Bug 918721

Summary: swift replication in /srv/node produces AVC denials
Product: Red Hat OpenStack Reporter: Lon Hohberger <lhh>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Martina Kollarova <mkollaro>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 2.1CC: derekh, dwalsh, mgrepl, ncredi
Target Milestone: snapshot5Keywords: Triaged
Target Release: 2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.1.2-8.el6ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 922787 (view as bug list) Environment:
Last Closed: 2013-04-04 18:01:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 885529    
Bug Blocks: 918549, 922787    
Attachments:
Description Flags
Patch against master_contrib branch of selinux-policy
none
Patch against master_contrib branch of selinux-policy
none
Patch against master_contrib branch of selinux-policy
none
Patch against master_contrib branch of selinux-policy
none
Fix typo
none
Patch against master_contrib branch of selinux-policy
none
Spec file patch to call restorecon on /srv none

Description Lon Hohberger 2013-03-06 18:21:52 UTC
Created attachment 706193 [details]
Patch against master_contrib branch of selinux-policy

Description of problem:

type=AVC msg=audit(1362499871.862:4753): avc:  denied  { write } for  pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc:  denied  { add_name } for  pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc:  denied  { create } for  pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4754): avc:  denied  { setattr } for  pid=26757 comm="rsync" name="cbf" dev=vdb ino=360460 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc:  denied  { create } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.866:4755): avc:  denied  { read write open } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4756): avc:  denied  { setattr } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc:  denied  { getattr } for  pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.868:4758): avc:  denied  { remove_name } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.868:4758): avc:  denied  { rename } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

Version-Release number of selected component (if applicable): openstack-selinux-0.1.2-6

These AVCs are caused by incorrect labelling on /srv/node/* and /srv/loopback-device/*.

Here is a workaround for testing environments:

  # semanage fcontext -a -t rsync_data_t '/srv/node(/.*)?'
  # semanage fcontext -a -t rsync_data_t '/srv/loopback-device(/.*)?'
  # restorecon -Rv /srv/*
  # sesetbool rsync_client on

A more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device.

branch).

Comment 1 Lon Hohberger 2013-03-06 18:24:25 UTC
Rather, a more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device is attached.

This:
  - defines swift_rsync_t
  - allows rsync_t and swift_t to read/write/manage swift_rsync_t 
  - defines /srv/node and /srv/loopback-device as swift_rsync_t 
    context

Comment 4 Lon Hohberger 2013-03-06 20:37:58 UTC
Created attachment 706232 [details]
Patch against master_contrib branch of selinux-policy

Changes the new type to match convention with other modules.

Comment 5 Lon Hohberger 2013-03-06 20:39:24 UTC
Created attachment 706233 [details]
Patch against master_contrib branch of selinux-policy

Remove extraneous whitespace change.

Comment 6 Lon Hohberger 2013-03-06 21:03:13 UTC
Created attachment 706261 [details]
Patch against master_contrib branch of selinux-policy

Include Pete Zaitcev's notes from https://bugzilla.redhat.com/show_bug.cgi?id=885529#c21

Comment 9 Lon Hohberger 2013-03-06 21:19:32 UTC
Created attachment 706268 [details]
Fix typo

Comment 12 Lon Hohberger 2013-03-06 22:59:33 UTC
Created attachment 706287 [details]
Patch against master_contrib branch of selinux-policy

Add rather critical missing files_type(swift_data_t) assignment.

I did some cursory tests on Derek's machine with the RHOS-port of this patch.

Comment 13 Lon Hohberger 2013-03-06 23:02:49 UTC
Dan / Miroslav - can I get a review of that patch in comment #12 ?  I think it's mostly ready to go.

Comment 15 Miroslav Grepl 2013-03-07 10:31:59 UTC
So openstack-selinux-0.1.2-7.el6ost.noarch.rpm is right version?

Comment 19 Martina Kollarova 2013-03-18 12:38:14 UTC
I'm not sure what is meant by "incorrect labelling on /srv/node/*", so far I tried this:

$ rpm -qa |grep openstack-selinux
openstack-selinux-0.1.2-7.el6ost.noarch
$ mv /srv/node/device1/{accounts,accountsx}

With selinux disabled, the 'accounts' dir gets re-created withing a minute (but the 'accountsx' dir stays there). With selinux enabled, I get avc denials similar to those in the bug description.

Comment 20 Lon Hohberger 2013-03-18 13:14:22 UTC
/srv/* is mislabeled.  The following:

   restorecon -Rv /srv/*

...should fix it.

Comment 21 Lon Hohberger 2013-03-18 13:29:43 UTC
We'll call this from the rpm spec file.

Comment 22 Lon Hohberger 2013-03-18 13:36:25 UTC
Created attachment 711952 [details]
Spec file patch to call restorecon on /srv

Comment 23 Lon Hohberger 2013-03-18 13:41:48 UTC
This should break things:

  chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*

Updating to the -8 rpm should fix things:

  rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm

Comment 25 Martina Kollarova 2013-03-18 13:56:49 UTC
Seems to work. 

$ ls -lZ /srv/node
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device1
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device2

(In reply to comment #23)
> This should break things:
> 
>   chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*
> 
> Updating to the -8 rpm should fix things:
> 
>   rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm

Comment 26 errata-xmlrpc 2013-04-04 18:01:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0706.html