Bug 1732578 - (selinux-osp-container) Unable to access host directory from within container : getting permission denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 15.0 (Stein)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ga
Target Release: 15.0 (Stein)
Assignee: Julie Pichon
QA Contact: Pavan
URL:
Whiteboard:
Depends On:
Blocks: 1624491
Reported: 2019-07-23 19:17 UTC by Pavan
Modified: 2019-09-27 10:44 UTC (History)

Fixed In Version: openstack-selinux-0.8.20-0.20190904140454.936ea4f.el8ost ansible-role-thales-hsm-0.2.1-0.20190906180426.1d88cc9.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-21 11:24:01 UTC
Target Upstream Version:


Attachments
selinux-permissive-audit.log (5.51 KB, text/plain)
2019-07-23 19:17 UTC, Pavan
audit log for setup process (3.91 MB, text/plain)
2019-08-29 20:04 UTC, Ade Lee
audit log for restarting barbican containers (28.00 KB, text/plain)
2019-08-29 20:05 UTC, Ade Lee
audit log for using barbican to store secrets (81.78 KB, text/plain)
2019-08-29 20:06 UTC, Ade Lee


Links
System ID Private Priority Status Summary Last Updated
Github redhat-openstack openstack-selinux pull 39 0 'None' 'closed' 'Add off-by-default boolean for barbican containers' 2019-11-25 21:24:53 UTC
OpenStack gerrit 680419 0 'None' 'MERGED' 'Allow barbican to access /opt/nfast when selinux is enforcing' 2019-11-25 21:24:52 UTC
OpenStack gerrit 680743 0 'None' 'MERGED' 'Fix typo in distro test' 2019-11-25 21:24:52 UTC
OpenStack gerrit 680744 0 'None' 'MERGED' 'Fix typo in distro test' 2019-11-25 21:24:52 UTC
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:24:19 UTC

Description Pavan 2019-07-23 19:17:01 UTC
Created attachment 1592951
selinux-permissive-audit.log

Description of problem:
We are trying to integrate Thales HSM with Barbican enabled OSP-15 to verify the feature request per BZ#1624491. The OSP overcloud nodes are clients to the external Thales HSM server. 

During the client setup, the barbican containers are unable to access the HSM software directory in a volume mount on the controller.

Path to the thales HSM software directory on the controller: /opt/nfast

Version-Release number of selected component (if applicable):
RHOS_TRUNK-15.0-RHEL-8-20190716.n.0

How reproducible:
always

Steps to Reproduce:
Please reach out to pkesavar@redhat.com (IRC: pkesavar) to request access to the setup environment. Alternatively,

Actual results:

TASK [Debug output for task: Start containers for step 3] **********************
Tuesday 23 July 2019  11:24:03 -0400 (0:02:31.766)       0:22:08.397 ********** 
fatal: [controller-0]: FAILED! => {
    "failed_when_result": true,
    "outputs.stdout_lines | default([]) | union(outputs.stderr_lines | default([]))": [
        "Error running ['podman', 'run', '--name', 'barbican_api_create_hmac', '--label', 'config_id=tripleo_step3', '--label', 'container_name=barbican_api_create_hmac', '--label', 'managed_by=paunch', '--label
', 'config_data={\"command\": \"/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c \\'/usr/bin/barbican-manage  hsm check_hmac --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so --slot-id
 492971158 --passphrase pew2noises --label titan94_hmac_10 --key-type CKK_SHA256_HMAC || /usr/bin/barbican-manage hsm gen_hmac --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so --slot-id 492971158 --passp$
rase pew2noises --label titan94_hmac_10 --key-type CKK_SHA256_HMAC --mechanism CKM_NC_SHA256_HMAC_KEY_GEN \\'\", \"detach\": false, \"environment\": [\"TRIPLEO_DEPLOY_IDENTIFIER=1563893401\"], \"image\": \"192.$
68.24.1:8787/rhosp15/openstack-barbican-api:20190715.1\", \"net\": \"host\", \"start_order\": 0, \"user\": \"root\", \"volumes\": [\"/etc/hosts:/etc/hosts:ro\", \"/etc/localtime:/etc/localtime:ro\", \"/etc/pki/$
a-trust/extracted:/etc/pki/ca-trust/extracted:ro\", \"/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro\", \"/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro\", \"/etc/pki$
tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro\", \"/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro\", \"/dev/log:/dev/log\", \"/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro\", \"$
etc/puppet:/etc/puppet:ro\", \"/var/log/containers/barbican:/var/log/barbican:z\", \"/var/log/containers/httpd/barbican-api:/var/log/httpd:z\", \"/var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro\", 
\"/var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro\", \"/opt/nfast:/opt/nfast\"]}', '--conmon-pidfile=/var/run/barbican_api_create_hmac.pid', '--log-driver', 'json-file', '--log-opt', 'path=/var/lo$
/containers/stdouts/barbican_api_create_hmac.log', '--env=TRIPLEO_DEPLOY_IDENTIFIER=1563893401', '--net=host', '--user=root', '--volume=/etc/hosts:/etc/hosts:ro', '--volume=/etc/localtime:/etc/localtime:ro', '-$
volume=/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '--volume=/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '--volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs$
ca-bundle.crt:ro', '--volume=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '--volume=/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '--volume=/dev/log:/dev/log', '--volume$
/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro', '--volume=/etc/puppet:/etc/puppet:ro', '--volume=/var/log/containers/barbican:/var/log/barbican:z', '--volume=/var/log/containers/httpd/barbican-api:/var/l$
g/httpd:z', '--volume=/var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro', '--volume=/var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro', '--volume=/opt/nfast:/opt/nfast', '192.168.24.1:87$
7/rhosp15/openstack-barbican-api:20190715.1', '/usr/bin/bootstrap_host_exec', 'barbican_api', 'su', 'barbican', '-s', '/bin/bash', '-c', \"'/usr/bin/barbican-manage\", 'hsm', 'check_hmac', '--library-path', '/o$
t/nfast/toolkits/pkcs11/libcknfast.so', '--slot-id', '492971158', '--passphrase', 'pew2noises', '--label', 'titan94_hmac_10', '--key-type', 'CKK_SHA256_HMAC', '||', '/usr/bin/barbican-manage', 'hsm', 'gen_hmac'$
 '--library-path', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '--slot-id', '492971158', '--passphrase', 'pew2noises', '--label', 'titan94_hmac_10', '--key-type', 'CKK_SHA256_HMAC', '--mechanism', 'CKM_NC_SHA25$
_HMAC_KEY_GEN', \"'\"]. [1]",
        "stderr: ERROR: cannot load library '/opt/nfast/toolkits/pkcs11/libcknfast.so': /opt/nfast/toolkits/pkcs11/libcknfast.so: cannot open shared object file: Permission denied.  Additionally, ctypes.util.fi$
d_library() did not manage to locate a library called '/opt/nfast/toolkits/pkcs11/libcknfast.so'",
        "ERROR: cannot load library '/opt/nfast/toolkits/pkcs11/libcknfast.so': /opt/nfast/toolkits/pkcs11/libcknfast.so: cannot open shared object file: Permission denied.  Additionally, ctypes.util.find_libra$
y() did not manage to locate a library called '/opt/nfast/toolkits/pkcs11/libcknfast.so'"


Expected results:
Barbican containers are able to access the HSM software directory on the controller.


Additional info:

1) I tried to manually execute the command when 'selinux=enforcing'

[root@controller-0 audit]# getenforce 
Enforcing

[root@controller-0 audit]# podman run --rm --net host --user root --volume=/opt/nfast:/opt/nfast 1d6b1ad73a9b ls -alFZ /opt/nfast
ls: cannot open directory '/opt/nfast': Permission denied


2) when 'selinux=permissive' the command executed with success

[root@controller-0 audit]# setenforce 0
[root@controller-0 audit]# getenforce 
Permissive

[root@controller-0 audit]# podman run --rm --net host --user root --volume=/opt/nfast:/opt/nfast 1d6b1ad73a9b ls -alFZ /opt/nfast
total 40
drwxrwxr-x. 24 root root system_u:object_r:pki_common_t:s0               4096 Jul 23 15:13 ./
drwxr-xr-x.  1 root root system_u:object_r:container_file_t:s0:c354,c371   19 Jul 23 19:12 ../
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0                 18 Jan 14  2019 .bash_logout
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0                141 Jan 14  2019 .bash_profile
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0                312 Jan 14  2019 .bashrc
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0           4096 Nov  2  2017 bin/
drwxrwsr-x.  4 2061 2061 unconfined_u:object_r:pki_common_t:s0             27 Nov  2  2017 c/
-rw-r--r--.  1 root root system_u:object_r:pki_common_t:s0                 50 Jul 23 15:13 cknfastrc
drwxrwxr-x.  3 root root unconfined_u:object_r:pki_common_t:s0             19 Nov  2  2017 document/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0           4096 Nov  2  2017 driver/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0             18 Nov  2  2017 etc/
drwxrwsr-x.  2 2061 2061 unconfined_u:object_r:pki_common_t:s0             67 Nov  2  2017 femcerts/
drwxrwxr-x.  8 root root unconfined_u:object_r:pki_common_t:s0            106 Nov  2  2017 java/
drwxrwsr-x.  9 2061 2061 unconfined_u:object_r:pki_common_t:s0            122 Jul 12  2018 kmdata/
drwxr-xr-x.  5 root root unconfined_u:object_r:pki_common_t:s0           4096 Nov  2  2017 lib/
drwxrwsr-x.  2 2061 2061 unconfined_u:object_r:pki_common_t:s0            201 Jul 23 15:14 log/
drwxrwxr-x.  4 root root unconfined_u:object_r:pki_common_t:s0             49 Nov  2  2017 nethsm-firmware/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0             17 Nov  2  2017 openssl/
drwxrwxr-x.  9 root root unconfined_u:object_r:pki_common_t:s0            113 Nov  2  2017 python/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0            120 Nov  2  2017 sbin/
drwxr-xr-x. 12 root root unconfined_u:object_r:pki_common_t:s0            159 Jul 23 15:13 scripts/
drwxrwxr-x.  5 root root unconfined_u:object_r:pki_common_t:s0             51 Nov  2  2017 share/
drwxr-sr-x.  3 2061 2061 unconfined_u:object_r:pki_common_t:s0             33 Jul 23 15:14 sockets/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0             23 Nov  2  2017 sslclient/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0             98 Nov  2  2017 sslproxy/
drwxr-xr-x.  7 root root unconfined_u:object_r:pki_common_t:s0            114 Nov  2  2017 tcl/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0           4096 Nov  2  2017 testdata/
drwxr-xr-x.  6 root root unconfined_u:object_r:pki_common_t:s0             62 Nov  2  2017 toolkits/
[root@controller-0 audit]# 

3) I have attached the audit logs from when selinux was in permissive mode

Comment 4 Julie Pichon 2019-07-24 09:24:34 UTC
audit2allow output for the first log:

#============= container_t ==============
allow container_t pki_common_t:dir read;
allow container_t pki_common_t:file { execute open read };


audit2allow for the controller log:

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t cert_t:dir { relabelto setattr };
allow svirt_lxc_net_t cert_t:file { relabelto setattr };

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t svirt_sandbox_file_t:dir relabelto;

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t user_tmp_t:file open;
allow svirt_lxc_net_t user_tmp_t:file { relabelto setattr };
allow svirt_lxc_net_t var_lib_t:dir { add_name create relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:file { create ioctl open read relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:lnk_file { create setattr };


svirt_lxc_net_t appears to be an alias for container_t. pki_common_t and cert_t are both defined in selinux-policy-contrib.

Comment 5 Lon Hohberger 2019-07-29 18:37:04 UTC
Julie's correct on container_t being an alias for svirt_lxc_net_t.

I think this is allowable:

  allow container_t pki_common_t:dir read;
  allow container_t pki_common_t:file { execute open read };


I think these are also allowable:

  #!!!! This avc is allowed in the current policy # Probably later Fedora version?
  allow svirt_lxc_net_t svirt_sandbox_file_t:dir relabelto;

  #!!!! This avc is allowed in the current policy # Probably later Fedora version? This is read-only access
  allow svirt_lxc_net_t user_tmp_t:file open;


I don't like these at all.  These give svirt_lxc_net_t domains - i.e. all containers - write access to files in /etc/pki, /var/lib, and /tmp on the host, whenever they are bind-mounted:

  allow svirt_lxc_net_t cert_t:dir { relabelto setattr };
  allow svirt_lxc_net_t cert_t:file { relabelto setattr };

  allow svirt_lxc_net_t user_tmp_t:file { relabelto setattr };
  allow svirt_lxc_net_t var_lib_t:dir { add_name create relabelfrom setattr write };
  allow svirt_lxc_net_t var_lib_t:file { create ioctl open read relabelfrom setattr write };
  allow svirt_lxc_net_t var_lib_t:lnk_file { create setattr };


It sounds like these plugins need some cleanup or we need to mount the files used by the Barbican container another way.

Comment 6 Lon Hohberger 2019-07-29 19:14:16 UTC
So:

a) /var/lib/docker-puppet needs a label that can be accessed from within containers

b) We can allow the first couple of things there

c) ... what to do with cert_t?

d) ... what to do with user_tmp_t?

Comment 7 Julie Pichon 2019-07-30 08:52:13 UTC
(In reply to Lon Hohberger from comment #5)
>   #!!!! This avc is allowed in the current policy # Probably later Fedora
> version?

Strangely, I see the same 2 notices on a fresh RHEL8, with the following package versions:

selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch

Not sure what versions are on the host here?

Comment 8 Julie Pichon 2019-07-30 10:08:46 UTC
The user_tmp_t AVC denials seem related to a single file that's actually under /etc/, config.pp. Not sure what/how it gets created?

type=AVC msg=audit(1494425221.284:3946): avc: denied { open } for pid=225041 comm="puppet" path="/etc/config.pp" dev="vda2" ino=6660370 scontext=system_u:system_r:svirt_lxc_net_t:s0:c152,c463 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425234.138:4062): avc: denied { relabelto } for pid=227574 comm="cp" name="config.pp" dev="vda2" ino=113262756 scontext=system_u:system_r:svirt_lxc_net_t:s0:c199,c215 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425248.558:4230): avc: denied { setattr } for pid=229229 comm="cp" name="config.pp" dev="vda2" ino=12608319 scontext=system_u:system_r:svirt_lxc_net_t:s0:c201,c464 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

The cert_t denials mostly seem to have something to do with a README file...?!

type=AVC msg=audit(1494425226.461:3985): avc: denied { relabelto } for pid=226767 comm="cp" name="README" dev="vda2" ino=88081659 scontext=system_u:system_r:svirt_lxc_net_t:s0:c237,c579 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1494425246.443:4214): avc: denied { setattr } for pid=229163 comm="cp" name="README" dev="vda2" ino=93664 scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

Perhaps that can safely be ignored...? (The plugin cleanup you mentioned?) The others have something to do with Java:

type=AVC msg=audit(1494425246.443:4216): avc:  denied  { setattr } for  pid=229163 comm="cp" name="java" dev="vda2" ino=101215 scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1494425248.588:4233): avc:  denied  { relabelto } for  pid=229229 comm="cp" name="java" dev="vda2" ino=6663604 scontext=system_u:system_r:svirt_lxc_net_t:s0:c201,c464 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir

Many of the var_lib_t denials appear related to many other services:

type=AVC msg=audit(1494425236.873:4136): avc: denied { create } for pid=228172 comm="mkdir" name="nova_placement" scontext=system_u:system_r:svirt_lxc_net_t:s0:c283,c857 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1494425234.822:4099): avc: denied { write open } for pid=227724 comm="cp" path="/var/lib/config-data/heat/etc/DIR_COLORS" dev="vda2" ino=25167830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c289,c681 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425227.577:3995): avc: denied { write open } for pid=226869 comm="cp" path="/var/lib/config-data/glance_api/etc/DIR_COLORS" dev="vda2" ino=41943518 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c443 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425211.894:3920): avc: denied { read } for pid=224733 comm="docker-puppet-m" name="docker-puppet-mongodb.sh" dev="vda2" ino=54526155 scontext=system_u:system_r:svirt_lxc_net_t:s0:c783,c1002 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425246.388:4202): avc: denied { create } for pid=229162 comm="mkdir" name="gnocchi" scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

And also some var_lib_t ld/symlink failures:

type=AVC msg=audit(1494425251.457:4261): avc:  denied  { create } for  pid=229342 comm="cp" name="ld" scontext=system_u:system_r:svirt_lxc_net_t:s0:c859,c898 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1494425251.457:4262): avc:  denied  { setattr } for  pid=229342 comm="cp" name="ld" dev="vda2" ino=62947241 scontext=system_u:system_r:svirt_lxc_net_t:s0:c859,c898 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file

There's also a bunch of dispatcher.d errors which seem related to NetworkManager but probably should already be covered by the rules under "This avc is allowed in the current policy" mentioned above, e.g.

type=AVC msg=audit(1494425251.130:4243): avc: denied { relabelto } for pid=229305 comm="cp" name="dispatcher.d" dev="vda2" ino=20974255 scontext=system_u:system_r:svirt_lxc_net_t:s0:c410,c840 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c410,c840 tclass=dir

(In reply to Lon Hohberger from comment #6)
> So:
> 
> a) /var/lib/docker-puppet needs a label that can be accessed from within
> containers
> 
> b) We can allow the first couple of things there
> 
> c) ... what to do with cert_t?
> 
> d) ... what to do with user_tmp_t?

I am not sure about a) and what creates it, but I wonder if doing b) would be sufficient at this point to resolve the issue with the command that's explicitly mentioned in the description, at least?
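
An added example, not part of the bug thread or the openstack-selinux project: the by-hand triage from comments 5 and 8 written as Python, which groups AVC denials into audit2allow-style rules and separates read-only grants from ones that would let the container domain modify or relabel host objects. The `MODIFYING` grouping and the final `pki_common_t` record are assumptions of the example; the other records are copied from comment 8.

```python
import re
from collections import defaultdict

# Domain alias stated in comments 4 and 5 of this bug.
ALIASES = {"svirt_lxc_net_t": "container_t"}

# Permissions that change or relabel the target object. This grouping is an
# assumption of the example, modelled on the rules objected to in comment 5.
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr",
             "relabelto", "relabelfrom", "add_name", "remove_name"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Records copied from comment 8.
PAGE_RECORDS = """\
type=AVC msg=audit(1494425221.284:3946): avc: denied { open } for pid=225041 comm="puppet" path="/etc/config.pp" dev="vda2" ino=6660370 scontext=system_u:system_r:svirt_lxc_net_t:s0:c152,c463 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425234.138:4062): avc: denied { relabelto } for pid=227574 comm="cp" name="config.pp" dev="vda2" ino=113262756 scontext=system_u:system_r:svirt_lxc_net_t:s0:c199,c215 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425226.461:3985): avc: denied { relabelto } for pid=226767 comm="cp" name="README" dev="vda2" ino=88081659 scontext=system_u:system_r:svirt_lxc_net_t:s0:c237,c579 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1494425246.443:4216): avc:  denied  { setattr } for  pid=229163 comm="cp" name="java" dev="vda2" ino=101215 scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1494425234.822:4099): avc: denied { write open } for pid=227724 comm="cp" path="/var/lib/config-data/heat/etc/DIR_COLORS" dev="vda2" ino=25167830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c289,c681 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425211.894:3920): avc: denied { read } for pid=224733 comm="docker-puppet-m" name="docker-puppet-mongodb.sh" dev="vda2" ino=54526155 scontext=system_u:system_r:svirt_lxc_net_t:s0:c783,c1002 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425251.457:4261): avc:  denied  { create } for  pid=229342 comm="cp" name="ld" scontext=system_u:system_r:svirt_lxc_net_t:s0:c859,c898 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
"""

# Constructed record (not from the attached logs) for the read-only /opt/nfast case.
CONSTRUCTED_RECORD = """\
type=AVC msg=audit(0.0:1): avc: denied { read } for pid=1 comm="ls" name="nfast" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir
"""

SAMPLE_AUDIT = PAGE_RECORDS + CONSTRUCTED_RECORD


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = selinux_type(m["scon"])
    return {"source": ALIASES.get(src, src),
            "target": selinux_type(m["tcon"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split())}


def aggregate(text):
    """Merge denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def review(rules):
    """Return [(allow_rule_text, modifying_perms)], sorted by rule key."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append((f"allow {src} {tgt}:{tclass} {body};",
                    sorted(perms & MODIFYING)))
    return out


if __name__ == "__main__":
    for rule, risky in review(aggregate(SAMPLE_AUDIT)):
        verdict = "REVIEW, modifies host object: " + ", ".join(risky) if risky else "read-only"
        print(f"{rule:62} {verdict}")
```

Rules with an empty second element correspond to the read-only grants accepted in comment 5; any rule listing modifying permissions needs the per-path review that comment 8 goes on to do.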

Comment 9 Lon Hohberger 2019-08-02 17:06:26 UTC
Yeah, that sounds like a good, simple plan to start with.

Comment 11 Lon Hohberger 2019-08-12 19:12:18 UTC
Merged upstream; awaiting build

Comment 25 Ade Lee 2019-08-29 20:04:26 UTC
Created attachment 1609683
audit log for setup process

This includes setup + restart of container + storing secrets

Comment 26 Ade Lee 2019-08-29 20:05:45 UTC
Created attachment 1609684
audit log for restarting barbican containers

Just for restarting the barbican_api, barbican_worker, barbican_keystone_listener with podman restart ...

Comment 27 Ade Lee 2019-08-29 20:06:30 UTC
Created attachment 1609685
audit log for using barbican to store secrets

Container is already running here.

Comment 28 Julie Pichon 2019-08-30 15:44:46 UTC
Thank you for the logs. It looks like the cert_t denials that were there before (comment 4 / comment 2) no longer show up?

All the rules from the denials in those last 3 logs look like this:

#============= chronyd_t ==============
allow chronyd_t cloud_init_t:unix_dgram_socket sendto;

#============= container_t ==============
allow container_t init_t:dbus send_msg;
allow container_t initrc_t:unix_stream_socket connectto;
allow container_t pki_common_t:dir { add_name remove_name write };
allow container_t pki_common_t:file { append create lock rename write };
allow container_t pki_common_t:sock_file write;
allow container_t system_dbusd_t:dbus send_msg;

#============= init_t ==============
allow init_t container_t:dbus send_msg;

I suspect chronyd_t is unrelated and can be safely ignored at this point.

The pki_common_t ones are obviously necessary and directly reference /opt/nfast.

"allow container_t initrc_t:unix_stream_socket connectto;" seems related to barbican-manage as well.

The 3 dbus / systemd are USER_AVCs that seem unrelated to barbican commands.

Comment 29 Julie Pichon 2019-09-02 11:28:24 UTC
PR is up to add a boolean that is off-by-default and adds the permissions above: https://github.com/redhat-openstack/openstack-selinux/pull/39

As discussed on IRC on Friday, the boolean will need to be enabled during the installation process for that plug-in. If in THT, there are some examples on how to do that (e.g. https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/logrotate/logrotate-crond-container-puppet.yaml#L75)

Comment 34 Lon Hohberger 2019-09-05 14:31:18 UTC
Requires:

https://review.opendev.org/#/c/680419/

Comment 35 Lon Hohberger 2019-09-05 14:31:53 UTC
This has a correlative fix in ansible-role-thales-hsm --- moving to POST.

Comment 36 Lon Hohberger 2019-09-05 15:05:27 UTC
The build is now available: ansible-role-thales-hsm-0.2.1-0.20190905145234.1b2df10.el8ost

Comment 53 errata-xmlrpc 2019-09-21 11:24:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811

