[SELinux] iptables and ip6tables: scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0

Bug #1861302 reported by Cédric Jeanneret
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Kevin Carter

Bug Description

Hello there,

We apparently have some issues with master when it comes to iptables and ip6tables:

type=AVC msg=audit(1580310490.333:7977): avc: denied { write } for pid=68963 comm="iptables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580310490.334:7978): avc: denied { write } for pid=68964 comm="ip6tables" path="/root/.ansible_async/364502118240.67815.tmp" dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

What I understand here is iptables_t tries to write things in admin_home_t, probably linked to the "async" way rules are being applied.

It might be best to move that "~/.ansible_async/" directory outside of /root/ (like /var/tmp maybe?) and, if needed, allow iptables_t to write in this other location.

Also, it might be "just" cosmetic, since I can see firewall rules in the INPUT tables (both iptables and ip6tables).

Cheers,

C.

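As an added example (not code from the report, from tripleo or from Ansible), the following Python parses the two AVC records quoted above, keys them the way an SELinux allow rule would be keyed (source type, target type, object class, permission) and flags the specific pattern the reporter describes: a confined domain writing into an Ansible async job file that `become` has placed under `/root`. The two records are embedded as a constructed fixture copied from the report; on a real host they would come from `ausearch -m avc`. Field names follow the standard audit(1) AVC format; the classification label and the `/.ansible_async/` path marker are this example's own choice.

```python
"""Parse SELinux AVC denials and flag Ansible async job-file writes under /root."""
import re
from collections import Counter

# Constructed fixture: the two AVC records from the bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1580310490.333:7977): avc:  denied  { write } for  '
    'pid=68963 comm="iptables" path="/root/.ansible_async/364502118240.67815.tmp" '
    'dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0\n'
    'type=AVC msg=audit(1580310490.334:7978): avc:  denied  { write } for  '
    'pid=68964 comm="ip6tables" path="/root/.ansible_async/364502118240.67815.tmp" '
    'dev="sda1" ino=9551736 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0\n'
)

# Header of an AVC record: timestamp, serial, verdict, the {perm set}, then key=value fields.
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted (path, comm, dev) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Path fragment this example uses to recognise Ansible's async job files (assumption:
# the default job directory name ~/.ansible_async).
ASYNC_DIR_MARKER = "/.ansible_async/"


def parse_avc_record(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    # A context is user:role:type[:range]; policy rules are written on the type.
    for ctx_key, out_key in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(ctx_key, "").split(":")
        rec[out_key] = parts[2] if len(parts) > 2 else None
    return rec


def parse_avc_log(text):
    """Parse every AVC record in a block of audit log text, skipping other lines."""
    return [r for r in (parse_avc_record(l) for l in text.splitlines()) if r]


def classify(rec):
    """Label the pattern from the report: a denied write by a confined domain to an
    Ansible async job file labelled admin_home_t (i.e. living under /root)."""
    if rec["verdict"] != "denied":
        return None
    if rec["target_type"] == "admin_home_t" and ASYNC_DIR_MARKER in rec.get("path", ""):
        return "ansible-async-jobfile-in-admin-home"
    return None


def summarize(records):
    """Count denials by (source type, target type, class, permission): the tuple an
    allow rule would be written on, so you can see what audit2allow would propose."""
    counts = Counter()
    for rec in records:
        if rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    records = parse_avc_log(SAMPLE_AVC)
    for rec in records:
        print(rec["serial"], rec["comm"], rec["source_type"], "->", rec["target_type"],
              rec["tclass"], rec["perms"], "enforcing" if rec.get("permissive") == "0"
              else "permissive", classify(rec))
    for key, n in summarize(records).items():
        print("%d x allow %s %s:%s { %s };" % (n, key[0], key[1], key[2], key[3]))
```

Two things the parsed fields make explicit. `permissive=0` means the writes really were refused, so whatever the job wrapper expected to capture in that file (output, return data) may be lost even though the iptables process itself ran; that is consistent with the reporter still seeing the rules in INPUT. And the summary tuple `(iptables_t, admin_home_t, file, write)` is exactly what an `audit2allow`-generated module would grant; adding that rule would punch a hole for every iptables invocation into root's home, which is why relocating the async directory (Ansible's DEFAULT_ASYNC_DIR setting, settable as `[defaults] async_dir`, `ANSIBLE_ASYNC_DIR` or the `ansible_async_dir` variable) is the better fix, and is the approach the merged change takes.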
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/704836

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/704836
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d493845b1f42ffad3f3b97ccb9a3991cbf93d831
Submitter: Zuul
Branch: master

commit d493845b1f42ffad3f3b97ccb9a3991cbf93d831
Author: Kevin Carter <email address hidden>
Date: Wed Jan 29 09:59:53 2020 -0600

    Add global groupvar to set the ansible async dir

    The ansible async directory needs to be defined as something other than
    ~/.ansible_async to ensure we're not running into selinux violations
    when executing tasks with async and become.

    Bug: #1861302
    Change-Id: I2052aa8861025f8385c0817566fbc37bf6984ac0
    Signed-off-by: Kevin Carter <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released