AVC on Undercloud, Controller and Compute

Bug #1813313 reported by Cédric Jeanneret
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | High | Cédric Jeanneret |

Bug Description

Some AVCs we still get with Stein, on CentOS 7

## Undercloud:
### Apparently swift is having some issues:
type=AVC msg=audit(1548423206.960:3983): avc: denied { relabelto } for pid=55370 comm="cp" name="account.ring.gz" dev="sda1" ino=205769901 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.960:3984): avc: denied { relabelto } for pid=55370 comm="cp" name="container.ring.gz" dev="sda1" ino=205769902 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.961:3985): avc: denied { relabelto } for pid=55370 comm="cp" name="object.ring.gz" dev="sda1" ino=205769903 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.962:3986): avc: denied { relabelto } for pid=55370 comm="cp" name="account.builder" dev="sda1" ino=205769904 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.962:3987): avc: denied { relabelto } for pid=55370 comm="cp" name="container.builder" dev="sda1" ino=205769905 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.963:3988): avc: denied { relabelto } for pid=55370 comm="cp" name="object.builder" dev="sda1" ino=205769906 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.964:3989): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422747.object.builder" dev="sda1" ino=96679596 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.964:3990): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422748.account.builder" dev="sda1" ino=96679597 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3991): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422748.container.builder" dev="sda1" ino=96679598 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3992): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.account.builder" dev="sda1" ino=96679599 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.965:3993): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.account.ring.gz" dev="sda1" ino=96679600 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.966:3994): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.object.builder" dev="sda1" ino=96679601 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.966:3995): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422752.object.ring.gz" dev="sda1" ino=96679602 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3996): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422753.container.builder" dev="sda1" ino=96679603 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3997): avc: denied { relabelto } for pid=55370 comm="cp" name="1548422753.container.ring.gz" dev="sda1" ino=96679604 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548423206.967:3998): avc: denied { relabelto } for pid=55370 comm="cp" name="backups" dev="sda1" ino=96679595 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0

The "relabelto" will never be accepted. Maybe we have some labels to set properly on some mount?

### OVS is having a bad time. Note that my undercloud is enforcing SELinux, so we will probably need the same perms as the Controller and Compute listed below:
type=AVC msg=audit(1548422425.681:3591): avc: denied { net_broadcast } for pid=17677 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1548423711.864:4557): avc: denied { search } for pid=17677 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=69468 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
(hence, probably missing: write, add_name, create, remove_name, unlink)

### qemu-kvm (On the undercloud ??)
type=AVC msg=audit(1548424179.553:6197): avc: denied { search } for pid=96138 comm="qemu-kvm" name="95027" dev="proc" ino=844680 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c269,c902 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1548424626.313:7188): avc: denied { search } for pid=99425 comm="qemu-kvm" name="95027" dev="proc" ino=844680 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c315,c753 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0

Might be due to the fact I'm running the undercloud in a VM? Not really sure though...

## Controller:
### OVS seems to have a hard time:
type=AVC msg=audit(1548426271.263:26): avc: denied { net_broadcast } for pid=3667 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1548427946.511:8170): avc: denied { search } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { write } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { add_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { create } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { remove_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { unlink } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1

### Sudo has some issues as well, but I'm not sure it's really a problem:
type=AVC msg=audit(1548427928.333:8024): avc: denied { connectto } for pid=77655 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c391,c397 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

## Compute
### OVS issues (basically the same as the Controller, makes sense):
type=AVC msg=audit(1548426044.011:26): avc: denied { net_broadcast } for pid=3780 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1548427430.597:3399): avc: denied { search } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { write } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { add_name } for pid=3780 comm="ovs-vswitchd" name="br-ex.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427430.597:3400): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-ex.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.074:3641): avc: denied { search } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { write } for pid=3780 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=30568 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { add_name } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.075:3642): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.140:3643): avc: denied { create } for pid=3780 comm="ovs-vswitchd" name="br-int.snoop" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427948.216:3645): avc: denied { remove_name } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=163861 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427948.216:3645): avc: denied { unlink } for pid=3780 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=163861 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
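
As an added example (this is not code from the bug report, from TripleO, or from the openvswitch-selinux-policy / openstack-selinux patches referenced in the comments), the following Python groups AVC denials the way audit2allow does: it merges them by source type, target type and object class, renders candidate allow rules, and flags permissions such as relabelto and connectto that should be a deliberate policy decision rather than an automatic grant. It also shows why the enforcing undercloud only logged search for ovs-vswitchd while the permissive controller logged the whole chain: in enforcing mode the first denial aborts the operation, so the later permissions never reach the audit log. The sample input is a subset of the denials quoted in the report; REVIEW_PERMS and the function names are this example's own choices.

```python
"""Group SELinux AVC denials and derive candidate allow rules (audit2allow-style)."""
import re
from collections import defaultdict

# AVC denials copied from the bug report above (a representative subset).
SAMPLE_AVCS = """
type=AVC msg=audit(1548423206.960:3983): avc: denied { relabelto } for pid=55370 comm="cp" name="account.ring.gz" dev="sda1" ino=205769901 scontext=system_u:system_r:container_t:s0:c106,c506 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548422425.681:3591): avc: denied { net_broadcast } for pid=17677 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1548423711.864:4557): avc: denied { search } for pid=17677 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=69468 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548427946.511:8170): avc: denied { search } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { write } for pid=3667 comm="ovs-vswitchd" name="openvswitch" dev="tmpfs" ino=32424 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { add_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.512:8171): avc: denied { create } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { remove_name } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1548427946.651:8172): avc: denied { unlink } for pid=3667 comm="ovs-vswitchd" name="br-int.mgmt" dev="tmpfs" ino=648649 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1548427928.333:8024): avc: denied { connectto } for pid=77655 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c391,c397 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that must not be granted just because a tool suggests them
# (relabel rights, cross-domain socket connects). This set is this example's choice.
REVIEW_PERMS = {"relabelto", "relabelfrom", "connectto", "entrypoint", "transition"}


def selinux_type(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied { perms } for k=v ...' line, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def parse_all(text):
    return [a for a in (parse_avc(line) for line in text.splitlines()) if a]


def aggregate(avcs):
    """Merge denials by (source type, target type, class) into one permission set."""
    rules = defaultdict(set)
    for a in avcs:
        # Same source and target type (e.g. the capability class) is written as 'self'.
        ttype = "self" if a["ttype"] == a["stype"] else a["ttype"]
        rules[(a["stype"], ttype, a["tclass"])] |= a["perms"]
    return dict(rules)


def allow_rules(avcs):
    """Render .te-style allow rules; prefix rules needing a human decision with a REVIEW marker."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(aggregate(avcs).items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rule = f"allow {stype} {ttype}:{tclass} {body};"
        flagged = perms & REVIEW_PERMS
        if flagged:
            rule = f"# REVIEW ({', '.join(sorted(flagged))}) before enabling: {rule}"
        lines.append(rule)
    return lines


def enforcing_only_sees_first(avcs, comm):
    """Permissions for `comm` seen only on permissive hosts.

    In enforcing mode the first denial (here: dir search) aborts the operation,
    so the rest of the chain (write/add_name/create/...) never reaches the audit log.
    """
    enforcing = set().union(*(a["perms"] for a in avcs if a["comm"] == comm and not a["permissive"]))
    permissive = set().union(*(a["perms"] for a in avcs if a["comm"] == comm and a["permissive"]))
    return sorted(permissive - enforcing)


if __name__ == "__main__":
    parsed = parse_all(SAMPLE_AVCS)
    print("\n".join(allow_rules(parsed)))
    print("hidden on the enforcing undercloud:", enforcing_only_sees_first(parsed, "ovs-vswitchd"))
```

Run against the sample, the ovs-vswitchd rules collapse to three lines (dir { add_name remove_name search write }, sock_file { create unlink }, self:capability net_broadcast), which is the shape of what the later policy pull requests had to add; the swift relabelto and the sudo connectto come out marked REVIEW, since a container domain being allowed to relabel files or to connect to the host's system bus is a design question, not an audit2allow output to paste into a module.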

Tags: selinux
Changed in tripleo:
importance: Undecided → Medium
Changed in tripleo:
importance: Medium → High
Revision history for this message
Bogdan Dobrelya (bogdando) wrote :
Cédric Jeanneret (cjeanner) wrote :

OVS selinux policy is being updated with this pull-request:
https://pagure.io/openvswitch-selinux-policy/pull-request/3

Cédric Jeanneret (cjeanner) wrote :

As TripleO doesn't install the openvswitch-selinux-policy package, we must also push the policy to openstack-selinux:
https://github.com/redhat-openstack/openstack-selinux/pull/22

Cédric Jeanneret (cjeanner) wrote :

Patch for OVS working fine (tested on my lab). Waiting for review and merge, especially in openstack-selinux.

Cédric Jeanneret (cjeanner) wrote :

Regarding swift, it's weird, as at some point the relabelto is done:
-rw-r--r--. root root unconfined_u:object_r:container_file_t:s0 /var/lib/config-data/swift_ringbuilder/etc/swift/backups/1548664817.container.ring.gz

Changed in tripleo:
milestone: stein-3 → stein-rc1
Changed in tripleo:
milestone: stein-rc1 → train-1
Cédric Jeanneret (cjeanner) wrote :

Those issues were sorted out in different changes, and duplicated in multiple LP (or even without any LP/BZ).

Changed in tripleo:
status: Triaged → Fix Released