Bug 1112173 - sshd_t / var_log_t denials in audit.log
Summary: sshd_t / var_log_t denials in audit.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.5.0
Assignee: Douglas Schilling Landgraf
QA Contact: Virtualization Bugs
URL:
Whiteboard: node
Depends On:
Blocks: 1123329 rhev3.5beta rhev35betablocker 1156165 rhev35rcblocker rhev35gablocker
Reported: 2014-06-23 09:33 UTC by Ying Cui
Modified: 2016-02-10 20:11 UTC (History)

Fixed In Version: rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 20:59:16 UTC
oVirt Team: Node
Target Upstream Version:


Attachments:
audit.log (deleted), 2014-09-29 09:13 UTC, cshao
rhevh7-1006-audit.log (deleted), 2014-10-08 10:16 UTC, cshao


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:0160 normal SHIPPED_LIVE ovirt-node bug fix and enhancement update 2015-02-12 01:34:52 UTC
oVirt gerrit 30242 None None None Never
oVirt gerrit 33412 None None None Never
oVirt gerrit 33447 None None None Never

Description Ying Cui 2014-06-23 09:33:37 UTC
Description of problem:
After RHEVH is installed, there are AVC denied errors in audit.log.

Version:
Red Hat Enterprise Virtualization Hypervisor release 6.5 (20140618.0.el6ev)
ovirt-node-3.0.1-18.el6_5.10.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
Always.

Steps to Reproduce:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to rhevh,

# grep "avc:  denied" /var/log/audit/audit.log  
type=AVC msg=audit(1403511143.852:28066): avc:  denied  { write } for  pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file


  
Actual results:
AVC msgs in audit.log

Expected results:
No avc denied errors in audit.log.


Additional info:

Comment 1 Douglas Schilling Landgraf 2014-07-29 21:53:30 UTC
Moving to POST, next rebase should resolve this report.

Comment 3 cshao 2014-09-28 06:57:03 UTC
Test version:
rhev-hypervisor7-7.0-20140926.0.iso
ovirt-node-3.1.0-0.17.20140925git29c3403.el7.noarch

This issue still exists in rhev-hypervisor7-7.0-20140926.0.iso.
So changing the status from ON_QA to ASSIGNED.

Comment 4 Fabian Deutsch 2014-09-29 08:35:21 UTC
Chen, could you please attach /var/log/audit/audit.log

Comment 5 cshao 2014-09-29 09:13:57 UTC
Created attachment 942241 [details]
audit.log

Upload audit.log

Comment 6 Douglas Schilling Landgraf 2014-09-29 14:26:15 UTC
(In reply to shaochen from comment #5)
> Created attachment 942241 [details]
> audit.log
> 
> Upload audit.log

Hi shaochen,

Thanks for the audit.log
I do believe we got a different report here; it would be nice next time to open a different bug.

I can see:
#1)
type=AVC msg=audit(1411981667.351:981): avc:  denied  { search } for  pid=3081 comm="sanlock" name="/" dev="dm-9" ino=2 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved: 
ovirt.te: sanlock_t auditd_log_t:dir
http://gerrit.ovirt.org/#/c/33447/

#2)
type=AVC msg=audit(1411981667.526:986): avc:  denied  { search } for  pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir

Should be resolved:
selinux: More additional rules for el7
http://gerrit.ovirt.org/#/c/33412/

Comment 7 Fabian Deutsch 2014-09-29 14:31:43 UTC
Because of the nature of SELinux, denials will always come up over time.

So, please do not re-open this bug or set it to FailedQA, but please open a new bug for each denial you are seeing, otherwise we'll never be able to close down this bug.

Comment 8 cshao 2014-09-30 03:29:16 UTC
Thank you for the reminder, I will report a new bug for a different AVC report next time.

Thanks!

Comment 9 cshao 2014-10-08 10:15:45 UTC
Test version:
rhev-hypervisor7-7.0-20141006.0.el7ev
ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch

Test steps:
1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
2. Log in to rhevh,

# grep "avc:  denied" /var/log/audit/audit.log 
type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for  pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file


Still seeing sshd AVC denied errors in audit.log.
So changing bug status to ASSIGNED.
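
The denials quoted in the description and in comments 6 and 9, grouped by (source type, target type, class), which is the unit comment 7 asks to be filed as one bug each. This is an added example, not part of the original report or of ovirt-node; the function names are hypothetical, and it assumes the audit convention that an unquoted comm= value is a hex-encoded string.

```python
import re
from collections import defaultdict

# AVC records copied from the description and comments 6 and 9 of this bug.
SAMPLE = [
    'type=AVC msg=audit(1403511143.852:28066): avc:  denied  { write } for  pid=30664 comm="sshd" name="lastlog" dev=dm-8 ino=36 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1411981667.526:986): avc:  denied  { search } for  pid=3112 comm=72733A6D61696E20513A526567 name="/" dev="dm-9" ino=2 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
    'type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for  pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
    'type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for  pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file',
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def decode_comm(raw):
    """Quoted comm is literal; unquoted comm is hex (assumed audit convention)."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    # Whitespace split is safe: values containing spaces arrive hex-encoded.
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": set(m.group(1).split()),
        "comm": decode_comm(fields.get("comm", "")),
        "source": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(lines):
    """Collapse repeated records into one entry per (source, target, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} comm={sorted(g['comms'])} x{g['count']}")
```

Grouped this way, the sshd records from comment 9 land under target type auditd_log_t, separate from the sshd_t / var_log_t entry this bug was opened for.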

Comment 10 cshao 2014-10-08 10:16:42 UTC
Created attachment 944924 [details]
rhevh7-1006-audit.log

Comment 11 Fabian Deutsch 2014-10-09 13:28:19 UTC
(In reply to shaochen from comment #9)
> Test version:
> rhev-hypervisor7-7.0-20141006.0.el7ev
> ovirt-node-3.1.0-0.20.20141006gitc421e04.el7.noarch
> selinux-policy-3.12.1-153.el7_0.11.noarch
> 
> Test steps:
> 1. RHEV-H installed successfully. SELinux is in enforcing mode by default.
> 2. Log in to rhevh,
> 
> # grep "avc:  denied" /var/log/audit/audit.log 
> type=AVC msg=audit(1412762736.026:1743): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1744): avc:  denied  { write } for 
> pid=4627 comm="sshd" name="wtmp" dev="dm-11" ino=34
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> type=AVC msg=audit(1412762736.026:1745): avc:  denied  { getattr } for 
> pid=4627 comm="sshd" path="/var/log/lastlog" dev="dm-11" ino=35
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
> 
> 
> Still seeing sshd AVC denied errors in audit.log.
> So changing bug status to ASSIGNED.

This denial is covered in bug 1128065 and related to a different cause.

Comment 12 Ying Cui 2015-01-21 11:43:13 UTC
The sshd_t/var_log_t denials from the bug description did not exist on the following builds.
rhev-hypervisor7-7.0-20150114.0
ovirt-node-3.2.1-4.el7.noarch

rhev-hypervisor6-6.6-20150114.0
ovirt-node-3.2.1-4.el6.noarch

For another denial on sshd, we already reported new bug 1184341 to track the details.

Comment 14 errata-xmlrpc 2015-02-11 20:59:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html

