Description of problem:
At the end of a Jenkins build, an AVC denial is generated in audit.log on the node.

Version-Release number of selected component (if applicable):
http://download.lab.bos.redhat.com/rel-eng/OpenShiftEnterprise/1.2/2013-06-26.3/
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a php app and a jenkins app, and embed jenkins-client in the php app.
2. Make some changes in the php app git repo to trigger a jenkins build.
3. Monitor the audit.log on the node; an AVC denial is generated once the build action completes as "SUCCESS".

    [root@node1 ~]# tailf /var/log/audit/audit.log |grep avc
    type=AVC msg=audit(1372654405.272:100925): avc: denied { getattr } for pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file

Actual results:

Expected results:
No such message in the log

Additional info:

Miroslav,

Would it be possible to allow processes running in Gears to read MTRR info?

    require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
    }

    #============= openshift_t ==============
    allow openshift_t mtrr_device_t:file getattr;

This is fairly low severity for now so it could wait until RHEL 6.5.

Are you getting more AVC msgs in permissive mode?
There are no additional AVC messages in permissive mode.
Could you open a new rhel6.5 bug?
Verified this bug on puddle: 2.0/2013-11-15.1
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

At the end of a Jenkins build, no AVC denial is generated in audit.log on the node.