Bug 1745142
| Field | Value |
|---|---|
| Summary | [OSP15] Large amount of AVC denials related to certmonger_t |
| Product | Red Hat OpenStack |
| Component | openstack-selinux |
| Version | 15.0 (Stein) |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Julie Pichon <jpichon> |
| Assignee | Julie Pichon <jpichon> |
| QA Contact | nlevinki <nlevinki> |
| CC | lhh, lvrabec, zcaplovi |
| Keywords | Triaged, ZStream |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2019-12-09 14:41:10 UTC |
Description
Julie Pichon
2019-08-23 17:32:01 UTC
I'm leaning toward the thought that we don't need to worry about all the read denials, as it's SELinux doing its job. Running "pkill" apparently means reading through every process to get its info in order to get at the right one, e.g.:

```text
avc: denied { getattr } for pid=26751 comm=pkill path=/proc/2 dev="proc" ino=13044 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(20/08/19 11:22:33.512:7882) : avc: denied { open } for pid=26751 comm=pkill path=/proc/2/stat dev="proc" ino=13045 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
```

and so on. There are dontaudit rules we might consider using if we wanted to hide these (maybe something like domain_dontaudit_read_all_domains_state, like "ps" uses?), though we'd want to make sure it doesn't hide access issues to labels that are needed.

Perhaps someone could run ps with -Z to confirm the label of the httpd and stunnel processes on that machine, since there are no obviously related denials? I'm looking at domain transitions and other interfaces related to containers to see how we might handle the other ones.

The pkill denials will likely remain, as per the reasoning in comment 1. For the rest, I believe these should be resolved thanks to bug 1777368 and bug 1777263, which should be pulled automatically into the next openstack-selinux rebase for OSP15. I'm going to close this bug for now based on this, though anyone should feel free to reopen if you still see relevant AVCs after this.
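An added triage helper for the kind of AVC flood described in this bug (example code written for this page, not part of the bug report or of openstack-selinux): it parses `avc: denied` records, separates the `pkill` reads of other domains' `/proc` state, which the comment above treats as candidates for a dontaudit rule, from denials that still need a real policy fix, and counts which target domains the `/proc` scan touched. The sample records are constructed for the example (the `cert_t` write denial is invented to give the classifier something to keep); the function names and the `PROC_STATE_PERMS` set are assumptions, not anything the bug or the reference policy defines.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample audit records (not copied from the bug report), modelled on
# the certmonger_t/pkill denials discussed above plus one unrelated denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(1566300153.512:7882): avc:  denied  { getattr } for  pid=26751 comm="pkill" path="/proc/2" dev="proc" ino=13044 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1566300153.512:7882): avc:  denied  { open } for  pid=26751 comm="pkill" path="/proc/2/stat" dev="proc" ino=13045 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1566300153.513:7883): avc:  denied  { read } for  pid=26751 comm="pkill" path="/proc/1234/stat" dev="proc" ino=13100 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1566300154.001:7884): avc:  denied  { write } for  pid=26760 comm="certmonger" path="/etc/pki/tls/private/server.key" dev="dm-0" ino=9001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
"""

# Anchor only on the "avc: denied { perms } for" part so that both raw audit.log
# lines and `ausearch -i` output (interpreted timestamps, unquoted values) parse.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed set: the permissions a /proc walker such as pkill or ps needs to read
# another domain's process state. Anything outside it is not "just reading".
PROC_STATE_PERMS = frozenset({"getattr", "open", "read", "search"})


def _type_of(context: str) -> str:
    """Return the type component of an SELinux context user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a flat dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "tclass": fields.get("tclass", ""),
        "scontext_type": _type_of(fields.get("scontext", "")),
        "tcontext_type": _type_of(fields.get("tcontext", "")),
        # permissive=1 means the access was actually granted and only logged;
        # in enforcing mode the same record would be a real failure.
        "permissive": fields.get("permissive") == "1",
    }


def is_proc_scan_noise(rec: Dict[str, object]) -> bool:
    """True for pkill reading other processes' /proc entries with read-only perms."""
    return (
        rec["comm"] == "pkill"
        and str(rec["path"]).startswith("/proc/")
        and rec["tclass"] in ("dir", "file")
        and rec["perms"] <= PROC_STATE_PERMS
    )


def summarize(audit_text: str) -> Dict[str, object]:
    """Split records into /proc-scan noise and denials that still need review."""
    noise_targets: Counter = Counter()
    needs_review: List[Dict[str, object]] = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_proc_scan_noise(rec):
            # Which domains' /proc state was read: useful when deciding whether a
            # dontaudit interface would hide anything that is actually needed.
            noise_targets[rec["tcontext_type"]] += 1
        else:
            needs_review.append(rec)
    return {
        "noise_count": sum(noise_targets.values()),
        "noise_targets": noise_targets,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS)
    print(f"/proc scan noise: {summary['noise_count']} records, "
          f"targets {dict(summary['noise_targets'])}")
    for rec in summary["needs_review"]:
        print(f"REVIEW: {rec['scontext_type']} -> {rec['tcontext_type']} "
              f"{rec['tclass']} {sorted(rec['perms'])} path={rec['path']}")
```

Feed it real input with `ausearch -m avc -ts recent | python3 avc_triage.py` after swapping `SAMPLE_AVCS` for `sys.stdin.read()`. The classifier only decides what to look at; whether the remaining records are label problems (the `ps -eZ` check on the httpd and stunnel processes mentioned above) or missing transitions is still a manual judgement, and a dontaudit rule should only be considered for the records that land in the noise bucket.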