Comment 1 for bug 1819461

Michele Baldessari (michele) wrote :

/var/log/audit/audit.log:type=USER_ACCT msg=audit(1553621646.085:3730): pid=71808 uid=42436 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='op=PAM:accounting grantors=pam_unix acct="nova" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="unknown(42436)" AUID="unset"
/var/log/audit/audit.log:type=USER_CMD msg=audit(1553621646.085:3731): pid=71808 uid=42436 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='cwd="/" cmd="kolla_set_configs" terminal=? res=success'UID="unknown(42436)" AUID="unset"
/var/log/audit/audit.log:type=CRED_REFR msg=audit(1553621646.085:3732): pid=71808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
/var/log/audit/audit.log:type=AVC msg=audit(1553621646.085:3733): avc: denied { connectto } for pid=71808 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c493,c684 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
/var/log/audit/audit.log:type=SYSCALL msg=audit(1553621646.085:3733): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=56057de3b810 a2=1d a3=7ffcbd665f90 items=0 ppid=71791 pid=71808 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:container_t:s0:c493,c684 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
/var/log/audit/audit.log:type=USER_START msg=audit(1553621646.085:3734): pid=71808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='op=PAM:session_open grantors=pam_limits,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
/var/log/audit/audit.log:type=USER_END msg=audit(1553621646.180:3735): pid=71808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='op=PAM:session_close grantors=pam_limits,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
/var/log/audit/audit.log:type=CRED_DISP msg=audit(1553621646.180:3736): pid=71808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
/var/log/secure:Mar 26 17:34:06 undercloud-0 sudo[71808]: nova : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/kolla_set_configs
/var/log/secure:Mar 26 17:34:06 undercloud-0 sudo[71808]: pam_systemd(sudo:session): Failed to connect to system bus: Permission denied
/var/log/secure:Mar 26 17:34:06 undercloud-0 sudo[71808]: pam_unix(sudo:session): session opened for user root by (uid=0)
/var/log/secure:Mar 26 17:34:06 undercloud-0 sudo[71808]: pam_unix(sudo:session): session closed for user root

So it seems this is the nova user:
 [root@undercloud-0 ~]# podman exec -it nova_api sh -c 'grep 42436 /etc/{passwd,group}'
/etc/passwd:nova:x:42436:42436::/var/lib/nova:/usr/sbin/nologin
/etc/group:nova:x:42436:

It *might* be the nova-scheduler:
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-manage.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-conductor.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-scheduler.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-metadata-api.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-api.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-compute.log
Mar 26 17:34:06 undercloud-0 podman[71700]: INFO:__main__:Setting permission for /var/log/nova/nova-placement-api.log
Mar 26 17:34:06 undercloud-0 podman[71700]: ++ cat /run_command
Mar 26 17:34:06 undercloud-0 podman[71700]: + CMD='/usr/bin/nova-scheduler '
Mar 26 17:34:06 undercloud-0 podman[71700]: + ARGS=
Mar 26 17:34:06 undercloud-0 podman[71700]: + [[ ! -n '' ]]
Mar 26 17:34:06 undercloud-0 podman[71700]: + . kolla_extend_start
Mar 26 17:34:06 undercloud-0 podman[71700]: ++ [[ ! -d /var/log/kolla/nova ]]
Mar 26 17:34:06 undercloud-0 podman[71700]: +++ stat -c %a /var/log/kolla/nova
Mar 26 17:34:06 undercloud-0 podman[71700]: ++ [[ 2755 != \7\5\5 ]]
Mar 26 17:34:06 undercloud-0 podman[71700]: ++ chmod 755 /var/log/kolla/nova
Mar 26 17:34:06 undercloud-0 podman[71700]: ++ . /usr/local/bin/kolla_nova_extend_start
Mar 26 17:34:06 undercloud-0 podman[71700]: + echo 'Running command: '\''/usr/bin/nova-scheduler '\'''
Mar 26 17:34:06 undercloud-0 podman[71700]: Running command: '/usr/bin/nova-scheduler '
Mar 26 17:34:06 undercloud-0 podman[71700]: + exec /usr/bin/nova-scheduler
Mar 26 17:34:06 undercloud-0 dbus-daemon[669]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Mar 26 17:34:06 undercloud-0 setroubleshoot[71811]: failed to retrieve rpm info for /run/dbus/system_bus_socket
Mar 26 17:34:06 undercloud-0 setroubleshoot[71811]: SELinux is preventing /usr/bin/sudo from connectto access on the unix_stream_socket /run/dbus/system_bus_socket. For complete SELinux messages run: sealert -l e86477d3-6245-456c-aecd-fd142fc9efa6
Mar 26 17:34:06 undercloud-0 platform-python[71811]: SELinux is preventing /usr/bin/sudo from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that sudo should be allowed connectto access on the system_bus_socket unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -X 300 -i my-sudo.pp#012
Mar 26 17:34:07 undercloud-0 setroubleshoot[71811]: failed to retrieve rpm info for /run/dbus/system_bus_socket
Mar 26 17:34:07 undercloud-0 setroubleshoot[71811]: SELinux is preventing /usr/bin/sudo from connectto access on the unix_stream_socket /run/dbus/system_bus_socket. For complete SELinux messages run: sealert -l e86477d3-6245-456c-aecd-fd142fc9efa6
Mar 26 17:34:07 undercloud-0 platform-python[71811]: SELinux is preventing /usr/bin/sudo from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that sudo should be allowed connectto access on the system_bus_socket unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -X 300 -i my-sudo.pp#012
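Added here as a triage example (not from the bug report or from the kolla/nova code): a small parser that flattens the audit records quoted in the comment above and ties each AVC denial to the USER_CMD record for the same pid and the SYSCALL record with the same event serial, which is how the connectto denial is pinned to kolla_set_configs run by uid 42436. The regexes, the finding field names and the extra permissive-mode record are my own constructions.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt above (grep prefix dropped) plus one constructed permissive-mode denial.
SAMPLE_AUDIT = """\
type=USER_CMD msg=audit(1553621646.085:3731): pid=71808 uid=42436 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c493,c684 msg='cwd="/" cmd="kolla_set_configs" terminal=? res=success'UID="unknown(42436)" AUID="unset"
type=AVC msg=audit(1553621646.085:3733): avc: denied { connectto } for pid=71808 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c493,c684 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1553621646.085:3733): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=56057de3b810 a2=1d a3=7ffcbd665f90 items=0 ppid=71791 pid=71808 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:container_t:s0:c493,c684 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1553621700.000:4000): avc: denied { write } for pid=99999 comm="nova-scheduler" name="nova-scheduler.log" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s']+)""")   # key=value; value may be '...' or "..."
EVENT = re.compile(r"audit\(\d+\.\d+:(\d+)\)")              # event serial shared by AVC and SYSCALL
DENIED = re.compile(r"denied\s*\{\s*([^}]+?)\s*\}")        # permission set named in an AVC record

def parse_record(line):
    """Flatten one audit record into a dict; a nested msg='...' PAM payload is merged in."""
    line = re.sub(r"^\S*audit\.log:", "", line)   # tolerate the grep filename prefix
    rec = {}
    for key, val in KV.findall(line):
        if key == "msg" and val.startswith("'"):
            rec.update(parse_record(val.strip("'")))   # op=PAM:... acct="nova" cmd="..." fields
        else:
            rec[key] = val.strip('"')
    m = EVENT.search(line)
    if m:
        rec["serial"] = m.group(1)
    d = DENIED.search(line)
    if d:
        rec["denied"] = d.group(1).strip()
    return rec

def correlate_denials(lines):
    """One finding per AVC record, joined to the USER_CMD (same pid) and SYSCALL (same serial)."""
    by_pid = defaultdict(list)
    for rec in (parse_record(l) for l in lines if l.strip()):
        if "pid" in rec:
            by_pid[rec["pid"]].append(rec)
    findings = []
    for pid, recs in by_pid.items():
        cmd = next((r for r in recs if r.get("type") == "USER_CMD"), {})   # what sudo was asked to run
        for avc in (r for r in recs if r.get("type") == "AVC"):
            sc = next((r for r in recs if r.get("type") == "SYSCALL" and r.get("serial") == avc["serial"]), {})
            findings.append({
                "pid": pid, "permission": avc.get("denied"), "tclass": avc.get("tclass"),
                "source_type": avc["scontext"].split(":")[2], "target_type": avc["tcontext"].split(":")[2],
                "target": avc.get("path") or avc.get("name"), "exit": sc.get("exit"),
                "invoking_uid": cmd.get("uid"), "command": cmd.get("cmd"),
                "enforced": avc.get("permissive") == "0"})   # permissive=1 would only have been logged
    return findings
```

For the excerpt above this yields one enforced finding: container_t -> system_dbusd_t, connectto on the unix_stream_socket, exit -13 (EACCES), triggered by kolla_set_configs invoked through sudo by uid 42436.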