Description of problem:
=======================
A RHEL8 Beta Amphora image with SELinux in permissive mode produced AVC denied errors. audit2allow shows the following policies are missing:

#============= haproxy_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow haproxy_t bin_t:file map;
allow haproxy_t bin_t:file execute;
allow haproxy_t unconfined_service_t:file { open read };

#============= ifconfig_t ==============
allow ifconfig_t usermodehelper_t:file { getattr open write };

#============= keepalived_t ==============
allow keepalived_t bin_t:file entrypoint;
allow keepalived_t keepalived_exec_t:file execute_no_trans;

Version-Release number of selected component (if applicable):
=============================================================
OSP15-trunk: openstack-selinux-0.8.18-0.20190212133159.282e8a1.el8ost.noarch

How reproducible:
================
100%

Steps to Reproduce:
===================
1. Create a loadbalancer in Octavia while using an RHEL8 Beta image
2. Create listeners, pools and members
3. Inspect the audit log and run audit2allow

Additional info:
================
audit log attached to this bug
Created attachment 1540296 [details] amphora audit log
Created attachment 1540297 [details] amphora audit log UDP

Configuring the Octavia loadbalancer to serve UDP traffic produced the following:

#============= ifconfig_t ==============
allow ifconfig_t usermodehelper_t:file { getattr open write };

#============= keepalived_t ==============
allow keepalived_t keepalived_exec_t:file execute_no_trans;
allow keepalived_t var_run_t:dir { create mounton };

The needed policies mentioned here were already listed in comment 0, aside from

allow keepalived_t var_run_t:dir { create mounton };

which should also be added.
Julie, I started to write a patch[1] for this bug but noticed that openstack-selinux does not have an EL8 branch. Anyhow, I wrote this and would appreciate your feedback. I still need to add tests and then I'll propose a pull request (not sure to which branch since, as mentioned, there is no EL8 branch).

The current tests are not happy with the following:

os-octavia.te:33:ERROR 'unknown type usermodehelper_t' at token ';' on line 3383:

I'll take a deeper look at that one.

[1] https://github.com/nmagnezi/openstack-selinux/commit/9c21cf25f87b60f8dd13ecd4a757fd0373391c6b
Hi Nir,

Is the missing branch causing an issue (i.e. this wouldn't work on EL7)? I'll look into it. For now openstack-selinux is working as a branchless package we cross-tag to every supported release.

About the breaking test, you probably need to "require" (kinda like "import") usermodehelper_t at the top of the file. I did that and that cleared the error, although the tests then failed on missing keepalived_exec_t, so I guess there are a few others missing!

While working on this patch, could you also include the denied AVCs into a test file? See under /tests/ for examples. That way we can make sure the denials are indeed fixed and avoid regressions in the future.

Thanks!
Also, from the description one of the AVCs can be resolved by setting a boolean ("This avc can be allowed using the boolean 'domain_can_mmap_files'") so it would be better to enable the boolean for that one ( https://github.com/redhat-openstack/openstack-selinux/blob/282e8a1/local_settings.sh.in#L159-L181 ) rather than write a new rule.
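The comments above describe the whole loop behind this bug: raw AVC denials in audit.log are aggregated by audit2allow into `allow` rules (comment 0 and the UDP additions in comment 3), the rules are placed in a .te module that must `require` every type and class it references (the usermodehelper_t error in comment 4), and a denial that an existing boolean already covers should be toggled rather than written as a new rule. The script below is an added example that is not part of this bug or of openstack-selinux: it parses constructed AVC lines modelled on the denials listed here (not the attached audit.log), aggregates them the way audit2allow does, flags the one perm a boolean covers, and renders a .te module with the require block that the failing test asked for. The boolean table is an assumption limited to the single boolean this bug mentions.

```python
import re
from collections import defaultdict

# Constructed sample denials, modelled on the rules listed in this bug.
# They are NOT lines from the attached audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1550000000.101:201): avc:  denied  { map } for  pid=1201 comm="haproxy" path="/usr/sbin/haproxy" dev="vda1" ino=4242 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.102:202): avc:  denied  { execute } for  pid=1201 comm="haproxy" path="/usr/sbin/haproxy" dev="vda1" ino=4242 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.103:203): avc:  denied  { open } for  pid=1301 comm="ifconfig" path="/proc/sys/kernel/modprobe" dev="proc" ino=7 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.104:204): avc:  denied  { write } for  pid=1301 comm="ifconfig" path="/proc/sys/kernel/modprobe" dev="proc" ino=7 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.105:205): avc:  denied  { create } for  pid=1401 comm="keepalived" name="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1550000000.106:206): pid=1 uid=0 msg='not a kernel AVC denial, must be ignored'
"""

# Matches the parts of a kernel AVC denial that an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

# Assumed, minimal table: (class, perm) -> boolean that already allows it.
# Only the boolean named in this bug is listed; a real tool queries the policy.
BOOLEAN_HINTS = {("file", "map"): "domain_can_mmap_files"}


def parse_denials(log_text):
    """Aggregate AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # USER_AVC, granted events, unrelated records
        # context is user:role:type[:level]; the type is the third field
        stype = m["scontext"].split(":")[2]
        ttype = m["tcontext"].split(":")[2]
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def format_perms(perms):
    """audit2allow style: a single perm bare, several perms in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rules(rules):
    """Render allow lines grouped per source domain, with boolean hints."""
    lines = []
    for domain in sorted({s for s, _, _ in rules}):
        lines.append("#============= %s ==============" % domain)
        for (s, t, c), perms in sorted(rules.items()):
            if s != domain:
                continue
            for p in sorted(perms):
                if (c, p) in BOOLEAN_HINTS:
                    lines.append("#!!!! This avc can be allowed using the boolean '%s'"
                                 % BOOLEAN_HINTS[(c, p)])
            lines.append("allow %s %s:%s %s;" % (s, t, c, format_perms(perms)))
    return lines


def te_module(rules, name="os-octavia-local"):
    """Render a .te module whose require block declares every type and class used."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module in which haproxy_t's `map` line carries the boolean hint, so a reviewer can drop that rule and enable the boolean in local_settings.sh.in instead, while usermodehelper_t and var_run_t appear in the require block so the module compiles against a policy that defines them.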
Thanks for the feedback, Julie. I incorporated your suggestion, as well as added AVC tests for the additions I made to the policy. See: https://github.com/redhat-openstack/openstack-selinux/pull/28

I also noticed some Nova SELinux related issues while testing locally on RHEL8; I captured them in bug 1686004.
Removing needinfo. We don't seem to be actively using el6/7 branches so I don't think we need to worry about the lack of el8 branch for now. Working against master is fine. I'll look into bug 1686004 as well.
For documentation purposes, I'll attach the following to this bug:

audit.log
audit2allow output
audit2why output
Created attachment 1541441 [details] audit.log

audit.log on RHEL8
Created attachment 1541443 [details] audit2allow
Created attachment 1541444 [details] audit2why
https://bugzilla.redhat.com/show_bug.cgi?id=1687485#c4
PR merged: https://github.com/redhat-openstack/openstack-selinux/pull/28
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811