Some AVCs we still get with Stein, on CentOS 7
## Undercloud:
### Apparently Swift is having some issues:
type=AVC msg=audit(1548423206.960:3983): avc: denied { relabelto } for pid=55370 comm="cp" name="account.ring.gz" dev="sda1" ino=205769901 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.960:3984): avc: denied { relabelto } for pid=55370 comm="cp" name="container.ring.gz" dev="sda1" ino=205769902 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.961:3985): avc: denied { relabelto } for pid=55370 comm="cp" name="object.ring.gz" dev="sda1" ino=205769903 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.962:3986): avc: denied { relabelto } for pid=55370 comm="cp" name="account.builder" dev="sda1" ino=205769904 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.962:3987): avc: denied { relabelto } for pid=55370 comm="cp" name="container.builder" dev="sda1" ino=205769905 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.963:3988): avc: denied { relabelto } for pid=55370 comm="cp" name="object.builder" dev="sda1" ino=205769906 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.964:3989): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422747.object.builder" dev="sda1" ino=96679596 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.964:3990): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422748.account.builder" dev="sda1" ino=96679597 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3991): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422748.container.builder" dev="sda1" ino=96679598 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3992): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.account.builder" dev="sda1" ino=96679599 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3993): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.account.ring.gz" dev="sda1" ino=96679600 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.966:3994): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.object.builder" dev="sda1" ino=96679601 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.966:3995): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.object.ring.gz" dev="sda1" ino=96679602 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3996): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422753.container.builder" dev="sda1" ino=96679603 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3997): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422753.container.ring.gz" dev="sda1" ino=96679604 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3998): avc: denied { relabelto } for pid=55370 comm="cp" name="backups" dev="sda1" ino=96679595 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0
The "relabelto" will never be accepted. Maybe we have some labels to set properly on some mount?
### OVS is having a bad time. Note that my undercloud is enforcing SELinux, so we will probably need the same perms as the Controller and Compute listed below:
type=AVC msg=audit(1548422425.681:3591): avc: denied { net_broadcast } for pid=17677 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1548423711.864:4557): avc: denied { search } for pid=17677 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=69468 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
(hence probably also missing: write, add_name, create, remove_name, unlink)
### qemu-kvm (On the undercloud ??)
type=AVC msg=audit(1548424179.553:6197): avc: denied { search } for pid=96138 comm="qemu-kvm" name="95027" dev="proc" ino=844680 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c269,c902 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1548424626.313:7188): avc: denied { search } for pid=99425 comm="qemu-kvm" name="95027" dev="proc" ino=844680 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c315,c753 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
Might be due to the fact I'm running the undercloud in a VM? Not really sure though...
## Controller:
### OVS seems to have a hard time:
type=AVC msg=audit(1548426271.263:26): avc: denied { net_broadcast } for pid=3667 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1548427946.511:8170): avc: denied { search } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { write } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { add_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { create } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { remove_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { unlink } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
### Sudo has some issues as well, but I'm not sure it's really a problem:
type=AVC msg=audit(1548427928.333:8024): avc: denied { connectto } for pid=77655 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c391,c397 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
## Compute
### OVS issues (basically the same as the Controller, makes sense):
type=AVC msg=audit(1548426044.011:26): avc: denied { net_broadcast } for pid=3780 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1548427430.597:3399): avc: denied { search } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { write } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { add_name } for pid=3780 comm="ovs-vswitchd" name="br-ex.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-ex.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.074:3641): avc: denied { search } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { write } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { add_name } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.140:3643): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-int.snoop" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.216:3645): avc: denied { remove_name } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=163861 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.216:3645): avc: denied { unlink } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=163861 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
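To read a dump like the one above at a glance, it helps to group the records by source type, target type and object class, and to keep two things separate: whether the kernel actually blocked the access (`permissive=0`, as on the undercloud) or only logged it (`permissive=1`, as on the Controller and Compute nodes), and whether the denied permission is `relabelto`/`relabelfrom`, where the usual fix is getting the label of the mounted volume right rather than adding an allow rule. The script below is an added example written for this report; it is not part of TripleO, openstack-selinux or audit2allow, and the helper names, the TE-style output and the extra SYSCALL record in the sample are my own. The sample records are modelled on the ones quoted above, including one that was wrapped before `=0`, which the parser re-joins.

```python
"""Group SELinux AVC denials from an audit log dump.

Added example for this report, not project code. Assumed (not from the
report): the helper names, the TE-style output and the SYSCALL sample line.
"""
import re
from collections import defaultdict

# One AVC record. The fields between comm="..." and scontext= vary by class
# (name/dev/ino for files, capability=N for capabilities, path= for sockets),
# so they are captured loosely as "rest".
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?P<rest>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

# Relabel permissions are flagged rather than turned into allow rules: a
# domain allowed to relabel files can usually grant itself access afterwards.
RELABEL_PERMS = {"relabelto", "relabelfrom"}

# Constructed sample: records in the shape of the ones in this report, one of
# them wrapped before "=0" the way pasted logs often are, plus a non-AVC line.
SAMPLE = """\
type=AVC msg=audit(1548423206.960:3983): avc: denied { relabelto } for pid=55370 comm="cp" name="account.ring.gz" dev="sda1" ino=205769901 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548422425.681:3591): avc: denied { net_broadcast } for pid=17677 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive
=0
type=AVC msg=audit(1548427946.512:8171): avc: denied { write } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { add_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { create } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1548427946.512:8171): arch=c000003e syscall=49 success=yes exit=0
"""


def join_wrapped(text):
    """Re-join records that a paste or pager broke right before '=0' / '=1'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("=") and lines:
            lines[-1] += raw
        elif raw.strip():
            lines.append(raw.strip())
    return lines


def type_of(ctx):
    """user:role:type[:range] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Return the useful fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    return {
        "serial": int(m["serial"]),
        "pid": int(m["pid"]),
        "comm": m["comm"],
        "perms": set(m["perms"].split()),
        "sdomain": type_of(m["scontext"]),
        "ttype": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        # permissive=0: the kernel blocked the access. permissive=1: logged only.
        "enforcing": m["permissive"] == "0",
    }


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(lambda: {"perms": set(), "enforcing": False, "comms": set()})
    for line in join_wrapped(text):
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["enforcing"] = entry["enforcing"] or rec["enforcing"]
        entry["comms"].add(rec["comm"])
    return dict(summary)


def to_te_rules(summary):
    """Render the grouped denials as allow rules in TE policy syntax."""
    rules = []
    for (sdom, ttype, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {sdom} {ttype}:{tclass} {{ {perms} }};")
    return rules


def relabel_candidates(summary):
    """Groups that involve relabelling; fix the object's label instead."""
    return sorted(k for k, e in summary.items() if e["perms"] & RELABEL_PERMS)


if __name__ == "__main__":
    grouped = summarize(SAMPLE)
    for key, entry in sorted(grouped.items()):
        mode = "BLOCKED" if entry["enforcing"] else "logged only"
        print(f"{key}: {sorted(entry['perms'])} [{mode}] from {sorted(entry['comms'])}")
    print("\n".join(to_te_rules(grouped)))
    print("check labels for:", relabel_candidates(grouped))
```

Run it against `ausearch -m avc --raw` output or a pasted dump; the `allow` lines are what an audit2allow-style policy would add, and the `relabel_candidates` list is what to check on the mount's file context before writing any rule.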
the f28 job may be failing tempest because of AVCs logged for openvswitch, but I'm not sure.
See http://logs.openstack.org/55/632755/1/check/tripleo-ci-fedora-28-standalone/32ef125/logs/undercloud/var/log/journal.txt.gz#_Jan_23_23_58_05
then a few minutes later:
http://logs.openstack.org/55/632755/1/check/tripleo-ci-fedora-28-standalone/32ef125/logs/undercloud/var/log/containers/neutron/dhcp-agent.log.txt.gz#_2019-01-24_00_01_34_730