Bug 1779052
| Summary: | RHVH 4.4: AVC denied errors (dac_override) in audit.log | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | cshao <cshao> |
| Component: | redhat-virtualization-host | Assignee: | Lev Veyde <lveyde> |
| Status: | CLOSED ERRATA | QA Contact: | cshao <cshao> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.4.0 | CC: | cshao, godas, lsvaty, lveyde, mavital, pelauter, peyu, qiyuan, sbonazzo, shlei, weiwang, yaniwang, zpytela |
| Target Milestone: | ovirt-4.4.6 | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | redhat-virtualization-host-4.4.6-20210402.2.el8_4, glusterfs-selinux-1.0-3.el8rhgs.noarch | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-03 10:24:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1937300 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
Update with the latest 4.4 host.

```
# imgbase w
You are on rhvh-4.4.0.12-0.20200205.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1580981055.672:35): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981055.672:36): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981057.796:49): avc: denied { dac_override } for pid=1616 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
```
```
# imgbase w
You are on rhvh-4.4.0.14-0.20200226.0+1
[root@hp-dl385g8-03 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1582791550.957:34): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791550.957:35): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791551.878:46): avc: denied { dac_override } for pid=1605 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
```
Can still reproduce this issue with the latest RHVH 4.4.

```
# imgbase w
You are on rhvh-4.4.0.21-0.20200518.0+1
[root@hp-bl460cg9-01 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1589858781.058:35): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.058:36): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.448:39): avc: denied { dac_override } for pid=1708 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
```
Gobinda can you please have a look?

This looks like there may be some selinux policy missing for gluster rdma.

It looks like a denial for the rdma socket. If we try to start glusterd using the "glusterd" command and systemctl interchangeably then this error is seen. @Sanju Can you please confirm?

AVC denials don't seem to harm functionality, postponing to 4.4.3

Lev any update on this?

(In reply to Sandro Bonazzola from comment #10)
> Lev any update on this?

No, not yet.

On the latest RHVH we get:

```
type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
```
Sent a patch to selinux-policy repo: https://github.com/fedora-selinux/selinux-policy/pull/496

After further debugging while adding more permissions it appears that we get the following errors:

```
type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1606825452.994:33): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:32): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:33): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.919:32): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
```

Thus the full list of the permissions required is:

```
allow glusterd_t self:netlink_rdma_socket { bind create setopt }
```
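To show how a rule like the one above is derived from the denial records, here is an added example (not code from this bug or from the selinux-policy or glusterfs-selinux projects) that parses AVC lines in the audit.log format quoted in this bug and merges the denied permissions per source type, target and object class into candidate allow rules, the same aggregation audit2allow performs. The sample log lines are constructed to mirror the glusterd and firewalld denials reported here.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the audit.log format quoted in this bug,
# plus one non-AVC record to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1607334511.266:32): avc: denied { create } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:33): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.919:32): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1607334511.266:32): arch=c000003e syscall=41 success=no exit=-13
"""

# "avc: denied { perm perm } for key=value ..." (real audit.log uses double spaces; \s+ covers both)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # a context is user:role:type:level; the type is what policy rules name
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], set(m.group("perms").split())
    except (KeyError, IndexError):
        return None

def derive_allow_rules(log_text):
    """Merge all denials per (source type, target, class) into candidate allow rules.
    Candidates to review, not apply blindly: a dac_override denial usually means a file
    is not accessible to the process uid/gid, fixed by ownership/mode, not wider policy."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        target = "self" if stype == ttype else ttype
        needed[(stype, target, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    print("\n".join(derive_allow_rules(SAMPLE_AUDIT_LOG)))
```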
Update: After clearing the audit log on this same machine, and then rebooting / un-registering from the engine, the AVC errors do not reappear. So I will verify this bug after getting a new build which includes the fix patch.

Lev see comment in your PR "consider cherry-picking to https://github.com/gluster/glusterfs-selinux/"

Also, Lev, do you know in which rpm your fix will be included?

(In reply to Sandro Bonazzola from comment #17)
> Lev see comment in your PR "consider cherry-picking to
> https://github.com/gluster/glusterfs-selinux/"

Ported the patch and pushed a PR to glusterfs-selinux repo as well: https://github.com/gluster/glusterfs-selinux/pull/18

(In reply to Sandro Bonazzola from comment #18)
> Also, Lev, do you know in which rpm your fix will be included?

I expected the fix to be included in the next release of selinux-policy-targeted, however checking the builds made after the fix was merged it's still not there. Contacting the selinux-policy package maintainer (that builds the -targeted as well) for clarifications.

If I understand correctly, the fix will be delivered as a part of bz#1937300 so no further selinux-policy backport is needed.

```
# imgbase w
You are on rhvh-4.4.5.4-0.20210330.0+1
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1617263279.650:39): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1617263279.651:40): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
```
redhat-virtualization-host-4.4.6-20210402.2.el8_4 contains glusterfs-selinux-1.0-3.el8rhgs.noarch

Test version:
rhvh-4.4.6.1-0.20210409.0+1
glusterfs-selinux-1.0-4.el8rhgs.noarch

Test steps:
1. Install RHVH-4.4.6 successfully. Selinux in enforcing mode as default.
2. Register to engine.
3. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".

Test result:
No AVC denied errors in audit.log

So the bug is fixed, change bug status to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Virtualization Host security update [ovirt-4.4.6]), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2239
Created attachment 1641564 [details]
all log info

Description of problem:
RHVH 4.4: AVC denied errors (dac_override) in audit.log

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.4.0-20191201.0.el8_1

How reproducible:
80%

Steps to Reproduce:
1. RHVH-4.4-20191201.7-RHVH-x86_64-dvd1.iso installed successfully. Selinux in enforcing mode as default.
2. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".
3.

Actual results:
```
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
```

Expected results:
No AVC denied errors in audit.log

Additional info: