Bug 980063

Summary: SELinux / netns related messages during update
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Henner <jhenner>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: low
Version: 7.0
CC: dwalsh, jhenner, lhh, lvrabec, mgrepl, mmalik, myllynen, plautrba, pvrabec, ssekidde, t.h.amundsen, vcojot
Target Milestone: rc
Keywords: Reopened
Target Release: 7.1
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-16 10:40:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: audit.log (flags: none)

Description Jaroslav Henner 2013-07-01 10:43:46 UTC
Description of problem:
I've found that qpid reports a problem when restarting:
/etc/init.d/qpidd restart
Full path required for exclude: net:[15374].
Full path required for exclude: net:[15458].

which is because the init script does:
+ /sbin/restorecon /var/run/qpidd.pid

I found that:
[root@controller ~]# /sbin/restorecon -vR /var/
Full path required for exclude: net:[15374].
Full path required for exclude: net:[15458].
...
/sbin/restorecon reset /var/run/netns/qdhcp-40f1ff90-2c80-4fce-b845-febaa2ee2a76 context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0
/sbin/restorecon set context /var/run/netns/qdhcp-40f1ff90-2c80-4fce-b845-febaa2ee2a76->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
...

Version-Release number of selected component (if applicable):
[root@controller ~]# rpm -q openstack-selinux selinux-policy-targetted selinux-policy qpid-cpp-server openstack-nova-common
openstack-selinux-0.1.2-10.el6ost.noarch
package selinux-policy-targetted is not installed
selinux-policy-3.7.19-195.el6_4.12.noarch
qpid-cpp-server-0.14-22.el6_3.x86_64
openstack-nova-common-2013.1.2-2.el6ost.noarch


How reproducible:
2/2

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
No problem reported


Additional info:

Comment 2 Miroslav Grepl 2013-07-01 12:03:49 UTC
Are you able to reproduce it?

# matchpathcon /var/run/netns

# ls -dZ /var/run/netns

How is /var/run/netns/qdhcp-* created?

Comment 3 Jaroslav Henner 2013-07-10 08:13:44 UTC
Reproduce it? I will try. I don't know why I have written 2/2 in "How reproducible".

[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].
[root@controller ~(keystone_admin)]$ matchpathcon /var/run/netns
/var/run/netns	system_u:object_r:ifconfig_var_run_t:s0
[root@controller ~(keystone_admin)]$ ls -dZ /var/run/netns
drwxr-xr-x. root root system_u:object_r:ifconfig_var_run_t:s0 /var/run/netns
[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].

It seems it is created by quantum.

Comment 4 Jaroslav Henner 2013-07-11 16:45:22 UTC
Yes, I am able to reproduce. It seems it creates a /var/run/netns/qdhc* per network or subnet you have defined. The same holds for the message:
Full path required for exclude: net:[30612].

Comment 5 Miroslav Grepl 2013-07-12 12:49:48 UTC
Lon,
any idea?

Comment 6 Miroslav Grepl 2013-07-12 13:20:13 UTC
Any chance to re-test it with

selinux-policy-targeted-3.7.19-195.el6_4.9

Comment 7 Lon Hohberger 2013-07-15 15:25:44 UTC
I don't have one yet -- I'll take a look at this today, but I think it's going to need to be fixed with the rest of netns in selinux-policy

Comment 9 Lon Hohberger 2013-07-15 18:56:52 UTC
Can you attach the AVCs when possible?

Comment 10 Jaroslav Henner 2013-08-20 06:51:09 UTC
Created attachment 788337 [details]
audit.log

Comment 11 Daniel Walsh 2013-08-28 17:23:52 UTC
There are no avc's in this file.

Comment 12 Jaroslav Henner 2013-08-29 08:39:24 UTC
(In reply to Daniel Walsh from comment #11)
> There are no avc's in this file.

Hmm, so I think they got rate-limited. How can I reset the rate-limiting counters?

Comment 13 RHEL Program Management 2013-10-14 03:15:19 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 14 Daniel Walsh 2013-10-15 17:39:21 UTC
Well if you are running in permissive mode you can change it via setenforce 1; setenforce 0

Otherwise I know of no ratelimiting for AVC messages.

Comment 16 Marko Myllynen 2015-01-23 07:49:12 UTC
I'm still seeing this every time selinux-policy* packages are updated on an RHEL OSP 5.0 controller/network host.

Comment 19 Milos Malik 2015-01-23 08:16:40 UTC
I don't see any AVC or USER_AVC or SELINUX_ERR in the attachment mentioned in comment#17.

Comment 20 Marko Myllynen 2015-01-23 08:27:05 UTC
I see these kinds of messages when upgrading or downgrading selinux-policy:

Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].

I see similar messages also when doing:

# restorecon -R /run/netns
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].
restorecon set context /run/netns/qdhcp-abc->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-123->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'

Thanks.

Comment 21 Miroslav Grepl 2015-01-26 12:20:41 UTC
What happens if you run

# setenforce 1;setenforce 0

re-test it and run

# ausearch -m avc,user_avc -ts recent

Comment 22 Marko Myllynen 2015-01-26 14:41:05 UTC
Like this?

# setenforce 1 ; setenforce 0 ;
# restorecon -R /run/netns/
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532681].
Full path required for exclude: net:[4026532681].
restorecon set context /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
# ausearch -m avc,user_avc -ts recent
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18734): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18735): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
# 

Thanks.

Comment 23 Miroslav Grepl 2015-01-27 09:22:26 UTC
How is /run/netns mounted?

Comment 24 Marko Myllynen 2015-01-27 10:15:45 UTC
(In reply to Miroslav Grepl from comment #23)
> How is /run/netns mounted?

# mount | grep netns
tmpfs on /run/netns type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
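The mount output above shows the reason restorecon cannot set a context on the per-namespace entries: each one is a proc mount without the seclabel option, so the filesystem does not support xattr labels and setfiles reports "Operation not supported". An operator who wants a clean, non-noisy relabel of /run can compute those mounts from /proc/self/mountinfo ahead of time and pass them to restorecon as -e excludes. The script below is an added example, not code from the bug report or from selinux-policy; the mountinfo sample lines are constructed (modelled on the "mount | grep netns" output in comment 24, with assumed mount ids and root fields), and it assumes only the documented mountinfo field layout and restorecon's -e option, which may be given more than once.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): find mounts
# below a prefix that cannot carry SELinux labels and turn them into
# restorecon "-e" exclude arguments, so a relabel of /run skips the
# per-namespace proc mounts that fail with "Operation not supported".

# Constructed sample in /proc/self/mountinfo format, modelled on the
# "mount | grep netns" output in comment 24 (assumed ids/roots, not captured).
# Fields: id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts
SAMPLE_MOUNTINFO='25 21 0:21 / /run rw,nosuid,nodev shared:23 - tmpfs tmpfs rw,seclabel,mode=755
87 25 0:21 /netns /run/netns rw,nosuid,nodev shared:45 - tmpfs tmpfs rw,seclabel,mode=755
91 87 0:3 net:[4026532585] /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c rw,nosuid,nodev,noexec,relatime shared:46 - proc proc rw
92 87 0:3 net:[4026532684] /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff rw,nosuid,nodev,noexec,relatime shared:47 - proc proc rw'

# unlabeled_mounts PREFIX: read mountinfo lines on stdin and print every mount
# point at or below PREFIX whose super options lack "seclabel" (one per line).
unlabeled_mounts() {
    awk -v prefix="$1" '
    {
        mp = $5
        # optional fields end at the "-" separator; superopts is 3 fields later
        for (i = 7; i <= NF; i++) if ($i == "-") break
        superopts = $(i + 3)
        if (mp == prefix || index(mp, prefix "/") == 1) {
            if (superopts !~ /(^|,)seclabel(,|$)/) print mp
        }
    }' | sort -u
}

# exclude_args PREFIX: same input, printed as "-e /mountpoint" pairs ready to
# be passed to restorecon(8), which accepts -e more than once.
exclude_args() {
    unlabeled_mounts "$1" | while IFS= read -r mp; do
        printf '%s %s\n' -e "$mp"
    done
}

# sample_excludes: run the pipeline over the constructed sample table.
sample_excludes() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | exclude_args /run/netns
}

# Live usage on a host (needs root, reads the real mount table; assumes
# namespace names contain no whitespace so the unquoted expansion is safe):
#   restorecon -Rv $(exclude_args /run/netns < /proc/self/mountinfo) /run
sample_excludes
```

Run against the sample, the script prints one -e pair for each of the two proc mounts and nothing for /run or /run/netns themselves, which are tmpfs with seclabel and relabel normally. The exclusion only silences the walk into filesystems that cannot hold labels; the labelled directory /run/netns itself still gets ifconfig_var_run_t as matchpathcon reports in comment 3.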

Comment 25 Miroslav Grepl 2015-01-27 13:25:10 UTC
Lon,
is this expected to have proc mounted here?

Marko,
does everything work correctly?

Comment 26 Marko Myllynen 2015-01-27 13:29:32 UTC
(In reply to Miroslav Grepl from comment #25)
> 
> Marko,
> does everything work correctly?

Yes. This setup has been generated by RHEL OSP 5.0 packstack so I presume in general there are no issues caused by this. Thanks.

Comment 27 Miroslav Grepl 2015-04-09 14:22:59 UTC
Why do you need to run

# restorecon -R /run/netns/

Comment 28 Marko Myllynen 2015-04-10 05:51:26 UTC
(In reply to Miroslav Grepl from comment #27)
> Why do you need to run
> 
> # restorecon -R /run/netns/

Please read comment 20 - it was the most simple step to reproduce this instead of doing package upgrade. And in any case, I think restorecon should not produce errors.

Thanks.

Comment 29 Miroslav Grepl 2015-07-16 10:40:47 UTC
I don't see it as a bug. restorecon tells us the correct info.

Comment 30 Marko Myllynen 2015-07-16 10:44:23 UTC
(In reply to Miroslav Grepl from comment #29)
> I don't see it as a bug. restorecon tells us the correct info.

So why are the messages printed then during selinux-policy upgrade?