Bug 1128957

Summary: SELinux blocks nova-api from using tmp
Product: Fedora
Reporter: Richard Su <rwsu>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-180.fc20
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-09-10 22:42:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments (description, flags):
audit.log (none)
audit.log using selinux-policy-targeted-3.12.1-180.fc20.noarch (none)

Description Richard Su 2014-08-12 00:20:50 UTC
Created attachment 925889 [details]
audit.log

Description of problem:
When SELinux is in enforcing mode, nova-api fails on certain tmpfs operations on /dev/shm

type=AVC msg=audit(1404764447.847:287): avc: denied { search } for pid=3445 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764803.222:887): avc: denied { write } for pid=4548 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764956.108:1138): avc: denied { read write open } for pid=4980 comm="nova-api" path="/dev/shm/sem.evCqpX" dev="tmpfs" ino=79253 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1239): avc: denied { link } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1240): avc: denied { remove_name } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=sys
type=AVC msg=audit(1404765106.415:1388): avc: denied { getattr } for pid=5354 comm="nova-api" path="/dev/shm/sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765106.415:1389): avc: denied { unlink } for pid=5354 comm="nova-api" name="sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
upstream nova

How reproducible:
always

Steps to Reproduce:
1. Deploy tripleo overcloud

Actual results:
nova-api fails to start

Expected results:
nova-api starts

Additional info:

Comment 1 Daniel Walsh 2014-08-12 12:11:44 UTC
1ef02b3df5392fd9502d9479d79e6349f1fa9fb2 fixes this in git.

Comment 2 Daniel Walsh 2014-08-12 12:13:22 UTC
cce9b39b71202349c898ec0b4b24d54ef766daa7 Actually is a better fix.

Comment 3 Lukas Vrabec 2014-08-13 08:02:20 UTC
commit 6b6791acb84b509d82bdf02893ced001746ab69d
Author: Dan Walsh <dwalsh>
Date:   Tue Aug 12 08:11:05 2014 -0400

    Lets label content created by nova domains as tmp_t content.


https://github.com/selinux-policy/selinux-policy/commit/6b6791acb84b509d82bdf02893ced001746ab69d

Comment 4 Fedora Update System 2014-08-13 12:09:25 UTC
selinux-policy-3.12.1-180.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-180.fc20

Comment 5 Fedora Update System 2014-08-16 00:30:46 UTC
Package selinux-policy-3.12.1-180.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-180.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9454/selinux-policy-3.12.1-180.fc20
then log in and leave karma (feedback).

Comment 6 Richard Su 2014-08-21 04:35:29 UTC
With 

selinux-policy-3.12.1-180.fc20.noarch
selinux-policy-targeted-3.12.1-180.fc20.noarch

I am still seeing a similar set of errors with accessing tmpfs 

audit.log:type=AVC msg=audit(1408592858.319:51726): avc:  denied  { getattr } for  pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
audit.log:type=AVC msg=audit(1408592858.323:51727): avc:  denied  { write } for  pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc:  denied  { add_name } for  pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc:  denied  { create } for  pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.323:51727): avc:  denied  { read write open } for  pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51728): avc:  denied  { link } for  pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51729): avc:  denied  { getattr } for  pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51730): avc:  denied  { remove_name } for  pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.324:51730): avc:  denied  { unlink } for  pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

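The AVC records quoted in comment 6 (and the similar set in the original description) all collapse to a handful of (source type, target type, object class) tuples. The following is an added example, not code from this report or from the selinux-policy project: it parses such records, aggregates the denied permissions per tuple the way audit2allow does, and separates the denials that a tmpfs file transition to a private nova tmp type settles from those it cannot touch. It assumes the refpolicy semantics of fs_tmpfs_filetrans() (read/write directory permissions on tmpfs_t plus a type_transition for the listed classes) and uses the six records from comment 6 as its sample input.

```python
"""Aggregate SELinux AVC denials and check which ones a tmpfs filetrans fix covers.

Added example for this bug report; not code from the selinux-policy project.
Assumes refpolicy semantics for fs_tmpfs_filetrans(): rw dir permissions on
tmpfs_t plus a type_transition to the private type for the listed classes.
"""
import re
from collections import defaultdict

# Sample input: the six AVC records quoted in comment 6 of this bug, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1408592858.319:51726): avc:  denied  { getattr } for  pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1408592858.323:51727): avc:  denied  { write } for  pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1408592858.323:51727): avc:  denied  { add_name } for  pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1408592858.323:51727): avc:  denied  { create } for  pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1408592858.323:51727): avc:  denied  { read write open } for  pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1408592858.324:51730): avc:  denied  { unlink } for  pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Object classes named in the nova_domain_template() filetrans call (comment 8).
FILETRANS_CLASSES = frozenset({"file", "lnk_file", "dir"})


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for lines that are not AVCs."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(text):
    """Map (source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render audit2allow-style allow rules: the blunt fix, shown for comparison.

    Granting these would let the domain touch every tmpfs_t object, which is
    why the policy fix prefers a type transition to a private nova_*_tmp_t type.
    """
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(summary.items())
    ]


def classify(summary, target="tmpfs_t", classes=FILETRANS_CLASSES):
    """Split denials against `target` into those a filetrans settles and the rest.

    file/lnk_file objects the domain creates get the private type through the
    type_transition, and the filetrans pattern grants rw dir permissions on the
    tmpfs_t mount root, so those classes are covered. A denial on any other
    class (here 'filesystem' getattr) is untouched and needs its own interface.
    """
    covered, remaining = {}, {}
    for key, perms in summary.items():
        if key[1] != target:
            continue
        (covered if key[2] in classes else remaining)[key] = perms
    return covered, remaining


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS)
    for rule in allow_rules(summary):
        print(rule)
    _, remaining = classify(summary)
    for (stype, ttype, tclass), perms in remaining.items():
        print("not covered by fs_tmpfs_filetrans: %s %s:%s %s"
              % (stype, ttype, tclass, sorted(perms)))
```

Run against the comment 6 records, the only tuple left in the "remaining" set is nova_api_t on tmpfs_t with class filesystem, permission getattr. That is exactly the record still reported in comment 10 after the filetrans fix, and it is why a filetrans interface alone was not enough: the filesystem class is not covered by a type transition or by the file/dir manage rules on the private type, so a separate tmpfs getattr interface (fs_getattr_tmpfs() in refpolicy naming) is needed rather than an allow rule on tmpfs_t files.
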
Comment 7 Richard Su 2014-08-21 04:39:20 UTC
Created attachment 929011 [details]
audit.log using selinux-policy-targeted-3.12.1-180.fc20.noarch

Comment 8 Miroslav Grepl 2014-08-21 07:09:06 UTC
commit 9940830be7992b1c2560bd103951ad5d6ff52941
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 21 09:08:41 2014 +0200

    Call the proper interface fs_tmpfs_filetrans() in nova_domain_template().

diff --git a/nova.if b/nova.if
index 2d705a8..ce897e2 100644
--- a/nova.if
+++ b/nova.if
@@ -49,7 +49,7 @@ template(`nova_domain_template',`
        manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
        manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
        files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
-       files_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+       fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
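Review bot: swapping in fs_tmpfs_filetrans() fixes the interface name but leaves the `{ getattr }` denial on `tclass=filesystem` (the first record in comment 6, `name="/" dev="tmpfs" ino=7612`) unaddressed: a filetrans pattern grants directory permissions on tmpfs_t and a type_transition for `{ lnk_file file dir }`, and the manage_*_pattern calls in the surrounding context lines only cover the private nova_$1_tmp_t type, so none of them touch the filesystem class. The template should also call the tmpfs filesystem getattr interface (fs_getattr_tmpfs(nova_$1_t), assuming the same refpolicy interface naming as the fs_tmpfs_filetrans call above); without it the getattr record will keep appearing in enforcing mode even though the sem.* file operations now succeed.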

Comment 9 Fedora Update System 2014-08-21 09:46:52 UTC
selinux-policy-3.12.1-180.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Richard Su 2014-08-22 00:53:53 UTC
With 
selinux-policy-3.12.1-181.fc20.noarch
selinux-policy-targeted-3.12.1-181.fc20.noarch

Seeing

type=AVC msg=audit(1408661444.531:56625): avc:  denied  { getattr } for  pid=30258 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

[root@overcloud-controller0-lnix4hcttlx2 audit]# find / -inum 7612
/sys/devices/pci0000:00/0000:00:03.0/ata2/power/runtime_suspended_time
/dev/shm
/opt/stack/venvs/openstack/lib/python2.7/site-packages/keystoneclient/tests/v2_0/test_extensions.pyc

Do I wait for -182? The version numbers in comments #3 and #5 are confusing. I'm guessing the majority of the problem got fixed in -181.

Comment 11 Richard Su 2014-09-10 22:42:46 UTC
Fixed in -182.