Bug 1667276 - Selinux - bunch of "avc: denied" messages in logs on rhel8.
Summary: Selinux - bunch of "avc: denied" messages in logs on rhel8.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Cédric Jeanneret
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-17 23:06 UTC by Alexander Chuzhoy
Modified: 2019-01-29 14:21 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-29 14:21:14 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub redhat-openstack/openstack-selinux pull 22 (closed): Allow openvswitch to manage its files/sockets in a container context (last updated 2021-01-14 19:48:16 UTC)
- Red Hat Bugzilla 1651531 (high, CLOSED): avc: denied { write } for pid=27097 comm="sss_cache" name="config.ldb" dev="dm-0" (last updated 2021-02-22 00:41:40 UTC)

Description Alexander Chuzhoy 2019-01-17 23:06:13 UTC
Selinux - bunch of "avc:  denied" messages in logs on rhel8.

Environment:
rpm-plugin-selinux-4.14.2-4.el8.x86_64
libselinux-utils-2.8-5.el8.x86_64
libselinux-2.8-5.el8.x86_64
selinux-policy-3.14.1-47.el8.noarch
python3-libselinux-2.8-5.el8.x86_64
selinux-policy-targeted-3.14.1-47.el8.noarch
container-selinux-2.73-3.el8+1838+91f7e486.noarch
libselinux-ruby-2.8-5.el8.x86_64
openstack-selinux-0.8.17-0.20190116195130.faef39f.fc28.noarch


Steps to reproduce:
Deploy the undercloud and check the SELinux logs:

type=AVC msg=audit(1547761255.316:344): avc:  denied  { write } for  pid=3343 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.330:345): avc:  denied  { write } for  pid=3345 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.373:347): avc:  denied  { write } for  pid=3352 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.388:348): avc:  denied  { write } for  pid=3355 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.429:352): avc:  denied  { write } for  pid=3361 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.442:353): avc:  denied  { write } for  pid=3363 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.472:356): avc:  denied  { write } for  pid=3367 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761255.486:357): avc:  denied  { write } for  pid=3370 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761256.334:360): avc:  denied  { write } for  pid=3385 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761256.347:361): avc:  denied  { write } for  pid=3387 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761256.425:363): avc:  denied  { write } for  pid=3392 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761256.439:364): avc:  denied  { write } for  pid=3395 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761304.199:368): avc:  denied  { write } for  pid=3493 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761304.212:369): avc:  denied  { write } for  pid=3497 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761304.252:371): avc:  denied  { write } for  pid=3502 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547761304.267:372): avc:  denied  { write } for  pid=3505 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547762083.217:965): avc:  denied  { net_broadcast } for  pid=14942 comm="ovs-vswitchd" capability=11  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1547763361.789:1450): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="account.ring.gz" dev="vda3" ino=46502778 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.790:1451): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="container.ring.gz" dev="vda3" ino=46502783 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.790:1452): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="object.ring.gz" dev="vda3" ino=46507314 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.790:1453): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="account.builder" dev="vda3" ino=46507315 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.791:1454): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="container.builder" dev="vda3" ino=46507316 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.791:1455): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="object.builder" dev="vda3" ino=46507317 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.792:1456): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762819.object.builder" dev="vda3" ino=14865268 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.792:1457): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762820.account.builder" dev="vda3" ino=14865269 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.792:1458): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762821.container.builder" dev="vda3" ino=14865270 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.793:1459): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762827.object.builder" dev="vda3" ino=14865271 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.793:1460): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762827.object.ring.gz" dev="vda3" ino=14865272 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.793:1461): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762828.account.builder" dev="vda3" ino=14865273 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.794:1462): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762828.account.ring.gz" dev="vda3" ino=14865274 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.794:1463): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762828.container.builder" dev="vda3" ino=14865275 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.794:1464): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="1547762828.container.ring.gz" dev="vda3" ino=14865276 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763361.795:1465): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="backups" dev="vda3" ino=14865267 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547763998.684:1784): avc:  denied  { connectto } for  pid=76566 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c333,c682 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547764002.141:1796): avc:  denied  { connectto } for  pid=76989 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c306,c376 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547764004.893:1808): avc:  denied  { connectto } for  pid=77403 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c13,c548 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547764015.418:1851): avc:  denied  { connectto } for  pid=78837 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c83,c217 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547764064.026:2076): avc:  denied  { connectto } for  pid=86089 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c416,c485 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547766061.463:5904): avc:  denied  { setexec } for  pid=208019 comm="crond" scontext=system_u:system_r:container_t:s0:c560,c816 tcontext=system_u:system_r:container_t:s0:c560,c816 tclass=process permissive=0
type=AVC msg=audit(1547766061.594:5912): avc:  denied  { setexec } for  pid=208040 comm="crond" scontext=system_u:system_r:container_t:s0:c962,c1010 tcontext=system_u:system_r:container_t:s0:c962,c1010 tclass=process permissive=0
type=AVC msg=audit(1547766061.894:5929): avc:  denied  { setexec } for  pid=208127 comm="crond" scontext=system_u:system_r:container_t:s0:c384,c548 tcontext=system_u:system_r:container_t:s0:c384,c548 tclass=process permissive=0
type=AVC msg=audit(1547766061.905:5931): avc:  denied  { setexec } for  pid=208125 comm="crond" scontext=system_u:system_r:container_t:s0:c384,c548 tcontext=system_u:system_r:container_t:s0:c384,c548 tclass=process permissive=0

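The AVC records above are the raw material for the triage in the comments that follow: which source domain was denied which permission on which target type, and how many distinct containers are behind the container_t denials. Added here is a small parser and summarizer for that purpose; it is not part of the bug report or of any Red Hat tooling. The five sample records embedded in it are copied from the report above (one per distinct denial), and the grouping key (source type, target type, object class, permission) and the use of the MCS category pair as a per-container identity are my own choices.

```python
import re
from collections import Counter

# Five AVC records copied from the bug report above, one per distinct denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1547761255.316:344): avc:  denied  { write } for  pid=3343 comm="sss_cache" name="config.ldb" dev="vda3" ino=366466 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547762083.217:965): avc:  denied  { net_broadcast } for  pid=14942 comm="ovs-vswitchd" capability=11  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1547763361.789:1450): avc:  denied  { relabelto } for  pid=59015 comm="cp" name="account.ring.gz" dev="vda3" ino=46502778 scontext=system_u:system_r:container_t:s0:c10,c841 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547763998.684:1784): avc:  denied  { connectto } for  pid=76566 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c333,c682 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1547766061.463:5904): avc:  denied  { setexec } for  pid=208019 comm="crond" scontext=system_u:system_r:container_t:s0:c560,c816 tcontext=system_u:system_r:container_t:s0:c560,c816 tclass=process permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<epoch seconds>:<serial>)
TS_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')


def context_type(ctx):
    """user:role:type[:sensitivity[:categories]] -> type (the part policy rules are written against)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def mcs_categories(ctx):
    """Category set after the sensitivity, e.g. 'c10,c841'; empty when the label has none."""
    parts = ctx.split(':')
    return parts[4] if len(parts) >= 5 else ''


def parse_avc(line):
    """Parse one audit AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    ts = TS_RE.search(line)
    rec = {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'timestamp': float(ts.group('ts')) if ts else None,
        'serial': int(ts.group('serial')) if ts else None,
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        # whichever of path / name / capability number identifies the target
        'target': fields.get('path') or fields.get('name') or fields.get('capability'),
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    rec['scats'] = mcs_categories(rec['scontext'])
    return rec


def summarize(text):
    """Count enforced denials per (source type, target type, class, permission)."""
    buckets = Counter()
    for rec in (parse_avc(l) for l in text.splitlines()):
        if rec and rec['decision'] == 'denied':
            for perm in rec['perms']:
                buckets[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return buckets


def container_labels(text, perm):
    """Distinct MCS category pairs of container_t processes denied `perm`.

    Each container gets its own category pair, so the size of this set says how
    many containers are involved, which is the question Comment 2 asks about connectto.
    """
    labels = set()
    for rec in (parse_avc(l) for l in text.splitlines()):
        if rec and rec['stype'] == 'container_t' and perm in rec['perms']:
            labels.add(rec['scats'])
    return labels


if __name__ == '__main__':
    for (stype, ttype, tclass, perm), n in sorted(summarize(SAMPLE_AVC).items()):
        print(f'{n:4d}  {stype} -> {ttype}:{tclass} {perm}')
    for perm in ('relabelto', 'connectto', 'setexec'):
        print(f'{perm}: containers {sorted(container_labels(SAMPLE_AVC, perm))}')
```

Feed it the real file with `summarize(open('/var/log/audit/audit.log').read())`; the bucket key is the same tuple an allow rule would be written against, which makes it easy to see that relabelto and connectto cross from container_t into other types while setexec stays inside the container's own domain.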
Comment 2 Cédric Jeanneret 2019-01-18 10:25:15 UTC
Hello!

So, the relabelto will stay - it doesn't block the copy of the backup/config things, and allowing them is a security breach we don't want to see.

The connectto might be OK, although I'd like to know a bit more about that: any idea of the container(s) wanting to connect? Apparently, some "sudo" commands from within a container are issued..?

The setexec might be OK, I think it might be accepted as an `openstack-selinux' patch.

Finally, the write from sss_cache needs some investigation in order to check what's going on in there (like the connectto).

I'll check with the security team and openstack-selinux maintainers for patches, acceptable changes and the like.

Comment 3 Juan Antonio Osorio 2019-01-22 12:34:19 UTC
I agree with Cédric. Let's not let the container be able to relabel files.

Comment 4 Cédric Jeanneret 2019-01-29 13:00:38 UTC
Quick update: the "net_broadcast" should be taken care of in openstack-selinux with https://github.com/redhat-openstack/openstack-selinux/pull/22

Comment 5 Cédric Jeanneret 2019-01-29 13:19:18 UTC
Another quick update: the AVCs regarding sss are known, and apparently fixed with selinux-policy-3.14.1-48.el8 (see https://bugzilla.redhat.com/show_bug.cgi?id=1651531)

Comment 6 Cédric Jeanneret 2019-01-29 13:30:23 UTC
Also, this one is weird:
type=AVC msg=audit(1547766061.463:5904): avc:  denied  { setexec } for  pid=208019 comm="crond" scontext=system_u:system_r:container_t:s0:c560,c816 tcontext=system_u:system_r:container_t:s0:c560,c816 tclass=process permissive=0

According to https://github.com/containers/container-selinux/blob/master/container.te#L663 this is allowed...

Comment 7 Cédric Jeanneret 2019-01-29 13:35:38 UTC
OK, container-selinux package is probably too old:
https://github.com/containers/container-selinux/commit/de8020d4441bbd80e2f2c1646a34d60a15c3c270
I was the one adding this permission 3 months ago.

You might still be using a pretty old podman as well, care to share its version (podman --version or, even better, podman --info)?

Comment 8 Alexander Chuzhoy 2019-01-29 14:16:57 UTC
podman version 0.10.1.3

Comment 9 Cédric Jeanneret 2019-01-29 14:21:14 UTC
Hey,

As discussed: pretty old versions, we target podman 1.x on rhel8.

There's just the "relabelto" which is "valid", but as stated, we won't add new policy for this one. It's tracked in LP https://bugs.launchpad.net/tripleo/+bug/1813313 (I'm still digging into the reasons). It doesn't prevent the deploy or use.

Cheers,

C.

