Bug #43396
closed
selinux denial on el8
Description
SELinux denials found on ubuntu@smithi171.front.sepia.ceph.com:
['type=AVC msg=audit(1576786614.808:3780): avc: denied { open } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.808:3782): avc: denied { map } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Name" dev="sda1" ino=61070 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.268:3768): avc: denied { getattr } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.581:3778): avc: denied { unlink } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.268:3766): avc: denied { read write } for pid=15724 comm="rhsmcertd-worke" name=".dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.337:3775): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/cache/dnf/metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.662:3779): avc: denied { read } for pid=15724 comm="rhsmcertd-worke" name="satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.337:3775): avc: denied { add_name } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1576786614.439:3776): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/cache/dnf/epel-fafd94c310c51e1e/metalink.xml" dev="sda1" ino=262189 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.808:3780): avc: denied { read } for pid=15987 comm="setroubleshootd" name="Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.337:3775): avc: denied { create } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.808:3781): avc: denied { lock } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.268:3767): avc: denied { lock } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.337:3774): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/log/hawkey.log" dev="sda1" ino=60817 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.268:3766): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.662:3779): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/etc/dnf/modules.d/satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.333:3773): avc: denied { map } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/Name" dev="sda1" ino=61070 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1576786614.337:3775): avc: denied { write } for pid=15724 comm="rhsmcertd-worke" name="dnf" dev="sda1" ino=60792 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1576786614.581:3778): avc: denied { remove_name } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1576786614.464:3777): avc: denied { setattr } for pid=15724 comm="rhsmcertd-worke" name="6e2fe611f78ac434c2918bac1eec468dbd24c9b4cdb65bf6a744d10f764f3284-primary.xml.gz" dev="sda1" ino=262155 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1']
/a/sage-2019-12-19_19:10:50-rados-master-distro-basic-smithi/4615422
Updated by Patrick Donnelly over 4 years ago
- Status changed from New to In Progress
- Assignee set to Patrick Donnelly
- Target version set to v15.0.0
- Source set to Q/A
2020-01-03T23:04:56.964 DEBUG:teuthology.run_tasks:Unwinding manager selinux
2020-01-03T23:04:57.106 INFO:teuthology.orchestra.run.smithi091:> mkdir /home/ubuntu/cephtest/archive/audit && sudo cp /var/log/audit/audit.log /home/ubuntu/cephtest/archive/audit && sudo chown $USER /home/ubuntu/cephtest/archive/audit/audit.log && gzip /home/ubuntu/cephtest/archive/audit/audit.log
2020-01-03T23:04:57.175 INFO:teuthology.orchestra.run.smithi168:> mkdir /home/ubuntu/cephtest/archive/audit && sudo cp /var/log/audit/audit.log /home/ubuntu/cephtest/archive/audit && sudo chown $USER /home/ubuntu/cephtest/archive/audit/audit.log && gzip /home/ubuntu/cephtest/archive/audit/audit.log
2020-01-03T23:04:57.242 INFO:teuthology.orchestra.run.smithi168:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\)'
2020-01-03T23:04:57.273 DEBUG:teuthology.orchestra.run:got remote process result: 1
2020-01-03T23:04:57.274 INFO:teuthology.orchestra.run.smithi091:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\)'
2020-01-03T23:04:57.304 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5216): avc: denied { read write } for pid=22266 comm="rhsmcertd-worke" name=".dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5216): avc: denied { open } for pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5217): avc: denied { lock } for pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5218): avc: denied { getattr } for pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/__db.001" dev="sda1" ino=262271 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5219): avc: denied { map } for pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/__db.001" dev="sda1" ino=262271 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5220): avc: denied { open } for pid=22266 comm="rhsmcertd-worke" path="/var/log/hawkey.log" dev="sda1" ino=60817 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc: denied { write } for pid=22266 comm="rhsmcertd-worke" name="dnf" dev="sda1" ino=60792 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc: denied { add_name } for pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc: denied { create } for pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc: denied { open } for pid=22266 comm="rhsmcertd-worke" path="/var/cache/dnf/metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.351:5222): avc: denied { open } for pid=22266 comm="rhsmcertd-worke" path="/var/cache/dnf/ceph-15444cae4656afef/repodata/repomd.xml" dev="sda1" ino=262154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.478:5223): avc: denied { remove_name } for pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.478:5223): avc: denied { unlink } for pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.559:5224): avc: denied { read } for pid=22266 comm="rhsmcertd-worke" name="satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.559:5224): avc: denied { open } for pid=22266 comm="rhsmcertd-worke" path="/etc/dnf/modules.d/satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5225): avc: denied { read } for pid=22320 comm="setroubleshootd" name="Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5225): avc: denied { open } for pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5226): avc: denied { lock } for pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5227): avc: denied { map } for pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Name" dev="sda1" ino=262251 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5230): avc: denied { read } for pid=22351 comm="rpm" name="Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5230): avc: denied { open } for pid=22351 comm="rpm" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5231): avc: denied { lock } for pid=22351 comm="rpm" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.310 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5232): avc: denied { map } for pid=22351 comm="rpm" path="/var/lib/rpm/Name" dev="sda1" ino=262251 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.310 DEBUG:teuthology.task.selinux:ubuntu@smithi091.front.sepia.ceph.com has 23 denials
From: /ceph/teuthology-archive/pdonnell-2020-01-03_20:54:58-fs-wip-pdonnell-testing-20200103.181716-distro-basic-smithi/4637211/teuthology.log
and others.
Updated by Patrick Donnelly over 4 years ago
- Status changed from In Progress to Fix Under Review
Updated by Kefu Chai over 4 years ago
- Status changed from Fix Under Review to Resolved