Bug 718214

Summary: Not ready for SELinux enforcement
Product: [Retired] CloudForms Cloud Engine
Reporter: Steve Reichard <sreichar>
Component: Distribution
Assignee: Francesco Vollero <fvollero>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: deltacloud-maint, matt.wagner, mgrepl, morazi, scollier, vvaldez
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-30 17:15:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Steve Reichard 2011-07-01 12:48:03 UTC
Description of problem:

While running various aeolus activities (adding providers, accounts and realms; building and pushing images; launching deployments), an array of SELinux alerts is encountered.

The audit.log will be attached.


[root@cf-aeolus ~]# ausearch -m avc | wc
    280    3590   46867
[root@cf-aeolus ~]# 

[root@cf-aeolus ~]# cp /var/log/audit/audit.log /pub/tmp/
[root@cf-aeolus ~]# audit2allow < /var/log/audit/audit.log 


#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'

allow httpd_t ntop_port_t:tcp_socket name_connect;

#============= iptables_t ==============
allow iptables_t anon_inodefs_t:file write;
allow iptables_t virt_tmp_t:file { read write };

#============= qemu_t ==============
allow qemu_t boot_t:file { read getattr open };
#!!!! The source type 'qemu_t' can write to a 'file' of the following types:
# virt_cache_t, qemu_tmp_t, qemu_image_t, qemu_tmpfs_t, qemu_var_run_t, anon_inodefs_t, virt_image_type, tmpfs_t, xen_image_t, cifs_t, dosfs_t, nfs_t, usbfs_t

allow qemu_t virt_tmp_t:file { read write ioctl open getattr };
allow qemu_t virt_tmp_t:lnk_file read;
allow qemu_t virt_tmp_t:sock_file write;

#============= sshd_t ==============
allow sshd_t admin_home_t:file { read getattr open };


Version-Release number of selected component (if applicable):

Versions



[root@cf-aeolus ~]# /pub/scripts/cf-versions 
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Linux cf-aeolus.cloud.lab.eng.bos.redhat.com 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
postgresql-8.4.7-2.el6.x86_64
mongodb-1.6.4-3.el6_0.x86_64
euca2ools-1.3.1-4.el6_0.noarch
package gsoap is not installed
ruby-1.8.7.299-7.el6_1.1.x86_64
rubygems-1.3.7-1.el6.noarch
deltacloud-core-0.3.9999-1308927004.el6.noarch
rubygem-deltacloud-client-0.1.0-2.el6_0.noarch
libdeltacloud-0.9-1.el6.x86_64
hail-0.8-0.2.gf9c5b967.el6_0.x86_64
puppet-2.6.6-1.el6_0.noarch
aeolus-configure-2.0.1-0.el6.20110628141215gitb8aaf85.noarch
condor-7.6.0-4dcloud.el6.x86_64
iwhd-0.96.1.9e86-1.el6.x86_64
rubygem-image_factory_console-0.4.0-1.el6.20110629151206git0ca429a.noarch
rubygem-image_factory_connector-0.0.3-1.el6.20110628135944git2a88782.noarch
imagefactory-0.2.2-1.el6.noarch
aeolus-conductor-daemons-0.3.0-0.el6.20110628135944git2a88782.noarch
aeolus-conductor-0.3.0-0.el6.20110628135944git2a88782.noarch
[root@cf-aeolus ~]# 

How reproducible:



Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2011-09-22 13:20:36 UTC
I need to see raw AVC messages. 

It looks like there are some leaks.
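Comment 1 asks for the raw AVC records rather than the audit2allow summary. As an added illustration (not code from the bug, from Aeolus or from CloudForms), the Python script below groups raw AVC denials by source type, target type and class the way audit2allow does, but keeps the comm, object and count that a bare allow rule discards, and flags the httpd_can_network_connect boolean that audit2allow itself mentioned. The audit lines are constructed samples shaped after the denials in the description, not the attached audit.log.

```python
import re
from collections import defaultdict

# Constructed sample AVC records, not the bug's attached audit.log; the source
# and target types and permissions mirror the audit2allow summary above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309522083.101:4001): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=3000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1309522090.202:4002): avc:  denied  { write } for  pid=2402 comm="iptables" path="anon_inode:[eventfd]" dev=anon_inodefs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1309522095.303:4003): avc:  denied  { read open } for  pid=2510 comm="qemu-kvm" name="vmlinuz" dev=sda1 ino=12 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
type=AVC msg=audit(1309522101.404:4004): avc:  denied  { read } for  pid=2601 comm="sshd" name="root" dev=sda2 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The one boolean audit2allow itself flagged above as already covering a denial.
BOOLEANS = {("httpd_t", "tcp_socket", "name_connect"): "httpd_can_network_connect"}


def summarize(log_text):
    """Group AVC denials by (source type, target type, class) like audit2allow,
    but keep the comm, object and count that the bare allow rule throws away."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objs": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (SYSCALL, PATH, ...)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        # contexts are user:role:type[:level]; only the type matters for the rule
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        g = groups[key]
        g["perms"] |= set(m.group("perms").split())
        g["comms"].add(f.get("comm", "?"))
        g["objs"].add(f.get("path") or f.get("name") or f.get("dest", ""))
        g["count"] += 1
    return dict(groups)


def render(groups):
    """audit2allow-style rules, each annotated with the context it would hide."""
    out = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        note = f"{g['count']} AVC(s), comm={sorted(g['comms'])}, obj={sorted(g['objs'])}"
        for b in sorted({BOOLEANS[(stype, tclass, p)] for p in g["perms"] if (stype, tclass, p) in BOOLEANS}):
            note += f", covered by boolean {b}"
        out.append(f"allow {stype} {ttype}:{tclass} {perms};  # {note}")
    return out
```

Running `render(summarize(open("/var/log/audit/audit.log").read()))` on a real log gives one annotated line per rule; a rule whose comm is a process that should never run in that domain is the kind of leak Comment 1 is looking for.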

Comment 2 Francesco Vollero 2011-09-22 13:21:30 UTC
Great, but Miroslav, in our policies or what?

Comment 3 Miroslav Grepl 2011-09-22 13:25:00 UTC
Also I need to know your version of the policy

# rpm -q selinux-policy

Comment 4 wes hayutin 2011-09-28 16:41:53 UTC
making sure all the bugs are at the right version for future queries

Comment 6 Francesco Vollero 2011-09-28 20:16:49 UTC
We're currently working on this case with Miroslav Grepl.

Comment 8 wes hayutin 2012-02-10 22:26:20 UTC
[root@qeblade32 ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0   root      5179     1  0 08:38 ?        00:00:00 /usr/bin/python /usr/bin/beah-srv
system_u:system_r:initrc_t:s0   root      5200     1  0 08:38 ?        00:00:00 /usr/bin/python /usr/bin/beah-beaker-backend
system_u:system_r:initrc_t:s0   root      5212     1  0 08:38 ?        00:00:00 /usr/bin/python /usr/bin/beah-fwd-backend
system_u:system_r:initrc_t:s0   root      6042  5179  0 08:39 ?        00:00:04 /usr/bin/python /usr/bin/beah-rhts-task
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 15852 16622  0 17:25 pts/0 00:00:00 grep initrc
[root@qeblade32 ~]# ausearch -m avc | wc
<no matches>
      0       0       0
[root@qeblade32 ~]# cat /var/log/audit/audit.log | grep -i denied
[root@qeblade32 ~]# 

[root@qeblade32 ~]# rpm -qa | grep aeolus
aeolus-conductor-daemons-0.8.0-25.el6.noarch
aeolus-conductor-doc-0.8.0-25.el6.noarch
aeolus-configure-2.5.0-12.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch
aeolus-conductor-0.8.0-25.el6.noarch
rubygem-aeolus-cli-0.3.0-8.el6.noarch
aeolus-all-0.8.0-25.el6.noarch
[root@qeblade32 ~]# rpm -qa | grep selinux
libselinux-ruby-2.0.94-5.2.el6.x86_64
libselinux-devel-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-126.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade32 ~]#