Bug 1667276
| Summary: | Selinux - bunch of "avc: denied" messages in logs on rhel8. | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Alexander Chuzhoy <sasha> |
| Component: | rhosp-director | Assignee: | Cédric Jeanneret <cjeanner> |
| Status: | CLOSED WORKSFORME | QA Contact: | Gurenko Alex <agurenko> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 15.0 (Stein) | CC: | cjeanner, dbecker, dprince, mburns, morazi, sasha |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-01-29 14:21:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hello! So, the relabelto will stay - it doesn't block the copy of the backup/config things, and allowing them is a security breach we don't want to see. The connectto might be OK, although I'd like to know a bit more about that: any idea of the container(s) wantin to connect? Apparently, some "sudo" command from within a container are issued.. ? The setexec might be OK, I think it might be accepted as an `openstack-selinux' patch Finally, the write from sss_cache needs some investigation in order to check what's going on in there (like the connectto). I'll check with the security team and openstack-selinux maintainers for patches, acceptable changes and the like. I agree with Cédric. Lets not let the container be able to relabel files. Quick update: the "net_broadcast" should be taken care in openstack-selinux with https://github.com/redhat-openstack/openstack-selinux/pull/22 Another quick update: the AVC regarding sss are known, and apparently fixed with selinux-policy-3.14.1-48.el8 (see https://bugzilla.redhat.com/show_bug.cgi?id=1651531) Also, this one is weird:
type=AVC msg=audit(1547766061.463:5904): avc: denied { setexec } for pid=208019 comm="crond" scontext=system_u:system_r:container_t:s0:c560,c816 tcontext=system_u:system_r:container_t:s0:c560,c816 tclass=process permissive=0
According to https://github.com/containers/container-selinux/blob/master/container.te#L663 this is allowed...
OK, container-selinux package is probably too old: https://github.com/containers/container-selinux/commit/de8020d4441bbd80e2f2c1646a34d60a15c3c270 I was the one adding this permission 3 months ago. You might still be using a pretty old podman as well, care to share its version (podman --version or, even better, podman --info)? podman version 0.10.1.3 Hey, As discussed: pretty old versions, we target podman 1.x on rhel8. There's just the "relabelto" which is "valid", but as stated, we won't add new policy for this one. It's tracked in LP https://bugs.launchpad.net/tripleo/+bug/1813313 (I'm still digging the reasons). It doesn't prevent the deploy or use. Cheers, C. |
Selinux - bunch of "avc: denied" messages in logs on rhel8. Environment: rpm-plugin-selinux-4.14.2-4.el8.x86_64 libselinux-utils-2.8-5.el8.x86_64 libselinux-2.8-5.el8.x86_64 selinux-policy-3.14.1-47.el8.noarch python3-libselinux-2.8-5.el8.x86_64 selinux-policy-targeted-3.14.1-47.el8.noarch container-selinux-2.73-3.el8+1838+91f7e486.noarch libselinux-ruby-2.8-5.el8.x86_64 openstack-selinux-0.8.17-0.20190116195130.faef39f.fc28.noarch Steps to reproduce: Deploy underclod and check the selinux logs type=AVC msg=audit(1547761255.316:344): avc: denied { write } for pid=3343 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.330:345): avc: denied { write } for pid=3345 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.373:347): avc: denied { write } for pid=3352 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.388:348): avc: denied { write } for pid=3355 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.429:352): avc: denied { write } for pid=3361 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.442:353): avc: denied { write } for pid=3363 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.472:356): avc: denied { write } for pid=3367 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761255.486:357): avc: denied { write } for pid=3370 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761256.334:360): avc: denied { write } for pid=3385 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761256.347:361): avc: denied { write } for pid=3387 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761256.425:363): avc: denied { write } for pid=3392 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761256.439:364): avc: denied { write } for pid=3395 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761304.199:368): avc: denied { write } for pid=3493 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761304.212:369): avc: denied { write } for pid=3497 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761304.252:371): avc: denied { write } for pid=3502 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547761304.267:372): avc: denied { write } for pid=3505 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547762083.217:965): avc: denied { net_broadcast } for pid=14942 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1547763361.789:1450): avc: denied { relabelto } for pid=59015 comm="cp" name="account.ring.gz" dev="vda3" ino=46502778 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.790:1451): avc: denied { relabelto } for pid=59015 comm="cp" name="container.ring.gz" dev="vda3" ino=46502783 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.790:1452): avc: denied { relabelto } for pid=59015 comm="cp" name="object.ring.gz" dev="vda3" ino=46507314 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.790:1453): avc: denied { relabelto } for pid=59015 comm="cp" name="account.builder" dev="vda3" ino=46507315 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.791:1454): avc: denied { relabelto } for pid=59015 comm="cp" name="container.builder" dev="vda3" ino=46507316 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.791:1455): avc: denied { relabelto } for pid=59015 comm="cp" name="object.builder" dev="vda3" ino=46507317 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.792:1456): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762819.object.builder" dev="vda3" ino=14865268 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.792:1457): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762820.account.builder" dev="vda3" ino=14865269 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.792:1458): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762821.container.builder" dev="vda3" ino=14865270 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.793:1459): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762827.object.builder" dev="vda3" ino=14865271 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.793:1460): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762827.object.ring.gz" dev="vda3" ino=14865272 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.793:1461): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762828.account.builder" dev="vda3" ino=14865273 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.794:1462): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762828.account.ring.gz" dev="vda3" ino=14865274 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.794:1463): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762828.container.builder" dev="vda3" ino=14865275 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.794:1464): avc: denied { relabelto } for pid=59015 comm="cp" name="1547762828.container.ring.gz" dev="vda3" ino=14865276 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 type=AVC msg=audit(1547763361.795:1465): avc: denied { relabelto } for pid=59015 comm="cp" name="backups" dev="vda3" ino=14865267 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1547763998.684:1784): avc: denied { connectto } for pid=76566 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c333,c682 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1547764002.141:1796): avc: denied { connectto } for pid=76989 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c306,c376 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1547764004.893:1808): avc: denied { connectto } for pid=77403 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c13,c548 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1547764015.418:1851): avc: denied { connectto } for pid=78837 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c83,c217 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1547764064.026:2076): avc: denied { connectto } for pid=86089 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c416,c485 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1547766061.463:5904): avc: denied { setexec } for pid=208019 comm="crond" scontext=system_u:system_r:container_t:s0:c560,c816 tcontext=system_u:system_r:container_t:s0:c560,c816 tclass=process permissive=0 type=AVC msg=audit(1547766061.594:5912): avc: denied { setexec } for pid=208040 comm="crond" scontext=system_u:system_r:container_t:s0:c962,c1010 tcontext=system_u:system_r:container_t:s0:c962,c1010 tclass=process permissive=0 type=AVC msg=audit(1547766061.894:5929): avc: denied { setexec } for pid=208127 comm="crond" scontext=system_u:system_r:container_t:s0:c384,c548 tcontext=system_u:system_r:container_t:s0:c384,c548 tclass=process permissive=0 type=AVC msg=audit(1547766061.905:5931): avc: denied { setexec } for pid=208125 comm="crond" scontext=system_u:system_r:container_t:s0:c384,c548 tcontext=system_u:system_r:container_t:s0:c384,c548 tclass=process permissive=0