Bug 915370
| Summary: | oo-cgroup-read fails, generates AVC | | |
|---|---|---|---|
| Product: | OKD | Reporter: | Mark Lamourine <mlamouri> |
| Component: | Containers | Assignee: | Rob Millner <rmillner> |
| Status: | CLOSED DUPLICATE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 2.x | CC: | mfisher |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-26 20:02:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=912215

These changes lead to the new bug. We need the appropriate policy to run oo-ruby anyway. Bugzilla ticket 912215 will track solving the new SELinux denial.

*** This bug has been marked as a duplicate of bug 912215 ***
Description of problem:
oo-cgroup-read is used to allow gear owners to check their cgroup settings and statistics. oo-cgroup-read is a shell script that attempts to run cgget. Current SELinux policy prevents oo-cgroup-read from executing additional programs.

Version-Release number of selected component (if applicable):

How reproducible:
On Fedora 18 with Openshift Origin installed from source after Feb 19:
commit: 2f82b1a6c25db57a5c7728c18bc22e2f7b6c7350
Run smoke tests

Steps to Reproduce:
1. Try building a jbossas application
2. run 'oo-cgroup-read'

Actual results:
Tested on devenv_2829
Now, the LoadError is gone, the code uses oo-ruby instead of ruby to resolve the problem. But SELinux issues arose. The gear owner cannot perform oo-cgroup-read:

```
[jbossas1-2829t.dev.rhcloud.com ~]> oo-cgroup-read memory.memsw.limit_in_bytes
/usr/bin/env: oo-ruby: Permission denied
[root@ip-10-151-84-246 ~]# ll -Z /usr/bin/oo-cgroup-read
-rwxr-xr-x. root root system_u:object_r:openshift_cgroup_read_exec_t:s0 /usr/bin/oo-cgroup-read
```

Expected results:
oo-cgroup-read prints the current value of memory.memsw.limit_in_bytes

Additional info:
The recent change added a call out to cgget, where before it used a file read. This requires that the script be able to execute an external program (cgget). I think we need the rule described below added to the openshift-origin policy.

jhonce got us this diagnostic:

```
type=AVC msg=audit(1361291623.691:128914): avc: denied { execute } for pid=4623 comm="oo-cgroup-read" name="bash" dev=xvde1 ino=29 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c501 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

#============= openshift_cgroup_read_t ==============
allow openshift_cgroup_read_t shell_exec_t:file execute;
```
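The AVC line in the report is what audit2allow turns into the allow rule quoted at its end. As an added illustration (not code from this bug, from audit2allow or from OpenShift Origin), the Python below reimplements only that type-enforcement part of the translation: it parses the denial, keeps just the type field of each context, and merges repeated denials for the same source/target/class pair into one rule. The second sample denial is constructed to show the merge; only the first comes from the report.

```python
import re

# Denial taken verbatim from the bug report's diagnostic.
REPORTED_AVC = (
    'type=AVC msg=audit(1361291623.691:128914): avc: denied { execute } for '
    'pid=4623 comm="oo-cgroup-read" name="bash" dev=xvde1 ino=29 '
    'scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c501 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
)

# Constructed (not from the report): two denials on one target that audit2allow
# would fold into a single rule with a permission set.
CONSTRUCTED_AVCS = [
    'type=AVC msg=audit(1.0:1): avc: denied { read } for pid=1 comm="x" '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1.0:2): avc: denied { open } for pid=1 comm="x" '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return denied permissions plus the type part of both contexts, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; a TE rule names only the type,
    # so the MLS/MCS range (s0:c0,c501 in the report) is dropped.
    return {
        'perms': m.group('perms').split(),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def allow_rules(lines):
    """Collapse denials into one 'allow' rule per (source, target, class).

    The output is a starting point for review, not policy to load blindly:
    an execute rule like the one in the report lets the confined domain run
    the target without a domain transition, which is a deliberate decision.
    """
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, '{ %s }' % p if len(perms) > 1 else p))
    return rules
```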