It seems @kevin disabled the loading of the custom SELinux rule that avoids AVCs for some rsyslog / audit thing infra hosts do, on F31 and higher:
https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=239f247757868a27df5802392ac24291eed931d0
that smells like it was supposed to be a quick hack, but it's still there months later, and it means most F31+ boxes in infra are going to have their logs flooded with AVCs like this:
Mar 12 05:02:47 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc: denied { getattr } for pid=936 comm="in:imfile" path="/var/log/audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0 Mar 12 05:02:47 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc: denied { search } for pid=936 comm="in:imfile" name="audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0 Mar 12 05:02:57 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc: denied { getattr } for pid=936 comm="in:imfile" path="/var/log/audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0 Mar 12 05:02:57 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc: denied { search } for pid=936 comm="in:imfile" name="audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0
...every ten seconds. Can we drop this hack now, or at least target it better? I've manually loaded the policy on the three boxes I care about that I noticed were affected (the new openQA aarch64 worker hosts), but I expect it'll be affecting others too.
we can, I don't recall if that was the f29 armv7 boxes or what... but we can't until after freeze. I don't think we want to do this until we are unfrozen.
it must have been boxes you were deploying F31 on, or else the commit wouldn't make any sense :)
Metadata Update from @smooge: - Issue priority set to: Waiting on Assignee (was: Needs Review)
ok, whatever it was, it's gone now. I was able to load the module on a fedora 31 staging builder just fine.
I''ve reverted the commit. We may need to update the policy file to make sure it reloads everywhere....
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.