Bug 995780

Summary: OpenStack runs into SELinux AVC issues
Product: [Fedora] Fedora Reporter: Sandro Mathys <sandro>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dwalsh, lvrabec, sandro, zaitcev
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-73.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-24 22:28:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log of a different system with a similar installation none

Description Sandro Mathys 2013-08-11 02:58:33 UTC
Description of problem:
With RDO Havana, F19 is showing quite some SELinux AVC denials when running OpenStack (as installed by Packstack).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-69.fc19.noarch

How reproducible:
dunno

Steps to Reproduce:
1. packstack --all-in-one --os-quantum-install=n
2. cat /var/log/audit/audit.log | audit2allow
3.

Actual results:
#============= glance_registry_t ==============
allow glance_registry_t sysfs_t:dir read;

#============= nova_cert_t ==============
allow nova_cert_t devlog_t:sock_file write;
allow nova_cert_t ifconfig_exec_t:file { read execute open execute_no_trans };
allow nova_cert_t kernel_t:unix_dgram_socket sendto;
allow nova_cert_t proc_net_t:file read;
allow nova_cert_t self:capability { setuid sys_resource setgid audit_write };
allow nova_cert_t self:key write;
allow nova_cert_t self:netlink_audit_socket { nlmsg_relay create };
allow nova_cert_t self:process { setsched setrlimit };
allow nova_cert_t self:unix_dgram_socket { ioctl create connect };
allow nova_cert_t sudo_exec_t:file { read execute open execute_no_trans };

#============= nova_console_t ==============
allow nova_console_t devlog_t:sock_file write;
allow nova_console_t ifconfig_exec_t:file { read execute open execute_no_trans };
allow nova_console_t kernel_t:unix_dgram_socket sendto;
allow nova_console_t proc_net_t:file read;
allow nova_console_t self:capability { setuid sys_resource setgid audit_write };
allow nova_console_t self:key write;
allow nova_console_t self:netlink_audit_socket { nlmsg_relay create };
allow nova_console_t self:process { setsched setrlimit };
allow nova_console_t self:unix_dgram_socket { ioctl create connect };
allow nova_console_t sudo_exec_t:file { read execute open execute_no_trans };

#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir write;

#============= swift_t ==============
allow swift_t file_t:dir { write getattr read remove_name create open add_name };
allow swift_t file_t:file { rename write getattr read lock create open };
allow swift_t home_root_t:dir search;
allow swift_t proc_net_t:file read;
allow swift_t self:process signal;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow swift_t self:tcp_socket { accept listen };
allow swift_t user_home_dir_t:dir search;
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;

Expected results:
OpenStack running just fine with the default policy :)

Additional info:
I reported those pieces that can be allowed through SELinux booleans in a separate bug against Packstack already, see bug #995779.

Comment 1 Miroslav Grepl 2013-08-19 12:22:53 UTC
Could you please attach compressed /var/log/audit/audit.log?

Comment 2 Sandro Mathys 2013-08-19 13:53:05 UTC
Created attachment 788076 [details]
audit.log of a different system with a similar installation

Comment 3 Miroslav Grepl 2013-08-20 11:48:51 UTC
Thank you. I am adding fixes for nova domains.

Comment 4 Sandro Mathys 2013-08-20 11:51:04 UTC
What about Swift? (the things than can't be enabled through nis_enabled)

Comment 5 Miroslav Grepl 2013-08-20 11:55:56 UTC
Yes, just going thru swift issues.

Also pls run 

# restorecon -Rv /srv/node

which will fix some of them.

Comment 6 Miroslav Grepl 2013-08-20 12:07:16 UTC
Lukas,
we need to add fixes related to swift and /var/cache.

Comment 7 Miroslav Grepl 2013-08-20 12:16:19 UTC
Any idea why 

allow swift_t xserver_port_t:tcp_socket name_bind;

is needed.

Comment 8 Sandro Mathys 2013-08-20 12:28:03 UTC
Because Swift uses, by default, the same ports as xserver does:

[root@openstack ~]# grep "600." -R /etc/swift/
/etc/swift/object-server.conf:bind_port = 6000
/etc/swift/account-server.conf:bind_port = 6002
/etc/swift/container-server.conf:bind_port = 6001

[root@openstack ~]# netstat -tulpn | grep "600."
tcp        0      0 192.168.0.158:6000      0.0.0.0:*               LISTEN      330/python          
tcp        0      0 192.168.0.158:6001      0.0.0.0:*               LISTEN      392/python          
tcp        0      0 192.168.0.158:6002      0.0.0.0:*               LISTEN      390/python          

[root@openstack ~]# ps -fp330,392,390 
UID        PID  PPID  C STIME TTY          TIME CMD
swift      330     1  0 08:52 ?        00:00:00 /usr/bin/python /usr/bin/swift-object-server /etc/swift/object-server.conf
swift      390     1  0 08:52 ?        00:00:00 /usr/bin/python /usr/bin/swift-account-server /etc/swift/account-server.conf
swift      392     1  0 08:52 ?        00:00:00 /usr/bin/python /usr/bin/swift-container-server /etc/swift/container-server.conf

Comment 10 Fedora Update System 2013-08-23 15:12:58 UTC
selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19

Comment 11 Fedora Update System 2013-08-23 23:59:36 UTC
Package selinux-policy-3.12.1-73.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-08-24 22:28:58 UTC
selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.