  1. JBoss Core Services
  2. JBCS-250

SELinux problem with downgrade while service is running


    • Release Notes

      1) Install JBCS httpd with the SELinux subpackage to enforce the SELinux policy:

      # yum install jbcs-httpd24-httpd-selinux -y
      

      2) Start the httpd service (it has to be running to cause the SELinux issues):

      # service jbcs-httpd24-httpd start
      

      3) Uninstall the SELinux package to remove the policy:

      # yum remove jbcs-httpd24-httpd-selinux -y
      

      4) Check the audit.log for entries:

      # grep httpd /var/log/audit/audit.log | wc -l
      4
      

      During TPS testing, some issues occur when trying to upgrade or downgrade jbcs.
      RHEL6 i386

      DeleteTest-selinux Test
      Running: /sbin/ausearch  -sv no -m AVC -ts  12/15/2016 02:30:45 
       SELinux Check: FAIL
       SELinux AVC messages found:
       ----
       time->Thu Dec 15 02:32:27 2016
       type=SYSCALL msg=audit(1481787147.003:149955): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=bfc07f9c a2=5e a3=10f70e0 items=0 ppid=1 pid=2242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17634 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481787147.003:149955): avc:  denied  { append } for  pid=2242 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=851301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 02:32:27 2016
       type=SYSCALL msg=audit(1481787147.006:149956): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=bfc07dfc a2=aa a3=10f70e0 items=0 ppid=1 pid=2242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17634 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481787147.006:149956): avc:  denied  { append } for  pid=2242 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=851301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 02:32:27 2016
       type=SYSCALL msg=audit(1481787147.006:149957): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=bfc07dfc a2=a3 a3=10f70e0 items=0 ppid=1 pid=2242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17634 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481787147.006:149957): avc:  denied  { append } for  pid=2242 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=851301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
      

      RHEL6 x86_64

      DeleteTest-selinux Test
      Running: /sbin/ausearch  -sv no -m AVC -ts  12/15/2016 03:17:40 
       SELinux Check: FAIL
       SELinux AVC messages found:
       ----
       time->Thu Dec 15 03:22:28 2016
       type=SYSCALL msg=audit(1481790148.453:149916): arch=c000003e syscall=2 success=no exit=-13 a0=7f03158393a8 a1=80042 a2=1b6 a3=2e747865746e6f63 items=0 ppid=1 pid=27728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790148.453:149916): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.context.contexts.slotmem" dev=dm-0 ino=405884 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:22:28 2016
       type=SYSCALL msg=audit(1481790148.449:149915): arch=c000003e syscall=2 success=no exit=-13 a0=7f0315839358 a1=80042 a2=1b6 a3=646f6e2e65646f6e items=0 ppid=1 pid=27728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790148.449:149915): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.node.nodes.slotmem" dev=dm-0 ino=405883 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:22:28 2016
       type=SYSCALL msg=audit(1481790148.454:149917): arch=c000003e syscall=2 success=no exit=-13 a0=7f0315839400 a1=80042 a2=1b6 a3=736f682e74736f68 items=0 ppid=1 pid=27728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790148.454:149917): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.host.hosts.slotmem" dev=dm-0 ino=405886 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:22:28 2016
       type=SYSCALL msg=audit(1481790148.454:149918): arch=c000003e syscall=2 success=no exit=-13 a0=7f0315839450 a1=80042 a2=1b6 a3=7265636e616c6162 items=0 ppid=1 pid=27728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790148.454:149918): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.balancer.balancers.slotmem" dev=dm-0 ino=405887 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:22:28 2016
       type=SYSCALL msg=audit(1481790148.454:149919): arch=c000003e syscall=2 success=no exit=-13 a0=7f03158394a8 a1=80042 a2=1b6 a3=642e6e69616d6f64 items=0 ppid=1 pid=27728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790148.454:149919): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.domain.domain.slotmem" dev=dm-0 ino=405889 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:23:53 2016
       type=SYSCALL msg=audit(1481790233.000:149921): arch=c000003e syscall=1 success=no exit=-13 a0=2 a1=7ffe362644b0 a2=ab a3=7ffe362664ad items=0 ppid=1 pid=29786 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790233.000:149921): avc:  denied  { append } for  pid=29786 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=438457 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:23:53 2016
       type=SYSCALL msg=audit(1481790233.000:149922): arch=c000003e syscall=1 success=no exit=-13 a0=2 a1=7ffe362644b0 a2=a4 a3=7ffe362664ad items=0 ppid=1 pid=29786 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24894 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481790233.000:149922): avc:  denied  { append } for  pid=29786 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=438457 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
      

      RHEL6 ppc64

      DeleteTest-selinux Test
      Running: /sbin/ausearch  -sv no -m AVC -ts  12/15/2016 03:09:09 
       SELinux Check: FAIL
       SELinux AVC messages found:
       ----
       time->Thu Dec 15 03:10:06 2016
       type=SYSCALL msg=audit(1481789406.989:2332): arch=80000015 syscall=4 success=no exit=-13 a0=2 a1=fffef61d7a8 a2=5e a3=0 items=0 ppid=1 pid=17614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=360 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481789406.989:2332): avc:  denied  { append } for  pid=17614 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=800310 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
       ----
       time->Thu Dec 15 03:10:06 2016
       type=SYSCALL msg=audit(1481789406.989:2331): arch=80000015 syscall=4 success=no exit=-13 a0=2 a1=fffef61d568 a2=9e a3=0 items=0 ppid=1 pid=17614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=360 comm="httpd" exe="/opt/rh/jbcs-httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
       type=AVC msg=audit(1481789406.989:2331): avc:  denied  { append } for  pid=17614 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=800310 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
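
An added example, not part of the original report: a small Python parser that groups the AVC denials above by source type, permission, target type and object, making it visible that every record is `httpd_t` acting on a `usr_t` file. The sample input reuses AVC records from the report with the SYSCALL line shortened; the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: AVC records taken from the report above; the SYSCALL line is
# shortened. Assembled here so the example runs offline.
SAMPLE = """\
type=SYSCALL msg=audit(1481787147.003:149955): arch=40000003 syscall=4 success=no exit=-13 comm="httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1481787147.003:149955): avc:  denied  { append } for  pid=2242 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=851301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1481787147.006:149956): avc:  denied  { append } for  pid=2242 comm="httpd" path="/opt/rh/jbcs-httpd24/root/var/log/httpd/error_log" dev=dm-0 ino=851301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1481790148.449:149915): avc:  denied  { write } for  pid=27728 comm="httpd" name="manager.node.nodes.slotmem" dev=dm-0 ino=405883 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "source_type": selinux_type(kv.get("scontext")),
        "target_type": selinux_type(kv.get("tcontext")),
        "tclass": kv.get("tclass"),
        # Some records carry a full path, others only a file name.
        "target": kv.get("path") or kv.get("name"),
    }

def summarize(text):
    """Count denials per (source type, permission, target type, class, object)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source_type"], perm, rec["target_type"],
                        rec["tclass"], rec["target"])] += 1
    return counts

if __name__ == "__main__":
    for (src, perm, tgt, cls, obj), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}  {obj}")
```

On a live system the same functions can be fed the output of the `ausearch -sv no -m AVC` command shown in the report.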
      

        1. JBCS-250.patch
          0.7 kB
          Coty Sutherland

              gzaronik@redhat.com George Zaronikas
              jonderka@redhat.com Jan Onderka
              Jan Onderka Jan Onderka