[SELinux] iptables and ip6tables: scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0

Bug #1861302 reported by Cédric Jeanneret
Affects: tripleo
Importance: Medium
Assigned to: Kevin Carter

Bug Description

Hello there,

We apparently have some issues with master when it comes to iptables and ip6tables:

type=AVC msg=audit(1580310490.333:7977): avc: denied { write } for pid=68963 comm="iptables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580310490.334:7978): avc: denied { write } for pid=68964 comm="ip6tables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

What I understand here is iptables_t tries to write things in admin_home_t, probably linked to the "async" way rules are being applied.

It might be best to move that "~/.ansible_async/" directory outside of /root/ (like /var/tmp maybe?) and, if needed, allow iptables_t to write in this other location.

Also, it might be "just" cosmetics, since I can see firewall rules in the INPUT tables (both iptables and ip6tables).

Cheers,

C.
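The two audit records quoted in the report carry everything needed to triage the denial: the subject's type (`iptables_t`), the object's type (`admin_home_t`), the object class and permission (`file`/`write`), and whether the denial was enforced (`permissive=0`). The following parser is an added example, not code from the bug report or from TripleO; it extracts those fields from raw `type=AVC` lines and groups denials by (source type, target type, class, permissions) so a reviewer can see the policy gap at a glance. The two AVC lines are taken verbatim from the report above; the trailing `type=SYSCALL` line is constructed to show that non-AVC records are skipped.

```python
import re
from collections import Counter
from typing import Optional

# Sample input: the two AVC records from the bug report, plus one constructed
# non-AVC record (not from the page) that the parser should ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1580310490.333:7977): avc: denied { write } for pid=68963 comm="iptables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580310490.334:7978): avc: denied { write } for pid=68964 comm="ip6tables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1580310490.333:7977): arch=c000003e syscall=1 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: (?P<result>denied|granted)"
    r" \{ (?P<perms>[^}]+)\} for (?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm, path, dev) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type component of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was allowed anyway (audit-only domain);
        # permissive=0 means the kernel actually refused it.
        "permissive": fields.get("permissive") == "1",
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
    }


def describe(rec: dict) -> str:
    """One-line human summary of a parsed AVC record."""
    mode = "audit-only" if rec["permissive"] else "enforced"
    return (
        f"{rec['comm']} ({rec['source_type']}) {rec['result']} "
        f"{' '.join(rec['perms'])} on {rec['tclass']} {rec['target_type']} "
        f"[{mode}] path={rec['path']}"
    )


def summarize_denials(log_text: str) -> dict:
    """Count enforced denials by (source type, target type, class, permissions)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["permissive"]:
            continue
        counts[(rec["source_type"], rec["target_type"], rec["tclass"], tuple(rec["perms"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            print(describe(rec))
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {key[0]} -> {key[1]} ({key[2]}: {' '.join(key[3])})")
```

Run over the sample, the summary collapses both records into a single `iptables_t -> admin_home_t (file: write)` entry, which is the shape of question a policy maintainer has to answer: either the object should not live under a type the domain is forbidden to touch (the approach the fix below takes, by moving the async directory out of `/root`), or the domain needs an explicit allow rule for that target type. Grouping by type rather than by path also makes it obvious when several processes (here `iptables` and `ip6tables`) hit the same underlying policy gap.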

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/704836

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/704836
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d493845b1f42ffad3f3b97ccb9a3991cbf93d831
Submitter: Zuul
Branch: master

commit d493845b1f42ffad3f3b97ccb9a3991cbf93d831
Author: Kevin Carter <email address hidden>
Date: Wed Jan 29 09:59:53 2020 -0600

    Add global groupvar to set the ansible async dir

    The ansible async directory needs to be defined as something other than
    ~/.ansible_async to ensure we're not running into selinux violations
    when executing tasks with async and become.

    Bug: #1861302
    Change-Id: I2052aa8861025f8385c0817566fbc37bf6984ac0
    Signed-off-by: Kevin Carter <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released