Bug 1365653
| Field | Value |
|---|---|
| Summary | Failure to configure team with ifcfg |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Amit Supugade <asupugad> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | urgent |
| Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | urgent |
| Version | 7.3 |
| CC | asupugad, dapospis, jaster, lvrabec, lxin, mgrepl, mjahoda, mleitner, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-95.el7 |
| Doc Type | Bug Fix |
| Doc Text | It is not a known issue anymore; fixed in selinux-policy-3.13.1-95.el7 |
| Story Points | --- |
| Clone Of | |
| | 1367180 |
| Environment | |
| Last Closed | 2016-11-04 02:36:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1366991, 1367180 |
Description
Amit Supugade
2016-08-09 18:30:08 UTC
---

The /run/teamd/team0.conf file is mislabeled. The following command will fix it:

    # restorecon -Rv /run/teamd

Does the scenario work now?

---

(In reply to Milos Malik from comment #12)
> The /run/teamd/team0.conf file is mislabeled. Following command will fix it:

Sorry for my ignorance on the topic, but assuming that's it, how can we avoid this? Was the file created in a wrong way?

---

We have to find out which process created the /run/teamd directory and which process created the team0.conf file. Files inside the /run/teamd directory should inherit the same SELinux label unless selinux-policy tells otherwise. Did it happen on a clean machine?

---

(In reply to Milos Malik from comment #14)
> We have to find out which process created the /run/teamd directory and which
> process created the team0.conf file. Files inside /run/teamd directory
> should inherit the same SELinux label unless selinux-policy tells otherwise.
> Did it happen on a clean machine?

Hi Milos,

When we run "ifup team0", the current shell process calls /etc/sysconfig/network-scripts/ifup-Team; in it:

    mkdir -p /run/teamd/ || exit 1
    echo "${TEAM_CONFIG}" > /run/teamd/${DEVICE}.conf || exit 1
    /usr/bin/systemctl start teamd@${DEVICE}.service || exit 1    <----[1]

(${DEVICE} is team0 here)

So the current shell process creates this directory and file:

    ls -Z "/run/teamd/team0.conf"
    -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /run/teamd/team0.conf

However, [1] will send a request to systemd, then the systemd process starts the teamd daemon with:

    /usr/bin/teamd -U -D -o -t %i -f /run/teamd/%i.conf

(%i is team0 here)

So the systemd process accesses this file.

    [root@localhost ~]# ps axZ |grep systemd
    system_u:system_r:init_t:s0     1 ?        Ss     0:20 /usr/lib/systemd/systemd --switched-root --system --deserialize 21

---------

If we config "BOOT=yes" in the team configuration, it works fine, as the network service calls ifup-Team and creates the directory and the file when the system is booting.

But if we config "BOOT=no" in the team configuration, network will not call it. Then we may use "ifup team0" to start it manually in a shell terminal, and this issue is triggered.

---

(In reply to Milos Malik from comment #12)
> The /run/teamd/team0.conf file is mislabeled. Following command will fix it:
>
> # restorecon -Rv /run/teamd
>
> Does the scenario work now?

This command did not fix it. I saw the same behaviour as before.

---

Which version of selinux-policy do you have on your machine?

    # rpm -qa selinux-policy\*

---

(In reply to Milos Malik from comment #17)
> Which version of selinux-policy do you have on your machine?
>
> # rpm -qa selinux-policy\*

    [root@sam ~]# rpm -qa selinux-policy\*
    selinux-policy-targeted-3.13.1-93.el7.noarch
    selinux-policy-3.13.1-93.el7.noarch

---

There is one test case among the selinux-policy tests which is dedicated to teamd:
* /CoreOS/selinux-policy/Regression/teamd-and-similar

The /run/teamd directory did not exist on my VMs before running the test case. After running the test case I see the following. The directory is labeled correctly.

    # rpm -qf /run/teamd/
    file /run/teamd is not owned by any package
    # ls -dZ /run/teamd/
    drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0 /run/teamd/
    #

Could you remove the /run/teamd directory first, run your scenario and then provide the output of the following command?

    # ls -Z /run/teamd

---

(In reply to Milos Malik from comment #19)
> There is one test case among selinux-policy tests which is dedicated to
> teamd:
> * /CoreOS/selinux-policy/Regression/teamd-and-similar
>
> The /run/teamd directory did not exist on my VMs before running the test
> case. After running the test case I see following. The directory is labeled
> correctly.
>
> # rpm -qf /run/teamd/
> file /run/teamd is not owned by any package
> # ls -dZ /run/teamd/
> drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> /run/teamd/
> #
>
> Could you remove the /run/teamd directory first, run your scenario and then
> provide output of following commands?
>
> # ls -Z /run/teamd

Here is the output of the command as requested:

    [root@sam run]# ls -Z /run/teamd
    -rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.pid
    srwx------. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.sock

---

Hi

(In reply to Milos Malik from comment #19)
> There is one test case among selinux-policy tests which is dedicated to
> teamd:
> * /CoreOS/selinux-policy/Regression/teamd-and-similar
>
> The /run/teamd directory did not exist on my VMs before running the test
> case. After running the test case I see following. The directory is labeled
> correctly.
>
> # rpm -qf /run/teamd/
> file /run/teamd is not owned by any package
> # ls -dZ /run/teamd/
> drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> /run/teamd/
> #
>
> Could you remove the /run/teamd directory first, run your scenario and then
> provide output of following commands?
>
> # ls -Z /run/teamd

Please disable NM; this issue happens without NM.

---

(In reply to Amit Supugade from comment #20)
> (In reply to Milos Malik from comment #19)
> > There is one test case among selinux-policy tests which is dedicated to
> > teamd:
> > * /CoreOS/selinux-policy/Regression/teamd-and-similar
> >
> > The /run/teamd directory did not exist on my VMs before running the test
> > case. After running the test case I see following. The directory is labeled
> > correctly.
> >
> > # rpm -qf /run/teamd/
> > file /run/teamd is not owned by any package
> > # ls -dZ /run/teamd/
> > drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> > /run/teamd/
> > #
> >
> > Could you remove the /run/teamd directory first, run your scenario and then
> > provide output of following commands?
> >
> > # ls -Z /run/teamd
> Here is the output of the command as requested-
> [root@sam run]# ls -Z /run/teamd
> -rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.pid
> srwx------. root root system_u:object_r:NetworkManager_var_run_t:s0
> team0.sock

Without NM, it should be:

    ls -Z "/run/teamd/team0.conf"
    -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /run/teamd/team0.conf
    -----^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Milos, are you able to reproduce it?

---

Guys,
how is /run/teamd created?

---

(In reply to Miroslav Grepl from comment #24)
> Guys,
> how is /run/teamd created?

Miroslav, please check c15.

---

Ok, I overlooked. Thanks.
So it happens because of
>But if we config "BOOT=no" in team configuration, network will not call it.then
>we may use ifup team0 to start it manually in an shell terminal, then this issue
>is triggered.
Could you please test it with the following local policy?

    $ cat mypol.cil
    (typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
    # semodule -i mypol.cil

to see if it works correctly?

Thank you.
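The thread above pins the root cause to object labeling: ifup-Team runs in the caller's shell domain, `mkdir -p /run/teamd` inherits `var_run_t` from `/run`, and `team0.conf` then inherits `var_run_t` from that directory, whereas the policy expects teamd's runtime files to be `NetworkManager_var_run_t` (the audit records later in the thread show teamd itself running as `NetworkManager_t`). The CIL rule proposed here is a *named* type transition, which fires only for a directory literally called `teamd` created under a `var_run_t` parent. The following is an added example, not code from the bug report or from selinux-policy: a small Python model of how the kernel chooses a new object's type (named transition, then unnamed transition, then inherit from the parent) that replays ifup-Team's two creations with and without `mypol.cil`. The function names and the simplifications (no `default_type`, no role or user handling) are mine.

```python
"""Added example (not from the bug report or selinux-policy): a simplified
model of SELinux object labeling, used to show why ifup-Team's mkdir/echo
produced var_run_t and why the named typetransition in mypol.cil repairs it.

Real SELinux also consults default_type and other rules; this model only
implements "named transition > unnamed transition > inherit from parent",
which is the part that matters for this bug."""

from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TypeTransition:
    """One CIL statement: (typetransition src tgt class ["name"] result)."""
    source: str              # domain of the creating process, e.g. unconfined_t
    target: str              # type of the parent directory, e.g. var_run_t
    tclass: str              # object class being created: "dir", "file", ...
    result: str              # type the new object receives
    name: Optional[str] = None   # object name for a named transition, else None


def parse_cil_typetransition(line: str) -> TypeTransition:
    """Parse a single-line CIL typetransition such as the one in mypol.cil."""
    body = line.strip()
    if not (body.startswith("(typetransition") and body.endswith(")")):
        raise ValueError(f"not a typetransition statement: {line!r}")
    parts = body[1:-1].split()
    if len(parts) == 5:                       # unnamed: src tgt class result
        _, src, tgt, cls, res = parts
        return TypeTransition(src, tgt, cls, res)
    if len(parts) == 6:                       # named: src tgt class "name" result
        _, src, tgt, cls, name, res = parts
        return TypeTransition(src, tgt, cls, res, name.strip('"'))
    raise ValueError(f"unexpected token count in {line!r}")


def label_new_object(creator: str, parent_type: str, tclass: str, name: str,
                     rules: List[TypeTransition]) -> str:
    """Return the type a newly created object gets.

    Mirrors the kernel's precedence: a named transition matching the exact
    object name wins over an unnamed one, and with no matching rule the
    object inherits its parent directory's type."""
    def matches(r: TypeTransition) -> bool:
        return r.source == creator and r.target == parent_type and r.tclass == tclass

    for rule in rules:
        if matches(rule) and rule.name == name:
            return rule.result
    for rule in rules:
        if matches(rule) and rule.name is None:
            return rule.result
    return parent_type


def simulate_ifup_team(rules: List[TypeTransition], creator: str = "unconfined_t",
                       run_type: str = "var_run_t", device: str = "team0") -> Tuple[str, str]:
    """Replay the two creations ifup-Team performs (mkdir /run/teamd, then
    echo > /run/teamd/<device>.conf) and return (dir_type, conf_type).
    The directory's resulting type is the parent type for the .conf file."""
    dir_type = label_new_object(creator, run_type, "dir", "teamd", rules)
    conf_type = label_new_object(creator, dir_type, "file", f"{device}.conf", rules)
    return dir_type, conf_type


# The rule from mypol.cil, verbatim.
MYPOL_CIL = '(typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)'

if __name__ == "__main__":
    print("without mypol.cil:", simulate_ifup_team([]))
    print("with mypol.cil:   ", simulate_ifup_team([parse_cil_typetransition(MYPOL_CIL)]))
```

The second run shows the important side effect: once the directory itself lands as `NetworkManager_var_run_t`, the `.conf` file needs no rule of its own because it inherits from the repaired parent. The named rule is also narrow by design; with only this rule loaded, a sibling directory under `/run` or the same directory created by a different domain still inherits `var_run_t`, which is what you want from a policy fix that should not relabel unrelated runtime state.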
---

Hi, today I found out the same issue in my test, but only on aarch64. Other architectures work fine. I use nmcli in my test, but it fails without nmcli too.

    # rpm -q selinux-policy kernel
    selinux-policy-3.13.1-93.el7.noarch
    kernel-4.5.0-3.el7.aarch64
    # ausearch -m avc -m user_avc -m selinux_err -i -ts recent
    <no matches>
    # nmcli connection add con-name teamTest ifname teamTest type team config '{"runner": {"name": "activebackup"}}'
    Connection 'teamTest' (effd6db2-5189-4c69-ba1e-ce67a76c75b4) successfully added.
    # ausearch -m avc -m user_avc -m selinux_err -i -ts recent
    ----
    type=PROCTITLE msg=audit(08/22/2016 10:05:51.376:449) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
    type=SYSCALL msg=audit(08/22/2016 10:05:51.376:449) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3fff1deae30 items=0 ppid=764 pid=28763 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(08/22/2016 10:05:51.376:449) : avc: denied { create } for pid=28763 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
    ----
    type=PROCTITLE msg=audit(08/22/2016 10:05:51.716:450) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
    type=SYSCALL msg=audit(08/22/2016 10:05:51.716:450) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3ffd7e99200 items=0 ppid=764 pid=28767 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(08/22/2016 10:05:51.716:450) : avc: denied { create } for pid=28767 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
    ----
    type=PROCTITLE msg=audit(08/22/2016 10:05:52.047:451) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
    type=SYSCALL msg=audit(08/22/2016 10:05:52.047:451) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3fffbd6f2e0 items=0 ppid=764 pid=28771 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(08/22/2016 10:05:52.047:451) : avc: denied { create } for pid=28771 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
    ----
    type=PROCTITLE msg=audit(08/22/2016 10:05:52.382:452) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
    type=SYSCALL msg=audit(08/22/2016 10:05:52.382:452) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3ffc9913c40 items=0 ppid=764 pid=28775 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(08/22/2016 10:05:52.382:452) : avc: denied { create } for pid=28775 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0

---

(In reply to Miroslav Grepl from comment #26)
> Ok, I overlooked. Thanks.
>
> So it happens because of
>
> >But if we config "BOOT=no" in team configuration, network will not call it.then
> >we may use ifup team0 to start it manually in an shell terminal, then this issue
> >is triggered.
>
> Could you please test it with the following local policy?
>
> $ cat mypol.cil
> (typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
> # semodule -i mypol.cil
>
> to see if it works correctly?
>
> Thank you.

Hi, I tried with the local policy and it worked fine. Log below:

    [root@robin ~]# cat mypol.cil
    (typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
    [root@robin ~]# systemctl status NetworkManager
    ● NetworkManager.service - Network Manager
       Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Mon 2016-08-22 11:33:10 EDT; 2s ago
         Docs: man:NetworkManager(8)
     Main PID: 817 (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/NetworkManager.service
               └─879 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp5s0f0.pid -lf /var/lib/NetworkManager/dhclient-0bb2b557-70e0-4f3f-b3d2-4c4335f91...

    Aug 22 11:26:58 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879618.5664] device (enp7s0f0): link disconnected
    Aug 22 11:26:58 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879618.5671] device (enp7s0f1): link disconnected
    Aug 22 11:31:03 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879863.1986] device (enp7s0f1): link connected
    Aug 22 11:31:04 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879864.2008] device (enp7s0f1): link disconnected
    Aug 22 11:31:28 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879888.3075] device (enp7s0f1): link connected
    Aug 22 11:31:29 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879889.2921] device (enp7s0f0): link connected
    Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com systemd[1]: Stopping Network Manager...
    Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879990.2194] caught SIGTERM, shutting down normally.
    Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879990.2227] exiting (success)
    Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com systemd[1]: Stopped Network Manager.
    [root@robin ~]#
    [root@robin ~]# semodule -i mypol.cil
    [root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f0
    > DEVICE=enp7s0f0
    > ONBOOT=no
    > TEAM_MASTER=team0
    > EOF
    [root@robin ~]#
    [root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f1
    > DEVICE=enp7s0f1
    > ONBOOT=no
    > TEAM_MASTER=team0
    > EOF
    [root@robin ~]#
    [root@robin ~]#
    [root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-team0
    > DEVICE=team0
    > ONBOOT=no
    > BOOTPROTO=none
    > IPADDR=192.168.23.11
    > NETMASK=255.255.255.0
    > TEAM_CONFIG='{"runner": {"name": "activebackup"}, "link_watch": {"name": "ethtool"}}'
    > EOF
    [root@robin ~]#
    [root@robin ~]# ifup team0
    [root@robin ~]#
    [root@robin ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp7s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP qlen 1000
        link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
        inet6 fe80::290:faff:fe8a:5c7a/64 scope link
           valid_lft forever preferred_lft forever
    3: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether e4:11:5b:dd:d6:06 brd ff:ff:ff:ff:ff:ff
        inet 10.19.15.27/24 brd 10.19.15.255 scope global dynamic enp5s0f0
           valid_lft 84345sec preferred_lft 84345sec
        inet6 2620:52:0:130b:e611:5bff:fedd:d606/64 scope global noprefixroute dynamic
           valid_lft 2591822sec preferred_lft 604622sec
        inet6 fe80::e611:5bff:fedd:d606/64 scope link
           valid_lft forever preferred_lft forever
    4: enp7s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP qlen 1000
        link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
        inet6 fe80::290:faff:fe8a:5c82/64 scope link
           valid_lft forever preferred_lft forever
    5: enp5s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether e4:11:5b:dd:d6:07 brd ff:ff:ff:ff:ff:ff
    6: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
        link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
        inet 192.168.23.11/24 brd 192.168.23.255 scope global team0
           valid_lft forever preferred_lft forever
        inet6 2001::290:faff:fe8a:5c7a/64 scope global mngtmpaddr dynamic
           valid_lft 2591999sec preferred_lft 604799sec
        inet6 fe80::290:faff:fe8a:5c7a/64 scope link
           valid_lft forever preferred_lft forever

---

This bug is causing many other team test failures. Increasing Priority and Severity.

---

Ok, we have tested the fix.

    (typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
    (allow NetworkManager_t NetworkManager_t ( netlink_generic_socket ( create )))

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
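The second half of the final fix, `(allow NetworkManager_t NetworkManager_t ( netlink_generic_socket ( create )))`, follows directly from the aarch64 AVC records quoted earlier in the thread: each one denies `create` on class `netlink_generic_socket` with source and target context both `NetworkManager_t`. The following is an added example, not code from the bug report or from `audit2allow`: a small Python tool that parses `type=AVC` lines out of an `ausearch` dump, collapses the repeated denials, and emits the CIL allow rule they imply. The function names and the `SAMPLE_AUSEARCH` text (constructed from two of the four records posted in the aarch64 comment) are mine.

```python
"""Added example (not from the bug report or audit2allow): derive CIL allow
rules from type=AVC records in an ausearch dump. Only the AVC line of each
record is needed; SYSCALL and PROCTITLE lines are ignored."""

import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Fields of a kernel AVC record that a policy rule is built from. The same
# scontext/tcontext/tclass fields appear in raw and `ausearch -i` output.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r".*?\btcontext=(?P<tcon>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

Denial = Tuple[str, str, str, Set[str], bool]   # (src_type, tgt_type, tclass, perms, permissive)


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type (the only part an allow rule names)."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context {ctx!r}")
    return fields[2]


def parse_avc_denials(text: str) -> Iterator[Denial]:
    """Yield one tuple per type=AVC 'denied' record found in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split())
        yield (context_type(m.group("scon")), context_type(m.group("tcon")),
               m.group("tclass"), perms, m.group("permissive") == "1")


def avc_to_cil(text: str) -> List[str]:
    """Merge denials sharing (source, target, class) and render one CIL
    allow statement per group, permissions sorted for stable output."""
    merged: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for src, tgt, cls, perms, _permissive in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


# Constructed sample: two of the four records posted in the aarch64 comment.
SAMPLE_AUSEARCH = """\
----
type=PROCTITLE msg=audit(08/22/2016 10:05:51.376:449) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
type=SYSCALL msg=audit(08/22/2016 10:05:51.376:449) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3fff1deae30 items=0 ppid=764 pid=28763 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(08/22/2016 10:05:51.376:449) : avc: denied { create } for pid=28763 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
----
type=PROCTITLE msg=audit(08/22/2016 10:05:51.716:450) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}}
type=SYSCALL msg=audit(08/22/2016 10:05:51.716:450) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3ffd7e99200 items=0 ppid=764 pid=28767 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(08/22/2016 10:05:51.716:450) : avc: denied { create } for pid=28767 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
"""

if __name__ == "__main__":
    for rule in avc_to_cil(SAMPLE_AUSEARCH):
        print(rule)
```

Two things worth keeping in mind when using output like this. A generated allow rule is a starting point for review, not a conclusion: the question is whether the denied access is something the domain legitimately needs, and here it is, because teamd talks to the kernel team driver over generic netlink, so `NetworkManager_t` creating a `netlink_generic_socket` is expected behaviour rather than a sign of compromise. And the tool deliberately does not emit a rule for a mislabeled file; a denial on `team0.conf` with a `var_run_t` target would point at the labeling fix earlier in this bug, not at an allow rule, which is why the merged output should always be read alongside the target contexts it was derived from.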