Bug 1568993

Summary: undercloud dnsmasq avc denied messages are in the audit.log
Product: Red Hat OpenStack Reporter: Attila Fazekas <afazekas>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Udi Shkalim <ushkalim>
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: bfournie, emacchi, fhubik, jjoyce, mgrepl, psedlak, sasha, srevivo
Target Milestone: betaKeywords: Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.14-2.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:52:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Attila Fazekas 2018-04-18 13:33:26 UTC 
Description of problem:
We had trouble in booting up overcloud nodes and we noticed avc: denial messages in the audit.log

Version-Release number of selected component (if applicable):
openstack-selinux.noarch          0.8.14-1.el7ost       @rhelosp-13.0-puddle    

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Comment 2 Lon Hohberger 2018-04-18 15:55:51 UTC 
Also reported:

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966786.453:1912): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966887.636:1963): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966893.099:1964): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966899.002:1965): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7705): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7706): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.012:7719): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7720): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7721): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

It looks like /var/lib/ironic-inspector/dhcp-hostsdir should be virt_var_lib_t ?
Comment 3 Lon Hohberger 2018-04-18 15:57:01 UTC 
Or - dnsmasq_lease_t
Comment 4 Lon Hohberger 2018-04-18 16:06:56 UTC 
./ironic_inspector/pxe_filter/dnsmasq.py - unlinks files from that directory, reads, opens, etc.
Comment 5 Lon Hohberger 2018-04-18 16:21:47 UTC 
dnsmasq_t already has:

allow daemon var_lib_t:dir { getattr open search };
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:False
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:True
allow dnsmasq_t file_type:filesystem getattr;
allow dnsmasq_t var_lib_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain base_file_type:dir { getattr open search };
allow domain var_lib_t:dir { getattr open search };
allow nsswitch_domain var_lib_t:dir { getattr ioctl lock open read search };
Comment 6 Pavel Sedlák 2018-04-18 17:35:16 UTC 
btw for completeness i see these three cases (obv. open in addition to read and getattr) when retried in permissive

> type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { open } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { read } for  pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Comment 7 Lon Hohberger 2018-04-18 18:57:50 UTC 
Instead of creating potential side-issues by changing the file context, I think the least potentially destabilizing thing is to give dnsmasq_t manage_file_perms for var_lib_t. This isn't ideal, obviously, however, it is a simple short-term fix.
Comment 10 Lon Hohberger 2018-04-18 20:22:48 UTC 
openstack-selinux-0.8.14-2.el7ost
Comment 17 Harald Jensås 2018-04-27 11:14:55 UTC 
*** Bug 1572537 has been marked as a duplicate of this bug. ***
Comment 19 Lon Hohberger 2018-06-14 19:51:53 UTC 
This passed the regression tests based on the reported AVCs.
Comment 21 errata-xmlrpc 2018-06-27 13:52:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086