Bug 1776326
Field | Value | Field | Value
---|---|---|---
Summary | Wrong context for /var/run/openvswitch directory | |
Product | Red Hat OpenStack | Reporter | Julie Pichon <jpichon>
Component | openstack-tripleo-heat-templates | Assignee | Cédric Jeanneret <cjeanner>
Status | CLOSED NOTABUG | QA Contact | Sasha Smolyak <ssmolyak>
Severity | medium | Docs Contact |
Priority | medium | |
Version | 16.0 (Train) | CC | bcafarel, cjeanner, fhallal, jpichon, lhh, lvrabec, mburns, nlevinki, skramaja, zcaplovi
Target Milestone | --- | Keywords | Triaged
Target Release | --- | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | 1772025 | Environment |
Last Closed | 2019-12-12 07:16:47 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description
Julie Pichon
2019-11-25 13:40:40 UTC
We will need an upstream backport to Train.

I think I'm wrong in there - we probably don't need to change t-h-t since the selinux change allows openvswitch_t to create dirs in container_file_t context. That said... I'm wondering if the new policy is enough since ovs will probably need to create files/sockets/others within those directories, and the context might be container_file_t as well. Need some testing on my side.

I think we may be fine for the files & sockets, see https://github.com/redhat-openstack/openstack-selinux/blob/master/os-podman.te / https://github.com/redhat-openstack/openstack-selinux/commit/c33f7560

    manage_files_pattern(openvswitch_t, container_file_t, container_file_t)
    manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t)

I remember being caught before where manage_files_pattern() allows r/w on files but not directory creation, which is the rule we were missing in bug 1772025. So we may be ok?

Pretty sure we don't need to drop the ":z" flag - doing so would prevent the containers from actually writing in that location, since container_t isn't allowed to write in openvswitch_var_run_file_t (or something like that).

I've reverted upstream master patch (https://review.opendev.org/696074). Need some more testing on that.

I think this can probably be closed, or at least we're good in the context of bug 1772025 - the new rule was sufficient to resolve.

Closing as "NOTABUG" since, well, it's not a bug :).
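Added illustration of the distinction the comment above relies on (this is an editor's example, not code from the bug or from openstack-selinux). The two `manage_files_pattern` / `manage_sock_files_pattern` lines are the rules quoted from os-podman.te; the `manage_dirs_pattern` line is my assumption of what the missing directory rule from bug 1772025 looks like, based on the standard refpolicy macros, not a quotation of the actual commit. The module name is made up.

```selinux
policy_module(example_ovs_container_file, 1.0)

require {
    type openvswitch_t;
    type container_file_t;
}

# The two rules quoted above. manage_files_pattern expands to
# rw_dir_perms on the container_file_t directory (add_name, remove_name,
# write, search ...) plus manage_file_perms on container_file_t files
# (create, read, write, unlink, rename ...). manage_sock_files_pattern
# does the same for sock_file objects. Neither grants "dir { create }",
# so a mkdir under a :z-relabelled bind mount is still denied.
manage_files_pattern(openvswitch_t, container_file_t, container_file_t)
manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t)

# Assumed shape of the missing rule: manage_dirs_pattern adds
# manage_dir_perms (create, rmdir, reparent ...) on container_file_t
# directories, which is what lets openvswitch_t create the directory
# itself rather than only the files inside it.
manage_dirs_pattern(openvswitch_t, container_file_t, container_file_t)
```

To check which case a host is in, the useful queries are `sesearch -A -s openvswitch_t -t container_file_t -c dir -p create` (directory creation) alongside the same query with `-c file` and `-c sock_file`, and `ls -Zd /var/run/openvswitch` to confirm the mount point really carries `container_file_t` after the `:z` relabel; an `avc: denied { create } ... tclass=dir` line in `ausearch -m AVC` output is the symptom of the first two rules being present without the third.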