RHEL-14277

[AWS] Many AVC failures seen with: denied { create } comm="rhc-worker-play" and comm="ansible-playboo".

Details

    • rhc-worker-playbook-0.1.8-7.el9
    • Normal
    • sst_insights
    • 22
    • False
    • No
    • Red Hat Enterprise Linux

    Description

      Description of problem:
      Many AVC failures seen with: denied { create } comm="rhc-worker-play" and comm="ansible-playboo".


      type=PROCTITLE msg=audit(04/19/2023 12:26:23.290:371) : proctitle=/usr/bin/python3 /usr/libexec/rhc/rhc-worker-playbook.worker
      type=SYSCALL msg=audit(04/19/2023 12:26:23.290:371) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fbc46f27050 a2=O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC a3=0x1a4 items=0 ppid=24199 pid=24518 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhc-worker-play exe=/usr/bin/python3.9 subj=system_u:system_r:rhcd_t:s0 key=(null)
      type=AVC msg=audit(04/19/2023 12:26:23.290:371) : avc: denied { write } for pid=24518 comm=rhc-worker-play name=_pycache_ dev="nvme0n1p4" ino=25798780 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
      ----
      type=PROCTITLE msg=audit(04/19/2023 12:26:37.251:393) : proctitle=/usr/bin/python3.11 /bin/ansible-playbook /tmp/tmpra9n_3m3/project/main.json
      type=SYSCALL msg=audit(04/19/2023 12:26:37.251:393) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f0ab341e2d0 a2=O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC a3=0x1a4 items=0 ppid=24518 pid=24948 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=unset comm=ansible-playboo exe=/usr/bin/python3.11 subj=system_u:system_r:rhcd_t:s0 key=(null)
      type=AVC msg=audit(04/19/2023 12:26:37.251:393) : avc: denied { write } for pid=24948 comm=ansible-playboo name=_pycache_ dev="nvme0n1p4" ino=1354793 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0


      Version-Release number of selected components (if applicable):
      RHEL-9.2

      How reproducible:
      100%

      Steps to Reproduce:
      1. Launch an AWS instance with ami-0a7cc1e66703db662 (RHEL-9.2.0-20230419.48)
      2. Check if AVC logs exist
         sudo ausearch -m AVC -ts today

      Actual results:
      Many AVC denials seen for comm="rhc-worker-play" and comm="ansible-playboo"
      http://10.73.196.244/results/iscsi/os_tests/20230419/home/jenkins/workspace/aws_os_tests_x86_64-844/os_tests_result_i3en.6xlarge/attachments/TestGeneralCheck.os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog/os_tests.tests.test_general_check.TestGeneralCheck.test_check_avclog.debug
      ...

      Expected results:
      No AVC denial should be there

      Additional info:
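Added example, not part of the original report and not Red Hat tooling: a Python triage script that correlates the AVC and SYSCALL records shown in the description by audit event serial and collapses them into unique (source type, target type, class, permission) tuples. The sample input is constructed from the two events above with the SYSCALL records trimmed; the names `summarize`, `fields` and `SAMPLE` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the report's two events (`ausearch -i` style), SYSCALL records trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(04/19/2023 12:26:23.290:371) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) pid=24518 comm=rhc-worker-play exe=/usr/bin/python3.9 subj=system_u:system_r:rhcd_t:s0
type=AVC msg=audit(04/19/2023 12:26:23.290:371) : avc: denied { write } for pid=24518 comm=rhc-worker-play name=_pycache_ dev="nvme0n1p4" ino=25798780 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
----
type=SYSCALL msg=audit(04/19/2023 12:26:37.251:393) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) pid=24948 comm=ansible-playboo exe=/usr/bin/python3.11 subj=system_u:system_r:rhcd_t:s0
type=AVC msg=audit(04/19/2023 12:26:37.251:393) : avc: denied { write } for pid=24948 comm=ansible-playboo name=_pycache_ dev="nvme0n1p4" ino=1354793 scontext=system_u:system_r:rhcd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\)\s*:\s*(.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(body):
    """Split 'k=v k="v v"' audit fields into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def summarize(text):
    """Group AVC denials by (source type, target type, class, perms)."""
    events = defaultdict(lambda: defaultdict(list))  # serial -> record type -> bodies
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events[serial][rtype].append(body)
    groups = defaultdict(lambda: {"count": 0, "comm": set(), "exe": set(), "syscall": set()})
    for recs in events.values():
        # The SYSCALL record of the same event carries the exe and syscall name.
        sc = fields(recs["SYSCALL"][0]) if recs["SYSCALL"] else {}
        for body in recs["AVC"]:
            m = AVC.search(body)
            if not m:
                continue  # granted or malformed record
            f = fields(m.group(2))
            # An SELinux context is user:role:type:level; keep only the type.
            key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
                   f["tclass"], tuple(sorted(m.group(1).split())))
            g = groups[key]
            g["count"] += 1
            g["comm"].add(f.get("comm", "?"))
            g["exe"].add(sc.get("exe", "?"))
            g["syscall"].add(sc.get("syscall", "?"))
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, {k: sorted(v) if isinstance(v, set) else v for k, v in g.items()})
```

On the two events in this report it yields a single group, rhcd_t -> lib_t:dir { write }, seen twice via openat from two Python interpreters.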

          People

            ptoscano@redhat.com Pino Toscano
            rh-ee-libhe Libing He
            RH Bugzilla Integration
            Craig Donnelly