Description of problem:
Need to make significant changes to SELinux policy in order to accommodate glance with solidfire cinder backend

Using newest openstack-selinux from brew:

[root@overcloud-controller-1 ~]# rpm -qa | grep openstack-sel
openstack-selinux-0.8.6-2.el7ost.noarch

Need to run this script to disable all blocking selinux policies:

[stack@director images]$ cat selinux.sh
#!/bin/bash -x
ssh heat-admin.159.25 "sudo yum install setroubleshoot -y"
# Loop as long as the upload still fails with an HTTP 500 (the original used
# a backtick command substitution here; the plain pipeline has the same exit status).
while glance --os-image-api-version 1 image-create --container-format bare --disk-format qcow2 --store cinder --progress --file ubuntu-14.04-server-cloudimg-amd64-disk1.img --name test-sf 2>&1 | grep -iq '500 internal'; do
    # keep a copy of every sealert report for later review
    ssh heat-admin.159.25 "sudo sealert -a /var/log/audit/audit.log 2>/dev/null" >> /tmp/selinux.log
    # run the ausearch|audit2allow line sealert suggests, then the semodule -i it prints
    ssh heat-admin.159.25 "sudo sealert -a /var/log/audit/audit.log 2>/dev/null | grep ausearch | sed 's/^#//' | xargs -I {} bash -c 'sudo {}' 2>/dev/null | grep semodule | xargs -I {} bash -c 'sudo {}'"
done

The following policies need to be installed: see attachment

Also, I get this to work once with the script, but then it fails again when it tries to access different block devices:

SELinux is preventing /usr/bin/python2.7 from write access on the blk_file sdg.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed write access on the sdg blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                sdg [ blk_file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 19:20:05 UTC
Last Seen                     2017-05-03 19:23:39 UTC
Local ID                      791ded87-5adf-41ec-81fe-9ba464a6e1ed

Raw Audit Messages
type=AVC msg=audit(1493839419.340:970800): avc: denied { write } for pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

type=SYSCALL msg=audit(1493839419.340:970800): arch=x86_64 syscall=open success=no exit=EACCES a0=6541290 a1=241 a2=1b6 a3=24 items=0 ppid=309062 pid=309367 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: glance-api,glance_api_t,fixed_disk_device_t,blk_file,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/sbin/blockdev.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed execute_no_trans access on the blockdev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'privsep-helper' --raw | audit2allow -M my-privsephelper
# semodule -i my-privsephelper.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                unconfined_u:object_r:fsadm_exec_t:s0
Target Objects                /usr/sbin/blockdev [ file ]
Source                        privsep-helper
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages           util-linux-2.23.2-33.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2017-05-03 19:20:08 UTC
Last Seen                     2017-05-03 19:23:39 UTC
Local ID                      b26635bc-075f-4a3e-9604-6933eb6a177b

Raw Audit Messages
type=AVC msg=audit(1493839419.588:970802): avc: denied { execute_no_trans } for pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1493839419.588:970802): arch=x86_64 syscall=execve success=no exit=EACCES a0=249e020 a1=24a0cb0 a2=7fff395cf710 a3=7fff395cd070 items=0 ppid=600880 pid=688072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=privsep-helper exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: privsep-helper,glance_api_t,fsadm_exec_t,file,execute_no_trans

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/iscsiadm from unlink access on the file 192.168.52.9,3260.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that iscsiadm should be allowed unlink access on the 192.168.52.9,3260 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'iscsiadm' --raw | audit2allow -M my-iscsiadm
# semodule -i my-iscsiadm.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:iscsi_var_lib_t:s0
Target Objects                192.168.52.9,3260 [ file ]
Source                        iscsiadm
Source Path                   /usr/sbin/iscsiadm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           iscsi-initiator-utils-6.2.0.873-35.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overcloud-controller-1.localdomain
Platform                      Linux overcloud-controller-1.localdomain 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64
Alert Count                   15
First Seen                    2017-05-03 19:20:10 UTC
Last Seen                     2017-05-03 19:23:44 UTC
Local ID                      2852be15-8f21-4239-a661-549c5bb56d0c

Raw Audit Messages
type=AVC msg=audit(1493839424.705:970827): avc: denied { unlink } for pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1493839424.705:970827): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f625e61bfa0 a1=7ffc383c4c40 a2=7ffc383c4c40 a3=0 items=0 ppid=600880 pid=688442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iscsiadm exe=/usr/sbin/iscsiadm subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: iscsiadm,glance_api_t,iscsi_var_lib_t,file,unlink
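The script in the description turns every sealert suggestion into an installed module without anyone reading the rule. As an added example (editor's code, not part of this report or of openstack-selinux), the parser below groups raw AVC records the way audit2allow does, one candidate allow rule per source type, target type, class and permission set, and attaches a review note where the generated rule would be too broad; the sample audit lines are the three AVCs quoted in this report, and the two review heuristics are the editor's assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the three AVC records quoted in this bug, one per
# line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493839419.340:970800): avc: denied { write } for pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1493839419.588:970802): avc: denied { execute_no_trans } for pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file
type=AVC msg=audit(1493839424.705:970827): avc: denied { unlink } for pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Parse one audit.log line; return a dict for an AVC denial, else None."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = tuple(re.search(r"\{\s*([^}]*)\}", line).group(1).split())
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "comm": kv["comm"],
        "source_type": kv["scontext"].split(":")[2],  # e.g. glance_api_t
        "target_type": kv["tcontext"].split(":")[2],  # e.g. fixed_disk_device_t
        "tclass": kv["tclass"],
        "perms": perms,
        "object": kv.get("name", kv.get("path", "?")),
    }


def review_note(d):
    """Editor's heuristics: why a blanket allow rule is the wrong fix here."""
    if "execute_no_trans" in d["perms"] and d["target_type"].endswith("_exec_t"):
        return "entry point of another domain: needs a domain transition, not execute_no_trans"
    if d["tclass"] == "blk_file" and d["target_type"] == "fixed_disk_device_t":
        return "rule would cover every device labelled fixed_disk_device_t, not only the attached LUN"
    return None


def summarize(audit_text):
    """Group denials into the allow rules audit2allow would emit, with counts and notes."""
    groups, notes = Counter(), {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"], d["perms"])
        groups[key] += 1
        notes[key] = review_note(d)
    return [{"rule": k, "count": n, "note": notes[k]} for k, n in groups.items()]
```

Feed it `ausearch -m avc --raw` output from the controller before running `semodule -i`, and treat any rule with a note as one to hand-write rather than install.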
Do you
yes, I do ;-) Joke aside, something still doesn't seem to be right with the policies for glance with a cinder backend (although we did have problems with the installation of the latest openstack-selinux policies, so this probably didn't help either).
Whoops - what I meant was - do you have the full AVC logs? :)
Created attachment 1281730
Just the AVCs.
It looks like there needs to be an ability to execute domain transitions to:
- fsadm_exec_t
- iscsid_exec_t
- sudo_exec_t
  ^ Need to look more at this one.
Adding a dependent BZ. Glance Cinder backends is an RFE for OSP12
https://github.com/redhat-openstack/openstack-selinux/commit/5002b373a03c3910cc7a5fbd94468e8e3b84d55c
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462