Bug 1517744

Summary:	[RHEL-7.5] BUG: SELinux policy does not allow the opensm_t domain to control IB networks
Product:	Red Hat Enterprise Linux 7	Reporter:	Honggang LI <honli>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.5	CC:	ddutile, infiniband-qe, lvrabec, mgrepl, mmalik, mthacker, plautrba, pmoore, rdma-dev-team, ssekidde, yizhan
Target Milestone:	rc	Keywords:	Regression
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.13.1-181.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-04-10 12:47:26 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1464478, 1523309

Description Honggang LI 2017-11-27 11:22:11 UTC

Description of problem:

Selinux/InfiniBand support had been backported to RHEL-7.5 by bz1464478. It seems we need create or update selinux policy for opensm.


Version-Release number of selected component (if applicable):
1) kernel >= -789
2) selinux-policy, need this patch (https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c71)
3) opensm

How reproducible:
always

Steps to Reproduce:
1. /sbin/service opensm start
2. wait for a few minutes
3. ausearch -x opensm

Actual results:
----
time->Mon Nov 27 03:24:04 2017
type=PROCTITLE msg=audit(1511771044.457:521): proctitle="/usr/sbin/opensm"
type=SYSCALL msg=audit(1511771044.457:521): arch=c000003e syscall=1 success=yes exit=320 a0=5 a1=7f1900002050 a2=140 a3=0 items=0 ppid=1822 pid=1823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opensm" exe="/usr/sbin/opensm" subj=system_u:system_r:opensm_t:s0 key=(null)
type=AVC msg=audit(1511771044.457:521): avc:  denied  { access } for  pid=1823 comm="opensm" pkey=0xffff subnet_prefix=0:0:0:80fe:: scontext=system_u:system_r:opensm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey permissive=1
----
time->Mon Nov 27 06:11:04 2017
type=PROCTITLE msg=audit(1511781064.567:564): proctitle="/usr/sbin/opensm"
type=SYSCALL msg=audit(1511781064.567:564): arch=c000003e syscall=1 success=yes exit=320 a0=5 a1=7f1900002050 a2=140 a3=0 items=0 ppid=1822 pid=1823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opensm" exe="/usr/sbin/opensm" subj=system_u:system_r:opensm_t:s0 key=(null)
type=AVC msg=audit(1511781064.567:564): avc:  denied  { access } for  pid=1823 comm="opensm" pkey=0xffff subnet_prefix=0:0:0:80fe:: scontext=system_u:system_r:opensm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey permissive=1


Expected results:
No such selinux warning message

Additional info:
I don't know which component should be selected when I was filing this bug. As it is a selinux policy related issue, I picked up 'selinux-policy', please fix it if necessary.

Comment 2 Honggang LI 2017-11-27 14:22:55 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c90

Comment 3 Lukas Vrabec 2017-11-28 16:31:50 UTC

Fix in Fedora: 

commit 090161c49fc49d31633634095b6227e18e3215dd (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 28 17:30:03 2017 +0100

    Allow domains networkmanager_t and opensm_t to control IPoIB VLANs

Comment 5 Don Dutile (Red Hat) 2017-11-28 19:59:48 UTC

(In reply to Lukas Vrabec from comment #3)
> Fix in Fedora: 
> 
> commit 090161c49fc49d31633634095b6227e18e3215dd (HEAD -> rawhide,
> origin/rawhide, origin/HEAD)
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue Nov 28 17:30:03 2017 +0100
> 
>     Allow domains networkmanager_t and opensm_t to control IPoIB VLANs

Can we (minimally) get a (test) build for 7.5 so we can run tests on it tonight,
along with the kernel I pointed to here:
 https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c93

Comment 6 Paul Moore 2017-11-28 20:23:05 UTC

(In reply to Don Dutile from comment #5)
> Can we (minimally) get a (test) build for 7.5 so we can run tests on it
> tonight,
> along with the kernel I pointed to here:
>  https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c93

I forgot that Lukas is away at training all of this week (sorry Lukas!).  I'm currently working on a crude patch/scratch-build to use for testing, see BZ 1464478.

Comment 9 Honggang LI 2017-11-28 23:53:28 UTC

(In reply to Don Dutile from comment #5)
> (In reply to Lukas Vrabec from comment #3)
> > Fix in Fedora: 
> > 
> > commit 090161c49fc49d31633634095b6227e18e3215dd (HEAD -> rawhide,
> > origin/rawhide, origin/HEAD)
> > Author: Lukas Vrabec <lvrabec>
> > Date:   Tue Nov 28 17:30:03 2017 +0100
> > 
> >     Allow domains networkmanager_t and opensm_t to control IPoIB VLANs
> 
> Can we (minimally) get a (test) build for 7.5 so we can run tests on it
> tonight,
> along with the kernel I pointed to here:
>  https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c93

I tested this kernel (with upstream v2 patch) with my scratch selinux-policy package (only IPoIB patch applied). It does not make any difference.

Now a v3 upstream kernel patch is available. I'm waiting for a scratch kernel with v3 patch.

Comment 10 Paul Moore 2017-11-29 00:31:20 UTC

(In reply to Honggang LI from comment #9)
> I tested this kernel (with upstream v2 patch) with my scratch selinux-policy
> package (only IPoIB patch applied). It does not make any difference.

To clarify, you are still seeing the same problems with SELinux access denials for NetworkManager and opensm?  If so, can you please share the audit records showing the denials?

Comment 11 Don Dutile (Red Hat) 2017-11-29 02:01:34 UTC

(In reply to Honggang LI from comment #9)
> (In reply to Don Dutile from comment #5)
> > (In reply to Lukas Vrabec from comment #3)
> > > Fix in Fedora: 
> > > 
> > > commit 090161c49fc49d31633634095b6227e18e3215dd (HEAD -> rawhide,
> > > origin/rawhide, origin/HEAD)
> > > Author: Lukas Vrabec <lvrabec>
> > > Date:   Tue Nov 28 17:30:03 2017 +0100
> > > 
> > >     Allow domains networkmanager_t and opensm_t to control IPoIB VLANs
> > 
> > Can we (minimally) get a (test) build for 7.5 so we can run tests on it
> > tonight,
> > along with the kernel I pointed to here:
> >  https://bugzilla.redhat.com/show_bug.cgi?id=1464478#c93
> 
> I tested this kernel (with upstream v2 patch) with my scratch selinux-policy
> package (only IPoIB patch applied). It does not make any difference.
> 
> Now a v3 upstream kernel patch is available. I'm waiting for a scratch
> kernel with v3 patch.

The v3 kernel is the same as the v2 kernel, except it gets around the kernel build warning in a different way ... setting new_pps to NULL and using it as a check in the second if in security.c.  there will be no functional difference with v3 vs v2. 

If this kernel & selinux policy update doesn't work, I have to ask: what is Mellanox using & testing to see that these patches fix the problem/issue?

Comment 12 Honggang LI 2017-11-29 02:19:48 UTC

(In reply to Paul Moore from comment #10)
> (In reply to Honggang LI from comment #9)
> > I tested this kernel (with upstream v2 patch) with my scratch selinux-policy
> > package (only IPoIB patch applied). It does not make any difference.
> 
> To clarify, you are still seeing the same problems with SELinux access
> denials for NetworkManager and opensm?  

I saw the same problems with SELinux access with Don's scratch kernel with the old in-box selinux-policy package. If patched selinux-policy package installed, IPoIB vlan works as expected.

Comment 13 Honggang LI 2017-11-29 02:22:17 UTC

(In reply to Don Dutile from comment #11)

> If this kernel & selinux policy update doesn't work, I have to ask: what is
> Mellanox using & testing to see that these patches fix the problem/issue?

The selinux-policy update fixes the IPoIB vlan issue. But the kernel update is helpless for the IPoIB vlan issue. I did not test the opensm issue yet.

Comment 14 Don Dutile (Red Hat) 2017-11-29 02:28:22 UTC

(In reply to Honggang LI from comment #13)
> (In reply to Don Dutile from comment #11)
> 
> > If this kernel & selinux policy update doesn't work, I have to ask: what is
> > Mellanox using & testing to see that these patches fix the problem/issue?
> 
> The selinux-policy update fixes the IPoIB vlan issue. But the kernel update
> is helpless for the IPoIB vlan issue. I did not test the opensm issue yet.

ok, I'm confused. Do you mean that your scratch selinux-policy build failed, but the one Lukas built did work?

the kernel fix will only work for iWARP-based RDMA -- it ignores the check for non-Pkey'd interface (iWARP).

Comment 15 Honggang LI 2017-11-29 03:07:13 UTC

(In reply to Don Dutile from comment #14)
> (In reply to Honggang LI from comment #13)
> > (In reply to Don Dutile from comment #11)
> > 
> > > If this kernel & selinux policy update doesn't work, I have to ask: what is
> > > Mellanox using & testing to see that these patches fix the problem/issue?
> > 
> > The selinux-policy update fixes the IPoIB vlan issue. But the kernel update
> > is helpless for the IPoIB vlan issue. I did not test the opensm issue yet.
> 
> ok, I'm confused. Do you mean that your scratch selinux-policy build failed,
> but the one Lukas built did work?

Mo, I never tested Lukas build, it was not ready until this morning. I only tested my scratch selinux-policy build.

Comment 16 Honggang LI 2017-11-29 03:10:28 UTC

It seems the selinux-policy still emits warning message about opensm.

[root@rdma03 ~]# uname -r 
4.14.0.0c86a6bd85ff

[root@rdma03 ~]# rpm -qa | grep  opensm
opensm-libs-3.3.20-2.el7.x86_64
opensm-3.3.20-2.el7.x86_64

[root@rdma03 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-180.el7.pkeys.100.noarch
selinux-policy-devel-3.13.1-180.el7.noarch
selinux-policy-3.13.1-180.el7.pkeys.100.noarch

[root@rdma03 ~]# grep -v '^#' /etc/selinux/config 
SELINUX=permissive
SELINUXTYPE=targeted

[root@rdma03 ~]# getenforce 
Permissive

[root@rdma03 ~]# ausearch -x opensm
----
time->Tue Nov 28 21:55:52 2017
type=PROCTITLE msg=audit(1511924152.624:75): proctitle=2F7573722F7362696E2F6F70656E736D002D6700307830303032633930333030623363666632002D2D7375626E65745F70726566697800307866653830303030303030303030303031
type=SYSCALL msg=audit(1511924152.624:75): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=c01c1b01 a2=7ffe7c4f8e30 a3=7ffe7c4f8be0 items=0 ppid=1975 pid=1976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opensm" exe="/usr/sbin/opensm" subj=system_u:system_r:opensm_t:s0 key=(null)
type=AVC msg=audit(1511924152.624:75): avc:  denied  { manage_subnet } for  pid=1976 comm="opensm" device=mlx4_0 port_num=2 scontext=system_u:system_r:opensm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=1

[root@rdma03 ~]# ibstat
CA 'mlx4_0'
	CA type: MT4099
	Number of ports: 2
	Firmware version: 2.35.5100
	Hardware version: 1
	Node GUID: 0x0002c90300b3cff0
	System image GUID: 0x0002c90300b3cff3
	Port 1:
		State: Active
		Physical state: LinkUp
		Rate: 56
		Base lid: 2
		LMC: 0
		SM lid: 2
		Capability mask: 0x0259486a
		Port GUID: 0x0002c90300b3cff1
		Link layer: InfiniBand
	Port 2:
		State: Active
		Physical state: LinkUp
		Rate: 56
		Base lid: 3
		LMC: 0
		SM lid: 3
		Capability mask: 0x0259486a
		Port GUID: 0x0002c90300b3cff2
		Link layer: InfiniBand
[root@rdma03 ~]#

Comment 17 Paul Moore 2017-11-29 16:56:02 UTC

(In reply to Honggang LI from comment #15)
> (In reply to Don Dutile from comment #14)
> > (In reply to Honggang LI from comment #13)
> > > (In reply to Don Dutile from comment #11)
> > > 
> > > > If this kernel & selinux policy update doesn't work, I have to ask: what is
> > > > Mellanox using & testing to see that these patches fix the problem/issue?
> > > 
> > > The selinux-policy update fixes the IPoIB vlan issue. But the kernel update
> > > is helpless for the IPoIB vlan issue. I did not test the opensm issue yet.
> > 
> > ok, I'm confused. Do you mean that your scratch selinux-policy build failed,
> > but the one Lukas built did work?
> 
> Mo, I never tested Lukas build, it was not ready until this morning. I only
> tested my scratch selinux-policy build.

Please test the selinux-policy scratch-build from Lukas.  Regardless of the kernel used for testing there are also SELinux policy problems and the scratch-build from Lukas *should* resolve those.

Comment 18 Honggang LI 2017-12-04 07:19:10 UTC

(In reply to Paul Moore from comment #17)

> Please test the selinux-policy scratch-build from Lukas.  Regardless of the
> kernel used for testing there are also SELinux policy problems and the
> scratch-build from Lukas *should* resolve those.

See https://bugzilla.redhat.com/show_bug.cgi?id=1517744#c16
    https://bugzilla.redhat.com/show_bug.cgi?id=1517895#c5

Comment 21 Paul Moore 2017-12-04 16:27:36 UTC

Lukas, see Honggang LI's comments above, it appears the infiniband_endport:manage_subnet permission is missing for opensm_t/unlabeled_t.  I believe we need the following for opensm_t:

  +# SELinux/IB hack - https://bugzilla.redhat.com/show_bug.cgi?id=1517744
  +corenet_ib_access_unlabeled_pkeys(opensm_t)
  +corenet_ib_manage_subnet_unlabeled_endports(opensm_t)

I'm guessing your patch has the first line, but not the second.

Comment 22 Lukas Vrabec 2017-12-04 19:51:23 UTC

Yep, You're right. Fixed.

Thanks.

Comment 30 errata-xmlrpc 2018-04-10 12:47:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763