Bug 973984 - Produce "AVC" log in many situations such as create scaleable app or embed postgresql
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified, OS: Unspecified
Priority: high, Severity: high
Assigned To: Rob Millner
libra bugs
Reported: 2013-06-13 04:25 EDT by xjia
Modified: 2015-07-19 20:52 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-06-24 10:54:16 EDT
Type: Bug
Description xjia 2013-06-13 04:25:26 EDT
Description of problem:
Embedding postgresql in an app:
type=AVC msg=audit(1371108807.011:125020): avc:  denied  { node_bind } for  pid=20323 comm="postgres" saddr=127.0.0.1 scontext=unconfined_u:system_r:openshift_t:s0:c0,c501 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket

Create any scalable app:
type=AVC msg=audit(1371108286.933:124718): avc:  denied  { write } for  pid=14049 comm="ip" path="/var/run/openshift-port-proxy.lock" dev=xvde2 ino=263811 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_run_t:s0 tclass=file
type=AVC msg=audit(1371108286.933:124718): avc:  denied  { write } for  pid=14049 comm="ip" path="/var/run/openshift-port-proxy-reload.lock" dev=xvde2 ino=263812 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_run_t:s0 tclass=file

Create jenkins app:
type=AVC msg=audit(1371110993.863:125630): avc:  denied  { node_bind } for  pid=5811 comm="java" src=33848 scontext=unconfined_u:system_r:openshift_t:s0:c0,c504 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket

Maybe I didn't cover all the situations, but it seems all of these are caused by the same reason: "c1023".
Version-Release number of selected component (if applicable):
devenv_3355

How reproducible:
always

Steps to Reproduce:
1. SSH into node, and tail -F /var/log/audit/audit.log | grep AVC
2. Create any app and embed postgresql into this app

Actual results:
1. type=AVC msg=audit(1371108807.011:125020): avc:  denied  { node_bind } for  pid=20323 comm="postgres" saddr=127.0.0.1 scontext=unconfined_u:system_r:openshift_t:s0:c0,c501 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket

Expected results:
No such error.

Additional info:
Comment 1 Rob Millner 2013-06-13 17:30:30 EDT
The Postgres AVC error, the scalable app AVC error, and the Jenkins AVC error are all separate bugs.

Postgres is trying to bind to address 127.0.0.1, forbidden in OpenShift.

Jenkins is trying to bind to port 33848, forbidden in OpenShift.


The scalable app issue appears to be a file descriptor being inherited by a child process across an SELinux transition (running the ip command inside of openshift-port-proxy-cfg).
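As an added triage helper (not part of this bug report or of origin-server), the following Python parses the three AVC lines quoted above into their fields and splits each SELinux context into user, role, type and MCS level, so the source domain, target type and categories of each denial can be compared; the lock-file rule in `classify` is an assumption drawn from the explanation in comment 1, not a rule from the page.

```python
import re
from collections import Counter

# Constructed sample input: the three AVC lines quoted in this bug report.
AVC_LINES = [
    'type=AVC msg=audit(1371108807.011:125020): avc:  denied  { node_bind } for  pid=20323 comm="postgres" saddr=127.0.0.1 scontext=unconfined_u:system_r:openshift_t:s0:c0,c501 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket',
    'type=AVC msg=audit(1371108286.933:124718): avc:  denied  { write } for  pid=14049 comm="ip" path="/var/run/openshift-port-proxy.lock" dev=xvde2 ino=263811 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1371110993.863:125630): avc:  denied  { node_bind } for  pid=5811 comm="java" src=33848 scontext=unconfined_u:system_r:openshift_t:s0:c0,c504 tcontext=system_u:object_r:node_t:s0:c1023 tclass=udp_socket',
]

# Shape of an AVC record: 'avc:  denied  { perm ... } for  key=value key="quoted" ...'
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def split_context(ctx):
    """Split user:role:type:level; the level itself may contain ':' (e.g. s0:c0,c501)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def classify(rec):
    """Heuristic label for a denial (assumption based on the triage in comment 1)."""
    src, tgt = split_context(rec["scontext"]), split_context(rec["tcontext"])
    if rec["tclass"].endswith("_socket") and "node_bind" in rec["perms"]:
        return f"{rec['comm']} ({src['type']}) tried to bind a {rec['tclass']} to a node labelled {tgt['level']}"
    if rec["tclass"] == "file" and rec.get("path", "").endswith(".lock"):
        # A lock file written from an unrelated domain suggests an fd inherited across a transition.
        return f"{rec['comm']} ({src['type']}) wrote lock file {rec['path']} ({tgt['type']}): fd likely inherited across a domain transition"
    return "unclassified"


def summarize(lines):
    """Count denials per (comm, permissions, target class) for quick triage of an audit.log tail."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["verdict"] == "denied":
            counts[(rec["comm"], " ".join(rec["perms"]), rec["tclass"])] += 1
    return counts
```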
Comment 2 openshift-github-bot 2013-06-14 03:32:10 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/207c4676ae97061860ad4315d2c65df1b062047f
Bug 973984 - Inheriting the lock file FDs was causing AVC denials.
Comment 3 Rob Millner 2013-06-14 14:49:49 EDT
The ip command issue was fixed in the above commit.

In the version of php installed on OpenShift, there is no way to turn off the statistics collector and no way to tell it to bind to another IP address.  It's just going to generate that message every time.
Comment 4 Rob Millner 2013-06-14 14:50:28 EDT
Sorry, make that "postgresql", not "php".  The joys of multitasking.
Comment 5 Rob Millner 2013-06-14 16:59:13 EDT
Jenkins has no configuration option to disable trying to bind to or send multicast packets on UDP port 33848.  We're just going to have to live with the AVC denial.
Comment 6 Rob Millner 2013-06-14 17:00:13 EDT
Of the three issues reported:
The scalable app issue: fixed in the above commit.

Jenkins: cannot be fixed.

Postgres: cannot be fixed.
Comment 7 Meng Bo 2013-06-17 05:59:08 EDT
According to Rob's comment, check the scalable app issue on devenv_3368,

tailf /var/log/audit/audit.log |grep AVC
while creating a scalable app.

No AVC denial generated.

Move bug to verified.
