Bug 918721
| Field | Value |
|---|---|
| Summary | swift replication in /srv/node produces AVC denials |
| Product | Red Hat OpenStack |
| Component | openstack-selinux |
| Version | 2.1 |
| Reporter | Lon Hohberger <lhh> |
| Assignee | Lon Hohberger <lhh> |
| QA Contact | Martina Kollarova <mkollaro> |
| CC | derekh, dwalsh, mgrepl, ncredi |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Keywords | Triaged |
| Target Milestone | snapshot5 |
| Target Release | 2.1 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | openstack-selinux-0.1.2-8.el6ost |
| Doc Type | Bug Fix |
| Clones | 922787 (view as bug list) |
| Type | Bug |
| Bug Depends On | 885529 |
| Bug Blocks | 918549, 922787 |
| Last Closed | 2013-04-04 18:01:15 UTC |
Created attachment 706193 [details]
Patch against master_contrib branch of selinux-policy

Description of problem:

```
type=AVC msg=audit(1362499871.862:4753): avc: denied { write } for pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { add_name } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { create } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4754): avc: denied { setattr } for pid=26757 comm="rsync" name="cbf" dev=vdb ino=360460 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc: denied { create } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.866:4755): avc: denied { read write open } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4756): avc: denied { setattr } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc: denied { getattr } for pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.868:4758): avc: denied { remove_name } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.868:4758): avc: denied { rename } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
```

Version-Release number of selected component (if applicable):
openstack-selinux-0.1.2-6

These AVCs are caused by incorrect labelling on /srv/node/* and /srv/loopback-device/*. Here is a workaround for testing environments:

```
# semanage fcontext -a -t rsync_data_t '/srv/node(/.*)?'
# semanage fcontext -a -t rsync_data_t '/srv/loopback-device(/.*)?'
# restorecon -Rv /srv/*
# setsebool rsync_client on
```

A more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device. branch).

Rather, a more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device is attached. This:

- defines swift_rsync_t
- allows rsync_t and swift_t to read/write/manage swift_rsync_t
- defines /srv/node and /srv/loopback-device as swift_rsync_t context

Created attachment 706232 [details]
Patch against master_contrib branch of selinux-policy

Changes the new type to match convention with other modules.

Created attachment 706233 [details]
Patch against master_contrib branch of selinux-policy

Remove extraneous whitespace change.

Created attachment 706261 [details]
Patch against master_contrib branch of selinux-policy

Include Pete Zaitcev's notes from https://bugzilla.redhat.com/show_bug.cgi?id=885529#c21

Created attachment 706268 [details]
Fix typo

Created attachment 706287 [details]
Patch against master_contrib branch of selinux-policy

Add rather critical missing files_type(swift_data_t) assignment.

I did some cursory tests on Derek's machine with the RHOS-port of this patch.

Dan / Miroslav - can I get a review of that patch in comment #12? I think it's mostly ready to go.

So openstack-selinux-0.1.2-7.el6ost.noarch.rpm is the right version?

I'm not sure what is meant by "incorrect labelling on /srv/node/*"; so far I tried this:

```
$ rpm -qa | grep openstack-selinux
openstack-selinux-0.1.2-7.el6ost.noarch
$ mv /srv/node/device1/{accounts,accountsx}
```

With selinux disabled, the 'accounts' dir gets re-created within a minute (but the 'accountsx' dir stays there). With selinux enabled, I get avc denials similar to those in the bug description.

/srv/* is mislabeled. The following:

```
restorecon -Rv /srv/*
```

...should fix it. We'll call this from the rpm spec file.

Created attachment 711952 [details]
Spec file patch to call restorecon on /srv

This should break things:

```
chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*
```

Updating to the -8 rpm should fix things:

```
rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm
```

(In reply to comment #23)
> This should break things:
>
> chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*
>
> Updating to the -8 rpm should fix things:
>
> rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm

Seems to work.

```
$ ls -lZ /srv/node
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device1
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device2
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0706.html
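An added example, not part of the bug or its attached patches: a small parser for AVC records like those in the description above. It pulls the source and target types out of each denial and checks any denied path against the file-context patterns the fix installs (the `/srv/node(/.*)?` and `/srv/loopback-device(/.*)?` regexes and the swift_data_t label are taken from the comments; the sample records are copied from the description), so that a mislabeled tree (a restorecon problem) is told apart from a genuinely missing allow rule.

```python
import re

# Constructed sample input: three AVC records copied from this bug's description.
SAMPLE_AVCS = """\
type=AVC msg=audit(1362499871.862:4753): avc: denied { write } for pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc: denied { read write open } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc: denied { getattr } for pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""
# File-context rules in semanage's regex form, with the label the fixed policy
# assigns to the Swift data trees (the workaround used rsync_data_t, same patterns).
FCONTEXT_RULES = [
    (r"/srv/node(/.*)?", "swift_data_t"),
    (r"/srv/loopback-device(/.*)?", "swift_data_t"),
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def context_type(ctx):
    """Return the type (third field) of an SELinux context such as user:role:type:level."""
    return ctx.split(":")[2]

def expected_type(path):
    """Label a path should carry under FCONTEXT_RULES (semanage anchors at start: fullmatch)."""
    for pattern, seltype in FCONTEXT_RULES:
        if re.fullmatch(pattern, path):
            return seltype
    return None

def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else b for k, q, b in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        "path": fields.get("path"),  # only some records carry a full path
    }
    rec["expected"] = expected_type(rec["path"]) if rec["path"] else None
    rec["mislabeled"] = bool(rec["expected"]) and rec["expected"] != rec["ttype"]
    return rec

def analyze(text):
    """Parse every AVC record in text; a mislabeled hit means restorecon, not a policy allow."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]
```

Records without a path= field (only name=) cannot be matched against the rules and are reported with expected=None, which is why the getattr record is the one that proves the tree is mislabeled.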