Bug 1093297
| Summary: | selinux AVC RHEL7 and RDO - Neutron | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Community] RDO | Reporter: | Ofer Blaut <oblaut> | ||||||||
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> | ||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ofer Blaut <oblaut> | ||||||||
| Severity: | urgent | Docs Contact: | |||||||||
| Priority: | urgent | ||||||||||
| Version: | unspecified | CC: | mgrepl, rhallise, twilson, yeylon | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2015-08-18 19:44:27 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 893389 [details]
audit.log in permissive mode
audit.log after installing via packstack --allinone and switching to permissive mode and rebooting.
Created attachment 893403 [details]
policy generated by audit2allow
This mostly looks reasonable:
#============= neutron_t ==============
allow neutron_t netutils_exec_t:file { read execute open execute_no_trans };
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;
#============= nova_scheduler_t ==============
allow nova_scheduler_t passwd_file_t:file { read getattr open };
... except the setcap. Miroslav, didn't we find that this usually happened with too many forks or something like that last year - so ulimits were wrong? It seems familiar.
type=AVC msg=audit(1399480702.628:913): avc: denied { setcap } for pid=4476 comm="arping" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=SYSCALL msg=audit(1399480702.628:913): arch=c000003e syscall=126 success=yes exit=0 a0=7f34e4be7014 a1=7f34e4be701c a2=1 a3=7fff3b9b7f80 items=0 ppid=4473 pid=4476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:neutron_t:s0 key=(null)
Ah, nevermind - it's from calling arping. Perhaps we simply need to transition when called.
Yes netutils_domtrans(neutron_t) But actually, we should go with
netutils_exec(neutron_t)
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;
I added it to F20/rawhide and also will back port to RHEL7. |
Created attachment 891408 [details] neutron AVCs Description of problem: There are different selinux AVCs on using neutron RDO on RHEL 7 attached Version-Release number of selected component (if applicable): libselinux-2.2.2-6.el7.x86_64 libselinux-utils-2.2.2-6.el7.x86_64 selinux-policy-targeted-3.12.1-153.el7.noarch libselinux-ruby-2.2.2-6.el7.x86_64 libselinux-python-2.2.2-6.el7.x86_64 selinux-policy-3.12.1-153.el7.noarch How reproducible: Steps to Reproduce: 1.set selinux to enforcing 2.deploy VM using network created by neutron (OVS ) 3.check /var/log/messages Actual results: Expected results: Additional info: