| Summary: | Not ready for SELinux enforcement | ||
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Steve Reichard <sreichar> |
| Component: | Distribution | Assignee: | Francesco Vollero <fvollero> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.0.0 | CC: | deltacloud-maint, matt.wagner, mgrepl, morazi, scollier, vvaldez |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-30 17:15:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I need to see raw AVC messages. It looks like there are some leaks.

Great, but Miroslav, in our policies or what?

Also I need to know your version of the policy:

# rpm -q selinux-policy

Making sure all the bugs are at the right version for future queries.

We're currently working on this case with Miroslav Grepl.

[root@qeblade32 ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0 root 5179 1 0 08:38 ? 00:00:00 /usr/bin/python /usr/bin/beah-srv
system_u:system_r:initrc_t:s0 root 5200 1 0 08:38 ? 00:00:00 /usr/bin/python /usr/bin/beah-beaker-backend
system_u:system_r:initrc_t:s0 root 5212 1 0 08:38 ? 00:00:00 /usr/bin/python /usr/bin/beah-fwd-backend
system_u:system_r:initrc_t:s0 root 6042 5179 0 08:39 ? 00:00:04 /usr/bin/python /usr/bin/beah-rhts-task
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 15852 16622 0 17:25 pts/0 00:00:00 grep initrc
[root@qeblade32 ~]# ausearch -m avc | wc
<no matches>
0 0 0
[root@qeblade32 ~]# cat /var/log/audit/audit.log | grep -i denied
[root@qeblade32 ~]#
[root@qeblade32 ~]# rpm -qa | grep aeolus
aeolus-conductor-daemons-0.8.0-25.el6.noarch
aeolus-conductor-doc-0.8.0-25.el6.noarch
aeolus-configure-2.5.0-12.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch
aeolus-conductor-0.8.0-25.el6.noarch
rubygem-aeolus-cli-0.3.0-8.el6.noarch
aeolus-all-0.8.0-25.el6.noarch
[root@qeblade32 ~]# rpm -qa | grep selinux
libselinux-ruby-2.0.94-5.2.el6.x86_64
libselinux-devel-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade32 ~]#
Description of problem:
While running various aeolus activities (add providers, account, realms, build and pushing images, and launch deployments) an array of SELinux alerts is encountered. The audit.log will be attached.

[root@cf-aeolus ~]# ausearch -m avc | wc
    280    3590   46867
[root@cf-aeolus ~]# cp /var/log/audit/audit.log /pub/tmp/
[root@cf-aeolus ~]# audit2allow < /var/log/audit/audit.log

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t ntop_port_t:tcp_socket name_connect;

#============= iptables_t ==============
allow iptables_t anon_inodefs_t:file write;
allow iptables_t virt_tmp_t:file { read write };

#============= qemu_t ==============
allow qemu_t boot_t:file { read getattr open };
#!!!! The source type 'qemu_t' can write to a 'file' of the following types:
# virt_cache_t, qemu_tmp_t, qemu_image_t, qemu_tmpfs_t, qemu_var_run_t, anon_inodefs_t, virt_image_type, tmpfs_t, xen_image_t, cifs_t, dosfs_t, nfs_t, usbfs_t
allow qemu_t virt_tmp_t:file { read write ioctl open getattr };
allow qemu_t virt_tmp_t:lnk_file read;
allow qemu_t virt_tmp_t:sock_file write;

#============= sshd_t ==============
allow sshd_t admin_home_t:file { read getattr open };

Version-Release number of selected component (if applicable):

Versions
[root@cf-aeolus ~]# /pub/scripts/cf-versions
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Linux cf-aeolus.cloud.lab.eng.bos.redhat.com 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
postgresql-8.4.7-2.el6.x86_64
mongodb-1.6.4-3.el6_0.x86_64
euca2ools-1.3.1-4.el6_0.noarch
package gsoap is not installed
ruby-1.8.7.299-7.el6_1.1.x86_64
rubygems-1.3.7-1.el6.noarch
deltacloud-core-0.3.9999-1308927004.el6.noarch
rubygem-deltacloud-client-0.1.0-2.el6_0.noarch
libdeltacloud-0.9-1.el6.x86_64
hail-0.8-0.2.gf9c5b967.el6_0.x86_64
puppet-2.6.6-1.el6_0.noarch
aeolus-configure-2.0.1-0.el6.20110628141215gitb8aaf85.noarch
condor-7.6.0-4dcloud.el6.x86_64
iwhd-0.96.1.9e86-1.el6.x86_64
rubygem-image_factory_console-0.4.0-1.el6.20110629151206git0ca429a.noarch
rubygem-image_factory_connector-0.0.3-1.el6.20110628135944git2a88782.noarch
imagefactory-0.2.2-1.el6.noarch
aeolus-conductor-daemons-0.3.0-0.el6.20110628135944git2a88782.noarch
aeolus-conductor-0.3.0-0.el6.20110628135944git2a88782.noarch
[root@cf-aeolus ~]#

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
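The audit2allow summary in the description hides the raw records the maintainers asked for, and it turns every denial into an allow rule even when an allow rule is the wrong fix. The following is an added example, not code from this bug report, from aeolus or from selinux-policy: it parses raw AVC records from audit.log, merges them into the same per-domain layout audit2allow prints, and flags two cases a reviewer should look at before loading anything as a module. The audit records are constructed to mirror the denials listed above (pids, ports, paths and inode numbers are made up), the boolean map knows only the one boolean audit2allow named in the description, and the leaked-descriptor check is a heuristic of this example, not an audit2allow feature.

```python
"""Summarize raw AVC denials in audit2allow's layout so each one can be
reviewed before it becomes an allow rule.  Added example; the records in
SAMPLE_AUDIT_LOG are constructed, not copied from the attached audit.log."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log.  The SYSCALL record is
# included to show that non-AVC record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309444800.101:2001): avc:  denied  { name_connect } for  pid=2144 comm="httpd" dest=3002 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1309444800.101:2001): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7f2c0000 a2=10 a3=0 items=0 ppid=2140 pid=2144 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1309444801.202:2002): avc:  denied  { write } for  pid=2310 comm="iptables" path="anon_inode:[eventfd]" dev=0:5 ino=12 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1309444801.303:2003): avc:  denied  { read write } for  pid=2310 comm="iptables" path="/var/lib/libvirt/tmp/example.log" dev=dm-0 ino=39482 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:virt_tmp_t:s0 tclass=file
type=AVC msg=audit(1309444802.404:2004): avc:  denied  { read } for  pid=2501 comm="qemu-kvm" name="vmlinuz-example" dev=sda1 ino=1537 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
type=AVC msg=audit(1309444802.405:2005): avc:  denied  { open } for  pid=2501 comm="qemu-kvm" name="vmlinuz-example" dev=sda1 ino=1537 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
type=AVC msg=audit(1309444803.506:2006): avc:  denied  { read } for  pid=2620 comm="sshd" name="authorized_keys" dev=dm-0 ino=7731 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<rest>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed map (source type, class, permission) -> boolean.  audit2allow
# derives this from the installed policy; this example only knows the one
# boolean audit2allow printed in the bug description.
BOOLEAN_HINTS = {
    ("httpd_t", "tcp_socket", "name_connect"): "httpd_can_network_connect",
}


def context_type(context):
    """user:role:type[:range] -> type (works with or without an MLS range)."""
    return context.split(":")[2]


def parse_avcs(text):
    """One dict per AVC denial record; SYSCALL, PATH and other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        comm = re.search(r'comm="([^"]*)"', rest)
        path = re.search(r'path="([^"]*)"', rest)
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "comm": comm.group(1) if comm else "",
            "path": path.group(1) if path else "",
        })
    return denials


def aggregate(denials):
    """Merge denials into (source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def boolean_hint(source, tclass, perms):
    """Name a boolean that would allow the access, if this example knows one."""
    for perm in sorted(perms):
        if (source, tclass, perm) in BOOLEAN_HINTS:
            return BOOLEAN_HINTS[(source, tclass, perm)]
    return None


def looks_like_inherited_fd(denial):
    """Heuristic: a process can only hold an anonymous inode it created or
    inherited, so a denial on one in a helper like iptables points at a
    descriptor leaked by the parent.  The fix is close-on-exec in the parent,
    not an allow rule for the helper."""
    return denial["path"].startswith("anon_inode:")


def render_module(denials):
    """Allow rules grouped per source domain in audit2allow's layout, with a
    warning line wherever a boolean or a leaked descriptor applies."""
    rules = aggregate(denials)
    leaked = {(d["source"], d["target"], d["tclass"])
              for d in denials if looks_like_inherited_fd(d)}
    out = []
    for source in sorted({key[0] for key in rules}):
        out.append(f"#============= {source} ==============")
        for key in sorted(k for k in rules if k[0] == source):
            _, target, tclass = key
            perms = rules[key]
            hint = boolean_hint(source, tclass, perms)
            if hint:
                out.append(f"#!!!! This avc can be allowed using the boolean '{hint}'")
            if key in leaked:
                out.append("#!!!! Denied object is an anonymous inode: probably a "
                           "descriptor leaked by the parent, fix it there instead")
            plist = " ".join(sorted(perms))
            perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
            out.append(f"allow {source} {target}:{tclass} {perm_str};")
    return "\n".join(out)


if __name__ == "__main__":
    # On a live box: parse_avcs(open("/var/log/audit/audit.log").read())
    print(render_module(parse_avcs(SAMPLE_AUDIT_LOG)))
```

Run against the real audit.log, this gives the reviewer the same grouping as audit2allow plus the raw fields (comm, path) needed to judge each rule. The iptables_t denials on anon_inodefs_t and virt_tmp_t are the shape the "leaks" remark in the comments refers to: iptables has no reason to open an eventfd or a libvirt temp file itself, so an allow rule would paper over a descriptor leak in the parent. The httpd_t rule is the one case where a boolean, not a module, is the expected fix; check its state with `getsebool httpd_can_network_connect` before building anything.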