RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1093297 - selinux AVC RHEL7 and RDO - Neutron
Summary: selinux AVC RHEL7 and RDO - Neutron
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-01 08:40 UTC by Ofer Blaut
Modified: 2015-08-18 19:44 UTC
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-08-18 19:44:27 UTC
Embargoed:


Attachments
neutron AVCs (4.51 KB, text/plain), 2014-05-01 08:40 UTC, Ofer Blaut
audit.log in permissive mode (351.56 KB, text/plain), 2014-05-07 16:46 UTC, Terry Wilson
policy generated by audit2allow (555 bytes, text/plain), 2014-05-07 17:14 UTC, Terry Wilson

Description Ofer Blaut 2014-05-01 08:40:36 UTC
Created attachment 891408
neutron AVCs

Description of problem:

There are various SELinux AVCs when using Neutron (RDO on RHEL 7).

Attached.
Version-Release number of selected component (if applicable):


libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch


How reproducible:


Steps to Reproduce:
1. Set SELinux to enforcing
2. Deploy a VM using a network created by Neutron (OVS)
3. Check /var/log/messages

Actual results:


Expected results:


Additional info:

Comment 1 Terry Wilson 2014-05-07 16:46:00 UTC
Created attachment 893389
audit.log in permissive mode

audit.log after installing via packstack --allinone and switching to permissive mode and rebooting.

Comment 2 Terry Wilson 2014-05-07 17:14:01 UTC
Created attachment 893403
policy generated by audit2allow

Comment 3 Lon Hohberger 2014-05-07 17:21:19 UTC
This mostly looks reasonable:

#============= neutron_t ==============
allow neutron_t netutils_exec_t:file { read execute open execute_no_trans };
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;

#============= nova_scheduler_t ==============
allow nova_scheduler_t passwd_file_t:file { read getattr open };

... except the setcap.  Miroslav, didn't we find that this usually happened with too many forks or something like that last year - so ulimits were wrong?  It seems familiar.

Comment 4 Lon Hohberger 2014-05-07 17:30:01 UTC
type=AVC msg=audit(1399480702.628:913): avc:  denied  { setcap } for  pid=4476 comm="arping" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=SYSCALL msg=audit(1399480702.628:913): arch=c000003e syscall=126 success=yes exit=0 a0=7f34e4be7014 a1=7f34e4be701c a2=1 a3=7fff3b9b7f80 items=0 ppid=4473 pid=4476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:neutron_t:s0 key=(null)

Ah, nevermind - it's from calling arping.  Perhaps we simply need to transition when called.

Comment 5 Miroslav Grepl 2014-05-12 06:21:29 UTC
Yes

netutils_domtrans(neutron_t)

Comment 6 Miroslav Grepl 2014-05-12 06:24:33 UTC
But actually, we should go with

netutils_exec(neutron_t)
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;
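
As an added example (not code from this bug, from audit2allow or from openstack-selinux), the Python script below does by hand what audit2allow did for comments 2 and 3, and what audit2allow -R would do for the fix Miroslav settles on in comment 6: it parses AVC records, joins each to the SYSCALL record that shares its audit serial, unions the denied permissions into allow rules per (source type, target, class), substitutes a refpolicy interface call where a known interface covers every denied permission, and lists the denials against the domain itself together with the binary that issued the syscall, which is the clue Lon picked out in comment 4 (/usr/sbin/arping running as neutron_t rather than in its own domain). The audit.log excerpt is constructed: the setcap/SYSCALL pair is the one quoted in comment 4, shortened; the other records are made up so that they produce the rules shown in comment 3. The INTERFACES table is a hand-written subset of two refpolicy interfaces, not audit2allow's real interface database.

```python
"""Collapse SELinux AVC denials into candidate allow rules, audit2allow-style,
and show which binary triggered each denial against the domain itself."""
import re
from collections import defaultdict

# Constructed audit.log excerpt (not the attachment on this bug). The setcap
# pair is the one from comment 4, shortened; the other records are made up so
# that they yield the rules audit2allow produced in comment 3.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399480702.601:911): avc:  denied  { read open execute execute_no_trans } for  pid=4476 comm="python" path="/usr/sbin/arping" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1399480702.601:911): arch=c000003e syscall=59 success=yes exit=0 ppid=4473 pid=4476 uid=0 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1399480702.620:912): avc:  denied  { create bind getattr } for  pid=4476 comm="arping" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=packet_socket
type=SYSCALL msg=audit(1399480702.620:912): arch=c000003e syscall=41 success=yes exit=3 ppid=4473 pid=4476 uid=0 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1399480702.628:913): avc:  denied  { setcap } for  pid=4476 comm="arping" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=SYSCALL msg=audit(1399480702.628:913): arch=c000003e syscall=126 success=yes exit=0 ppid=4473 pid=4476 uid=0 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1399480710.100:950): avc:  denied  { read getattr open } for  pid=5120 comm="nova-scheduler" path="/etc/passwd" scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)"')

# Hypothetical subset of the refpolicy interfaces audit2allow -R would consult:
# (target type, object class, permissions the interface grants) -> interface.
INTERFACES = {
    ("netutils_exec_t", "file",
     frozenset({"read", "open", "execute", "execute_no_trans"})): "netutils_exec",
    ("passwd_file_t", "file",
     frozenset({"read", "getattr", "open"})): "auth_read_passwd",
}


def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def parse_audit(text):
    """One dict per AVC record, joined with the SYSCALL record sharing its
    audit serial so we know which executable issued the denied syscall."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append({
                "serial": m["serial"],
                "perms": set(m["perms"].split()),
                "stype": selinux_type(m["scontext"]),
                "ttype": selinux_type(m["tcontext"]),
                "is_self": m["scontext"] == m["tcontext"],
                "tclass": m["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m["serial"]] = (m["comm"], m["exe"])
    for d in avcs:
        d["comm"], d["exe"] = syscalls.get(d["serial"], (None, None))
    return avcs


def collapse(avcs):
    """Union the denied permissions per (source type, target, class); a target
    whose context equals the source context is written as 'self', as in policy."""
    perms = defaultdict(set)
    for d in avcs:
        target = "self" if d["is_self"] else d["ttype"]
        perms[(d["stype"], target, d["tclass"])] |= d["perms"]
    return perms


def fmt_perms(p):
    """audit2allow prints a lone permission bare and several inside braces."""
    return next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"


def allow_rules(avcs):
    """Raw rules, the way audit2allow printed them in comment 3."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(collapse(avcs).items())]


def refpolicy_rules(avcs):
    """Like audit2allow -R: use an interface call when a known interface covers
    every denied permission, otherwise keep the raw rule."""
    out = []
    for (s, t, c), p in sorted(collapse(avcs).items()):
        for (itype, iclass, iperms), name in INTERFACES.items():
            if t == itype and c == iclass and p <= iperms:
                out.append(f"{name}({s})")
                break
        else:
            out.append(f"allow {s} {t}:{c} {fmt_perms(p)};")
    return out


def self_denials_by_helper(avcs):
    """(source type, class, permission, exe) for denials against the domain
    itself. A helper binary here means it ran in the caller's domain, so the
    choice is between transitioning it (netutils_domtrans) and granting the
    permission to the caller (netutils_exec plus the self rules), as in comments 4 to 6."""
    return sorted({(d["stype"], d["tclass"], perm, d["exe"])
                   for d in avcs if d["is_self"] and d["exe"]
                   for perm in d["perms"]})


if __name__ == "__main__":
    avcs = parse_audit(SAMPLE_AUDIT_LOG)
    print("# audit2allow style")
    print(*allow_rules(avcs), sep="\n")
    print("# audit2allow -R style")
    print(*refpolicy_rules(avcs), sep="\n")
    print("# self denials, by the binary that caused them")
    print(*self_denials_by_helper(avcs), sep="\n")
```

Run against a real log with `ausearch -m avc` output piped into `parse_audit`; the interface table would need to come from the installed policy's .if files (which is what `audit2allow -R` reads) rather than the two entries hard-coded here.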

Comment 7 Miroslav Grepl 2014-05-15 14:04:17 UTC
I added it to F20/rawhide and also will back port to RHEL7.

