SELinux keepalived read denials

Bug #1416056 reported by Richard Su
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Richard Su
Milestone: (none)

Bug Description

These denials are being logged on the overcloud controller node. They are not present on compute nodes.

type=AVC msg=audit(1422372787.429:193): avc: denied { open } for pid=4422 comm="os-apply-config" path="/var/log/os-apply-config.log" dev="sda2" ino=53123 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.438:194): avc: denied { getattr } for pid=4421 comm="os-apply-config" path="/var/lib/os-collect-config/os_config_files.json" dev="sda2" ino=1019499 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.439:195): avc: denied { read } for pid=4422 comm="os-apply-config" name="os_config_files.json" dev="sda2" ino=1019499 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.439:195): avc: denied { open } for pid=4422 comm="os-apply-config" path="/var/lib/os-collect-config/os_config_files.json" dev="sda2" ino=1019499 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:196): avc: denied { getattr } for pid=4422 comm="os-apply-config" path="/var/lib/heat-cfntools/cfn-init-data" dev="sda2" ino=53171 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:197): avc: denied { read } for pid=4421 comm="os-apply-config" name="cfn-init-data" dev="sda2" ino=53171 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:197): avc: denied { open } for pid=4421 comm="os-apply-config" path="/var/lib/heat-cfntools/cfn-init-data" dev="sda2" ino=53171 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:198): avc: denied { getattr } for pid=4422 comm="os-apply-config" path="/var/lib/cloud/data/cfn-init-data" dev="sda2" ino=53174 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:199): avc: denied { read } for pid=4421 comm="os-apply-config" name="cfn-init-data" dev="sda2" ino=53174 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.440:199): avc: denied { open } for pid=4421 comm="os-apply-config" path="/var/lib/cloud/data/cfn-init-data" dev="sda2" ino=53174 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:200): avc: denied { getattr } for pid=4418 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:201): avc: denied { execute } for pid=4418 comm="keepalived_vip_" name="ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:202): avc: denied { read } for pid=4418 comm="keepalived_vip_" name="ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:203): avc: denied { open } for pid=4435 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:203): avc: denied { execute_no_trans } for pid=4435 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
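Reading a list of AVC records by hand is error-prone, so the script below (an added example, not the bug reporter's code or the tripleo-image-elements fix) parses lines of the shape shown in the description and groups them the way audit2allow does: one candidate `allow` rule per source type, target type and object class, with the union of denied permissions. The input is a subset of the records quoted above, copied verbatim; the regular expression and helper names are this example's own.

```python
import re
from collections import defaultdict

# Four of the AVC records from the bug description, copied verbatim. The
# parser handles any record of this shape, so the full set can be fed in.
AVC_LINES = """\
type=AVC msg=audit(1422372787.429:193): avc: denied { open } for pid=4422 comm="os-apply-config" path="/var/log/os-apply-config.log" dev="sda2" ino=53123 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.438:194): avc: denied { getattr } for pid=4421 comm="os-apply-config" path="/var/lib/os-collect-config/os_config_files.json" dev="sda2" ino=1019499 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.439:195): avc: denied { read } for pid=4422 comm="os-apply-config" name="os_config_files.json" dev="sda2" ino=1019499 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1422372787.736:203): avc: denied { execute_no_trans } for pid=4435 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda2" ino=581819 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
"""

# Matches the fixed part of an AVC record: the denied permission set, the
# free-form key=value fields, and the source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in
              re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    return {
        'perms': sorted(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        # permissive=1 means the access was logged but not blocked.
        'permissive': m.group('permissive') == '1',
    }


def summarize(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return summary


def to_allow_rules(summary):
    """Render the grouped denials as candidate policy rules, one per key."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(perms)))
            for (s, t, c), perms in sorted(summary.items())]


def permissive_count(lines):
    """How many records were only logged (permissive) versus actually denied."""
    recs = [r for r in map(parse_avc, lines.splitlines()) if r]
    logged_only = sum(1 for r in recs if r['permissive'])
    return logged_only, len(recs) - logged_only


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(AVC_LINES)):
        print(rule)
    print('permissive/enforced:', permissive_count(AVC_LINES))
```

Every record here carries `permissive=1`, so on this host the accesses went through and only the audit trail shows them; the same denials on an enforcing node would stop os-apply-config and the keepalived VIP script. The generated rules are a triage summary, not a finished policy: a rule such as `allow keepalived_t ifconfig_exec_t:file { execute_no_trans }` widens the keepalived domain, and deciding whether that is acceptable or whether the upstream policy should handle it differently is exactly the question the commit below defers to the selinux-policy bug.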

Richard Su (rwsu) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-image-elements (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151366

Changed in tripleo:
status: Triaged → In Progress
Richard Su (rwsu) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/151366
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=3e0eebbe72d050918db79642090d1e67240a0666
Submitter: Jenkins
Branch: master

commit 3e0eebbe72d050918db79642090d1e67240a0666
Author: Richard Su <email address hidden>
Date: Thu Jan 29 11:59:31 2015 -0800

    SELinux keepalived read denials

    Custom policy to fix read denials seen on overcloud controller node.

    Filed bug to upstream selinux-policy for a more permanent fix:
    https://bugzilla.redhat.com/show_bug.cgi?id=1187348

    Change-Id: I51b6081642e5fb6c4df1bbaefaffc86cb69fc7ff
    Partial-Bug: 1416056

Brent Eagles (beagles)
tags: added: workaround
Ben Nemec (bnemec)
Changed in tripleo:
status: In Progress → Fix Released