Lack of SELinux policies prevents normal operation of a CentOS based amphora
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
octavia | Invalid | High | Unassigned |
Bug Description
For example: haproxy fails to read its configuration on a CentOS-based amphora instance.
This issue is caused by SELinux, which is Enforcing by default (as it should be).
The error (for the above mentioned example):
amphora-
More SELinux Issues:
SELinux is preventing /usr/sbin/haproxy from read access on the file haproxy.cfg.
SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/
SELinux is preventing /usr/sbin/ip from mounton access on the directory /run/netns.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /sys.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /etc/sysconfig.
SELinux is preventing /usr/sbin/sysctl from getattr access on the filesystem /sys.
SELinux is preventing /usr/sbin/sysctl from write access on the file sysrq.
SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/
SELinux is preventing /usr/sbin/sysctl from write access on the file protected_
SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/
SELinux is preventing /usr/sbin/sysctl from write access on the file file-max.
SELinux is preventing /usr/sbin/
SELinux is preventing /usr/sbin/haproxy from using the dac_override capability.
SELinux is preventing /usr/sbin/haproxy from using the fowner capability.
SELinux is preventing /usr/sbin/haproxy from create access on the sock_file d842c875-
SELinux is preventing /usr/sbin/haproxy from setattr access on the sock_file 2c699b77-
SELinux is preventing /usr/sbin/haproxy from remove_name access on the directory 2c699b77-
SELinux is preventing /usr/sbin/haproxy from name_bind access on the tcp_socket port 80.
SELinux is preventing /usr/sbin/haproxy from listen access on the tcp_socket port None.
SELinux is preventing /usr/sbin/haproxy from write access on the directory d842c875-
SELinux is preventing /usr/sbin/haproxy from using the setgid capability.
SELinux is preventing /usr/sbin/haproxy from using the setuid capability.
SELinux is preventing /usr/sbin/haproxy from write access on the sock_file 2c699b77-
SELinux is preventing /usr/sbin/haproxy from link access on the sock_file d842c875-
SELinux is preventing /usr/sbin/haproxy from unlink access on the sock_file d842c875-
SELinux is preventing /usr/sbin/haproxy from add_name access on the directory d842c875-
SELinux is preventing /usr/sbin/
SELinux is preventing /usr/sbin/
SELinux is preventing /usr/sbin/haproxy from write access on the directory octavia.
SELinux is preventing /usr/sbin/haproxy from unlink access on the file d842c875-
SELinux is preventing /usr/sbin/haproxy from create access on the file 2c699b77-
SELinux is preventing /usr/sbin/haproxy from using the kill capability.
SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/
I'll attach the full log to this bug.
The missing SELinux policies:
[root@amphora-
require {
type ifconfig_t;
type haproxy_t;
type haproxy_exec_t;
type var_lib_t;
type ifconfig_var_run_t;
type sysctl_fs_t;
type proc_security_t;
type sysctl_kernel_t;
type etc_t;
class capability { setuid kill setgid fowner net_bind_service dac_override };
class tcp_socket listen;
class dir mounton;
class file { execute read create execute_no_trans write getattr unlink open };
class sock_file { rename write link setattr create unlink };
}
#============= haproxy_t ==============
allow haproxy_t var_lib_t:file { read getattr open };
#============= ifconfig_t ==============
allow ifconfig_t etc_t:dir mounton;
allow ifconfig_t haproxy_exec_t:file { read execute open execute_no_trans };
allow ifconfig_t ifconfig_
allow ifconfig_t proc_security_
allow ifconfig_t self:capability { setuid kill setgid fowner net_bind_service dac_override };
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ifconfig_t self:tcp_socket listen;
allow ifconfig_t sysctl_fs_t:file { write getattr open };
allow ifconfig_t sysctl_
allow ifconfig_t var_lib_t:file { write getattr read create unlink open };
allow ifconfig_t var_lib_t:sock_file { rename write link setattr create unlink };
corenet_
dev_getattr_
files_filetrans
files_mounton_
files_mounton_
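The policy above is raw audit2allow output. Read as a whole, it grants the ifconfig_t domain (the domain /usr/sbin/ip runs in) permission to execute haproxy_exec_t without a domain transition, plus the setuid, setgid, fowner and dac_override capabilities and write access to var_lib_t, which is consistent with haproxy being started from ip's domain and ip's domain then being widened to fit haproxy. The following Python script is an added example, not part of this bug report or of Octavia's own code: it parses raw AVC records from audit.log into allow rules the way audit2allow does, renders them as a .te module, and flags the rules a reviewer should question before loading the module, suggesting the refpolicy domain_auto_trans() macro in place of execute_no_trans. The audit records in it are constructed for the example (hypothetical pids, inodes and paths, modelled on the denials quoted above); the module name octavia_amphora and the BROAD_PERMS list are assumptions of the example, not something the reporter proposed.

```python
"""Turn raw SELinux AVC denials into a type-enforcement module (as audit2allow
does) and flag the allow rules a reviewer should not accept blindly.
Added example for this bug report; the audit records below are constructed
(hypothetical pids, inodes, paths), modelled on the denials quoted above."""
import re
from collections import defaultdict

# Constructed audit.log excerpt: haproxy in haproxy_t, plus ip/sysctl/haproxy in
# ifconfig_t because ip executed haproxy without a domain transition.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1466000001.100:201): avc:  denied  { read } for  pid=1201 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=1001 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1466000001.101:202): avc:  denied  { getattr } for  pid=1201 comm="haproxy" path="/var/lib/octavia/haproxy.cfg" dev="vda1" ino=1001 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1466000002.200:203): avc:  denied  { mounton } for  pid=1300 comm="ip" path="/run/netns" dev="tmpfs" ino=2001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1466000003.300:204): avc:  denied  { write } for  pid=1301 comm="sysctl" name="file-max" dev="proc" ino=3001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1466000004.400:205): avc:  denied  { execute_no_trans } for  pid=1302 comm="ip" path="/usr/sbin/haproxy" dev="vda1" ino=4001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1466000005.500:206): avc:  denied  { dac_override } for  pid=1302 comm="haproxy" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1466000005.501:207): avc:  denied  { setuid } for  pid=1302 comm="haproxy" capability=7 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1466000006.600:208): avc:  denied  { name_bind } for  pid=1302 comm="haproxy" src=80 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
"""

# Permissions that widen a domain far beyond a load balancer's needs (assumed
# review list): dac_override/fowner bypass file ownership checks, setuid/setgid
# change identity, execute_no_trans runs a program inside the caller's domain.
BROAD_PERMS = {
    "capability": {"dac_override", "fowner", "setuid", "setgid", "sys_admin"},
    "file": {"execute_no_trans"},
}

DENIED_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")


def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC record, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    # audit2allow writes 'self' when source and target are the same domain.
    return stype, "self" if ttype == stype else ttype, tclass, set(m.group(1).split())


def summarize(log_text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules):
    """Render the rules as a loadable .te module with its require block."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update({stype, ttype} - {"self"})
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    out += [f"allow {s} {t}:{c} {_perm_list(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


def review_rules(rules):
    """List the rules a reviewer should question before loading the module."""
    findings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        broad = perms & BROAD_PERMS.get(tclass, set())
        if not broad:
            continue
        if tclass == "file" and ttype.endswith("_exec_t"):
            # Tighter fix: transition into the program's own domain so its
            # own policy applies, instead of widening the caller's domain.
            domain = ttype[: -len("_exec_t")] + "_t"
            findings.append(f"{stype} runs {ttype} without a transition; prefer "
                            f"domain_auto_trans({stype}, {ttype}, {domain})")
        else:
            findings.append(f"{stype} {ttype}:{tclass} grants {' '.join(sorted(broad))}; "
                            "justify each capability rather than copying audit2allow output")
    return findings


if __name__ == "__main__":
    rules = summarize(SAMPLE_AUDIT_LOG)
    print(render_te("octavia_amphora", rules))
    for finding in review_rules(rules):
        print("REVIEW:", finding)
```

To load the rendered module on an amphora, write the text to octavia_amphora.te and run `checkmodule -M -m -o octavia_amphora.mod octavia_amphora.te`, `semodule_package -o octavia_amphora.pp -m octavia_amphora.mod` and `semodule -i octavia_amphora.pp`, then confirm with `ausearch -m avc -ts recent` that the denials stop while the amphora stays Enforcing; the review findings are the part a maintainer should resolve by hand rather than ship as generated.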
Changed in octavia: | |
importance: | Undecided → High |
status: | New → Confirmed |
@Michael, Following our IRC chat I will try to incorporate the above-mentioned policy into https://github.com/openstack/octavia/blob/master/elements/haproxy-octavia/os-refresh-config/configure.d/20-haproxy-selinux
This would be part of https://review.openstack.org/#/c/331841/