Bug 966106
| Field | Value |
|---|---|
| Summary | AVC denials when using netns |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Lon Hohberger <lhh> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Michal Trunecka <mtruneck> |
| Severity | urgent |
| Priority | urgent |
| Version | 6.4 |
| CC | apevec, dwalsh, ebenes, lhh, mgrepl, mmalik, mtruneck, oblaut, sandro, twilson |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | 6.5 |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-205.el6 |
| Doc Type | Bug Fix |
| Clones | 1003621 |
| Last Closed | 2013-11-21 10:28:39 UTC |
| Bug Blocks | 969043, 1003621 |
Description
Lon Hohberger
2013-05-22 13:37:22 UTC
Created attachment 751727: Audit log
type=AVC msg=audit(1369229234.839:1873038): avc: denied { unmount } for pid=30160 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229234.840:1873039): avc: denied { mounton } for pid=30160 comm="ip" path="/sys" dev=dm-0 ino=1048577 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1369229234.840:1873039): avc: denied { mount } for pid=30160 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229234.840:1873040): avc: denied { execute_no_trans } for pid=30160 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229313.003:1874918): avc: denied { unmount } for pid=31401 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229313.003:1874919): avc: denied { mounton } for pid=31401 comm="ip" path="/sys" dev=dm-0 ino=1048577 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1369229313.003:1874919): avc: denied { mount } for pid=31401 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229313.003:1874920): avc: denied { execute_no_trans } for pid=31401 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229330.881:1875349): avc: denied { execute_no_trans } for pid=31685 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229402.879:1877068): avc: denied { unmount } for pid=351 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229402.879:1877069): avc: denied { mount } for pid=351 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

*** Bug 966104 has been marked as a duplicate of this bug. ***

Created attachment 751772: New logs
type=SYSCALL msg=audit(05/22/2013 11:54:51.081:347918) : arch=x86_64 syscall=setns success=no exit=-1(Operation not permitted) a0=0x4 a1=CLONE_NEWNET a2=0x3e898db400 a3=0x0 items=0 ppid=23224 pid=23228 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(05/22/2013 11:54:51.081:347918) : avc: denied { sys_admin } for pid=23228 comm=ip capability=sys_admin scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability

This is the 'setns(2)' syscall.

* Gary Kotton (gkotton) wrote:
> The following are steps for reproducing the namespace issue:
> 1. Use RDO/RHOS 3.0 with kernel + route 2 URLs: kernel[1] iproute2[2]

$ uname -r
2.6.32-358.11.1.el6.netns130517.x86_64
$ rpm -qf /sbin/ip
iproute-2.6.32-23.el6_4.netns.1.x86_64

> 2. Install all in one packstack
> 3. https://fedoraproject.org/wiki/Packstack_to_Quantum
> 4. Install quantum with plumbing - https://fedoraproject.org/wiki/Quantum
> - need to set the root wrap in quantum.conf
> [AGENT]
> root_helper = sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

I used most recent packstack[3] which allows me to skip 3 and 4 and gives me:

I have quantum.conf
[DEFAULT]
root_helper=sudo quantum-rootwrap /etc/quantum/rootwrap.conf

And dhcp_agent.ini
[DEFAULT]
root_helper=sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

And l3_agent.ini
[DEFAULT]
root_helper=sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

> 5. Start all services
> 6. Create a network - quantum net-create heh
> 7. Create a subnet - quantum subnet create heh 10.0.0.0/24
> 8. Deploy a VM - this is required as the DHCP agent will only try and
> create a namespace when the first port is created

(I used net1, not heh)

$ nova list
+--------------------------------------+------+--------+---------------+
| ID                                   | Name | Status | Networks      |
+--------------------------------------+------+--------+---------------+
| 146ae902-7f74-47ea-be31-cd7583c4d5fe | f16  | ACTIVE | net1=10.0.0.2 |
+--------------------------------------+------+--------+---------------+
$ ip netns list
qdhcp-79a10e01-05ec-48df-bcf7-9c0ea8527c4d
$ sudo ip netns exec qdhcp-79a10e01-05ec-48df-bcf7-9c0ea8527c4d bash
# ping 10.0.0.2
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.035 ms
...
# ssh 10.0.0.2
root@10.0.0.2's password:
Last login: Tue May 21 07:48:01 2013 from 10.0.0.3
[root@10-0-0-2 ~]#

# nova delete f16
# quantum net-delete net1
# setenforce enforcing   <--- trouble starts here
# quantum net-create net1
# quantum subnet-create net1 10.0.0.0/29
# nova boot f16 --flavor 1 --image f16

No namespace created.

# nova delete f16
# quantum net-delete net1
# setenforce permissive   <--- trouble ends here
# quantum net-create net1
# quantum subnet-create net1 10.0.0.0/29
# nova boot f16 --flavor 1 --image f16
# ip netns exec qdhcp-70f49ef4-807a-47d3-83f6-2a5f9ea780b8 ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.352 ms
...

This looks like an SELinux problem.

Dan, the call flow is like this:

service started at bootup
- /etc/init.d/quantum-dhcp-agent
- daemon --user quantum /usr/bin/dhcp-agent...
- sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf ip netns add...
- open(/var/run/netns/qdhcp-..., O_RDONLY|O_CREAT|O_EXCL, 0);
  ^^^ fails -EPERM

So, the open() syscall fails creating a new file in /var/run/netns despite the syscall running in the context of uid 0 (via sudo). I don't see any AVCs, perhaps dac is stopping beforehand.

Any ideas on policy tweaks needed to ensure sudo properly escalates privileges?

$ ls -ldZ /var/run/netns
drwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 /var/run/netns
$ ls -lZ /etc/init.d/quantum-dhcp-agent
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/quantum-dhcp-agent
$ ls -lZ /usr/bin/quantum-dhcp-agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/quantum-dhcp-agent

thanks,
-chris

[1] kernel brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=5792543
[2] iproute2 http://et.redhat.com/~chrisw/rhel6/6.4/bz869004/iproute/netns.1/
[3] git clone --recursive git://github.com/stackforge/packstack.git

Created attachment 751800: Audit log
The machine I was using was missing the openstack-selinux package and current releases of selinux-policy* packages. This is the same machine's audit log after a reboot with those packages installed/updated; 2/3 of the AVCs disappeared.
In the context of ip netns add foo.... ip will do this:

  mkdir("/var/run/netns", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
  open("/var/run/netns/foo", O_RDONLY|O_CREAT|O_EXCL, 0);
  unshare(CLONE_NEWNET);
  mount("/proc/self/ns/net", "/var/run/netns/foo", "none", MS_BIND, NULL);

Later we will need to execute things in that namespace, for example:

  ip netns exec foo bash

  netns = open("/var/run/netns/foo", O_RDONLY);
  setns(netns, CLONE_NEWNET);                  /* capable(CAP_SYS_ADMIN) */
  unshare(CLONE_NEWNS);
  umount2("/sys", MNT_DETACH);                 /* capable(CAP_SYS_ADMIN) */
  mount(name, "/sys", "sysfs", 0, NULL);       /* capable(CAP_SYS_ADMIN) */

If there's stuff in /etc/netns/foo/ it will go through and bind mount all to /etc/ (override global network config files)... like:

  mount("/etc/netns/foo/bar.conf", "/etc/bar.conf", "none", MS_BIND, NULL);

And finally delete it... ip netns delete foo

  umount2("/var/run/netns/foo", MNT_DETACH);
  unlink("/var/run/netns/foo");

So, I think Dan's patch from upstream:
https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=3e61cdbe384652759fc420b157d3fe50f8692bfa
solves the AVCs around netns. At least, I built a test RPM with a backported version of that patch, and those went away.

I think there are other necessary changes for Grizzly, though, as I'm still hitting some AVCs from dnsmasq.

Created attachment 751904: Audit log after patching with Dan's patch
type=AVC msg=audit(1369254600.399:1221): avc: denied { mounton } for pid=3862 comm="ip" path="/var/run/netns/qdhcp-b3243f7e-39d7-4091-917d-0f0ceed595ee" dev=dm-0 ino=3146963 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file

^ Except this one. Looks like we'd need:

  files_mountpoint(ifconfig_var_run_t)

I added additional fixes

9d9265766bd0c4c8bac53aeced9c562db5f7e267
4d67b983e794acaf9129987e284aa53d6e87383e
626c3c9d929b0998ea5d38da949a8671bf091381
dd02206c14f2e8bc2ba31519d2cfda165dd087ae

Thanks, Mirek - I'll give those a spin.

Did it work?

I haven't built a package yet. :( I'll try to get it done today.

Closer:

[root@dhcp-4-126 ~(keystone_admin)]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1369773799.697:250681): avc: denied { mounton } for pid=3336 comm="ip" path="/var/run/netns/qdhcp-744b6324-95d8-4d32-9e43-8ffdff31af4d" dev=dm-0 ino=2627861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file
type=AVC msg=audit(1369773802.022:250766): avc: denied { read } for pid=3392 comm="dnsmasq" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.022:250766): avc: denied { write } for pid=3392 comm="dnsmasq" path="pipe:[22385]" dev=pipefs ino=22385 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.026:250767): avc: denied { ioctl } for pid=3393 comm="sh" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.031:250768): avc: denied { sigchld } for pid=3389 comm="python" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=process
type=AVC msg=audit(1369773802.037:250769): avc: denied { getattr } for pid=3393 comm="python" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.237:250775): avc: denied { execute } for pid=3399 comm="sh" name="ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369773802.237:250775): avc: denied { read open } for pid=3399 comm="sh" name="ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369773802.237:250775): avc: denied { execute_no_trans } for pid=3399 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

Created attachment 754089: audit.log with Dan's and Miroslav's patches
The mounton line I suggested may be incorrect:

#============= dnsmasq_t ==============
allow dnsmasq_t ldconfig_exec_t:file { read execute open execute_no_trans };
allow dnsmasq_t quantum_t:fifo_file { read write ioctl getattr };
allow dnsmasq_t quantum_t:process sigchld;
#============= ifconfig_t ==============
allow ifconfig_t ifconfig_var_run_t:file mounton;

The other 3 allow lines could potentially be moved into openstack-selinux for the time being, but the ifconfig bit (or perhaps a better version?) is needed in selinux-policy. Basically, when running with quantum, we expect the host to be an openstack node, so it's probably okay to allow some or all of those lines.

Any thoughts, Miroslav?

The line I find most concerning is how/why dnsmasq is running ldconfig. I don't know why that occurs.

Ok, I added fixes to Fedora. Now we need to get all acks and we can do a z-stream clone.

Fixed in selinux-policy-3.7.19-201.el6

The bug is still there on latest puddle 31.5

Jun 3 13:16:28 puma05 kernel: type=1400 audit(1370254588.164:62): avc: denied { sys_admin } for pid=7771 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:16:59 puma05 kernel: type=1400 audit(1370254619.239:63): avc: denied { sys_admin } for pid=7856 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:17:30 puma05 kernel: type=1400 audit(1370254650.272:64): avc: denied { sys_admin } for pid=7944 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:18:01 puma05 kernel: type=1400 audit(1370254681.366:65): avc: denied { sys_admin } for pid=8029 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:18:32 puma05 kernel: type=1400 audit(1370254712.434:66): avc: denied { sys_admin } for pid=8117 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:19:03 puma05 kernel: type=1400 audit(1370254743.469:67): avc: denied { sys_admin } for pid=8199 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:19:34 puma05 kernel: type=1400 audit(1370254774.758:68): avc: denied { sys_admin } for pid=8287 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun 3 13:20:05 puma05 kernel: type=1400 audit(1370254805.816:69): avc: denied { sys_admin } for pid=8375 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability

#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy
allow ifconfig_t self:capability sys_admin;

We need to back port it.

All Quantum ip netns commands fail when selinux is in enforcing mode, only permissive mode allows quantum to work

(In reply to Ofer Blaut from comment #28)
> All Quantum ip netns commands fail when selinux is in enforcing mode,
> only permissive mode allows quantum to work

What selinux-policy version are you using? Could you please provide logs with AVC failures you are seeing?

Hi

policies:
selinux-policy-3.7.19-195.el6_4.7.noarch
selinux-policy-targeted-3.7.19-195.el6_4.7.noarch
openstack-selinux-0.1.2-10.el6ost.noarch

Audit logs
http://pastebin.test.redhat.com/145610

So it needs more fixes.

RHEL6.5 builds:
https://brewweb.devel.redhat.com/buildinfo?buildID=275584

RHEL6.4.z scratch build:
https://brewweb.devel.redhat.com/taskinfo?taskID=5866723

Hi

I have used rpms from https://brewweb.devel.redhat.com/taskinfo?taskID=5866723 on working setup.
got the following AVCs
http://pastebin.test.redhat.com/145672

moving to permissive mode again, since some features on quantum stopped working (floating ip and routes)

more info
http://pastebin.test.redhat.com/145685

configure selinux to permissive and quantum works again

(In reply to Ofer Blaut from comment #36)
> got the following AVCs
> http://pastebin.test.redhat.com/145672

#============= iptables_t ==============
allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;

Could you add this local policy

# cat mypol.te
require {
	type iptables_t;
	type quantum_t;
}

allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and re-test it.

Here are complete instructions for the uninitiated:

cat > mypol.te <<EOF
module mypol 1.0;

require {
	type iptables_t;
	type quantum_t;
	class process sigchld;
	class fifo_file { read write };
}

allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;
EOF
checkmodule -M -m -o mypol.mod mypol.te
semodule_package -o mypol.pp -m mypol.mod
semodule -i mypol.pp

The policy z-stream errata has been updated for re-testing.

I am still getting problems which result in:

2013-06-06 09:23:54 ERROR [quantum.agent.dhcp_agent] Unable to reload_allocations dhcp.
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/quantum/agent/dhcp_agent.py", line 129, in call_driver
    getattr(driver, action)()
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/dhcp.py", line 315, in reload_allocations
    ip_wrapper.netns.execute(cmd)
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/ip_lib.py", line 414, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/utils.py", line 61, in execute
    raise RuntimeError(m)
RuntimeError:
Command: ['sudo', 'quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-92c91fd2-06be-46b6-aa41-a824fae8e7af', 'kill', '-HUP', '4511']
Exit code: 1
Stdout: ''
Stderr: 'kill 4511: Operation not permitted\n'

The audit log is (hope I have this correct):

type=SYSCALL msg=audit(1370525156.812:378894): arch=c000003e syscall=62 success=no exit=-1 a0=119f a1=1 a2=1 a3=119f items=0 ppid=7200 pid=7207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=USER_END msg=audit(1370525156.836:378895): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1370525156.836:378896): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1370525156.972:378897): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1370525156.972:378898): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

And does it work in permissive mode? Any AVC msgs?

*** Bug 964071 has been marked as a duplicate of this bug. ***

Created attachment 757732: audit file when running in permissive mode
https://brewweb.devel.redhat.com/taskinfo?taskID=5874281 resolves all issues that I encountered

Thanks Gary

I still get a few avc denials when launching an instance. To reproduce, install via packstack from laptop to a target VM. Log into VM and:

quantum net-create net1
quantum subnet-create net1 10.0.0.0/24 --name subnet1

Then in horizon set up keypair and cirros 0.3.0 image and launch an instance, selecting net1 as the network.

AVCs:

type=AVC msg=audit(1370900696.344:2773): avc: denied { read } for pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.344:2773): avc: denied { open } for pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2774): avc: denied { ioctl } for pid=4326 comm="qemu-kvm" path="/var/lib/nova/instances/d326667b-2b03-4449-9f26-ad49766c0512/disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2775): avc: denied { getattr } for pid=4326 comm="qemu-kvm" path="/var/lib/nova/instances/d326667b-2b03-4449-9f26-ad49766c0512/disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2776): avc: denied { write } for pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
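Two places in this thread turn raw denials into policy: the audit2allow-style `#============= dnsmasq_t` / `allow ...` output, and the hand-written mypol.te module with its `require { ... }` block that gets fed to checkmodule and semodule. The script below is an added example written for this page, not code from the bug, from selinux-policy or from audit2allow: it parses AVC records in both the audit.log `type=AVC` shape and the `/var/log/messages` `kernel: type=1400` shape, merges them into allow rules keyed by (source type, target type, class) exactly the way the thread's rules are grouped (writing `self` when a domain acts on its own context, as in `allow ifconfig_t self:capability sys_admin;`), and renders a loadable .te module. The sample records are copied from the AVCs quoted in this bug, plus one SYSCALL record to show that non-denial records are skipped; the `needs_review` heuristic is this example's own, not an audit2allow feature, and exists because the thread itself flags the two rules it catches here (CAP_SYS_ADMIN for ifconfig_t, and dnsmasq_t executing ldconfig) as the ones that deserve a human look before anyone runs `semodule -i`.

```python
"""Turn SELinux AVC denials into a candidate policy module, the way audit2allow does."""
import re
from collections import defaultdict

# Sample records taken from the denials quoted in this bug (both the audit.log
# 'type=AVC' shape and the /var/log/messages 'kernel: type=1400' shape), plus a
# SYSCALL record to show that non-denial records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1369254600.399:1221): avc: denied { mounton } for pid=3862 comm="ip" path="/var/run/netns/qdhcp-b3243f7e-39d7-4091-917d-0f0ceed595ee" dev=dm-0 ino=3146963 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file
type=AVC msg=audit(1369773802.022:250766): avc: denied { read } for pid=3392 comm="dnsmasq" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.022:250766): avc: denied { write } for pid=3392 comm="dnsmasq" path="pipe:[22385]" dev=pipefs ino=22385 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.237:250775): avc: denied { read open } for pid=3399 comm="sh" name="ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369773802.237:250775): avc: denied { execute_no_trans } for pid=3399 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Jun 3 13:16:28 puma05 kernel: type=1400 audit(1370254588.164:62): avc: denied { sys_admin } for pid=7771 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(1370525156.812:378894): arch=c000003e syscall=62 success=no exit=-1 comm="kill" exe="/bin/kill" subj=system_u:system_r:ifconfig_t:s0 key=(null)
"""

# The permission set sits between braces; the three contexts always follow in
# this order in a kernel AVC record, whatever fields sit in between.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_END, CRED_DISP ... records carry no denial
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(text):
    """Merge denials into allow rules keyed by (source, target, class), like audit2allow."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        # audit2allow writes 'self' when a domain acts on its own context
        target = "self" if ttype == stype else ttype
        rules[(stype, target, tclass)] |= perms
    return dict(rules)


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_module(rules, name="mypol", version="1.0"):
    """Render a loadable .te module with the require block checkmodule expects."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.add(stype)
        if ttype != "self":
            types.add(ttype)
        classes[tclass] |= perms
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, format_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, format_perms(perms)))
    return "\n".join(out) + "\n"


def needs_review(rule, perms):
    """Heuristic of this example (not an audit2allow feature): rules that hand a
    domain CAP_SYS_ADMIN, or let it run another domain's entry point without a
    transition, deserve a human look before the module is loaded."""
    stype, ttype, tclass = rule
    if tclass == "capability" and "sys_admin" in perms:
        return True
    return ttype.endswith("_exec_t") and bool(perms & {"execute", "execute_no_trans"})


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT)
    print(render_module(rules))
    for rule, perms in sorted(rules.items()):
        if needs_review(rule, perms):
            print("# REVIEW: allow %s %s:%s %s;" % (rule + (format_perms(perms),)))
```

Feed it `grep -i avc /var/log/audit/audit.log` (or the matching `kernel:` lines from /var/log/messages) and the printed .te goes through the same `checkmodule -M -m` / `semodule_package` / `semodule -i` steps given in the thread. The point of the review pass is the one the thread makes the hard way: a module generated from denials is a transcript of what the process tried, not a judgement that it should be allowed, and `allow ifconfig_t self:capability sys_admin;` or a rule letting dnsmasq_t execute ldconfig are exactly the lines to question rather than paste.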