Bug #11560

foreman-debug to skip USER_AVC SELinux audit "denials"

Added by Bryan Kearney almost 4 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: foreman-debug

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1209794
Description of problem:
When checking for SELinux denials, foreman-debug also wrongly reports USER_AVC records like the example below. Those are logs of policy load and not real denials. foreman-debug then wrongly reports "DENIALS: 12" to stdout.

Version-Release number of selected component (if applicable):
foreman-debug-1.7.2.15-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. e.g. on freshly installed RHEL7.1 and Sat6.1 (most probably reproducible anywhere), run foreman-debug
2. Check its output and the selinux_denials.log it generates

Actual results:
foreman-debug output having:

HOSTNAME: pmoravec-sat61.gsslab.brq.redhat.com
OS: redhat
RELEASE: Red Hat Enterprise Linux Server release 7.1 (Maipo)
FOREMAN: 1.7.2
RUBY: ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
PUPPET: 3.6.2
DENIALS: 12

selinux_denials.log having 12 records like:
time->Wed Apr 8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=11) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Expected results:
foreman-debug output to have "DENIALS: 0"
selinux_denials.log without the USER_AVC logs

Additional info:
/me not sure what all audit logs could be of USER_AVC type, or if there could be also real denials. But definitely the above logs are not SELinux denials and should not be reported as such by foreman-debug.
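
The distinction the report draws, as an added example that is not foreman-debug's code or the fix that was merged: USER_AVC records are written by userspace object managers (systemd, D-Bus) and can carry either a policy load notice or a real denial, so the sketch classifies each AVC/USER_AVC record by its avc message rather than by record type. The function names are hypothetical, and every sample record except the first (quoted from this report) is constructed.

```bash
#!/bin/bash
# Added example (not foreman-debug code). classify_avc, count_denials and
# sample_records are hypothetical names.

# Read audit records (audit.log lines or ausearch output) on stdin and
# classify every AVC / USER_AVC record by the text of its avc message.
classify_avc() {
  awk '
    # "time->" headers, "----" separators and other record types are skipped.
    /^type=(AVC|USER_AVC) / {
      if ($0 ~ /avc:[ ]+denied/) denials++                           # real denial
      else if ($0 ~ /avc:[ ]+received policyload notice/) notices++  # policy reload
      else other++                                                   # anything else
    }
    END { printf "denials=%d notices=%d other=%d\n", denials, notices, other }
  '
}

# Print only the number that belongs after "DENIALS:".
count_denials() {
  classify_avc | sed -n 's/^denials=\([0-9]*\) .*/\1/p'
}

# Sample input. The first record is the one quoted in this report; the
# records after it are constructed for illustration.
sample_records() {
  cat <<'EOF'
time->Wed Apr 8 09:31:02 2015
type=USER_AVC msg=audit(1428478262.651:1213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=11) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(1428478300.120:1220): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=12) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(1428478305.400:1231): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1428478305.400:1231): avc:  denied  { read } for  pid=2310 comm="httpd" name="example.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
type=USER_AVC msg=audit(1428478310.200:1240): pid=612 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.example.Demo member=Ping dest=org.example.Demo spid=2310 tpid=2290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
EOF
}

sample_records | classify_avc
```

On a live system the same functions can be fed from `ausearch -m avc,user_avc` or from `/var/log/audit/audit.log` directly.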

Associated revisions

Revision ee2d45d0 (diff)
Added by Lukas Zapletal almost 4 years ago

Fixes #11560 - foreman-debug counts denials correctly

History

#1 Updated by Bryan Kearney almost 4 years ago

  • Category set to foreman-debug

#2 Updated by Lukas Zapletal almost 4 years ago

We can use

ausearch -m avc -r

instead

#3 Updated by The Foreman Bot almost 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2637 added
  • Pull request deleted ()

#4 Updated by Lukas Zapletal almost 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal almost 4 years ago

  • Legacy Backlogs Release (now unused) set to 63
  • Assignee set to Lukas Zapletal
