Bug 1120869 - AVCs from astapor install
Summary: AVCs from astapor install
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: foreman-selinux
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Sub Component: Installer
Assignee: Mike Burns
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-17 21:43 UTC by Steve Reichard
Modified: 2016-09-29 13:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-29 13:26:59 UTC


Attachments (Terms of Use)
audit.log (162.64 KB, text/x-log)
2014-07-17 21:43 UTC, Steve Reichard

Description Steve Reichard 2014-07-17 21:43:26 UTC
Created attachment 918841 [details]
audit.log

Description of problem:


After installing as documented here: https://mojo.redhat.com/docs/DOC-975597

This is for the AVC on the foreman/astapor node.


audit.log will be attached.

Version-Release number of selected component (if applicable):



[root@ospha-inst ~]# yum list installed | grep -e puppet -e foreman -e selinux
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
foreman.noarch                      1.6.0.21-1.el6sat  @RHEL-6-Server-OS-Foreman
foreman-installer.noarch            1:1.5.0-0.4.RC2.el6ost
foreman-mysql2.noarch               1.6.0.21-1.el6sat  @RHEL-6-Server-OS-Foreman
foreman-proxy.noarch                1.6.0.8-1.el6sat   @RHEL-6-Server-OS-Foreman
foreman-selinux.noarch              1.6.0-2.el6sat     @RHEL-6-Server-OS-Foreman
libselinux.x86_64                   2.0.94-5.3.el6_4.1 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
libselinux-python.x86_64            2.0.94-5.3.el6_4.1 @rhel-x86_64-server-6    
libselinux-ruby.x86_64              2.0.94-5.3.el6_4.1 @rhel-x86_64-server-6    
libselinux-utils.x86_64             2.0.94-5.3.el6_4.1 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openstack-foreman-installer.noarch  2.0.15-1.el6ost    @RHEL-6-Server-OS-Foreman
openstack-puppet-modules.noarch     2014.1-19.1.el6ost @RHEL-6-Server-OS-Foreman
puppet.noarch                       3.6.2-1.1.el6      @RHEL-6-Server-OS-Foreman
puppet-server.noarch                3.6.2-1.1.el6      @RHEL-6-Server-OS-Foreman
ruby193-rubygem-foreman_openstack_simplify.noarch
rubygem-foreman_api.noarch          0.1.11-4.el6sat    @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman.noarch   0.1.0-6.el6sat     @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman-doc.noarch
selinux-policy.noarch               3.7.19-231.el6_5.3 @rhel-x86_64-server-6    
selinux-policy-targeted.noarch      3.7.19-231.el6_5.3 @rhel-x86_64-server-6    
[root@ospha-inst ~]# 




How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Mike Burns 2015-04-30 18:29:28 UTC
Hey Steve,  is this still an issue?

Comment 4 Steve Reichard 2015-05-11 15:36:28 UTC

I just checked, and see a bunch (all the same) with iptables:

[root@rhos-foreman ~]# grep -i avc /var/log/audit/audit.log 
type=USER_AVC msg=audit(1430918017.424:160): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430918017.424:161): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430918017.424:162): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1430920386.226:267): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:268): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:269): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:270): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:271): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:272): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:273): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:274): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:275): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:276): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:277): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:278): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:279): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:280): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:281): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:282): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.047:283): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.047:284): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:285): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:286): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:287): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:288): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:289): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:290): avc:  denied  { getattr } for  pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:354): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:355): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:356): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:357): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:358): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:359): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:360): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:361): avc:  denied  { getattr } for  pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:362): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:363): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:364): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:365): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:366): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:367): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:368): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:369): avc:  denied  { getattr } for  pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
[root@rhos-foreman ~]# 

Not sure if this is because I have iptables disabled, though.

Comment 6 Tommy McNeely 2016-01-05 07:04:56 UTC
We are seeing this as well... 

# ls -l /usr/sbin/iptables
lrwxrwxrwx. 1 root root 13 Dec 23 10:48 /usr/sbin/iptables -> xtables-multi

The puppetlabs/firewall module runs "iptables --version" command (at least), but I am still not sure why it would be run *on* the puppetmaster.


# grep xtables /var/log/audit/audit.log | audit2allow


#============= passenger_t ==============
allow passenger_t iptables_exec_t:file { read getattr open execute execute_no_trans };

... so as long as you are OK with puppetmaster running iptables (note that since it's running as a non-root user it cannot even "read" the iptables rules), you could use a policy like this:

# grep xtables /var/log/audit/audit.log | audit2allow -M puppet-iptables
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i puppet-iptables.pp

[root@lark-foreman-01 ~]# cat puppet-iptables.te 

module puppet-iptables 1.0;

require {
	type passenger_t;
	type iptables_exec_t;
	class file { read getattr open execute execute_no_trans };
}

#============= passenger_t ==============
allow passenger_t iptables_exec_t:file { read getattr open execute execute_no_trans };




I assume this should be a bug against foreman-selinux.

Tommy

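To make visible what audit2allow does with the records in comments 4 and 6, here is an added Python example (not code from this bug, from Foreman or from audit2allow itself) that groups AVC denials by source type, target type and class, renders the resulting allow rules, and separately lists the groups that would grant execution, which is the trade-off comment 6 points at. The sample log text is constructed; its last record is made up to carry the execute permissions audit2allow reported.

```python
import re
from collections import defaultdict

# Constructed sample in the format of comment 4 (not the attached audit.log); the last record is made up to carry the execute perms that audit2allow reported in comment 6.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1430918017.424:160): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1430920386.226:267): avc:  denied  { getattr } for  pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:275): avc:  denied  { getattr } for  pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920400.000:300): avc:  denied  { read open execute execute_no_trans } for  pid=14140 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC\s+msg=audit\([\d.:]+\):\s+avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs after 'for'
EXEC_PERMS = {'execute', 'execute_no_trans', 'entrypoint'}

def parse_avc(line):
    """Fields of one kernel 'avc: denied' record; None for USER_AVC notices and other types."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = set(m.group('perms').split())
    return rec

def type_of(context):
    """'system_u:system_r:passenger_t:s0' -> 'passenger_t' (the type is the third field)."""
    return context.split(':')[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) like audit2allow: union of perms + hit count."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key]['perms'] |= rec['perms']
        groups[key]['count'] += 1
    return dict(groups)

def render_allow_rules(groups):
    """One audit2allow-style allow rule per group, ready for a .te file."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

def exec_grants(groups):
    """Groups whose rule would let the source domain execute the target: review these before semodule -i."""
    return sorted(key for key, g in groups.items() if g['perms'] & EXEC_PERMS)
```

Run against a real /var/log/audit/audit.log, the hit count tells you how noisy a denial is, and exec_grants tells you which generated rules widen what a domain may run rather than merely read.
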
Comment 8 Jaromir Coufal 2016-09-29 13:26:59 UTC
Closing list of bugs for RHEL OSP Installer since its support cycle has already ended [0]. If there is some bug closed by mistake, feel free to re-open.

For new deployments, please, use RHOSP director (starting with version 7).

-- Jaromir Coufal
-- Sr. Product Manager
-- Red Hat OpenStack Platform

[0] https://access.redhat.com/support/policy/updates/openstack/platform

