Created attachment 754385
Patch against selinux-policy-3.7.19-200

Description of problem:
AVC denials when SSHing into an Openshift Enterprise Node.

Version-Release number of selected component (if applicable):
Openshift Enterprise 1.2 Candidate
selinux-policy-3.7.19-200.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and Configure Openshift Enterprise 1.2 from the latest puddle
2. SSH into a gear
3.

Actual results:
type=AVC msg=audit(1369383282.771:1078): avc: denied { search } for pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc: denied { write } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc: denied { open } for pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc: denied { getattr } for pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc: denied { getattr } for pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Looks like this is fixed in selinux-policy-3.7.19-202.el6
Yes, it has been added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html