50 EST
Verified the messages but this does not affect any functionality. Will email dwalsh to add selinux policies.

type=AVC msg=audit(1386633008.042:1187): avc:  denied  { getattr } for  pid=7846 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633008.048:1188): avc:  denied  { execute } for  pid=7846 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633009.042:1189): avc:  denied  { search } for  pid=8091 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386633009.042:1189): avc:  denied  { getattr } for  pid=8091 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633009.046:1190): avc:  denied  { read } for  pid=8103 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633009.046:1190): avc:  denied  { open } for  pid=8103 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633068.213:1214): avc:  denied  { getattr } for  pid=10396 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633068.214:1215): avc:  denied  { execute } for  pid=10396 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633068.748:1216): avc:  denied  { search } for  pid=10590 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386633068.748:1216): avc:  denied  { getattr } for  pid=10590 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633068.751:1217): avc:  denied  { read } for  pid=10602 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633068.751:1217): avc:  denied  { open } for  pid=10602 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633129.174:1239): avc:  denied  { getattr } for  pid=10884 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633129.174:1240): avc:  denied  { execute } for  pid=10884 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633129.864:1241): avc:  denied  { search } for  pid=11092 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386633129.864:1241): avc:  denied  { getattr } for  pid=11092 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633129.868:1242): avc:  denied  { read } for  pid=11104 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633129.868:1242): avc:  denied  { open } for  pid=11104 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633182.837:1263): avc:  denied  { getattr } for  pid=11379 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633182.838:1264): avc:  denied  { execute } for  pid=11379 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633183.238:1265): avc:  denied  { search } for  pid=11561 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386633183.238:1265): avc:  denied  { getattr } for  pid=11561 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633183.240:1266): avc:  denied  { read } for  pid=11573 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633183.240:1266): avc:  denied  { open } for  pid=11573 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634382.318:1414): avc:  denied  { search } for  pid=515 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386634382.318:1414): avc:  denied  { getattr } for  pid=515 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634382.321:1415): avc:  denied  { read } for  pid=527 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634382.321:1415): avc:  denied  { open } for  pid=527 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634562.350:376): avc:  denied  { getattr } for  pid=2251 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386634562.350:377): avc:  denied  { execute } for  pid=2251 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386634562.955:378): avc:  denied  { search } for  pid=2433 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386634562.955:378): avc:  denied  { getattr } for  pid=2433 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634562.960:379): avc:  denied  { read } for  pid=2445 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634562.960:379): avc:  denied  { open } for  pid=2445 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634623.148:387): avc:  denied  { search } for  pid=2710 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386634623.148:387): avc:  denied  { getattr } for  pid=2710 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634623.156:388): avc:  denied  { read } for  pid=2722 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386634623.156:388): avc:  denied  { open } for  pid=2722 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file


#============= openshift_cron_t ==============
allow openshift_cron_t init_t:dir search;
allow openshift_cron_t init_t:file { read getattr open };
allow openshift_cron_t sendmail_exec_t:file { getattr execute };
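The `allow` lines above are what `audit2allow -a` produces by merging the raw AVC records on source type, target type and object class. The Python below is an added example, not code from audit2allow or from OpenShift Origin, that reproduces that grouping over six records copied from this comment; the regex group names and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: six AVC records copied from Comment 4 of this bug report.
AVC_LINES = """\
type=AVC msg=audit(1386633008.042:1187): avc:  denied  { getattr } for  pid=7846 comm="ruby-mri" path="/usr/sbin/sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633008.048:1188): avc:  denied  { execute } for  pid=7846 comm="ruby-mri" name="sendmail.sendmail" dev="dm-1" ino=397488 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1386633009.042:1189): avc:  denied  { search } for  pid=8091 comm="virt-what" name="1" dev="proc" ino=5770 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1386633009.042:1189): avc:  denied  { getattr } for  pid=8091 comm="virt-what" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633009.046:1190): avc:  denied  { read } for  pid=8103 comm="cat" name="environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1386633009.046:1190): avc:  denied  { open } for  pid=8103 comm="cat" path="/proc/1/environ" dev="proc" ino=5772 scontext=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
""".splitlines()

# Fields a policy rule needs: verdict, permission set, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the parsed fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; allow rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rules(lines):
    """Merge denials into allow rules keyed by (source type, target type, class),
    the aggregation audit2allow performs (permission order may differ from its output)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
```

The grouping is mechanical; deciding whether openshift_cron_t should actually be allowed to execute sendmail or read /proc/1/environ is the policy-maintainer judgement that Comment 4 defers to dwalsh.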
Comment 7 Daniel Walsh 2016-06-10 09:43:02 EDT
Closing this ancient bugzilla, hopefully it is fixed, if not reopen.