Bug 1568993 - undercloud dnsmasq avc denied messages are in the audit.log
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assigned To: Lon Hohberger
QA Contact: Udi Shkalim
Keywords: Triaged
Depends On:
Blocks:
Reported: 2018-04-18 09:33 EDT by Attila Fazekas
Modified: 2018-08-03 14:35 EDT
CC: 8 users

See Also:
Fixed In Version: openstack-selinux-0.8.14-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-27 09:52:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers:
Red Hat Product Errata RHEA-2018:2086 (Priority: None, Status: None, Summary: None, Last Updated: 2018-06-27 09:52 EDT)

Description Attila Fazekas 2018-04-18 09:33:26 EDT
Description of problem:
We had trouble booting up overcloud nodes, and we noticed avc: denied messages in the audit.log.

Version-Release number of selected component (if applicable):
openstack-selinux.noarch          0.8.14-1.el7ost       @rhelosp-13.0-puddle    

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Comment 2 Lon Hohberger 2018-04-18 11:55:51 EDT
Also reported:

type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1876): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966763.995:1877): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966776.468:1910): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966781.458:1911): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966786.453:1912): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966887.636:1963): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966893.099:1964): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523966899.002:1965): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7705): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:45:98:9f" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7706): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.012:7719): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7720): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7721): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:6b:18:f3" dev="vda1" ino=113286650 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

It looks like /var/lib/ironic-inspector/dhcp-hostsdir should be virt_var_lib_t ?
Comment 3 Lon Hohberger 2018-04-18 11:57:01 EDT
Or - dnsmasq_lease_t
Comment 4 Lon Hohberger 2018-04-18 12:06:56 EDT
./ironic_inspector/pxe_filter/dnsmasq.py - unlinks files from that directory, reads, opens, etc.
Comment 5 Lon Hohberger 2018-04-18 12:21:47 EDT
dnsmasq_t already has:

allow daemon var_lib_t:dir { getattr open search };
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:False
allow daemon var_lib_t:dir { getattr open search }; [ daemons_enable_cluster_mode ]:True
allow dnsmasq_t file_type:filesystem getattr;
allow dnsmasq_t var_lib_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain base_file_type:dir { getattr open search };
allow domain var_lib_t:dir { getattr open search };
allow nsswitch_domain var_lib_t:dir { getattr ioctl lock open read search };
Comment 6 Pavel Sedlák 2018-04-18 13:35:16 EDT
Btw, for completeness, I see these three cases (obviously open, in addition to read and getattr) when retried in permissive:

> type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { open } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(...): avc:  denied  { read } for  pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Comment 7 Lon Hohberger 2018-04-18 14:57:50 EDT
Instead of creating potential side-issues by changing the file context, I think the least potentially destabilizing thing is to give dnsmasq_t manage_file_perms for var_lib_t. This isn't ideal, obviously; however, it is a simple short-term fix.
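The triage in Comments 2, 5, 6 and 7 amounts to three steps: collapse the AVC records into (source type, target type, class) → permission sets, check them against the rules the policy already carries, and decide how wide the new grant should be. The script below is an added example of that workflow and is not part of the bug report or of openstack-selinux; its audit lines are copied from the AVCs quoted in this bug (plus one constructed SYSCALL record to show non-AVC lines being skipped), the existing rules are the dir-class lines from Comment 5, the module text is audit2allow-style output rather than the actual openstack-selinux-0.8.14-2 change (which the page does not show), and the manage_file_perms set is refpolicy's classic definition, taken here as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records are copied from this bug's Comments 2 and 6;
# the final SYSCALL record is made up to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1523966763.994:1875): avc:  denied  { read } for  pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990351.136:7704): avc:  denied  { getattr } for  pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(...): avc:  denied  { open } for  pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1523990360.013:7720): avc:  denied  { read } for  pid=31332 comm="dnsmasq" name="52:54:00:45:98:9f" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1523990360.013:7720): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq" exe="/usr/sbin/dnsmasq"
"""

# Existing dnsmasq_t rules on var_lib_t as listed in Comment 5 (all on the dir class, none on file).
EXISTING_RULES = """\
allow dnsmasq_t var_lib_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain var_lib_t:dir { getattr open search };
"""

# Assumption: refpolicy's classic manage_file_perms macro expansion, used to size the Comment 7 fix.
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink ioctl lock".split()
)

AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)'
)
RULE_RE = re.compile(r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+\{\s*(?P<perms>[^}]*?)\s*\};')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def aggregate_denials(audit_text):
    """Fold every denial into {(source_type, target_type, tclass): set_of_perms}."""
    agg = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            agg[(stype, ttype, tclass)] |= perms
    return dict(agg)


def parse_rules(rules_text):
    """Parse sesearch-style 'allow src tgt:class { perms };' lines into the same key shape."""
    agg = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            agg[(m.group("src"), m.group("tgt"), m.group("cls"))] |= set(m.group("perms").split())
    return dict(agg)


def uncovered_denials(denials, existing_rules):
    """Denied perms that no existing rule on the same (src, tgt, class) already grants."""
    return {key: perms - existing_rules.get(key, set())
            for key, perms in denials.items()
            if perms - existing_rules.get(key, set())}


def minimal_allow_rules(denials):
    """The audit2allow-style rules that would silence exactly the observed denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]


def excess_over_minimal(denials, granted=MANAGE_FILE_PERMS):
    """Perms a blanket file grant adds beyond what the AVCs asked for, per (src, tgt, class)."""
    return {key: granted - perms for key, perms in denials.items() if key[2] == "file"}


def render_te_module(name, denials):
    """Emit a loadable policy module source (checkmodule/semodule_package format)."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + minimal_allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = aggregate_denials(SAMPLE_AUDIT_LOG)
    gap = uncovered_denials(denials, parse_rules(EXISTING_RULES))
    print(render_te_module("local_dnsmasq_inspector", gap))
    for key, extra in excess_over_minimal(denials).items():
        print(f"# manage_file_perms on {key} also grants: {' '.join(sorted(extra))}")
```

On a live undercloud the same data comes from `ausearch -m AVC -ts recent` and `sesearch -A -s dnsmasq_t -t var_lib_t -c file`; the point of the comparison is that the observed denials need only `{ getattr open read }` on var_lib_t files, while the manage_file_perms grant chosen in Comment 7 also allows create, write, unlink and friends on every var_lib_t file dnsmasq_t can reach, which is the trade-off behind "this isn't ideal" and why a dedicated file context is the longer-term answer.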
Comment 10 Lon Hohberger 2018-04-18 16:22:48 EDT
openstack-selinux-0.8.14-2.el7ost
Comment 17 Harald Jensås 2018-04-27 07:14:55 EDT
*** Bug 1572537 has been marked as a duplicate of this bug. ***
Comment 19 Lon Hohberger 2018-06-14 15:51:53 EDT
This passed the regression tests based on the reported AVCs.
Comment 21 errata-xmlrpc 2018-06-27 09:52:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
