Bug 968344 - pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
Summary: pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 966876 1004824
TreeView+ depends on / blocked
 
Reported: 2013-05-29 13:46 UTC by Jason DeTiberus
Modified: 2014-09-30 23:35 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.7.19-202.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1004824 (view as bug list)
Environment:
Last Closed: 2013-11-21 10:29:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
Patch against selinux-policy-3.7.19-200 (1.06 KB, patch)
2013-05-29 13:46 UTC, Jason DeTiberus 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 966876 0 unspecified CLOSED AVC denials when running rhc create-app 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Internal Links: 966876

Description Jason DeTiberus 2013-05-29 13:46:06 UTC 
Created attachment 754385 [details]
Patch against selinux-policy-3.7.19-200

Description of problem:
AVC denials when SSHing into an Openshift Enterprise Node.

Version-Release number of selected component (if applicable):
Openshift Enterprise 1.2 Candidate 
selinux-policy-3.7.19-200.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and Configure Openshift Enterprise 1.2 from the latest puddle
2. SSH into a gear
3.

Actual results:
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Comment 1 Daniel Walsh 2013-06-04 20:44:36 UTC 
Looks like this is fixed in selinux-policy-3.7.19-202.el6
Comment 3 Miroslav Grepl 2013-06-10 06:35:58 UTC 
Yes, it has been added.
Comment 10 errata-xmlrpc 2013-11-21 10:29:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.