Bug 1447779 - Need to make significant changes to SElinux policy in order to accommodate glance with solidfire cinder backend [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ga
Target Release: 12.0 (Pike)
Assigned To: Lon Hohberger
QA Contact: Mike Abrams
Keywords: Triaged, ZStream
Depends On: 1293435
Blocks:
Reported: 2017-05-03 15:28 EDT by Andreas Karis
Modified: 2018-02-05 14:07 EST (History)

See Also:
Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-13 16:25:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mabrams: needinfo? (lhh)


Attachments (Terms of Use)
Just the AVCs. (10.92 KB, text/plain)
2017-05-23 16:20 EDT, Lon Hohberger
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-15 20:43:25 EST

Description Andreas Karis 2017-05-03 15:28:56 EDT
Description of problem:
Need to make significant changes to SElinux policy in order to accommodate glance with solidfire cinder backend

Using newest openstack-selinux from brew:
[root@overcloud-controller-1 ~]# rpm -qa | grep openstack-sel
openstack-selinux-0.8.6-2.el7ost.noarch

Need to run this script to disable all blocking selinux policies:

[stack@director images]$ cat selinux.sh 
#!/bin/bash -x

# Controller that runs glance-api; sealert needs setroubleshoot installed there.
CTRL=heat-admin@10.10.159.25

ssh "$CTRL" "sudo yum install setroubleshoot -y"

# Retry the upload until glance stops answering HTTP 500. Each failure is taken
# to be a fresh SELinux denial, which is looked up and allowed below.
# (The original used `while \`...\``; the pipeline's exit status is what the
# loop should test, so it is used directly.)
while glance --os-image-api-version 1 image-create --container-format bare --disk-format qcow2 --store cinder --progress --file ubuntu-14.04-server-cloudimg-amd64-disk1.img --name test-sf 2>&1 | grep -iq '500 internal'; do

    # Keep the full sealert report for later review.
    ssh "$CTRL" "sudo sealert -a /var/log/audit/audit.log 2>/dev/null" >> /tmp/selinux.log

    # Run the "# ausearch ... | audit2allow -M ..." commands sealert suggests,
    # then the "# semodule -i ..." lines that audit2allow prints, installing
    # one local policy module per denied source.
    ssh "$CTRL" "sudo sealert -a /var/log/audit/audit.log 2>/dev/null | grep ausearch | sed 's/^#//' | xargs -I {} bash -c 'sudo {}' 2>/dev/null | grep semodule | xargs -I {} bash -c 'sudo {}'"

done


The following policies need to be installed: see attachment

Also, I got this to work once with the script, but then it fails again when it tries to access different block devices:

SELinux is preventing /usr/bin/python2.7 from write access on the blk_file sdg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed write access on the sdg blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp


Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                sdg [ blk_file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 19:20:05 UTC
Last Seen                     2017-05-03 19:23:39 UTC
Local ID                      791ded87-5adf-41ec-81fe-9ba464a6e1ed

Raw Audit Messages
type=AVC msg=audit(1493839419.340:970800): avc:  denied  { write } for  pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file


type=SYSCALL msg=audit(1493839419.340:970800): arch=x86_64 syscall=open success=no exit=EACCES a0=6541290 a1=241 a2=1b6 a3=24 items=0 ppid=309062 pid=309367 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: glance-api,glance_api_t,fixed_disk_device_t,blk_file,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/sbin/blockdev.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed execute_no_trans access on the blockdev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'privsep-helper' --raw | audit2allow -M my-privsephelper
# semodule -i my-privsephelper.pp


Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                unconfined_u:object_r:fsadm_exec_t:s0
Target Objects                /usr/sbin/blockdev [ file ]
Source                        privsep-helper
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages           util-linux-2.23.2-33.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2017-05-03 19:20:08 UTC
Last Seen                     2017-05-03 19:23:39 UTC
Local ID                      b26635bc-075f-4a3e-9604-6933eb6a177b

Raw Audit Messages
type=AVC msg=audit(1493839419.588:970802): avc:  denied  { execute_no_trans } for  pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1493839419.588:970802): arch=x86_64 syscall=execve success=no exit=EACCES a0=249e020 a1=24a0cb0 a2=7fff395cf710 a3=7fff395cd070 items=0 ppid=600880 pid=688072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=privsep-helper exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: privsep-helper,glance_api_t,fsadm_exec_t,file,execute_no_trans

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/iscsiadm from unlink access on the file 192.168.52.9,3260.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsiadm should be allowed unlink access on the 192.168.52.9,3260 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iscsiadm' --raw | audit2allow -M my-iscsiadm
# semodule -i my-iscsiadm.pp


Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:iscsi_var_lib_t:s0
Target Objects                192.168.52.9,3260 [ file ]
Source                        iscsiadm
Source Path                   /usr/sbin/iscsiadm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           iscsi-initiator-utils-6.2.0.873-35.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   15
First Seen                    2017-05-03 19:20:10 UTC
Last Seen                     2017-05-03 19:23:44 UTC
Local ID                      2852be15-8f21-4239-a661-549c5bb56d0c

Raw Audit Messages
type=AVC msg=audit(1493839424.705:970827): avc:  denied  { unlink } for  pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1493839424.705:970827): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f625e61bfa0 a1=7ffc383c4c40 a2=7ffc383c4c40 a3=0 items=0 ppid=600880 pid=688442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iscsiadm exe=/usr/sbin/iscsiadm subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: iscsiadm,glance_api_t,iscsi_var_lib_t,file,unlink
Comment 2 Lon Hohberger 2017-05-05 14:53:12 EDT
Do you
Comment 3 Andreas Karis 2017-05-05 15:06:06 EDT
yes, I do ;-)

Joke aside, something still doesn't seem to be right with the policies for glance with a cinder backend (although we did have problems with the installation of the latest openstack-selinux policies, so this probably didn't help, either).
Comment 4 Lon Hohberger 2017-05-23 16:18:21 EDT
Whoops - what I meant was - do you have the full AVC logs? :)
Comment 5 Lon Hohberger 2017-05-23 16:20 EDT
Created attachment 1281730 [details]
Just the AVCs.
Comment 6 Lon Hohberger 2017-05-23 16:22:24 EDT
It looks like there needs to be an ability to execute domain transitions to:
 - fsadm_exec_t
 - iscsid_exec_t
 - sudo_exec_t
   ^ Need to look more at this one.
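Added example, not code from the bug, from openstack-selinux or from setroubleshoot: a small Python triage script that parses raw AVC records like the three quoted in the description (and the ones in the attachment), reproduces the comm,stype,ttype,tclass,perm tuples that sealert prints as "Hash:", and, following the point in comment 6, separates denials that an allow rule should not paper over (execute_no_trans on an *_exec_t entrypoint, which calls for a domain transition) from the rest. The sample log is constructed from the AVC lines in the description; the function names and the output format of suggest_rules are my own and not audit2allow's.

```python
import re
from collections import Counter

# Constructed sample: the three raw AVC records quoted in the bug description,
# plus one abbreviated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493839419.340:970800): avc:  denied  { write } for  pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1493839419.340:970800): arch=x86_64 syscall=open success=no exit=EACCES comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1493839419.588:970802): avc:  denied  { execute_no_trans } for  pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file
type=AVC msg=audit(1493839424.705:970827): avc:  denied  { unlink } for  pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file
"""

# Shape of a denial: 'avc:  denied  { perm1 perm2 } for  key=value key="quoted" ...'
AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Type component of a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # file/blk_file targets carry either path= or name=
        'target': fields.get('path') or fields.get('name'),
    }


def sealert_hash(avc, perm):
    """The comm,stype,ttype,tclass,perm tuple sealert prints as 'Hash:'."""
    return ','.join([avc['comm'], type_of(avc['scontext']),
                     type_of(avc['tcontext']), avc['tclass'], perm])


def needs_domain_transition(avc):
    """execute_no_trans on an *_exec_t entrypoint means the source domain ran a
    confined program without changing domain. The fix is a domain-transition
    rule; an allow would keep the helper running in the caller's domain."""
    return ('execute_no_trans' in avc['perms']
            and avc['tclass'] == 'file'
            and type_of(avc['tcontext']).endswith('_exec_t'))


def summarize(log_text):
    """Count denials per sealert hash."""
    counts = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc['perms']:
            counts[sealert_hash(avc, perm)] += 1
    return counts


def transition_targets(log_text):
    """Sorted entrypoint types for which a domain transition is needed."""
    targets = set()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None and needs_domain_transition(avc):
            targets.add(type_of(avc['tcontext']))
    return sorted(targets)


def suggest_rules(log_text):
    """Hypothetical review output (own format, not audit2allow's): one allow
    rule per plain denial, and a note instead of a rule where a domain
    transition is the correct fix."""
    rules = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
        if needs_domain_transition(avc):
            rules.append('# %s -> %s: add a domain transition, not execute_no_trans' % (src, tgt))
        else:
            rules.append('allow %s %s:%s { %s };' % (src, tgt, avc['tclass'], ' '.join(avc['perms'])))
    return rules


if __name__ == '__main__':
    for h, n in summarize(SAMPLE_AUDIT_LOG).items():
        print('%3d  %s' % (n, h))
    print('\n'.join(suggest_rules(SAMPLE_AUDIT_LOG)))
```

Run against a real audit.log, the counts tell you which denial keeps recurring (the blk_file write hits a new device name each time, as the description reports), and the transition list is the short set of entrypoint types to look at in the policy rather than a pile of generated allow rules.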
Comment 7 Paul Grist 2017-06-12 17:53:07 EDT
Adding a dependent BZ.  Glance Cinder backends are an RFE for OSP12
Comment 18 errata-xmlrpc 2017-12-13 16:25:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
