Bug 1988164
| Summary: | openvswitch policy failures | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Colin Walters <walters> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | CentOS Stream | CC: | bstinson, jwboyer, lvrabec, miabbott, mmalik, nknazeko, plautrba, smilner, ssekidde, tredaelli |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 9.1 | Flags: | miabbott:
needinfo-
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.1.40-1.el9 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: Missing SELinux policy rules in openvswitch
Consequence: SELinux is preventing openvswitch to search tracefs dirs, use its private tmpfs files and dirs and fsetid capability
Fix: Allow openvswitch search tracefs dirs, use its private tmpfs files and dirs and allow openvswitch fsetid capability
Result: No AVC denials
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 11:13:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1988161 | ||
Adding tredaelli who seems to maintain this. Timothy, is C9S/RHEL9 openvswitch on your radar? Colin, I have a few questions: Are there any additional audit records? Can you share steps to reproduce the issue? Is some particular openvswitch version or configuration changes required? To gather all information about audited events please follow these stepes: 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run the scenario 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today I'll look at gathering that, but if anyone else wants to reproduce this you can launch an OpenShift cluster from the latest release image linked here: https://github.com/travier/os/pull/1#issuecomment-889497506 Colin, Will you be able to provide the additional debugging data? Steve, Do you happen to have some inputs to work on, audit logs, which services stopped working, etc.? I launched a cluster from the release payload noted in https://github.com/openshift/os/issues/604 (Admittedly, this is not as straight-forward for folks not in the OCP org) ``` $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.9.0-0.nightly-2021-08-02-044755 True False 80m Cluster version is 4.9.0-0.nightly-2021-08-02-044755 $ oc get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME ip-10-0-138-131.us-west-2.compute.internal Ready master 107m v1.21.1+8268f88 10.0.138.131 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ip-10-0-154-160.us-west-2.compute.internal Ready worker 101m v1.21.1+8268f88 10.0.154.160 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ip-10-0-160-236.us-west-2.compute.internal Ready worker 99m v1.21.1+8268f88 10.0.160.236 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ip-10-0-180-252.us-west-2.compute.internal Ready master 108m v1.21.1+8268f88 10.0.180.252 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ip-10-0-203-20.us-west-2.compute.internal Ready worker 97m v1.21.1+8268f88 10.0.203.20 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ip-10-0-203-96.us-west-2.compute.internal Ready master 108m v1.21.1+8268f88 10.0.203.96 <none> Red Hat Enterprise Linux CoreOS 49.90.202107301731-0 (Ootpa) 5.14.0-0.rc3.29.el9.x86_64 cri-o://1.22.0-19.rhaos4.9.git6ac8cee.el8 ``` Edited the `audit.rules` as instructed, but was unable to restart `auditd.service` because of how the unit was defined, so I just rebooted the node. ``` $ oc debug node/ip-10-0-154-160.us-west-2.compute.internal Starting pod/ip-10-0-154-160us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` Pod IP: 10.0.154.160 If you don't see a command prompt, try pressing enter. sh-4.4# sh-4.4# chroot /host sh-5.1# vi /etc/audit/rules.d/audit.rules sh-5.1# vi /etc/audit/rules.d/audit.rules sh-5.1# vi /etc/audit/rules.d/audit.rules sh-5.1# cat /etc/audit/rules.d/audit.rules ## First rule - delete all -D ## Increase the buffers to survive stress events. ## Make this bigger for busy systems -b 8192 ## This determine how long to wait in burst of events --backlog_wait_time 60000 ## Set failure mode to syslog -f 1 -w /etc/shadow -p w sh-5.1# systemctl restart auditd Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop). See system logs and 'systemctl status auditd.service' for details. sh-5.1# systemctl reboot sh-5.1# Removing debug pod ... ``` When the node came back healthy, went back into the node and gathered the output of `ausearch`. (I'm including everything reported, rather than just scoping to openvswitch): ``` $ oc debug node/ip-10-0-154-160.us-west-2.compute.internal Starting pod/ip-10-0-154-160us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` Pod IP: 10.0.154.160 If you don't see a command prompt, try pressing enter. sh-4.4# chroot /host sh-5.1# rpm -q kernel openvswitch kernel-5.14.0-0.rc3.29.el9.x86_64 openvswitch-2.15.0-6.fc34.x86_64 sh-5.1# cat /etc/audit/rules.d/audit.rules ## First rule - delete all -D ## Increase the buffers to survive stress events. ## Make this bigger for busy systems -b 8192 ## This determine how long to wait in burst of events --backlog_wait_time 60000 ## Set failure mode to syslog -f 1 -w /etc/shadow -p w sh-5.1# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today ---- type=PROCTITLE msg=audit(08/25/21 19:03:49.504:146) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch type=SYSCALL msg=audit(08/25/21 19:03:49.504:146) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=0 ppid=892 pid=946 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:sys tem_r:openvswitch_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:03:49.504:146) : avc: denied { fsetid } for pid=946 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:03:49.737:151) : proctitle=modprobe openvswitch type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=33 name=(null) inode=20011 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=32 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=31 name=(null) inode=20010 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=30 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=29 name=(null) inode=20009 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=28 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=27 name=(null) inode=20008 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=26 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=25 name=(null) inode=20007 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=24 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=23 name=(null) inode=20006 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=22 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=21 name=(null) inode=20005 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=20 name=(null) inode=21534 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=19 name=(null) inode=20004 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=18 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=17 name=(null) inode=20003 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=16 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=15 name=(null) inode=20002 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=14 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=13 name=(null) inode=20001 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=12 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=11 name=(null) inode=20000 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=10 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=9 name=(null) inode=19999 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=8 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=7 name=(null) inode=19998 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=6 name=(null) inode=21534 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=5 name=(null) inode=19997 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=4 name=(null) inode=21534 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=3 name=(null) inode=19996 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=2 name=(null) inode=21534 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=1 name=(null) inode=21534 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 19:03:49.737:151) : item=0 name=(null) inode=32 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 19:03:49.737:151) : cwd=/ type=SYSCALL msg=audit(08/25/21 19:03:49.737:151) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x562c629a4850 a1=0x55e38 a2=0x562c61f84962 a3=0x5 items=34 ppid=1016 pid=1020 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/us r/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:03:49.737:151) : avc: denied { search } for pid=1020 comm=modprobe name=events dev="tracefs" ino=32 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:03:55.600:174) : proctitle=iptables --version type=EXECVE msg=audit(08/25/21 19:03:55.600:174) : argc=2 a0=iptables a1=--version type=SYSCALL msg=audit(08/25/21 19:03:55.600:174) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc000365710 a1=0xc000930300 a2=0xc0000a0460 a3=0x8 items=0 ppid=1164 pid=1185 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:03:55.600:174) : avc: denied { ioctl } for pid=1185 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:04:01.595:181) : proctitle=iptables -w 5 -W 100000 -N KUBE-MARK-DROP -t nat type=EXECVE msg=audit(08/25/21 19:04:01.595:181) : argc=9 a0=iptables a1=-w a2=5 a3=-W a4=100000 a5=-N a6=KUBE-MARK-DROP a7=-t a8=nat type=SYSCALL msg=audit(08/25/21 19:04:01.595:181) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc000149428 a1=0xc000b9a5f0 a2=0xc00091a600 a3=0x8 items=0 ppid=1196 pid=1219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:04:01.595:181) : avc: denied { ioctl } for pid=1219 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:04:50.495:206) : proctitle=iptables -w -A OUTPUT -p tcp -m tcp --dport 22623 --syn -j REJECT type=EXECVE msg=audit(08/25/21 19:04:50.495:206) : argc=13 a0=iptables a1=-w a2=-A a3=OUTPUT a4=-p a5=tcp a6=-m a7=tcp a8=--dport a9=22623 a10=--syn a11=-j a12=REJECT type=SYSCALL msg=audit(08/25/21 19:04:50.495:206) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc00001d1a0 a1=0xc0001900e0 a2=0xc0001a7d00 a3=0x8 items=0 ppid=2097 pid=2241 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:04:50.495:206) : avc: denied { ioctl } for pid=2241 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:05:05.709:218) : proctitle=iptables -w -A OUTPUT -p tcp -m tcp --dport 22623 --syn -j REJECT type=EXECVE msg=audit(08/25/21 19:05:05.709:218) : argc=13 a0=iptables a1=-w a2=-A a3=OUTPUT a4=-p a5=tcp a6=-m a7=tcp a8=--dport a9=22623 a10=--syn a11=-j a12=REJECT type=SYSCALL msg=audit(08/25/21 19:05:05.709:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc000136a20 a1=0xc0001680e0 a2=0xc000143c80 a3=0x8 items=0 ppid=2783 pid=3039 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:05:05.709:218) : avc: denied { ioctl } for pid=3039 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 19:05:58.546:230) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned --no-dbus type=SYSCALL msg=audit(08/25/21 19:05:58.546:230) : arch=x86_64 syscall=write success=yes exit=4 a0=0x7 a1=0x7f86500157e0 a2=0x4 a3=0x0 items=0 ppid=1639 pid=4090 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tuned exe=/usr/libexec/platform-python 3.6 subj=system_u:system_r:spc_t:s0 key=(null) type=AVC msg=audit(08/25/21 19:05:58.546:230) : avc: granted { setsecparam } for pid=4090 comm=tuned scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security ---- type=PROCTITLE msg=audit(08/25/21 20:49:15.050:331) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned --no-dbus type=SYSCALL msg=audit(08/25/21 20:49:15.050:331) : arch=x86_64 syscall=write success=yes exit=3 a0=0x5 a1=0x7f8650016880 a2=0x3 a3=0x0 items=0 ppid=1 pid=4090 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tuned exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:spc_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:49:15.050:331) : avc: granted { setsecparam } for pid=4090 comm=tuned scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security ---- type=PROCTITLE msg=audit(08/25/21 20:50:28.199:145) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch type=PATH msg=audit(08/25/21 20:50:28.199:145) : item=0 name=(null) inode=919 dev=00:19 mode=dir,700 ouid=openvswitch ogid=hugetlbfs rdev=00:00 obj=system_u:object_r:openvswitch_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:50:28.199:145) : cwd=/run type=SYSCALL msg=audit(08/25/21 20:50:28.199:145) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=1 ppid=900 pid=956 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:sys tem_r:openvswitch_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:50:28.199:145) : avc: denied { fsetid } for pid=956 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 20:50:28.437:148) : proctitle=modprobe openvswitch type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=33 name=(null) inode=21762 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=32 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=31 name=(null) inode=21761 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=30 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=29 name=(null) inode=21760 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=28 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=27 name=(null) inode=21759 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=26 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=25 name=(null) inode=21758 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=24 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=23 name=(null) inode=21757 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=22 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=21 name=(null) inode=21756 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=20 name=(null) inode=21746 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=19 name=(null) inode=21755 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=18 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=17 name=(null) inode=21754 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=16 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=15 name=(null) inode=21753 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=14 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=13 name=(null) inode=21752 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=12 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=11 name=(null) inode=21751 dev=00:0c mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=10 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=9 name=(null) inode=21750 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=8 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=7 name=(null) inode=21749 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=6 name=(null) inode=21746 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=5 name=(null) inode=21748 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=4 name=(null) inode=21746 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=3 name=(null) inode=21747 dev=00:0c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=2 name=(null) inode=21746 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=1 name=(null) inode=21746 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:28.437:148) : item=0 name=(null) inode=1038 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:50:28.437:148) : cwd=/ type=KERN_MODULE msg=audit(08/25/21 20:50:28.437:148) : name=openvswitch type=SYSCALL msg=audit(08/25/21 20:50:28.437:148) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x55b08b7cf850 a1=0x55e38 a2=0x55b08a7fd962 a3=0x5 items=34 ppid=1024 pid=1028 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/us r/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:50:28.437:148) : avc: denied { search } for pid=1028 comm=modprobe name=events dev="tracefs" ino=1038 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 20:50:34.674:175) : proctitle=iptables --version type=PATH msg=audit(08/25/21 20:50:34.674:175) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=28886573 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:34.674:175) : item=0 name=/usr/sbin/iptables inode=29697786 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:50:34.674:175) : cwd=/ type=EXECVE msg=audit(08/25/21 20:50:34.674:175) : argc=2 a0=iptables a1=--version type=SYSCALL msg=audit(08/25/21 20:50:34.674:175) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc000420168 a1=0xc0009fc150 a2=0xc0000a01e0 a3=0x8 items=2 ppid=1275 pid=1301 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:50:34.674:175) : avc: denied { ioctl } for pid=1301 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- ype=PROCTITLE msg=audit(08/25/21 20:50:41.380:184) : proctitle=iptables -w 5 -W 100000 -A KUBE-FIREWALL -t filter -m comment --comment block incoming localnet connections --dst 127.0.0.0/8 ! type=PATH msg=audit(08/25/21 20:50:41.380:184) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=28886573 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:50:41.380:184) : item=0 name=/usr/sbin/iptables inode=29697786 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:50:41.380:184) : cwd=/ type=EXECVE msg=audit(08/25/21 20:50:41.380:184) : argc=25 a0=iptables a1=-w a2=5 a3=-W a4=100000 a5=-A a6=KUBE-FIREWALL a7=-t a8=filter a9=-m a10=comment a11=--comment a12=block incoming localnet connections a13=--dst a14=127.0.0.0/8 a15=! a16=--src a17=127.0.0.0/8 a18=-m a19=conntrack a20=! a21=--ctstate a22=RELATE D,ESTABLISHED,DNAT a23=-j a24=DROP type=SYSCALL msg=audit(08/25/21 20:50:41.380:184) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc000caa3d8 a1=0xc001057790 a2=0xc000c9a700 a3=0x8 items=2 ppid=1316 pid=1360 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:50:41.380:184) : avc: denied { ioctl } for pid=1360 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 20:51:04.987:222) : proctitle=iptables -w -A OUTPUT -p tcp -m tcp --dport 22623 --syn -j REJECT type=PATH msg=audit(08/25/21 20:51:04.987:222) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=28886573 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:51:04.987:222) : item=0 name=/usr/sbin/iptables inode=29697786 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:51:04.987:222) : cwd=/ type=EXECVE msg=audit(08/25/21 20:51:04.987:222) : argc=13 a0=iptables a1=-w a2=-A a3=OUTPUT a4=-p a5=tcp a6=-m a7=tcp a8=--dport a9=22623 a10=--syn a11=-j a12=REJECT type=SYSCALL msg=audit(08/25/21 20:51:04.987:222) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc0000205d0 a1=0xc00019e0e0 a2=0xc00006ab00 a3=0x8 items=2 ppid=2359 pid=2645 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:51:04.987:222) : avc: denied { ioctl } for pid=2645 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(08/25/21 20:51:12.148:257) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned --no-dbus type=SYSCALL msg=audit(08/25/21 20:51:12.148:257) : arch=x86_64 syscall=write success=yes exit=4 a0=0x7 a1=0x7fea64014f20 a2=0x4 a3=0x0 items=0 ppid=1868 pid=3981 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tuned exe=/usr/libexec/platform-python 3.6 subj=system_u:system_r:spc_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:51:12.148:257) : avc: granted { setsecparam } for pid=3981 comm=tuned scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security ---- type=PROCTITLE msg=audit(08/25/21 20:51:57.046:264) : proctitle=iptables -w 5 -W 100000 -S KUBE-KUBELET-CANARY -t mangle type=PATH msg=audit(08/25/21 20:51:57.046:264) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=28886573 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/25/21 20:51:57.046:264) : item=0 name=/usr/sbin/iptables inode=29697786 dev=103:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/25/21 20:51:57.046:264) : cwd=/ type=EXECVE msg=audit(08/25/21 20:51:57.046:264) : argc=9 a0=iptables a1=-w a2=5 a3=-W a4=100000 a5=-S a6=KUBE-KUBELET-CANARY a7=-t a8=mangle type=SYSCALL msg=audit(08/25/21 20:51:57.046:264) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc001bfe8d0 a1=0xc002b72d20 a2=0xc0014d1f00 a3=0x8 items=2 ppid=1390 pid=5628 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbi n/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(08/25/21 20:51:57.046:264) : avc: denied { ioctl } for pid=5628 comm=iptables path=/sys/fs/cgroup dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ``` Hope this is helpful! It is helpful, thank you.
FYI systemctl cannot restart auditd, but the legacy service command does the trick (see #c2).
This denial:
Jul 29 19:58:32.669000 localhost audit[985]: AVC avc: denied { write } for pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
was only in #c1 when details were missing, is the tmpfs /dev/shm?
This is the list of requested permissions:
allow iptables_t cgroup_t:dir ioctl;
allow openvswitch_t self:capability fsetid;
allow openvswitch_t tmpfs_t:dir write;
allow openvswitch_t tracefs_t:dir search;
I may need additional explanation later.
The first permission is present in upstream:
commit 72f789dd7c218919a18dd7130d37e92e7a92b994
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 16 17:40:40 2022 +0100
Allow iptables list cgroup directories
The third one is as well:
# sesearch -A -s openvswitch_t -t tmpfs_t -c dir -p write
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write };
For the other two, it needs to be assessed if they should be addressed in selinux-policy or openvswitch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8283 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Part of C9S/RHEL9 work for OpenShift 4. We have at least these two denials: ``` Jul 29 19:58:32.648000 localhost audit[983]: AVC avc: denied { fsetid } for pid=983 comm="install" capability=4 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 Jul 29 19:58:32.669000 localhost audit[985]: AVC avc: denied { write } for pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 ``` This isn't the first time here of course: https://www.google.com/search?client=firefox-b-1-d&q=openvswitch+selinux+site%3Abugzilla.redhat.com I notice in RHEL8 they use an `openvswitch-selinux-extra-policy` package. It'd be great if we can avoid that for RHEL9. (I tried the Fedora package rather than trying the RHEL8 package on RHEL9, but maybe it's worth trying the latter) Anyways, let's just add whatever openvswitch needs to the base policy?