Bug 968344 - pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.4
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks: 966876 1004824
  Show dependency treegraph
 
Reported: 2013-05-29 09:46 EDT by Jason DeTiberus
Modified: 2014-09-30 19:35 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-202.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1004824 (view as bug list)
Environment:
Last Closed: 2013-11-21 05:29:34 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch against selinux-policy-3.7.19-200 (1.06 KB, patch)
2013-05-29 09:46 EDT, Jason DeTiberus
no flags Details | Diff

  None (edit)
Description Jason DeTiberus 2013-05-29 09:46:06 EDT
Created attachment 754385 [details]
Patch against selinux-policy-3.7.19-200

Description of problem:
AVC denials when SSHing into an Openshift Enterprise Node.

Version-Release number of selected component (if applicable):
Openshift Enterprise 1.2 Candidate 
selinux-policy-3.7.19-200.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and Configure Openshift Enterprise 1.2 from the latest puddle
2. SSH into a gear
3.

Actual results:
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { search } for  pid=1065 comm="sshd" name="cgroup" dev=dm-0 ino=786433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { write } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.771:1078): avc:  denied  { open } for  pid=1065 comm="sshd" name="tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383282.772:1079): avc:  denied  { getattr } for  pid=1065 comm="sshd" path="/cgroup/cpu/openshift/519f215b6892df8985000065/tasks" dev=cgroup ino=642682 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1369383283.171:1080): avc:  denied  { getattr } for  pid=1071 comm="oo-namespace-in" path="/var/lib/openshift/519f215b6892df8985000065/.env/CARTRIDGE_VERSION_2" dev=dm-0 ino=1056888 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
No AVC denials

Additional info:
Comment 1 Daniel Walsh 2013-06-04 16:44:36 EDT
Looks like this is fixed in selinux-policy-3.7.19-202.el6
Comment 3 Miroslav Grepl 2013-06-10 02:35:58 EDT
Yes, it has been added.
Comment 10 errata-xmlrpc 2013-11-21 05:29:34 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.