Bug 2081636
| Summary: | various denials on openvswitch / ipsec | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sandro Bonazzola <sbonazzo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | CentOS Stream | CC: | amoralej, amusil, bstinson, eraviv, jwboyer, lvrabec, mburman, mmalik, mperina, msheena, nknazeko, pparasur |
| Target Milestone: | rc | Keywords: | Regression, Triaged |
| Target Release: | 9.3 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-17 06:48:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1986335, 2100965 | | |

Retargeting to 9.2. If you need to have it resolved earlier, please put down a justification.

Some of the problems will be addressed with the fix for bz#1988164.

Hi, is it possible to generate ipsec.conf in /etc/ipsec.d/ instead of the /etc/ dir?
Thanks,
Nikola

Redirecting the needinfo to @mperina

This report is very old; in the meantime BZ2102567 has been fixed and we have been asked to upgrade to OVS 2.17 / OVN 2022 on CS9, as 2.15 is not supported on CS9. Moshe is going to update the bug with all current details.

Hi, please edit the /etc/audit/rules.d/audit.rules file from comment 8. Then collect the AVC messages with

    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

and attach the output here in the bz. Thank you

Hi Nikola, I'm no longer working on the project and I won't have capacity for doing the tests here. Also, oVirt moved to openvswitch-2.17 in the meantime, so I'm not even sure this is still an issue.

I'm closing this with the insufficient data resolution. I assume that if someone hits SELinux denials again, they will open a new bz providing the updated information you'll need to get it fixed.
This has been observed on CentOS Stream 9:

----
time->Wed May 4 08:52:12 2022
type=PROCTITLE msg=audit(1651654332.305:3395): proctitle=6D6F6470726F6265006F70656E76737769746368
type=SYSCALL msg=audit(1651654332.305:3395): arch=c000003e syscall=175 success=yes exit=0 a0=55c1a29f78d0 a1=570d8 a2=55c1a170c962 a3=5 items=0 ppid=46405 pid=46413 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_load_module_t:s0 key=(null)
type=AVC msg=audit(1651654332.305:3395): avc: denied { search } for pid=46413 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651654332.305:3395): avc: denied { search } for pid=46413 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
----
time->Wed May 4 08:52:38 2022
type=PROCTITLE msg=audit(1651654358.535:4262): proctitle=706B31327574696C002D69002F746D702F6F76735F636572746B65795F6E6F64653435656C392E6C61622E703132002D640073716C3A2F6574632F69707365632E642F002D57
type=SYSCALL msg=audit(1651654358.535:4262): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55ec05811100 a2=442 a3=180 items=0 ppid=50198 pid=50215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pk12util" exe="/usr/bin/pk12util" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1651654358.535:4262): avc: denied { append } for pid=50215 comm="pk12util" path="/etc/ipsec.d/pkcs11.txt" dev="dm-0" ino=34268480 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
----
time->Wed May 4 08:59:33 2022
type=PROCTITLE msg=audit(1651654773.742:42): proctitle=6D6F6470726F6265006F70656E76737769746368
type=SYSCALL msg=audit(1651654773.742:42): arch=c000003e syscall=175 success=yes exit=0 a0=55e3c7777730 a1=570d8 a2=55e3c53f9962 a3=5 items=0 ppid=1073 pid=1080 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_load_module_t:s0 key=(null)
type=AVC msg=audit(1651654773.742:42): avc: denied { search } for pid=1080 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651654773.742:42): avc: denied { search } for pid=1080 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
----
time->Wed May 4 08:59:34 2022
type=PROCTITLE msg=audit(1651654774.149:63): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F73686172652F6F70656E767377697463682F736372697074732F6F76732D6D6F6E69746F722D6970736563002D2D70696466696C653D2F7661722F72756E2F6F70656E767377697463682F6F76732D6D6F6E69746F722D69707365632E706964002D2D696B652D646165
type=PATH msg=audit(1651654774.149:63): item=0 name="/etc/ipsec.conf" inode=102974960 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipsec_conf_file_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1651654774.149:63): cwd="/"
type=SYSCALL msg=audit(1651654774.149:63): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=7ff029b00d70 a2=80241 a3=1b6 items=1 ppid=1117 pid=1142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-monitor-ips" exe="/usr/bin/python3.9" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1651654774.149:63): avc: denied { create } for pid=1142 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651654774.149:63): avc: denied { add_name } for pid=1142 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----

Involved packages:

# dnf list installed "*selinux*"
Installed Packages
container-selinux.noarch                 3:2.183.0-1.el9    @AppStream
ipa-selinux.noarch                       4.9.8-8.el9        @appstream
libselinux.x86_64                        3.3-2.el9          @anaconda
libselinux-utils.x86_64                  3.3-2.el9          @anaconda
openvswitch-selinux-extra-policy.noarch  1.0-31.el9s        @centos-nfv-openvswitch
python3-libselinux.x86_64                3.3-2.el9          @AppStream
rpm-plugin-selinux.x86_64                4.16.1.3-11.el9    @anaconda
selinux-policy.noarch                    34.1.30-2.el9      @anaconda
selinux-policy-targeted.noarch           34.1.30-2.el9      @anaconda

# dnf list installed "*openvswitch*"
Installed Packages
centos-release-nfv-openvswitch.noarch    1-4.el9s           @extras-common
openvswitch-selinux-extra-policy.noarch  1.0-31.el9s        @centos-nfv-openvswitch
openvswitch2.15.x86_64                   2.15.0-81.el9s     @centos-nfv-openvswitch
openvswitch2.15-ipsec.x86_64             2.15.0-81.el9s     @centos-nfv-openvswitch
ovirt-openvswitch.noarch                 2.15-3.el9         @centos-ovirt45
ovirt-openvswitch-ipsec.noarch           2.15-3.el9         @centos-ovirt45
ovirt-openvswitch-ovn.noarch             2.15-3.el9         @centos-ovirt45
ovirt-openvswitch-ovn-common.noarch      2.15-3.el9         @centos-ovirt45
ovirt-openvswitch-ovn-host.noarch        2.15-3.el9         @centos-ovirt45
ovirt-python-openvswitch.noarch          2.15-3.el9         @centos-ovirt45
python3-openvswitch2.15.x86_64           2.15.0-81.el9s     @centos-nfv-openvswitch

Not sure if this is on openvswitch-selinux-extra-policy or on selinux-policy-targeted.noarch.
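The raw dump above is what a policy maintainer has to reduce before deciding whether a denial calls for a policy change, a relabel, or a change in the program that triggers it. The Python script below is an added example, not code from this bug or from the openvswitch or selinux-policy projects. It groups records by audit serial, decodes the hex `proctitle` the way `ausearch -i` does, and collapses the AVC lines into one row per source type, target type, object class and enforcement state, which is the granularity audit2allow reports at. Its input is the AVC and PROCTITLE lines copied from the report (including the duplicated modprobe record), not constructed data. Two things fall out that the dump hides: the `pk12util` event is a PKCS#12 import into the NSS database under /etc/ipsec.d/, which is why it appends to pkcs11.txt (ipsec_key_file_t); and only the tracefs search by openvswitch_load_module_t carries permissive=0, so it is the only access the kernel actually refused. The openvswitch_t rows were granted and merely logged (permissive=1); since the permissive=0 records come from the same boot, the system was not globally permissive, so openvswitch_t must have been running as a permissive domain.

```python
"""Triage helper for raw Linux audit records such as the ones in this report.

Added example (not from the bug or the openvswitch / selinux-policy projects).
Groups records by audit serial, decodes the hex proctitle like `ausearch -i`,
and collapses AVC lines into audit2allow-style rows so that enforced denials
(permissive=0) stand out from accesses merely logged by a permissive domain.
"""
import re
from collections import defaultdict

# AVC and PROCTITLE lines copied from the report above; the modprobe AVC is
# deliberately kept twice, exactly as the kernel logged it there.
REPORT_RECORDS = """\
type=PROCTITLE msg=audit(1651654332.305:3395): proctitle=6D6F6470726F6265006F70656E76737769746368
type=AVC msg=audit(1651654332.305:3395): avc: denied { search } for pid=46413 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651654332.305:3395): avc: denied { search } for pid=46413 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1651654358.535:4262): proctitle=706B31327574696C002D69002F746D702F6F76735F636572746B65795F6E6F64653435656C392E6C61622E703132002D640073716C3A2F6574632F69707365632E642F002D57
type=AVC msg=audit(1651654358.535:4262): avc: denied { append } for pid=50215 comm="pk12util" path="/etc/ipsec.d/pkcs11.txt" dev="dm-0" ino=34268480 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651654774.149:63): avc: denied { create } for pid=1142 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651654774.149:63): avc: denied { add_name } for pid=1142 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
"""

MSG_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(hexstr):
    """proctitle is argv, hex-encoded with NUL separators; return it as a list."""
    return [p.decode("utf-8", "replace") for p in bytes.fromhex(hexstr).split(b"\0")]


def parse_kv(text):
    """key=value pairs of an audit record body, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_records(text):
    """Group records by audit serial: {serial: {"argv": [...] or None, "avcs": [...]}}."""
    events = defaultdict(lambda: {"argv": None, "avcs": []})
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        if rtype == "PROCTITLE":
            events[serial]["argv"] = decode_proctitle(parse_kv(body)["proctitle"])
        elif rtype == "AVC":
            am = AVC_RE.search(body)
            if am:
                avc = parse_kv(am.group(2))
                avc["perms"] = tuple(am.group(1).split())
                # permissive=0: the kernel refused the access.
                # permissive=1: the domain is permissive; access was granted, only logged.
                avc["enforced"] = avc.get("permissive") == "0"
                events[serial]["avcs"].append(avc)
    return dict(events)


def summarize(text):
    """One row per (source type, target type, class, enforced) with permissions
    merged and duplicate records collapsed: the granularity of audit2allow."""
    rows = defaultdict(set)
    for ev in parse_records(text).values():
        for avc in ev["avcs"]:
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], avc["enforced"])
            rows[key].update(avc["perms"])
    return sorted((s, t, c, tuple(sorted(p)), e) for (s, t, c, e), p in rows.items())


def allow_rules(text):
    """Render the rows as `allow` statements for review; do not load them blindly."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p, _ in summarize(text)]


if __name__ == "__main__":
    for serial, ev in parse_records(REPORT_RECORDS).items():
        print(serial, ev["argv"], [(a["perms"], a["enforced"]) for a in ev["avcs"]])
    for row in summarize(REPORT_RECORDS):
        print(row)
    print("\n".join(allow_rules(REPORT_RECORDS)))
```

Run it with python3 to get the decoded argv per event, the summary rows and the allow statements. Treat the statements as input for review, not as the fix: `allow openvswitch_t etc_t:file { create }` would let the daemon create files anywhere labelled etc_t, which is most of /etc. The question raised in the comments, writing ipsec.conf under /etc/ipsec.d/ instead of /etc, or a type_transition so that the new file is created as ipsec_conf_file_t (the label the PATH record shows on the existing /etc/ipsec.conf), is the narrower change. The tracefs row is enforced, yet the SYSCALL record of the same event shows success=yes for init_module, so the module loaded regardless; a denial that does not change the outcome is the usual candidate for a dontaudit rule rather than an allow.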