Bug 1779052
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | RHVH 4.4: AVC denied errors (dac_override) in audit.log | | |
| Product | Red Hat Enterprise Virtualization Manager | Reporter | cshao <cshao> |
| Component | redhat-virtualization-host | Assignee | Lev Veyde <lveyde> |
| Status | CLOSED ERRATA | QA Contact | cshao <cshao> |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | 4.4.0 | CC | cshao, godas, lsvaty, lveyde, mavital, pelauter, peyu, qiyuan, sbonazzo, shlei, weiwang, yaniwang, zpytela |
| Target Milestone | ovirt-4.4.6 | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | redhat-virtualization-host-4.4.6-20210402.2.el8_4, glusterfs-selinux-1.0-3.el8rhgs.noarch | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-06-03 10:24:29 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Node | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1937300 | | |
| Bug Blocks | | | |
| Attachments | | | |
Created attachment 1641564 [details]
all log info

Description of problem:
RHVH 4.4: AVC denied errors (dac_override) in audit.log

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.4.0-20191201.0.el8_1

How reproducible:
80%

Steps to Reproduce:
1. RHVH-4.4-20191201.7-RHVH-x86_64-dvd1.iso installed successfully. SELinux in enforcing mode as default.
2. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".
3.

Actual results:
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0

Expected results:
No AVC denied errors in audit.log

Additional info:

Update with the latest 4.4 host.

# imgbase w
You are on rhvh-4.4.0.12-0.20200205.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1580981055.672:35): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981055.672:36): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981057.796:49): avc: denied { dac_override } for pid=1616 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0

# imgbase w
You are on rhvh-4.4.0.14-0.20200226.0+1
[root@hp-dl385g8-03 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1582791550.957:34): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791550.957:35): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791551.878:46): avc: denied { dac_override } for pid=1605 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0

Can still reproduce this issue with the latest RHVH 4.4.

# imgbase w
You are on rhvh-4.4.0.21-0.20200518.0+1
[root@hp-bl460cg9-01 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1589858781.058:35): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.058:36): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.448:39): avc: denied { dac_override } for pid=1708 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0

Gobinda can you please have a look?

This looks like there may be some SELinux policy missing for gluster rdma.

It looks like a denial for the rdma socket. If we try to start glusterd using the "glusterd" command and systemctl interchangeably then this error is seen. @Sanju Can you please confirm?

AVC denials don't seem to harm functionality, postponing to 4.4.3

Lev any update on this?

(In reply to Sandro Bonazzola from comment #10)
> Lev any update on this?

No, not yet.

On the latest RHVH we get:
type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0

Sent a patch to selinux-policy repo:
https://github.com/fedora-selinux/selinux-policy/pull/496

After further debugging while adding more permissions it appears that we get the following errors:
type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1606825452.994:33): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:32): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:33): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.919:32): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0

Thus the full list of permissions required is:
allow glusterd_t self:netlink_rdma_socket { bind create setopt }

Update: After clearing the audit log on this same machine, and then reboot / un-register to engine, the AVC errors do not re-appear.
So I will verify this bug after getting a new build which includes the fixed patch.

Lev see comment in your PR "consider cherry-picking to https://github.com/gluster/glusterfs-selinux/"

Also, Lev, do you know in which rpm your fix will be included?

(In reply to Sandro Bonazzola from comment #17)
> Lev see comment in your PR "consider cherry-picking to
> https://github.com/gluster/glusterfs-selinux/"

Ported the patch and pushed a PR to glusterfs-selinux repo as well:
https://github.com/gluster/glusterfs-selinux/pull/18

(In reply to Sandro Bonazzola from comment #18)
> Also, Lev, do you know in which rpm your fix will be included?

I expected the fix to be included in the next release of selinux-policy-targeted, however checking the builds made after the fix was merged it's still not there.
Contacting the selinux-policy package maintainer (that builds the -targeted as well) for clarifications.

If I understand correctly, the fix will be delivered as a part of bz#1937300 so no further selinux-policy backport is needed.

# imgbase w
You are on rhvh-4.4.5.4-0.20210330.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1617263279.650:39): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1617263279.651:40): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0

redhat-virtualization-host-4.4.6-20210402.2.el8_4 contains glusterfs-selinux-1.0-3.el8rhgs.noarch

Test version:
rhvh-4.4.6.1-0.20210409.0+1
glusterfs-selinux-1.0-4.el8rhgs.noarch

Test steps:
1. Installed RHVH-4.4.6 successfully. SELinux in enforcing mode as default.
2. Register to engine.
3. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".

Test result:
No AVC denied errors in audit.log

So the bug is fixed, change bug status to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Virtualization Host security update [ovirt-4.4.6]), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2239
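The comments in this bug arrive at the rule `allow glusterd_t self:netlink_rdma_socket { bind create setopt }` by collecting the AVC records over several runs. The following script is an added example (not part of the bug report, and not code from the selinux-policy or glusterfs-selinux projects) that automates that step: it parses `type=AVC` records from audit.log, drops non-AVC records and duplicates, and aggregates the denied permissions per source type, target type and object class, the same grouping `audit2allow` produces. The sample records are the ones quoted in this bug plus one constructed `SYSCALL` record to show that non-denial lines are ignored; the function and variable names are this example's own.

```python
"""Parse SELinux AVC denial records and aggregate them into allow rules.

Added example, not code from this bug or from any Red Hat / gluster project.
It mirrors what audit2allow does for the records quoted in the bug: collapse
duplicate denials and group the requested permissions per
(source type, target type, object class).
"""
import re
from collections import defaultdict

# Sample input for this example: AVC records copied from the bug comments
# above, plus one constructed SYSCALL record that is not a denial.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0',
    'type=AVC msg=audit(1606825452.994:33): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0',
    'type=AVC msg=audit(1607334511.266:32): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0',
    'type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0',
    'type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0',
    # Constructed, not from the bug: a related SYSCALL record, which must be skipped.
    'type=SYSCALL msg=audit(1575354047.697:51): arch=c000003e syscall=2 success=no exit=-13 comm="firewalld"',
]

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*?) +'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +'
    r'tclass=(?P<tclass>\S+) +permissive=(?P<permissive>[01])'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component (user:role:TYPE:level) of a context string."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Parse one audit.log line; return a dict for an AVC denial, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0: the kernel blocked the operation (enforcing);
        # permissive=1: it was only logged.
        "enforced": m.group("permissive") == "0",
    }
    # Free-form fields between "for" and scontext=, e.g. pid, comm, capability.
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def allow_rules(lines):
    """Aggregate denials into policy allow rules, one per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # A denial whose target domain is the source domain is written as 'self'.
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        wanted[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(wanted.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def denials_by_comm(lines):
    """Count enforced denials per command name, a quick triage view."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            counts[rec.get("comm", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
    print(denials_by_comm(SAMPLE_AUDIT_LINES))
```

Run against a real audit.log with `allow_rules(open("/var/log/audit/audit.log"))`. The output is a starting point for review, not a policy to load as-is: the `dac_override` capability in particular should be checked against what the process is actually doing (wrong file ownership or mode is a common cause) before a rule granting it is accepted, which is the same judgement the `audit2allow` man page asks for.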