Bug 980063
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux / netns related messages during update | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Jaroslav Henner <jhenner> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED NOTABUG | QA Contact | Milos Malik <mmalik> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 7.0 | CC | dwalsh, jhenner, lhh, lvrabec, mgrepl, mmalik, myllynen, plautrba, pvrabec, ssekidde, t.h.amundsen, vcojot |
| Target Milestone | rc | Keywords | Reopened |
| Target Release | 7.1 | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-07-16 10:40:47 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Jaroslav Henner
2013-07-01 10:43:46 UTC
Are you able to reproduce it?

# matchpathcon /var/run/netns
# ls -dZ /var/run/netns

How is /var/run/netns/qdhcp-* created?

Reproduce it? I will try. I don't know why I have written 2/2 in "How reproducible".

[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].
[root@controller ~(keystone_admin)]$ matchpathcon /var/run/netns
/var/run/netns system_u:object_r:ifconfig_var_run_t:s0
[root@controller ~(keystone_admin)]$ ls -dZ /var/run/netns
drwxr-xr-x. root root system_u:object_r:ifconfig_var_run_t:s0 /var/run/netns
[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].

It seems it is created by quantum. Yes, I am able to reproduce. It seems it creates a /var/run/netns/qdhc* per network or subnet you have defined.

The same holds for the message:
Full path required for exclude: net:[30612].

Lon, any idea?

Any chance to re-test it with selinux-policy-targeted-3.7.19-195.el6_4.9?

I don't have one yet -- I'll take a look at this today, but I think it's going to need to be fixed with the rest of netns in selinux-policy.

Can you attach the AVCs when possible?

Created attachment 788337 [details]
audit.log
There are no AVCs in this file.

(In reply to Daniel Walsh from comment #11)
> There are no AVCs in this file.

Hmm, so I think they got rate-limited. How can I reset the rate-limiting counters?

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Well, if you are running in permissive mode you can change it via setenforce 1; setenforce 0. Otherwise I know of no rate limiting for AVC messages.

I'm still seeing this every time selinux-policy* packages are updated on an RHEL OSP 5.0 controller/network host. I don't see any AVC or USER_AVC or SELINUX_ERR in the attachment mentioned in comment #17. I see these kinds of messages when upgrading or downgrading selinux-policy:

Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].

I see similar messages also when doing:

# restorecon -R /run/netns
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].
restorecon set context /run/netns/qdhcp-abc->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-123->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'

Thanks.

What happens if you run

# setenforce 1;setenforce 0

re-test it and run

# ausearch -m avc,user_avc -ts recent

Like this?

# setenforce 1 ; setenforce 0 ;
# restorecon -R /run/netns/
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532681].
Full path required for exclude: net:[4026532681].
restorecon set context /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
# ausearch -m avc,user_avc -ts recent
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18734): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18735): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
#

Thanks.

How is /run/netns mounted?

(In reply to Miroslav Grepl from comment #23)
> How is /run/netns mounted?

# mount | grep netns
tmpfs on /run/netns type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)

Lon, is this expected to have proc mounted here?

Marko, does everything work correctly?

(In reply to Miroslav Grepl from comment #25)
> Marko,
> does everything work correctly?

Yes. This setup has been generated by RHEL OSP 5.0 packstack, so I presume in general there are no issues caused by this.

Thanks.
Why do you need to run

# restorecon -R /run/netns/

(In reply to Miroslav Grepl from comment #27)
> Why do you need to run
>
> # restorecon -R /run/netns/

Please read comment 20 - it was the simplest step to reproduce this instead of doing a package upgrade. And in any case, I think restorecon should not produce errors.

Thanks.

I don't see it as a bug. restorecon tells us the correct info.

(In reply to Miroslav Grepl from comment #29)
> I don't see it as a bug. restorecon tells us the correct info.

So why are the messages printed then during the selinux-policy upgrade?
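The following is an added example, not part of the bug report and not code from selinux-policy or policycoreutils. It shows the check an administrator would want before relabelling /run/netns on a host like the one in the thread: it parses `mount`-style output (a constructed sample modelled on the listing in the thread, duplicate lines included) and prints the entries below /run/netns whose mount options lack `seclabel`. In the thread those are exactly the proc-mounted namespace entries that restorecon reported with 'Operation not supported', while the tmpfs directory /run/netns itself carries `seclabel` and relabels fine. The second function turns that list into `-e` exclusion arguments for restorecon. The function names `netns_unlabelable` and `restorecon_exclude_args` and the sample listing are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): find mount points under /run/netns
# that lack the "seclabel" mount option, i.e. entries restorecon cannot
# relabel, and build restorecon -e arguments that skip them.

# Constructed sample in the format of `mount` output, modelled on the listing
# in the thread (duplicate lines included, as in the original).
SAMPLE_MOUNTS='tmpfs on /run/netns type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on / type xfs (rw,relatime,seclabel)'

# netns_unlabelable LISTING
#   Print, one per line and deduplicated, every mount point below /run/netns/
#   whose option string does not contain "seclabel".  Fields of a `mount`
#   line are: SOURCE on MOUNTPOINT type FSTYPE (OPTIONS).
#   The tmpfs at /run/netns itself does not match (no trailing slash) and is
#   left for restorecon to relabel.
netns_unlabelable() {
    printf '%s\n' "$1" \
        | awk '$2 == "on" && $3 ~ /^\/run\/netns\// && $6 !~ /seclabel/ { print $3 }' \
        | sort -u
}

# restorecon_exclude_args LISTING
#   Turn that list into "-e PATH" pairs for restorecon(8), so that
#       restorecon -R $(restorecon_exclude_args "$(mount)") /run/netns
#   relabels the tmpfs directory and skips the namespace mounts.  Relies on
#   word splitting, so it is only suitable for paths without whitespace.
restorecon_exclude_args() {
    netns_unlabelable "$1" | while IFS= read -r mp; do
        printf -- '-e %s ' "$mp"
    done
}

# Demo on the constructed sample; on a live host pass "$(mount)" instead.
echo "Mount points under /run/netns without seclabel support:"
netns_unlabelable "$SAMPLE_MOUNTS"
echo "restorecon exclusion arguments:"
restorecon_exclude_args "$SAMPLE_MOUNTS"
echo
```

On the sample the first function prints the two namespace mount points (each once, despite the duplicated `mount` lines) and the second yields `-e /run/netns/qdhcp-... -e /run/netns/qrouter-...`, which lets the tmpfs directory be relabelled without the per-namespace failures shown in the thread.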