Bug 1872651
| Field | Value |
|---|---|
| Summary | update selinux policy to allow timemaster service and sockets for ptp ports |
| Product | Red Hat OpenStack |
| Reporter | Haresh Khandelwal <hakhande> |
| Component | openstack-selinux |
| Assignee | Julie Pichon <jpichon> |
| Status | CLOSED ERRATA |
| QA Contact | nlevinki <nlevinki> |
| Severity | high |
| Priority | medium |
| Version | 16.1 (Train) |
| CC | lhh, lvrabec |
| Target Milestone | z2 |
| Keywords | Triaged |
| Target Release | 16.1 (Train on RHEL 8.2) |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | openstack-selinux-0.8.24-1.20200907103359.f6ad869.el8ost |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-10-28 15:46:35 UTC |
| Type | Bug |
| Bug Blocks | 1825895, 1944618, 1944622 |
| Attachments | audit log (attachment 1713200) |
Description
Haresh Khandelwal
2020-08-26 09:50:35 UTC
Hi. Please reproduce the issue in permissive mode, and attach the resulting audit.log file to this bug. Thanks!

Thank you for the update, although it would be helpful to also have the full log file with context :)

It's strange, the timemaster files don't seem to be labelled correctly (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some of these denials. I don't think we can add a rule to allow stuff on unlabelled files so we need to figure out what is labelled wrong.

The timemaster labels appear to be defined in the main policy: https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/linuxptp.fc

How is this installed? Can you paste the results of `ls -lZ /usr/sbin/timemaster`?

(In reply to Julie Pichon from comment #3)
> Thank you for the update, although it would be helpful to also have the full
> log file with context :)

Sure, will upload to BZ. I need to recreate it though.

> It's strange, the timemaster files don't seem to be labelled correctly
> (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some
> of these denials. I don't think we can add a rule to allow stuff on
> unlabelled files so we need to figure out what is labelled wrong.
>
> The timemaster labels appear to be defined in the main policy:
> https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/linuxptp.fc

So the story is, linuxptp is not part of the overcloud image we are shipping today. For my RFE work, I modified the overcloud image. However, I am discussing with the release team how to add this package rightfully in the overcloud image. Also note, linuxptp is not being shipped along with RHEL.

> How is this installed? Can you paste the results of ls -lZ
> /usr/sbin/timemaster ?

```
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16 2019 /usr/sbin/timemaster
```

Thanks for the answer!

(In reply to Haresh Khandelwal from comment #4)
> (In reply to Julie Pichon from comment #3)
> > Thank you for the update, although it would be helpful to also have the full
> > log file with context :)
>
> Sure, will upload to BZ. I need to recreate it though.

Cool, that's not urgent - we can wait until we've fixed the unlabelled error and see what denials remain then.

> > How is this installed? Can you paste the results of ls -lZ
> > /usr/sbin/timemaster ?
>
> -rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16 2019
> /usr/sbin/timemaster

Right, that's the problem for at least 2 of the denials. `$ restorecon -v /usr/sbin/timemaster` should resolve this, although restorecon should likely be run for every file that timemaster installs.

(In reply to Haresh Khandelwal from comment #4)
> So the story is, linuxptp is not part of the overcloud image we are shipping
> today. For my RFE work, I modified the overcloud image. However, I am discussing
> with the release team how to add this package rightfully in the overcloud image.
> Also note, linuxptp is not being shipped along with RHEL.

Are you using virt-customize? I was just told about the --selinux-relabel flag which should resolve the issue with the wrong labels on install.

Once you have timemaster labelled correctly (confirmed with ls -lZ), please try to reproduce the issue in the description. If it still fails, please reproduce in permissive mode and provide the new audit logs with the denials. Thank you!

Created attachment 1713200 [details]
audit log

(In reply to Julie Pichon from comment #6)
> (In reply to Haresh Khandelwal from comment #4)
> > So the story is, linuxptp is not part of the overcloud image we are shipping
> > today. For my RFE work, I modified the overcloud image. However, I am discussing
> > with the release team how to add this package rightfully in the overcloud image.
> > Also note, linuxptp is not being shipped along with RHEL.
>
> Are you using virt-customize? I was just told about the --selinux-relabel
> flag which should resolve the issue with the wrong labels on install.

Yes, using --selinux-relabel with virt-customize lets the timemaster service run. However, timemaster implicitly runs ptp4l, which acquires sockets and fails.

> Once you have timemaster labelled correctly (confirmed with ls -lZ), please
> try to reproduce the issue in the description. If it still fails, please
> reproduce in permissive mode and provide the new audit logs with the
> denials. Thank you!

I have attached audit.log with permissive. ptp4l fails to create socket.

Thank you for the update, glad the relabel worked. It looks like the missing rules remaining are as follows:

```
#============= ptp4l_t ==============
allow ptp4l_t self:capability sys_admin;
allow ptp4l_t self:packet_socket create_socket_perms;
```

It looks like the second rule is already shipped in Fedora, and the first one will be soon - this is basically a duplicate of bug 1759214 which will be fixed in RHEL. I don't know if the fix will be backported to 8.2 though, so we can carry the rules in openstack-selinux too until then. I'll prepare a patch.

There is an RPM available with the missing rules from the audit logs provided. Would you be able to test it and confirm that it resolves the issue? Thank you!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openstack-selinux security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4381
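As an added example (not code from this bug or from openstack-selinux), a small triage script for the permissive-mode audit.log the thread asks for: it separates denials whose target is unlabeled_t, which are a labelling problem to fix with restorecon or a relabel rather than with new policy, from genuine policy gaps, and renders the latter as a Type Enforcement module body of the shape Julie pasted. The audit lines are constructed to mirror the thread's denials; raw permissions are emitted rather than the create_socket_perms macro audit2allow would substitute.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not the bug's attachment) covering the two denial
# kinds the thread discusses: a mislabelled binary and the ptp4l_t policy gaps.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1598435435.123:201): avc:  denied  { execute } for  pid=4321 comm="timemaster" name="timemaster" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598435436.456:202): avc:  denied  { sys_admin } for  pid=4325 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1598435436.789:203): avc:  denied  { create } for  pid=4325 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1598435436.790:204): avc:  denied  { ioctl } for  pid=4325 comm="ptp4l" path="socket:[56789]" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<sctx>\S+)\s+"
                    r"tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def triage_avc(log_text):
    """Return (relabel, rules). A denial whose target is unlabeled_t is a labelling bug
    (fix with restorecon), not a policy gap; the rest merge into candidate allow rules
    keyed by (source type, target type or 'self', object class)."""
    relabel, rules = [], defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, ttype = m["sctx"].split(":")[2], m["tctx"].split(":")[2]  # user:role:type
        perms = set(m["perms"].split())
        if ttype == "unlabeled_t":
            relabel.append((stype, m["tclass"], perms))
            continue
        rules[(stype, "self" if stype == ttype else ttype, m["tclass"])] |= perms
    return relabel, dict(rules)

def render_te(rules, module="local_ptp4l"):
    """Render candidate rules as a Type Enforcement module body (the form reviewed
    against the distribution policy before being built with checkmodule/semodule)."""
    types = {s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"}
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(by_class.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Anything reported in `relabel` should be handled by fixing file contexts (restorecon, or virt-customize --selinux-relabel for an image) and re-running the reproduction before any rule in `render_te` output is considered.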