Bug 1336104 - SElinux alerts on Cinder Newton
Summary: SElinux alerts on Cinder Newton
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-14 09:11 UTC by Emilien Macchi
Modified: 2016-12-21 15:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-21 15:14:37 UTC
Target Upstream Version:
Embargoed:



Description Emilien Macchi 2016-05-14 09:11:36 UTC
Found 2 alerts in /var/log/audit/audit.log:

http://logs.openstack.org/66/316266/1/check/gate-puppet-openstack-integration-3-scenario002-tempest-centos-7/8cc9138/console.html#_2016-05-13_20_44_45_381

2016-05-13 20:44:45.381 | --------------------------------------------------------------------------------
2016-05-13 20:44:45.381 | 
2016-05-13 20:44:45.381 | SELinux is preventing /usr/sbin/httpd from write access on the directory cinder.
2016-05-13 20:44:45.381 | 
2016-05-13 20:44:45.382 | *****  Plugin catchall (100. confidence) suggests   **************************
2016-05-13 20:44:45.382 | 
2016-05-13 20:44:45.382 | If you believe that httpd should be allowed write access on the cinder directory by default.
2016-05-13 20:44:45.382 | Then you should report this as a bug.
2016-05-13 20:44:45.382 | You can generate a local policy module to allow this access.
2016-05-13 20:44:45.382 | Do
2016-05-13 20:44:45.382 | allow this access for now by executing:
2016-05-13 20:44:45.382 | # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
2016-05-13 20:44:45.382 | # semodule -i mypol.pp
2016-05-13 20:44:45.382 | 
2016-05-13 20:44:45.382 | 
2016-05-13 20:44:45.383 | Additional Information:
2016-05-13 20:44:45.383 | Source Context                system_u:system_r:httpd_t:s0
2016-05-13 20:44:45.383 | Target Context                system_u:object_r:cinder_log_t:s0
2016-05-13 20:44:45.383 | Target Objects                cinder [ dir ]
2016-05-13 20:44:45.383 | Source                        httpd
2016-05-13 20:44:45.383 | Source Path                   /usr/sbin/httpd
2016-05-13 20:44:45.383 | Port                          <Unknown>
2016-05-13 20:44:45.383 | Host                          <Unknown>
2016-05-13 20:44:45.383 | Source RPM Packages           httpd-2.4.6-40.el7.centos.1.x86_64
2016-05-13 20:44:45.383 | Target RPM Packages           
2016-05-13 20:44:45.383 | Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
2016-05-13 20:44:45.383 | Selinux Enabled               True
2016-05-13 20:44:45.384 | Policy Type                   targeted
2016-05-13 20:44:45.384 | Enforcing Mode                Permissive
2016-05-13 20:44:45.384 | Host Name                     centos-7-rax-ord-766673
2016-05-13 20:44:45.384 | Platform                      Linux centos-7-rax-ord-766673
2016-05-13 20:44:45.384 |                               3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
2016-05-13 20:44:45.384 |                               16:04:38 UTC 2016 x86_64 x86_64
2016-05-13 20:44:45.384 | Alert Count                   1
2016-05-13 20:44:45.384 | First Seen                    2016-05-13 20:26:05 UTC
2016-05-13 20:44:45.384 | Last Seen                     2016-05-13 20:26:05 UTC
2016-05-13 20:44:45.384 | Local ID                      88bec376-5012-4d58-b0a3-27021acee167
2016-05-13 20:44:45.384 | 
2016-05-13 20:44:45.384 | Raw Audit Messages
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc:  denied  { write } for  pid=11096 comm="httpd" name="cinder" dev="xvda1" ino=3168128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc:  denied  { add_name } for  pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc:  denied  { create } for  pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc:  denied  { open } for  pid=11096 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="xvda1" ino=3178477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.385 | 
2016-05-13 20:44:45.386 | type=SYSCALL msg=audit(1463171165.77:545): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7fa56cfa0c00 a1=441 a2=1b6 a3=24 items=0 ppid=11048 pid=11096 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2016-05-13 20:44:45.386 | 
2016-05-13 20:44:45.386 | Hash: httpd,httpd_t,cinder_log_t,dir,write
2016-05-13 20:44:45.386 | 
2016-05-13 20:44:45.386 | --------------------------------------------------------------------------------
2016-05-13 20:44:45.386 | 
2016-05-13 20:44:45.386 | SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/cinder/cinder-api.log.
2016-05-13 20:44:45.386 | 
2016-05-13 20:44:45.386 | *****  Plugin catchall (100. confidence) suggests   **************************
2016-05-13 20:44:45.386 | 
2016-05-13 20:44:45.386 | If you believe that httpd should be allowed open access on the cinder-api.log file by default.
2016-05-13 20:44:45.387 | Then you should report this as a bug.
2016-05-13 20:44:45.387 | You can generate a local policy module to allow this access.
2016-05-13 20:44:45.387 | Do
2016-05-13 20:44:45.387 | allow this access for now by executing:
2016-05-13 20:44:45.387 | # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
2016-05-13 20:44:45.387 | # semodule -i mypol.pp
2016-05-13 20:44:45.387 | 
2016-05-13 20:44:45.387 | 
2016-05-13 20:44:45.387 | Additional Information:
2016-05-13 20:44:45.387 | Source Context                system_u:system_r:httpd_t:s0
2016-05-13 20:44:45.387 | Target Context                system_u:object_r:cinder_log_t:s0
2016-05-13 20:44:45.387 | Target Objects                /var/log/cinder/cinder-api.log [ file ]
2016-05-13 20:44:45.388 | Source                        httpd
2016-05-13 20:44:45.388 | Source Path                   /usr/sbin/httpd
2016-05-13 20:44:45.388 | Port                          <Unknown>
2016-05-13 20:44:45.388 | Host                          <Unknown>
2016-05-13 20:44:45.388 | Source RPM Packages           httpd-2.4.6-40.el7.centos.1.x86_64
2016-05-13 20:44:45.388 | Target RPM Packages           
2016-05-13 20:44:45.418 | Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
2016-05-13 20:44:45.418 | Selinux Enabled               True
2016-05-13 20:44:45.418 | Policy Type                   targeted
2016-05-13 20:44:45.418 | Enforcing Mode                Permissive
2016-05-13 20:44:45.418 | Host Name                     centos-7-rax-ord-766673
2016-05-13 20:44:45.418 | Platform                      Linux centos-7-rax-ord-766673
2016-05-13 20:44:45.418 |                               3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
2016-05-13 20:44:45.418 |                               16:04:38 UTC 2016 x86_64 x86_64
2016-05-13 20:44:45.418 | Alert Count                   3
2016-05-13 20:44:45.419 | First Seen                    2016-05-13 20:26:11 UTC
2016-05-13 20:44:45.419 | Last Seen                     2016-05-13 20:36:16 UTC
2016-05-13 20:44:45.419 | Local ID                      12291b08-11fe-485a-ab72-2ab2285aa485
2016-05-13 20:44:45.419 | 
2016-05-13 20:44:45.419 | Raw Audit Messages
2016-05-13 20:44:45.419 | type=AVC msg=audit(1463171776.998:2602): avc:  denied  { open } for  pid=14022 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="xvda1" ino=3178477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.419 | 
2016-05-13 20:44:45.419 | 
2016-05-13 20:44:45.419 | type=SYSCALL msg=audit(1463171776.998:2602): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f1cc8fa3f60 a1=441 a2=1b6 a3=24 items=0 ppid=13991 pid=14022 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2016-05-13 20:44:45.419 | 
2016-05-13 20:44:45.419 | Hash: httpd,httpd_t,cinder_log_t,file,open
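
The sealert output above ends with the catchall advice to pipe every httpd record into audit2allow. Applied as-is, that would mint a local module granting httpd_t write, add_name, create and open on cinder_log_t, silencing the symptom without asking whether a web-server domain should be writing another service's log directory at all. The following Python script is an added triage aid (not part of the bug report or of openstack-selinux): it parses the raw AVC and SYSCALL records quoted above, groups the denials by (source domain, target type, object class), and correlates each AVC with the SYSCALL record that shares its audit event id so it can tell whether the access actually went through (success=yes, which is what a Permissive host logs) or was blocked. The cross-service flag is a rough heuristic of my own (first underscore-delimited token of the two types differs); the sample records are copied from the report and embedded so the script runs offline.

```python
import re

# Records copied verbatim from the sealert output in this bug report: one audit
# event (serial 545) with four AVC records and the SYSCALL record that shares
# its id. Embedded here so the example runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1463171165.77:545): avc:  denied  { write } for  pid=11096 comm="httpd" name="cinder" dev="xvda1" ino=3168128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=AVC msg=audit(1463171165.77:545): avc:  denied  { add_name } for  pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=AVC msg=audit(1463171165.77:545): avc:  denied  { create } for  pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
type=AVC msg=audit(1463171165.77:545): avc:  denied  { open } for  pid=11096 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="xvda1" ino=3178477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
type=SYSCALL msg=audit(1463171165.77:545): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7fa56cfa0c00 a1=441 a2=1b6 a3=24 items=0 ppid=11048 pid=11096 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm perm } for  k=v k=v ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)'
)
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): (?P<rest>.*)')
# key=value pairs; values are either double-quoted or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Split audit records into AVC denials and SYSCALL records keyed by event id."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
            avcs.append({
                "event": m.group("event"),
                "perms": m.group("perms").split(),
                "src": context_type(fields["scontext"]),
                "tgt": context_type(fields["tcontext"]),
                "tclass": fields["tclass"],
                # AVC records carry either a full path or just the object name
                "object": fields.get("path") or fields.get("name", "?"),
                "comm": fields.get("comm", "?"),
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("event")] = {
                k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))
            }
    return avcs, syscalls


def summarize(avcs, syscalls):
    """Group denials by (source type, target type, class); note if the syscall still succeeded."""
    summary = {}
    for avc in avcs:
        key = (avc["src"], avc["tgt"], avc["tclass"])
        entry = summary.setdefault(
            key, {"perms": set(), "objects": set(), "comms": set(), "permissive": False}
        )
        entry["perms"].update(avc["perms"])
        entry["objects"].add(avc["object"])
        entry["comms"].add(avc["comm"])
        sc = syscalls.get(avc["event"])
        # A denied AVC whose matching syscall reports success=yes was only
        # logged, not blocked: the host is running permissive for that domain.
        if sc is not None and sc.get("success") == "yes":
            entry["permissive"] = True
    return summary


def cross_service(src_type, tgt_type):
    """Rough heuristic (my own): types whose leading token differs belong to
    different services, e.g. httpd_t touching cinder_log_t."""
    return src_type.split("_")[0] != tgt_type.split("_")[0]


def report(summary):
    """Render one line per (source, target, class) group with triage flags."""
    lines = []
    for (src, tgt, tclass), e in sorted(summary.items()):
        flags = []
        if e["permissive"]:
            flags.append("access went through: host is permissive")
        if cross_service(src, tgt):
            flags.append("cross-service access: check labels before allowing")
        lines.append(
            f"{src} -> {tgt} ({tclass}): denied {{{', '.join(sorted(e['perms']))}}} "
            f"on {', '.join(sorted(e['objects']))} by {', '.join(sorted(e['comms']))}"
            + (f"  [{'; '.join(flags)}]" if flags else "")
        )
    return lines


if __name__ == "__main__":
    parsed_avcs, parsed_syscalls = parse_audit(SAMPLE_AUDIT_LOG)
    for line in report(summarize(parsed_avcs, parsed_syscalls)):
        print(line)
```

Point it at /var/log/audit/audit.log (or the output of `ausearch -r`) instead of the embedded sample to triage a real host. A group flagged both permissive and cross-service, like the httpd_t to cinder_log_t one here, is exactly the case where the right fix is a corrected policy package (Comment 2 attributes this report to a stale openstack-selinux build from an unsynced mirror) or a relabel, not a generated allow rule.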

Comment 2 Emilien Macchi 2016-05-14 09:14:54 UTC
The version was openstack-selinux-0.6.58-1.el7.noarch because we used the OpenStack Infra mirror, which was not synced correctly.

Comment 3 Mike Burns 2016-12-21 15:07:39 UTC
Emilien, is this still breaking?

Comment 4 Emilien Macchi 2016-12-21 15:14:37 UTC
Mike, no. It looks good to me now, I can close it.

