Bug 1698065

Summary: OpenStack overcloud - container AVC denials
Product: Red Hat Enterprise Linux 8
Reporter: Lon Hohberger <lhh>
Component: container-selinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.0
CC: dwalsh, tsweeney
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-03 21:33:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lon Hohberger 2019-04-09 14:34:02 UTC
Description of problem:

The OpenStack 15 overcloud permissive runs note the following issues:

- dbus stuff
type=AVC msg=audit(1552838561.611:8885): avc:  denied  { connectto } for  pid=112515 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c252,c882 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1552838561.627:8886): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=112515 scontext=system_u:system_r:container_t:s0:c252,c882 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1552838561.632:8887): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=112515 tpid=1 scontext=system_u:system_r:container_t:s0:c252,c882 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1552838561.632:8888): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2354 spid=1 tpid=112515 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c252,c882 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1552838599.473:9112): avc:  denied  { connectto } for  pid=118885 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c408,c831 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1552838599.503:9113): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=118885 scontext=system_u:system_r:container_t:s0:c408,c831 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1552838599.507:9114): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=118885 tpid=1 scontext=system_u:system_r:container_t:s0:c408,c831 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1552838599.512:9115): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2530 spid=1 tpid=118885 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c408,c831 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

- logrotate
type=AVC msg=audit(1552840081.642:12049): avc:  denied  { read } for  pid=249377 comm="logrotate" name="openvswitch" dev="vda2" ino=7184415 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
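
As an added example that is not part of the bug report or of the container-selinux project: a small Python triage script for audit records like the ones quoted above. The four sample lines embedded in it are copied from the description; everything else (function names, the grouping logic) is my own. It parses both plain AVC records and the USER_AVC records that dbus-daemon emits (where the avc message is nested inside msg='...'), normalises each denial to a (source type, target type, class, permission) tuple, splits denials raised by the container_t domain from those raised by base-policy domains such as logrotate_t and init_t, and renders the allow rules that audit2allow would propose so a reviewer can see what policy change each denial implies. The permissive field is parsed explicitly because every record here carries permissive=1: these accesses were logged, not blocked, and would fail once the overcloud hosts run enforcing.

```python
import re
from collections import Counter

# Sample audit records copied from the bug report: two AVC records and two
# USER_AVC (dbus-daemon) records, all logged while the hosts were permissive.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1552838561.611:8885): avc:  denied  { connectto } for  pid=112515 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c252,c882 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1552838561.627:8886): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=112515 scontext=system_u:system_r:container_t:s0:c252,c882 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1552838561.632:8888): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2354 spid=1 tpid=112515 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c252,c882 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1552840081.642:12049): avc:  denied  { read } for  pid=249377 comm="logrotate" name="openvswitch" dev="vda2" ino=7184415 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
"""

TYPE_RE = re.compile(r"^type=(\w+)")
# The avc body looks like: avc:  denied  { perm1 perm2 } for  key=value key=value ...
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the SELinux type (third field) of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC or USER_AVC audit record into a dict; return None for other record types.

    USER_AVC records carry the avc message inside msg='...', so that inner
    string is extracted before the avc body is matched.
    """
    m = TYPE_RE.match(line.strip())
    if not m or m.group(1) not in ("AVC", "USER_AVC"):
        return None
    body = line
    if m.group(1) == "USER_AVC":
        inner = re.search(r"msg='(.*?)'", line)
        if not inner:
            return None
        body = inner.group(1)
    avc = AVC_RE.search(body)
    if not avc:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(3))}
    return {
        "record": m.group(1),
        "decision": avc.group(1),
        "perms": avc.group(2).split(),
        "source": _type_of(fields.get("scontext", "")),
        "target": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # Plain AVC records name the process via comm=; USER_AVC records via exe=.
        "comm": fields.get("comm") or fields.get("exe", ""),
        # permissive=1 means the access was logged but not blocked.
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text):
    """Count distinct (source type, target type, class, permission) denials."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts


def split_by_source_domain(summary):
    """Separate denials raised by a container domain from those raised by other domains.

    This is a first cut at the question asked in the comments (container-selinux
    or selinux-policy?): container_t is the container domain, while logrotate_t
    and init_t are base-policy domains that happen to touch container labels.
    """
    container = {k: v for k, v in summary.items() if k[0].startswith("container_")}
    other = {k: v for k, v in summary.items() if not k[0].startswith("container_")}
    return container, other


def to_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose, for human review."""
    rules = {}
    for (src, tgt, cls, perm) in summary:
        rules.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT)
    for key, n in sorted(s.items()):
        print(n, key)
    print("\n".join(to_allow_rules(s)))
```

Run against the four records it yields four distinct denials, two sourced from container_t (the sudo-in-container connect to the system bus socket and the dbus Hello call) and two from base-policy domains (init_t replying to the container over dbus, logrotate_t reading the container_file_t-labelled openvswitch directory), which is exactly the split a maintainer needs before deciding which policy package owns the fix. The rule text mirrors audit2allow's output so the reviewer can read it; it is meant to be read, not loaded as-is.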

Comment 1 Daniel Walsh 2019-09-01 11:14:30 UTC
Why exactly is this a container-selinux issue?

Lon, is this fixed?  Should this be assigned to selinux-policy?

Comment 2 Daniel Walsh 2019-09-01 11:15:07 UTC
How do I get container-selinux bugs assigned to me rather than sitting out in Jindrich's queue?

Comment 3 Daniel Walsh 2019-09-01 11:15:45 UTC
*** Bug 1698064 has been marked as a duplicate of this bug. ***

Comment 5 Tom Sweeney 2020-06-03 21:33:14 UTC
As there's been no response in over 6 months from the reporter and it's unclear if this has been fixed in later releases, closing this issue.  If the issue still persists, please reopen, or better yet create a new BZ.