Bug 1283674

Summary: VIRT HA+ router VRRP environmet. dhclient, vnc and redis-server denied
Product: Red Hat OpenStack Reporter: Alexander Stafeyev <astafeye>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA QA Contact: Alexander Stafeyev <astafeye>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0 (Liberty)CC: astafeye, jschluet, lhh, mgrepl, rbiba, sasha, sgordon, tfreger, yeylon
Target Milestone: beta   
Target Release: 8.0 (Liberty)   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.49-1.el7ost Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinix prevented dhclient, vnc, and redis from working. New rules have now been added to allow these software tools to run successfully.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-07 21:12:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sealert
none
openstack-selinux-0.6.45-1.el7ost.noarch logs none

Description Alexander Stafeyev 2015-11-19 14:38:50 UTC
Created attachment 1096699 [details]
sealert

8G ram on each VM ( instack and nova/controllers VMs) 1 cpu instack, 2 cpus for each other VM. ( 3 controllers 2 novas) 

Description of problem:
See the following when executing: 
sudo grep -i AVC -r /var/log/audit/

/var/log/audit/audit.log.3:type=AVC msg=audit(1447758589.159:90): avc:  denied  { read } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

/var/log/audit/audit.log.3:type=AVC msg=audit(1447758589.180:92): avc:  denied  { write } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

/var/log/audit/audit.log.3:type=AVC msg=audit(1447759742.547:993): avc:  denied  { search } for  pid=6782 comm="nova-novncproxy" name="httpd" dev="sda2" ino=12583097 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir


/var/log/audit/audit.log.2:type=AVC msg=audit(1447795201.742:40639): avc:  denied  { write } for  pid=10386 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32228 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

/var/log/audit/audit.log:type=AVC msg=audit(1447832783.562:260): avc:  denied  { name_connect } for  pid=4192 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
rpm -qa | grep neutron
openstack-neutron-common-7.0.0-3.el7ost.noarch
openstack-neutron-7.0.0-3.el7ost.noarch
openstack-neutron-ml2-7.0.0-3.el7ost.noarch
openstack-neutron-lbaas-7.0.0-2.el7ost.noarch
python-neutron-7.0.0-3.el7ost.noarch
openstack-neutron-metering-agent-7.0.0-3.el7ost.noarch
python-neutronclient-3.1.0-1.el7ost.noarch
openstack-neutron-openvswitch-7.0.0-3.el7ost.noarch
python-neutron-lbaas-7.0.0-2.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. install environment.
2.sudo grep -i AVC -r /var/log/audit/ on all the controllers
3. if not reproduces: 
neutron subnet-create --name admin-ext-sub --disable-dhcp admin-ext 192.0.2.0/24 --allocation_pools list=true type=dict start=192.0.2.150,end=192.0.2.200 --gateway_ip=192.0.2.1

NID=$(neutron net-create int_net | awk -F'[ \t]*\\|[ \t]*' '/ id / {print $3}')
neutron subnet-create int_net 192.168.1.0/24 --dns_nameservers list=true 10.35.28.28 --name int_sub
neutron net-list
neutron subnet-list
neutron router-create Router_eNet
neutron router-list
neutron router-interface-add Router_eNet subnet=int_sub
neutron router-gateway-set Router_eNet admin-ext

Actual results:
vnc denied
dhclient denied 
redis server denied 

Expected results:
should not be denied . 

Additional info:
file attached

Comment 2 Ryan Hallisey 2015-11-19 15:16:06 UTC
Try openstack-selinux-0.6.45-1.el7ost because I think it will fix this.  I think the AVC breaking this the nova_t one.

Comment 3 Toni Freger 2015-11-24 06:22:42 UTC
Alex, 
please retest on the latest osp8, it's already contain this version of SELinux openstack-selinux-0.6.45-1.el7ost. Update this bug with your results.

Thanks

Comment 4 Alexander Stafeyev 2015-11-29 06:45:22 UTC
openstack-selinux-0.6.45-1.el7ost.noarch

root@overcloud-controller-0 ~]# sealert -a /var/log/audit/audit.log
 17% done'list' object has no attribute 'split'
117% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/redis-server from name_connect access on the tcp_socket port 6379.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that redis-server should be allowed name_connect access on the port 6379 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep redis-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:redis_t:s0
Target Context                system_u:object_r:redis_port_t:s0
Target Objects                port 6379 [ tcp_socket ]
Source                        redis-server
Source Path                   /usr/bin/redis-server
Port                          6379
Host                          <Unknown>
Source RPM Packages           redis-2.8.21-1.el7ost.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-0.localdomain
Platform                      Linux overcloud-controller-0.localdomain
                              3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29
                              EDT 2015 x86_64 x86_64
Alert Count                   989
First Seen                    2015-11-29 01:26:58 EST
Last Seen                     2015-11-29 01:43:35 EST
Local ID                      8d00614d-2eee-46fe-8924-5819ac2427ad

Raw Audit Messages
type=AVC msg=audit(1448779415.155:2413): avc:  denied  { name_connect } for  pid=4133 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1448779415.155:2413): arch=x86_64 syscall=connect success=no exit=EACCES a0=9 a1=7fba364ab670 a2=10 a3=7fffdeafa134 items=0 ppid=1 pid=4133 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)

Hash: redis-server,redis_t,redis_port_t,tcp_socket,name_connect

Comment 5 Alexander Stafeyev 2015-11-29 06:55:03 UTC
Created attachment 1100098 [details]
openstack-selinux-0.6.45-1.el7ost.noarch logs

Comment 6 Ryan Hallisey 2015-11-30 14:33:12 UTC
This AVC was fix in openstack-selinux-0.6.46-1.el7

Comment 10 Ryan Hallisey 2015-12-07 13:34:03 UTC
type=AVC msg=audit(1449390604.395:5271): avc:  denied  { create } for  pid=17121 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=AVC msg=audit(1449393248.423:8265): avc:  denied  { read } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449393248.424:8266): avc:  denied  { read write } for  pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=AVC msg=audit(1449393989.852:9113): avc:  denied  { read write } for  pid=26966 comm="useradd" name="lastlog" dev="sda2" ino=365978 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file

Comment 11 Ryan Hallisey 2015-12-09 14:40:50 UTC
Skipping because I don't think it's related:
allow logrotate_t self:netlink_selinux_socket create;

Adding these 2 rules:
allow sshd_t cluster_var_log_t:file { read write };
allow useradd_t cluster_var_log_t:file { read write };

Comment 12 Ryan Hallisey 2016-01-20 17:03:25 UTC
Saw a bunch of AVCs regarding tmpfs_t.  Those can be fixed with:
`restorecon -R -v /etc/ld.so.cache`

Either way, the AVCs left over shouldn't affect usability.

Comment 13 Alexander Stafeyev 2016-01-20 17:06:35 UTC
[root@overcloud-controller-1 ~]# rpm -qa | grep selinux
libselinux-devel-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
openstack-selinux-0.6.50-1.el7ost.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

Comment 14 errata-xmlrpc 2016-04-07 21:12:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html