Swift service tries to relabel files

Bug #1819459 reported by Cédric Jeanneret
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Cédric Jeanneret
Milestone: stein-rc1

Bug Description

Hello,

Swift service wants to relabel files in its container. This is prohibited in a selinux-enabled system with proper separation, and raises the following AVCs:

type=AVC msg=audit(1552310439.450:533): avc: denied { relabelto } for pid=27235 comm="cp" name="account.ring.gz" dev="vda1" ino=4713480 scontext=system_u:system_r:container_t:s0:c18,c213 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552310439.451:534): avc: denied { relabelto } for pid=27235 comm="cp" name="backups" dev="vda1" ino=4713486 scontext=system_u:system_r:container_t:s0:c18,c213 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=1

This might come from a "cp -a" call, as that one will try (and fail) to reapply the SELinux labels.

Note: we will never allow relabelto from within a container, since it can lead to a major security hole on the host system.

Cheers,

C.

Tags: containers
Changed in tripleo:
milestone: stein-3 → stein-rc1
Revision history for this message
Michele Baldessari (michele) wrote :

Thanks Cedric. So I think this is the snippet that barfs on us:
          swift_copy_rings:
            image: *swift_ringbuilder_image
            net: none
            user: root
            detach: false
            command:
              # Use bash to run the cp command so that wildcards can be used
              - '/bin/bash'
              - '-c'
              - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'

This is from deployment/swift/swift-ringbuilder-container-puppet.yaml

Can we work around this by adding a specific --context[=CTX] param to the cp call?

Cédric Jeanneret (cjeanner) wrote :

Thanks Michele!
That's exactly the thing :).

We might want to either:
- replace "-a" by its plain option with some salt and pepper
- just add, after "-a", --no-preserve=context

Lemme try the latter first.

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/643240
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=c55cf61c99a8ad5e743672d1ef56fa12dbdc5f17
Submitter: Zuul
Branch: master

commit c55cf61c99a8ad5e743672d1ef56fa12dbdc5f17
Author: Cédric Jeanneret <email address hidden>
Date: Thu Mar 14 08:45:14 2019 +0100

    Avoid "-a" cp option in order to avoid SELinux AVC

    Using "cp -a" in a container might lead to SELinux failures, since this option
    is a shortcut for "-dR --preserve=all". The "all" has the context, and we do
    not allow SELinux relabelling within containers.

    Splitting the "-a" to "-dR --preserve" will provide the same end results, but
    without the relabelling, preventing audit.log from filling up during the deploy.

    Closes-Bug: #1819459
    Change-Id: Ic280ad8e95fcc32986987f5abaa524f171d7c13b

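The copy form from the merged fix, as an added shell example that is not part of tripleo-heat-templates or this bug's comments: a copy using -dR with the default --preserve set (mode,ownership,timestamps, which is what bare --preserve expands to, i.e. "-a" minus context/links/xattr), a self-check that mode and mtime still survive, and a counter for the cp relabelto AVC pattern over constructed audit lines. It assumes GNU coreutils (cp -t, cp -d, stat -c) and uses only constructed sample data.

```shell
#!/usr/bin/env bash
# Constructed sample audit lines (shortened from the AVCs in this bug), not a live audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1552310439.450:533): avc:  denied  { relabelto } for  pid=27235 comm="cp" name="account.ring.gz" scontext=system_u:system_r:container_t:s0:c18,c213 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552310439.451:534): avc:  denied  { relabelto } for  pid=27235 comm="cp" name="backups" scontext=system_u:system_r:container_t:s0:c18,c213 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552310439.452:535): avc:  denied  { write } for  pid=31 comm="sh" name="x" scontext=system_u:system_r:container_t:s0:c18,c213 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'

# Count relabelto denials raised by cp running in the container domain: the signature of
# "cp -a" inside a container. Prints the count (0 if none).
count_cp_relabelto() {
  printf '%s\n' "$1" | grep -c 'avc: *denied *{ relabelto }.*comm="cp".*scontext=system_u:system_r:container_t' || true
}

# Copy the way the fix does: -dR plus the default --preserve set, so no context is reapplied.
# Usage: safe_copy DEST SRC...
safe_copy() {
  dest=$1; shift
  cp -v -dR --preserve=mode,ownership,timestamps -t "$dest" "$@"
}

# Self-check (constructed tree): mode and mtime of the copied ring file are preserved and the
# backups directory is copied recursively. Returns 0 on success.
preserves_attrs() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/src/backups" "$tmp/dst"
  printf 'ring\n' > "$tmp/src/account.ring.gz"
  chmod 0640 "$tmp/src/account.ring.gz"
  touch -t 201903140845.14 "$tmp/src/account.ring.gz"
  safe_copy "$tmp/dst" "$tmp"/src/*.gz "$tmp/src/backups" >/dev/null
  before=$(stat -c '%a %Y' "$tmp/src/account.ring.gz")
  after=$(stat -c '%a %Y' "$tmp/dst/account.ring.gz")
  [ -d "$tmp/dst/backups" ] && [ "$before" = "$after" ]
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```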
Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.5.0

This issue was fixed in the openstack/tripleo-heat-templates 10.5.0 release.
