Bug 1020391 - openshift-iptables-port-proxy service doesnt start because of selinux
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.0.0
Platform: All Linux
Priority: unspecified  Severity: high
Assigned To: Miciah Dashiel Butler Masters
libra bugs
Reported: 2013-10-17 11:00 EDT by Jeremy Eder
Modified: 2017-03-08 12 EST
CC: 4 users
Doc Type: Bug Fix
Last Closed: 2013-12-16 04:11:23 EST
Type: Bug
Comment 2 Miciah Dashiel Butler Masters 2013-10-17 16:22:07 EDT
To expand a little on what is happening here:

    # service openshift-iptables-port-proxy start
    Can't open /dev/fd/63: Permission denied
    Can't open /dev/fd/63: Permission denied

Here's the code that fails:

    #!/bin/bash
    # openshift-iptables-port-proxy
    #
    ### BEGIN INIT INFO
    # Short-Description:  Script to apply the openshift port proxy iptables rules.
    # Description: Script to apply the openshift port proxy iptables rules.
    ### END INIT INFO
    
    case "$1" in
        start)
            if [ -f /etc/openshift/iptables.filter.rules ]; then
               iptables-restore -n <(echo "*filter"; cat /etc/openshift/iptables.filter.rules; echo "COMMIT")
            fi
            ;;
    esac
    # (remainder of the script omitted in this comment)

The iptables-restore executable has a context transition:

    # ls -lZlZH /sbin/iptables-restore
    -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-restore

However, Bash creates the fifo from the command substitution in the context of the initscript (this can be verified using strace -f).  The <() command substitution expands to /dev/fd/63, which is passed to the iptables-restore process in its arguments list, iptables-restore tries to open /dev/fd/63, and it fails because iptables-restore has type iptables_t in its context whereas the pipe has type initrc_t in its context:

    # ausearch -m avc -ts recent -i
    ----
    type=SYSCALL msg=audit(10/17/2013 16:15:29.601:131102) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff73720f66 a1=80000 a2=1b6 a3=0 items=0 ppid=25304 pid=25306 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=iptables-restor exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:iptables_t:s0 key=(null)
    type=AVC msg=audit(10/17/2013 16:15:29.601:131102) : avc:  denied  { open } for  pid=25306 comm=iptables-restor name= dev=pipefs ino=285957 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=fifo_file
    ----
    type=SYSCALL msg=audit(10/17/2013 16:15:29.620:131103) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff05cd1f66 a1=80000 a2=1b6 a3=0 items=0 ppid=25304 pid=25309 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=iptables-restor exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:iptables_t:s0 key=(null)
    type=AVC msg=audit(10/17/2013 16:15:29.620:131103) : avc:  denied  { open } for  pid=25309 comm=iptables-restor name= dev=pipefs ino=285968 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=fifo_file
Comment 3 Miciah Dashiel Butler Masters 2013-10-17 16:57:01 EDT
Pull request:   https://github.com/openshift/origin-server/pull/3922
Comment 4 openshift-github-bot 2013-10-17 18:48:43 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/19156f6032dad670ab43550eae0d5601c8f50768
oo-admin-ctl-iptables-port-proxy: SELinux fix

Give input to iptables-restore on standard input instead of using command
substitution.

Bash was expanding the <(...) command-substitution to a fifo, which
oo-admin-ctl-iptables-port-proxy was then passing to the iptables-restore
command as a command-line argument.  If oo-admin-ctl-iptables-port-proxy
was being run from the /etc/init.d/openshift-iptables-port-proxy
initscript, then Bash would have an SELinux context with type initrc_t, and
it thus would create the fifo also with type initrc_t.  However,
iptables-restore transitions SELinux contexts so that it is running with
the iptables_t type.  The iptables-restore command would thus fail when it
tried to open the fifo because SELinux policy blocks processes with type
iptables_t from reading fifos with type initrc_t.

(Interestingly, the manpage for iptables-restore does not indicate that
iptables-restore is even supposed to take a filename as an argument.)

This commit fixes bug 1020391.
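The mechanism described in comments 2 and 4, as an added example that is not code from origin-server or the commit linked above: a stdin-fed replacement for the `<(...)` form, plus a check that picks the iptables_t-on-initrc_t fifo denial out of ausearch output. The function names and the sample rules file are assumptions; the rules path, the SELinux types and the audit-line layout come from the bug.

```shell
# Added example, not origin-server code. Function names are assumptions;
# /etc/openshift/iptables.filter.rules and the types come from the bug.

# Emit a complete *filter table for iptables-restore from a rules file.
# Writing it to stdout and piping keeps the data on iptables-restore's own
# stdin; no fifo is created in the caller's SELinux context (initrc_t when
# run from an initscript), so the iptables_t process has nothing to be
# denied on.
build_filter_table() {
    rules_file="$1"
    [ -f "$rules_file" ] || return 1
    printf '*filter\n'
    cat "$rules_file"
    printf 'COMMIT\n'
}

# The fixed start path (hypothetical wrapper). The broken form was
#   iptables-restore -n <(echo "*filter"; cat "$rules_file"; echo "COMMIT")
# whose <(...) expands to /dev/fd/N, a fifo labelled with the caller's type.
# -n adds to the existing tables instead of flushing them.
apply_filter_rules() {
    rules_file="${1:-/etc/openshift/iptables.filter.rules}"
    build_filter_table "$rules_file" | iptables-restore -n
}

# Return 0 when an audit line is the denial from this bug: an iptables_t
# process refused 'open' on a fifo_file carrying the initrc_t type.
is_fifo_avc_denial() {
    case "$1" in
        *"type=AVC"*"denied"*"{ open }"*"scontext="*":iptables_t:"*"tcontext="*":initrc_t:"*"tclass=fifo_file"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Count such denials in audit output on stdin, e.g. from
# 'ausearch -m avc -ts recent -i'. A non-zero count after a service start
# means the initscript is still handing iptables-restore a fifo.
count_fifo_avc_denials() {
    n=0
    while IFS= read -r line; do
        is_fifo_avc_denial "$line" && n=$((n + 1))
    done
    echo "$n"
}
```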
Comment 6 Johnny Liu 2013-10-25 06:59:10 EDT
Verified this bug with rubygem-openshift-origin-node-1.16.2-1.git.31.04b2e87.el6op.noarch in 2.0/2013-10-23.2 puddle, and PASS.


# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain rhc-app-comm (0 references)
target     prot opt source               destination         
[root@node1 ~]# /etc/init.d/openshift-iptables-port-proxy start
[root@node1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain rhc-app-comm (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             127.1.245.2         ctstate NEW tcp dpt:webcache /* 38042 */ 
ACCEPT     tcp  --  anywhere             127.1.245.2         tcp dpt:webcache /* 38042 */ 
ACCEPT     tcp  --  anywhere             127.1.245.1         ctstate NEW tcp dpt:webcache /* 38041 */ 
ACCEPT     tcp  --  anywhere             127.1.245.1         tcp dpt:webcache /* 38041 */ 
ACCEPT     tcp  --  anywhere             127.1.244.129       ctstate NEW tcp dpt:mysql /* 38036 */ 
ACCEPT     tcp  --  anywhere             127.1.244.129       tcp dpt:mysql /* 38036 */ 
ACCEPT     tcp  --  anywhere             127.1.244.2         ctstate NEW tcp dpt:webcache /* 38032 */ 
ACCEPT     tcp  --  anywhere             127.1.244.2         tcp dpt:webcache /* 38032 */ 
ACCEPT     tcp  --  anywhere             127.1.244.1         ctstate NEW tcp dpt:webcache /* 38031 */ 
ACCEPT     tcp  --  anywhere             127.1.244.1         tcp dpt:webcache /* 38031 */
