Bug 1044960 - Selinux denied
Summary: Selinux denied
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openstack-selinux
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Ryan Hallisey
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-19 10:16 UTC by Matthias Runge
Modified: 2015-04-29 07:30 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-29 07:30:42 UTC
Type: Bug

Attachments (Terms of Use)
audit.log (116.27 KB, text/x-log)
2014-05-05 09:53 UTC, Matthias Runge 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Matthias Runge 2013-12-19 10:16:57 UTC 
Description of problem:

type=AVC msg=audit(1387448001.608:3473): avc:  denied  { nlmsg_write } for  pid=1382 comm="ip" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1387448001.608:3473): arch=c000003e syscall=44 success=no exit=-13 a0=3 a1=7fff56c5e780 a2=20 a3=0 items=0 ppid=1381 pid=1382 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1387448001.608:3474): avc:  denied  { read } for  pid=1382 comm="ip" name="unix" dev="proc" ino=4026532014 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1387448001.608:3474): arch=c000003e syscall=21 success=no exit=-13 a0=7fff56c5e630 a1=4 a2=7fff56c5e63e a3=0 items=0 ppid=1381 pid=1382 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1387448001.608:3475): avc:  denied  { nlmsg_write } for  pid=1382 comm="ip" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1387448001.608:3475): arch=c000003e syscall=46 success=no exit=-13 a0=3 a1=7fff56c5a680 a2=0 a3=0 items=0 ppid=1381 pid=1382 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:neutron_t:s0 key=(null)


Version-Release number of selected component (if applicable):
openstack-neutron-2013.2-3.fc20.noarch

How reproducible:
100%

Steps to Reproduce:
1. start neutron
2.
3.

Actual results:
selinux denied

Expected results:
accept ip calls from neutron.

Additional info:
Comment 1 Matthias Runge 2013-12-19 10:19:01 UTC 
ah, an additional catch from /var/log/audit/audit.log:
type=AVC msg=audit(1387448032.477:3536): avc:  denied  { dac_override } for  pid=1536 comm="dnsmasq" capability=1  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=SYSCALL msg=audit(1387448032.477:3536): arch=c000003e syscall=2 success=yes exit=9 a0=7f5637897cb0 a1=2c1 a2=1a4 a3=0 items=0 ppid=1 pid=1536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:neutron_t:s0 key=(null)
Comment 2 Matthias Runge 2014-04-30 08:12:04 UTC 
Still valid.

openstack-neutron-2014.1-11.fc21.noarch

type=AVC msg=audit(1398845091.192:13719): avc:  denied  { create } for  pid=32682 comm="ip" name="qdhcp-ec26f5c8-6eaa-44cf-96c6-146780ddeaaf" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1398845091.192:13719): avc:  denied  { read open } for  pid=32682 comm="ip" path="/run/netns/qdhcp-ec26f5c8-6eaa-44cf-96c6-146780ddeaaf" dev="tmpfs" ino=743854 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Comment 3 Jakub Libosvar 2014-04-30 08:46:21 UTC 
I think policies are implemented in openstack-selinux. Changing component.
Comment 4 Ryan Hallisey 2014-04-30 18:13:21 UTC 
Can you repoduce the problem in permissive and attach /var/log/audit/audit.log please.  SELinux is clearly denying something, but it's possible that there could be more AVCs than that.  The log file will give me all of the AVCs so I can fix all the denials.
Comment 5 Miroslav Grepl 2014-05-02 10:17:01 UTC 
#============= neutron_t ==============

#!!!! This avc is allowed in the current policy
allow neutron_t proc_net_t:file read;

#!!!! This avc is allowed in the current policy
allow neutron_t self:netlink_route_socket nlmsg_write;

I believe you need to update the selinux-policy pkgs.

# yum update selinux-policy-targeted
Comment 6 Miroslav Grepl 2014-05-02 10:17:41 UTC 
We have also

type_transition neutron_t var_run_t : dir ifconfig_var_run_t "netns";
Comment 7 Matthias Runge 2014-05-05 09:53:36 UTC 
Created attachment 892485 [details]
audit.log
Comment 10 Ryan Hallisey 2014-06-04 20:09:04 UTC 
The new policy should fix these avcs.

test with selinux-policy-3.12.1-166.fc20.noarch
Note You need to log in before you can comment on or make changes to this bug.