Description of problem:
We had trouble booting up overcloud nodes and noticed avc: denied messages in the audit.log

Version-Release number of selected component (if applicable):
openstack-selinux.noarch 0.8.14-1.el7ost @rhelosp-13.0-puddle

type=AVC msg=audit(1523966763.994:1875): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Also reported:

type=AVC msg=audit(1523966763.994:1875): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966786.453:1912): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966887.636:1963): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966893.099:1964): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966899.002:1965): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7705): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7706): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.012:7719): avc: denied { read } for pid=31332 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7720): avc: denied { read } for pid=31332 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7721): avc: denied { read } for pid=31332 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

It looks like /var/lib/ironic-inspector/dhcp-hostsdir should be virt_var_lib_t ?
Or - dnsmasq_lease_t
./ironic_inspector/pxe_filter/dnsmasq.py - unlinks files from that directory, reads, opens, etc.
dnsmasq_t already has:
allow daemon var_lib_t:dir { getattr open search };
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:False
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:True
allow dnsmasq_t file_type:filesystem getattr;
allow dnsmasq_t var_lib_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain base_file_type:dir { getattr open search };
allow domain var_lib_t:dir { getattr open search };
allow nsswitch_domain var_lib_t:dir { getattr ioctl lock open read search };
btw for completeness i see these three cases (obv. open in addition to read and getattr) when retried in permissive
> type=AVC msg=audit(...): avc: denied { getattr } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc: denied { open } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc: denied { read } for pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Instead of creating potential side-issues by changing the file context, I think the least potentially destabilizing thing is to give dnsmasq_t manage_file_perms for var_lib_t. This isn't ideal, obviously, however, it is a simple short-term fix.
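As an added illustration (not code from this bug thread or from openstack-selinux), the following Python script parses the three AVC records quoted in the permissive-mode retry above, aggregates them per (source type, target type, object class) the way audit2allow does, and then checks whether a candidate permission set such as manage_file_perms leaves any of the denied permissions uncovered. The contents of the manage_file_perms and read_file_perms sets are reproduced from the reference policy's permission-set macros; the sample records are copied from the comment above with the timestamps elided as in the original.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in the permissive-mode retry in this bug
# (constructed here as an inline string; timestamps are elided as "..." as in the comment).
SAMPLE_AVCS = """\
type=AVC msg=audit(...): avc: denied { getattr } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(...): avc: denied { open } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(...): avc: denied { read } for pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Matches the permission set in braces and the scontext/tcontext/tclass triple of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\sscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Permission sets as defined by the reference policy macros (reproduced here from refpolicy).
MANAGE_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                     "append", "rename", "link", "unlink", "ioctl", "lock"}
READ_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock"}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict with perms/source/target/tclass for one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(text):
    """Collapse AVC records into {(source, target, tclass): set_of_perms}, as audit2allow does."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(needed):
    """Render the aggregated denials as minimal allow rules (what audit2allow -M would propose)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


def uncovered(needed, granted):
    """Denied permissions that a rule granting `granted` on each key would still leave denied."""
    return {key: perms - granted for key, perms in needed.items() if perms - granted}


if __name__ == "__main__":
    needed = aggregate(SAMPLE_AVCS)
    for rule in to_allow_rules(needed):
        print("minimal rule:", rule)
    print("left over with manage_file_perms:", uncovered(needed, MANAGE_FILE_PERMS))
    print("left over with read_file_perms:  ", uncovered(needed, READ_FILE_PERMS))
```

Run against the quoted records, the three denials collapse into a single key (dnsmasq_t, var_lib_t, file) needing { getattr open read }; both read_file_perms and the broader manage_file_perms cover it, which is a useful check before deciding how wide a grant the short-term fix really needs to be.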
openstack-selinux-0.8.14-2.el7ost
*** Bug 1572537 has been marked as a duplicate of this bug. ***
This passed the regression tests based on the reported AVCs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086