Bug 1153656
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | there are many (new) denials after running tempest | | |
| Product: | Red Hat OpenStack | Reporter: | Jaroslav Henner <jhenner> |
| Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise> |
| Status: | CLOSED ERRATA | QA Contact: | Jaroslav Henner <jhenner> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.0 (RHEL 7) | CC: | lhh, mgrepl, mlopes, rhallise, scohen, yeylon |
| Target Milestone: | z2 | Keywords: | ZStream |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.5.19-1.el7ost | Doc Type: | Bug Fix |
| Doc Text: | Prior to this update, the OpenStack Networking (neutron) service was generating AVC alerts. This update addresses this issue by allowing OpenStack Networking to kill processes labeled as dnsmasq_t. Consequently, OpenStack Networking runs with no AVC alerts. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-11-03 05:54:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Created attachment 947591 [details]
audit logs

```
type=AVC msg=audit(1413422314.326:70130): avc: denied { sigkill } for pid=11884 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
```

^ same AVC repeated over and over. It's a new one.
This is caused by a change in neutron. So, it's not a regression.

Ryan pointed out that this doesn't affect rhel 6.6.

`allow neutron_t dnsmasq_t:process sigkill;` It's been added in selinux-policy for F20 but hasn't got into rhel7 yet. Adding to openstack-selinux.

So it's about

```
#============= haproxy_t ==============
#!!!! This avc is allowed in the current policy
allow haproxy_t proc_t:file read;

#============= neutron_t ==============
allow neutron_t dnsmasq_t:process sigkill;
```

```
commit cdd75e9842a7705eb6f27a9b9b8e88875bf1d3a5
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 16 16:45:55 2014 +0200

    Allow neutron_t to send sigkill to dnsmasq.
```
23 denials in puddle 2014-10-21.1. It is back to the previous state.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-1780.html
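Added example, not taken from this bug or from openstack-selinux: a small Python script that does what audit2allow did for the denial quoted above. It groups AVC records by source type, target type and object class, merges the permissions, counts the records per group (the number the reporter and QA were tracking), and prints the resulting allow rules. The neutron_t records in the sample log are the one quoted in this report; the haproxy_t record and the SYSCALL record are constructed to match the first rule in the audit2allow output and are not from the attachment.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the neutron_t records repeat the AVC quoted in this bug;
# the haproxy_t and SYSCALL records are made up to match the audit2allow output above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1413422314.326:70130): avc: denied { sigkill } for pid=11884 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
type=AVC msg=audit(1413422315.101:70131): avc: denied { read } for pid=2301 comm="haproxy" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1413422320.512:70140): avc: denied { sigkill } for pid=11990 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
type=SYSCALL msg=audit(1413422320.512:70140): arch=c000003e syscall=62 success=no exit=-13
type=AVC msg=audit(1413422331.007:70152): avc: denied { sigkill } for pid=12044 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
"""

# Fields of a kernel AVC record: permissions in braces, then source/target contexts and class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?\bscontext=(?P<scontext>\S+)'
                    r'.*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)')

def type_of(context):
    """The third field of user:role:type:level is the type that allow rules refer to."""
    return context.split(':')[2]

def parse_avc(line):
    """Return (source type, target type, class, permissions) or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return type_of(m['scontext']), type_of(m['tcontext']), m['tclass'], set(m['perms'].split())

def summarize(lines):
    """Group denials by (source, target, class); merge permissions and count records per group."""
    perms, counts = defaultdict(set), defaultdict(int)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, cls, p = parsed
            perms[(src, tgt, cls)] |= p
            counts[(src, tgt, cls)] += 1
    return dict(perms), dict(counts)

def allow_rules(lines):
    """One allow rule per group, in the syntax audit2allow prints (braces when >1 permission)."""
    perms, _ = summarize(lines)
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = ' '.join(sorted(p))
        if len(p) > 1:
            plist = '{ ' + plist + ' }'
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules

if __name__ == "__main__":
    _, counts = summarize(SAMPLE_AUDIT_LOG.splitlines())
    for key, n in sorted(counts.items()):
        print(f"{n:4d}  {key}")
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG.splitlines())))
```

Running it against a real /var/log/audit/audit.log shows which rule each group of denials maps to and how many records it accounts for, which is what audit2allow -a summarises and what the "about 20 to more than 1000" comparison in this report was based on.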
Description of problem:
The number of selinux denials increased recently from about 20 to more than 1000.

Version-Release number of selected component (if applicable):

How reproducible:
100% after Sep 26, 2014 12:25:00 AM runs

Steps to Reproduce:
1. run tempest on packstack-deployed openstack
2.
3.

Actual results: >100 denials

Expected results: ~0 denials

Additional info: