Bug 1168526 - SELinux prevents Neutron from spawning radvd
Summary: SELinux prevents Neutron from spawning radvd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 6.0 (Juno)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ga
Target Release: 6.0 (Juno)
Assignee: Ryan Hallisey
QA Contact: Nir Magnezi
URL:
Whiteboard:
Duplicates: 1177797
Depends On:
Blocks: 1044271 1046786 1083891 1174215 1179756 1195356
Reported: 2014-11-27 08:51 UTC by Nir Magnezi
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-selinux-0.6.7-1.el7ost
Doc Type: Bug Fix
Doc Text:
SELinux did not allow OpenStack Networking to spawn radvd, leading to OpenStack Networking failing to run properly. With this update, SELinux is given the 'allow' rules so that OpenStack Networking can successfully spawn radvd.
Clone Of:
Environment:
Last Closed: 2015-02-09 14:21:55 UTC
Target Upstream Version:
Embargoed:


Attachments
l3-agent.log (4.11 KB, text/plain)
2014-11-27 08:51 UTC, Nir Magnezi
/usr/share/neutron/rootwrap (20.00 KB, application/x-tar)
2014-11-27 08:54 UTC, Nir Magnezi
Logs (6.18 KB, text/plain)
2014-12-29 12:09 UTC, Nir Magnezi


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:0144 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform 6.0 Enhancement Advisory 2015-02-09 19:20:08 UTC

Description Nir Magnezi 2014-11-27 08:51:44 UTC
Created attachment 961908 [details]
l3-agent.log

Description of problem:
=======================
While testing IPv6, I noticed radvd is not spawned.
This looks like a permissions issue related to rootwrap.

Version-Release number of selected component (if applicable):
=============================================================
openstack-neutron-2014.2-11.el7ost.noarch
python-neutron-2014.2-11.el7ost.noarch

How reproducible:
=================
2/2

Steps to Reproduce:
===================
1. Create Neutron router:
   # neutron router-create router1

2. Create network:
   # neutron net-create tenant_a_radvd_stateless --shared --provider:physical_network=ipv6_vlan_range --provider:network_type=vlan --provider:segmentation_id=65

3. Create IPv6 Subnet (must not be provider):
   # neutron subnet-create <network_id> 2001:66:66:66::1/64 --name tenant_a_provider_stateless_subnet --ipv6-address-mode dhcpv6-stateless --gateway fe80::6664:9bff:fe17:b401 --dns-nameserver 2001:4860:4860::8888 --ip-version 6

4. Attach The subnet to the router you have created:
   # neutron router-interface-add <router_id> <subnet_id>

Actual results:
===============
Unauthorized command: ip netns exec qrouter-e21ca082-ce79-47f2-9a0b-0b6261ee96db radvd -C /var/lib/neutron/ra/e21ca082-ce79-47f2-9a0b-0b6261ee96db.radvd.conf -p /var/lib/neutron/external/pids/e21ca082-ce79-47f2-9a0b-0b6261ee96db.pid.radvd (no filter matched)\n'

Expected results:
=================
neutron should be able to spawn radvd with no issues.

Additional info:
================
1. Tested with RHEL7
2. I executed this manually with root and it worked fine:
   # sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-e21ca082-ce79-47f2-9a0b-0b6261ee96db radvd -C /var/lib/neutron/ra/e21ca082-ce79-47f2-9a0b-0b6261ee96db.radvd.conf -p /var/lib/neutron/external/pids/e21ca082-ce79-47f2-9a0b-0b6261ee96db.pid.radvd

Comment 1 Nir Magnezi 2014-11-27 08:54:04 UTC
Created attachment 961909 [details]
/usr/share/neutron/rootwrap

Comment 3 Ihar Hrachyshka 2014-11-27 12:02:06 UTC
It's a SELinux issue:

type=AVC msg=audit(1417089038.047:151800): avc:  denied  { execute } for  pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.047:151800): arch=c000003e syscall=21 success=no exit=-13 a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=7fff293c1620 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-rootwra" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1417089038.047:151801): avc:  denied  { execute } for  pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.047:151801): arch=c000003e syscall=21 success=no exit=-13 a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=0 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-rootwra" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)

I suspect that the same issue may be present for other binaries introduced in Juno: keepalived for DVR and conntrack for Floating IPs disassociated.

Comment 4 Nir Magnezi 2014-11-27 12:41:20 UTC
Additional Information:
Source Context                system_u:system_r:neutron_t:s0
Target Context                system_u:object_r:radvd_exec_t:s0
Target Objects                 [ file ]
Source                        neutron-rootwra
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <FQDN>
Platform                      Linux <FQDN>
                              3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Oct 30
                              00:16:40 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-11-27 13:50:38 IST
Last Seen                     2014-11-27 13:50:38 IST
Local ID                      189ab333-7e9c-4dff-97fd-f37dc0c38056

Raw Audit Messages
type=AVC msg=audit(1417089038.47:151800): avc:  denied  { execute } for  pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1417089038.47:151800): arch=x86_64 syscall=access success=no exit=EACCES a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=7fff293c1620 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=neutron-rootwra exe=/usr/bin/python2.7 subj=system_u:system_r:neutron_t:s0 key=(null)

Hash: neutron-rootwra,neutron_t,radvd_exec_t,file,execute

Comment 5 Nir Magnezi 2014-11-27 12:53:48 UTC
# cat /var/log/audit/audit.log | audit2allow -R

require {
	type radvd_exec_t;
	type neutron_t;
	class file execute;
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file execute;

Comment 6 Ryan Hallisey 2014-12-01 22:05:38 UTC
allow neutron_t radvd_exec_t:file execute;

What do you think Miroslav?

Comment 7 Miroslav Grepl 2014-12-08 11:00:06 UTC
This is just an access check. Does it do access checks on binaries?

Comment 11 Ryan Hallisey 2014-12-23 17:22:05 UTC
Already built for 6.0; needs acks to build in 5.0.

Comment 12 Nir Magnezi 2014-12-29 12:09:19 UTC
Created attachment 973995 [details]
Logs

Reopening.
Reproduced with NVR: openstack-selinux-0.6.6-1.el7ost

Result:
=======
Same as before: TRACE neutron.agent.l3_agent Stderr: 'exec of "radvd" failed: Permission denied\n'


Additional Info:
================
[root@puma07 audit]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open execute_no_trans };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open execute_no_trans };
[root@puma07 audit]# cat /var/log/audit/audit.log.1 | audit2allow -R

require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open };

Comment 13 Ryan Hallisey 2014-12-29 20:09:37 UTC
Can you retest in permissive?  When you test in enforcing it will only gather the first AVC that breaks the test.  It is possible that these two additional rules will fix the issue, but just to be sure attach your results after running in permissive in case there are more AVCs.

Comment 14 Nir Magnezi 2014-12-30 07:56:08 UTC
(In reply to Ryan Hallisey from comment #13)
> Can you retest in permissive?  When you test in enforcing it will only
> gather the first AVC that breaks the test.  It is possible that these two
> additional rules will fix the issue, but just to be sure attach your results
> after running in permissive in case there are more AVCs.

Done.

[root@puma07 ~]# getenforce 
Permissive
[root@puma07 ~]# sealert -a /var/log/audit/audit.log
 99% done'list' object has no attribute 'split'
string index out of range
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/radvd from 'read, open' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that radvd should be allowed read open access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:neutron_t:s0
Target Context                system_u:object_r:radvd_exec_t:s0
Target Objects                 [ file ]
Source                        radvd
Source Path                   /usr/sbin/radvd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           radvd-1.9.2-7.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     puma07
Platform                      Linux puma07
                              3.10.0-123.13.2.el7.x86_64 #1 SMP Fri Dec 12
                              19:51:03 EST 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-30 09:54:00 IST
Last Seen                     2014-12-30 09:54:00 IST
Local ID                      05547aa0-04c1-4e0b-ad17-677c6faa1199

Raw Audit Messages
type=AVC msg=audit(1419926040.12:174465): avc:  denied  { read open } for  pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file


type=AVC msg=audit(1419926040.12:174465): avc:  denied  { execute_no_trans } for  pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1419926040.12:174465): arch=x86_64 syscall=execve success=yes exit=0 a0=7fff2fe897b8 a1=7fff2fe8da38 a2=7fff2fe8da68 a3=7fff2fe89630 items=0 ppid=16736 pid=16738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=radvd exe=/usr/sbin/radvd subj=system_u:system_r:neutron_t:s0 key=(null)

Hash: radvd,neutron_t,radvd_exec_t,file,read,open

[root@puma07 ~]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open execute_no_trans };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open execute_no_trans };
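
The point Ryan makes in comment 13 (an enforcing run records only the first denial, so the `execute` AVC from comment 4 hides the `read open execute_no_trans` denials that the permissive run in comment 14 exposes) is easy to see by aggregating the AVC records by source type, target type and object class, which is what audit2allow does internally. The script below is an added example, not code from the bug or from openstack-selinux: a small, simplified re-implementation of that aggregation (not the real audit2allow) run over the AVC lines quoted in comments 4 and 14, embedded here as constructed sample input. The `neutron_radvd` module name is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug.
# Enforcing run (comment 4): only the first denial is logged.
AVC_ENFORCING = [
    'type=AVC msg=audit(1417089038.47:151800): avc:  denied  { execute } for  pid=9179 '
    'comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 '
    'scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file',
]
# Permissive run (comment 14): every denial the operation would hit is logged.
AVC_PERMISSIVE = [
    'type=AVC msg=audit(1419926040.12:174465): avc:  denied  { read open } for  pid=16738 '
    'comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 '
    'scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1419926040.12:174465): avc:  denied  { execute_no_trans } for  pid=16738 '
    'comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 '
    'scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file',
]

# Matches the permission set and the three fields a type-enforcement rule is keyed on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return (source_type, target_type, class, perms) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL records, granted AVCs, etc. carry no denial
    return (
        type_of(m.group("scontext")),
        type_of(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_rules(lines):
    """Aggregate denied permissions per (source_type, target_type, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def allow_rule(src, tgt, cls, perms):
    """Render one allow rule in .te syntax with a stable permission order."""
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def render_te(rules, module="neutron_radvd"):
    """Render a minimal .te module (require block plus allow rules)."""
    out = [f"module {module} 1.0;", "", "require {"]
    for t in sorted({t for key in rules for t in key[:2]}):
        out.append(f"\ttype {t};")
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls] |= perms
    for cls in sorted(per_class):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(per_class[cls]))} }};")
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(allow_rule(src, tgt, cls, perms))
    return "\n".join(out)


if __name__ == "__main__":
    print("# enforcing run only:")
    print(render_te(collect_rules(AVC_ENFORCING)))
    print("\n# enforcing + permissive runs combined:")
    print(render_te(collect_rules(AVC_ENFORCING + AVC_PERMISSIVE)))
```

Run against the enforcing-mode lines alone, the generated rule grants only `execute`; the permissive-mode lines add `read`, `open` and `execute_no_trans`, and the union is the rule that actually lets the domain run the binary. The practical check this encodes is the one in comment 13: a rule generated from an enforcing-mode log is a lower bound, and only a permissive-mode capture of the same operation shows whether further denials follow.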

Comment 15 Ihar Hrachyshka 2015-01-05 15:47:56 UTC
*** Bug 1177797 has been marked as a duplicate of this bug. ***

Comment 17 Nir Magnezi 2015-01-11 12:34:51 UTC
Verified NVR: openstack-selinux-0.6.11-1.el7ost.noarch

Steps:
======
Repeated the steps mentioned in comment #0

1. Network:
   # neutron net-create radvd_stateless

2. Subnet:
   # neutron subnet-create <net_id> 2001:66:66:66::1/64 --name tenant_a_provider_stateless_subnet --ipv6-address-mode dhcpv6-stateless --dns-nameserver 2001:4860:4860::8888 --ip-version 6

3. Router interface attachment:
   # neutron router-interface-add <router_id> <subnet_id>


Result:
=======
1. radvd spawned:  
# ps -ef | grep radvd
root     27877     1  0 14:29 ?        00:00:00 radvd -C /var/lib/neutron/ra/d3386c80-c14e-4a4c-b906-ce7704a16a0b.radvd.conf -p /var/lib/neutron/external/pids/d3386c80-c14e-4a4c-b906-ce7704a16a0b.pid.radvd
root     27879     1  0 14:29 ?        00:00:00 radvd -C /var/lib/neutron/ra/d3386c80-c14e-4a4c-b906-ce7704a16a0b.radvd.conf -p /var/lib/neutron/external/pids/d3386c80-c14e-4a4c-b906-ce7704a16a0b.pid.radvd

2. No SELinux related messages in audit.log

Comment 19 errata-xmlrpc 2015-02-09 14:21:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0144.html

