Bug 1283674
| Field | Value |
|---|---|
| Summary | VIRT HA+ router VRRP environment. dhclient, vnc and redis-server denied |
| Product | Red Hat OpenStack |
| Reporter | Alexander Stafeyev <astafeye> |
| Component | openstack-selinux |
| Assignee | Ryan Hallisey <rhallise> |
| Status | CLOSED ERRATA |
| QA Contact | Alexander Stafeyev <astafeye> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 8.0 (Liberty) |
| CC | astafeye, jschluet, lhh, mgrepl, rbiba, sasha, sgordon, tfreger, yeylon |
| Target Milestone | beta |
| Target Release | 8.0 (Liberty) |
| Hardware | x86_64 |
| OS | Unspecified |
| Fixed In Version | openstack-selinux-0.6.49-1.el7ost |
| Doc Type | Bug Fix |
| Doc Text | Prior to this update, SELinux prevented dhclient, vnc, and redis from working. New rules have now been added to allow these software tools to run successfully. |
| Type | Bug |
| Last Closed | 2016-04-07 21:12:52 UTC |
Try openstack-selinux-0.6.45-1.el7ost because I think it will fix this. I think the AVC breaking this is the nova_t one.

Alex, please retest on the latest osp8; it already contains this version of SELinux, openstack-selinux-0.6.45-1.el7ost. Update this bug with your results. Thanks.

```
openstack-selinux-0.6.45-1.el7ost.noarch

[root@overcloud-controller-0 ~]# sealert -a /var/log/audit/audit.log
 17% done'list' object has no attribute 'split'
117% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/redis-server from name_connect access on the tcp_socket port 6379.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that redis-server should be allowed name_connect access on the port 6379 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep redis-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:redis_t:s0
Target Context                system_u:object_r:redis_port_t:s0
Target Objects                port 6379 [ tcp_socket ]
Source                        redis-server
Source Path                   /usr/bin/redis-server
Port                          6379
Host                          <Unknown>
Source RPM Packages           redis-2.8.21-1.el7ost.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-0.localdomain
Platform                      Linux overcloud-controller-0.localdomain 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64
Alert Count                   989
First Seen                    2015-11-29 01:26:58 EST
Last Seen                     2015-11-29 01:43:35 EST
Local ID                      8d00614d-2eee-46fe-8924-5819ac2427ad

Raw Audit Messages
type=AVC msg=audit(1448779415.155:2413): avc:  denied  { name_connect } for  pid=4133 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1448779415.155:2413): arch=x86_64 syscall=connect success=no exit=EACCES a0=9 a1=7fba364ab670 a2=10 a3=7fffdeafa134 items=0 ppid=1 pid=4133 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)

Hash: redis-server,redis_t,redis_port_t,tcp_socket,name_connect
```

Created attachment 1100098 [details]
openstack-selinux-0.6.45-1.el7ost.noarch logs
This AVC was fixed in openstack-selinux-0.6.46-1.el7.

```
type=AVC msg=audit(1449390604.395:5271): avc:  denied  { create } for  pid=17121 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=AVC msg=audit(1449393248.423:8265): avc:  denied  { read } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449393248.424:8266): avc:  denied  { read write } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449393989.852:9113): avc:  denied  { read write } for  pid=26966 comm="useradd" name="lastlog" dev="sda2" ino=365978 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
```

Skipping because I don't think it's related:

```
allow logrotate_t self:netlink_selinux_socket create;
```

Adding these 2 rules:

```
allow sshd_t cluster_var_log_t:file { read write };
allow useradd_t cluster_var_log_t:file { read write };
```

Saw a bunch of AVCs regarding tmpfs_t. Those can be fixed with: `restorecon -R -v /etc/ld.so.cache`

Either way, the AVCs left over shouldn't affect usability.

```
[root@overcloud-controller-1 ~]# rpm -qa | grep selinux
libselinux-devel-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
openstack-selinux-0.6.50-1.el7ost.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html
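The rule derivation in the comments above (four denials collapsed into `allow sshd_t cluster_var_log_t:file { read write };` and friends, with the unrelated logrotate_t one dropped) is the step `audit2allow` automates. The following is an added, stand-alone Python sketch of that step, not code from this bug or from openstack-selinux; the sample records are constructed to mirror the denials quoted above, and the `comm` list per rule is there so a reviewer can judge each rule before loading it.

```python
import re
from collections import defaultdict

# Constructed sample records in the format quoted in this bug; the last line
# is a SYSCALL record, which the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1449393248.423:8265): avc:  denied  { read } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449393248.424:8266): avc:  denied  { read write } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449390604.395:5271): avc:  denied  { create } for  pid=17121 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1449393248.423:8265): arch=x86_64 syscall=open success=no exit=EACCES
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """One AVC denial -> dict of perms/comm/contexts; None for any other record.
    Accepts raw audit.log lines and `grep -r` output with a filename prefix."""
    m = DENIED_RE.search(line)
    if "type=AVC " not in line or m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    rec = {key: fields[key] for key in ("scontext", "tcontext", "tclass")}
    rec["perms"] = m.group(1).split()
    rec["comm"] = fields.get("comm", "").strip('"')
    return rec

def derive_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class),
    as audit2allow does, and record which commands triggered each rule so a
    reviewer can drop unrelated ones (as the logrotate_t rule was above)."""
    perms_by_key, comms_by_key = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Context is user:role:type[:level]; the policy rule needs only the type.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        # A process acting on its own type is written as "self" in policy.
        key = (stype, "self" if stype == ttype else ttype, rec["tclass"])
        perms_by_key[key].update(rec["perms"])
        comms_by_key[key].add(rec["comm"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules, {k: sorted(v) for k, v in comms_by_key.items()}
```

Running `derive_rules(SAMPLE_AUDIT_LOG)` yields the two merged rules in the same form the comment above uses, together with `su` and `sshd` as the triggering commands.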
Created attachment 1096699 [details]
sealert

8G RAM on each VM (instack and nova/controller VMs); 1 CPU for instack, 2 CPUs for each other VM (3 controllers, 2 novas).

Description of problem:
See the following when executing:

```
sudo grep -i AVC -r /var/log/audit/
/var/log/audit/audit.log.3:type=AVC msg=audit(1447758589.159:90): avc:  denied  { read } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
/var/log/audit/audit.log.3:type=AVC msg=audit(1447758589.180:92): avc:  denied  { write } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
/var/log/audit/audit.log.3:type=AVC msg=audit(1447759742.547:993): avc:  denied  { search } for  pid=6782 comm="nova-novncproxy" name="httpd" dev="sda2" ino=12583097 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
/var/log/audit/audit.log.2:type=AVC msg=audit(1447795201.742:40639): avc:  denied  { write } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1447832783.562:260): avc:  denied  { name_connect } for  pid=4192 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket
```

Version-Release number of selected component (if applicable):

```
rpm -qa | grep neutron
openstack-neutron-common-7.0.0-3.el7ost.noarch
openstack-neutron-7.0.0-3.el7ost.noarch
openstack-neutron-ml2-7.0.0-3.el7ost.noarch
openstack-neutron-lbaas-7.0.0-2.el7ost.noarch
python-neutron-7.0.0-3.el7ost.noarch
openstack-neutron-metering-agent-7.0.0-3.el7ost.noarch
python-neutronclient-3.1.0-1.el7ost.noarch
openstack-neutron-openvswitch-7.0.0-3.el7ost.noarch
python-neutron-lbaas-7.0.0-2.el7ost.noarch
```

How reproducible:
100%

Steps to Reproduce:
1. Install the environment.
2. Run `sudo grep -i AVC -r /var/log/audit/` on all the controllers.
3. If it does not reproduce:

```
neutron subnet-create --name admin-ext-sub --disable-dhcp admin-ext 192.0.2.0/24 --allocation_pools list=true type=dict start=192.0.2.150,end=192.0.2.200 --gateway_ip=192.0.2.1
NID=$(neutron net-create int_net | awk -F'[ \t]*\\|[ \t]*' '/ id / {print $3}')
neutron subnet-create int_net 192.168.1.0/24 --dns_nameservers list=true 10.35.28.28 --name int_sub
neutron net-list
neutron subnet-list
neutron router-create Router_eNet
neutron router-list
neutron router-interface-add Router_eNet subnet=int_sub
neutron router-gateway-set Router_eNet admin-ext
```

Actual results:
vnc denied
dhclient denied
redis-server denied

Expected results:
Should not be denied.

Additional info:
File attached.