Bug 1568993 - undercloud dnsmasq avc denied messages are in the audit.log
Summary: undercloud dnsmasq avc denied messages are in the audit.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-18 13:33 UTC by Attila Fazekas
Modified: 2018-08-03 18:35 UTC (History)

Fixed In Version: openstack-selinux-0.8.14-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:52:00 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHEA-2018:2086 (last updated 2018-06-27 13:52:54 UTC)

Description Attila Fazekas 2018-04-18 13:33:26 UTC
Description of problem:
We had trouble in booting up overcloud nodes and we noticed avc: denial messages in the audit.log

Version-Release number of selected component (if applicable):
openstack-selinux.noarch          0.8.14-1.el7ost       @rhelosp-13.0-puddle    

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Comment 2 Lon Hohberger 2018-04-18 15:55:51 UTC
Also reported:

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966786.453:1912): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966887.636:1963): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966893.099:1964): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966899.002:1965): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7705): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7706): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.012:7719): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7720): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7721): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

It looks like /var/lib/ironic-inspector/dhcp-hostsdir should be virt_var_lib_t ?

Comment 3 Lon Hohberger 2018-04-18 15:57:01 UTC
Or - dnsmasq_lease_t

Comment 4 Lon Hohberger 2018-04-18 16:06:56 UTC
./ironic_inspector/pxe_filter/dnsmasq.py - unlinks files from that directory, reads, opens, etc.

Comment 5 Lon Hohberger 2018-04-18 16:21:47 UTC
dnsmasq_t already has:

allow daemon var_lib_t:dir { getattr open search };
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:False
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:True
allow dnsmasq_t file_type:filesystem getattr;
allow dnsmasq_t var_lib_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain base_file_type:dir { getattr open search };
allow domain var_lib_t:dir { getattr open search };
allow nsswitch_domain var_lib_t:dir { getattr ioctl lock open read search };

Comment 6 Pavel Sedlák 2018-04-18 17:35:16 UTC
btw for completeness I see these three cases (obv. open in addition to read and getattr) when retried in permissive

> type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { open } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { read } for  pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Comment 7 Lon Hohberger 2018-04-18 18:57:50 UTC
Instead of creating potential side-issues by changing the file context, I think the least potentially destabilizing thing is to give dnsmasq_t manage_file_perms for var_lib_t. This isn't ideal, obviously, however, it is a simple short-term fix.
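
Added example, not from this bug thread or from the openstack-selinux package: a small Python parser that aggregates the AVC records quoted in comments 2 and 6 by (source type, target type, class) and renders the narrowest TE rule covering the permissions actually observed, the way audit2allow would summarise them. The sample audit lines are constructed from the ones in this report (same contexts, comm and paths); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AVC lines quoted in this bug (same
# contexts, comm and paths); the "(...)" timestamp form copies comment 6. A
# SYSCALL record is included to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(...): avc:  denied  { open } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1523966763.994:1875): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq"
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for fm in FIELD_RE.finditer(m.group("fields")):
        # group 3 is the unquoted content of a "..." value, group 4 a bare value
        rec[fm.group(1)] = fm.group(3) if fm.group(3) is not None else fm.group(4)
    return rec


def context_type(ctx):
    """Pull the type (third field) out of a user:role:type:level context."""
    return ctx.split(":")[2]


def summarize_denials(text):
    """Aggregate denied AVCs by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        entry = summary[key]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        if "comm" in rec:
            entry["comms"].add(rec["comm"])
        # getattr/open records carry path=, read records only name=
        obj = rec.get("path") or rec.get("name")
        if obj:
            entry["objects"].add(obj)
    return dict(summary)


def allow_rule(key, perms):
    """Render the narrowest TE rule covering the observed permissions (audit2allow style)."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, entry in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{entry['count']} denial(s) from {sorted(entry['comms'])} on {sorted(entry['objects'])}")
        print("  minimal rule:", allow_rule(key, entry["perms"]))
```

On the sample this yields a single bucket, dnsmasq_t on var_lib_t:file, needing { getattr open read }. That is the narrow form of what comment 7 settles on with manage_file_perms, which additionally covers create, write, unlink and the rest of the file-management set; summarising the denials first makes the gap between "what was observed" and "what the chosen interface grants" visible before the policy is changed, and the object list shows whether the denied files all sit under one directory that could instead be relabelled.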

Comment 10 Lon Hohberger 2018-04-18 20:22:48 UTC
openstack-selinux-0.8.14-2.el7ost

Comment 17 Harald Jensås 2018-04-27 11:14:55 UTC
*** Bug 1572537 has been marked as a duplicate of this bug. ***

Comment 19 Lon Hohberger 2018-06-14 19:51:53 UTC
This passed the regression tests based on the reported AVCs.

Comment 21 errata-xmlrpc 2018-06-27 13:52:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
