Created attachment 1641564
all log info

Description of problem:
RHVH 4.4: AVC denied errors (dac_override) in audit.log

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.4.0-20191201.0.el8_1

How reproducible:
80%

Steps to Reproduce:
1. RHVH-4.4-20191201.7-RHVH-x86_64-dvd1.iso installed successfully. SELinux in enforcing mode as default.
2. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".
3.

Actual results:
# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0

Expected results:
No AVC denied errors in audit.log

Additional info:
Update with the latest 4.4 host.

# imgbase w
You are on rhvh-4.4.0.12-0.20200205.0+1

# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1580981055.672:35): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981055.672:36): avc: denied { create } for pid=1653 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1580981057.796:49): avc: denied { dac_override } for pid=1616 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
# imgbase w
You are on rhvh-4.4.0.14-0.20200226.0+1

[root@hp-dl385g8-03 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1582791550.957:34): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791550.957:35): avc: denied { create } for pid=1820 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1582791551.878:46): avc: denied { dac_override } for pid=1605 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Still can reproduce this issue with the latest RHVH 4.4.

# imgbase w
You are on rhvh-4.4.0.21-0.20200518.0+1

[root@hp-bl460cg9-01 ~]# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1589858781.058:35): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.058:36): avc: denied { create } for pid=1948 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1589858781.448:39): avc: denied { dac_override } for pid=1708 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Gobinda can you please have a look?
This looks like there may be some SELinux policy missing for gluster RDMA. It looks like a denial for the RDMA socket. If we try to start glusterd using the "glusterd" command and systemctl interchangeably, then this error is seen. @Sanju Can you please confirm?
AVC denials don't seem to harm functionality, postponing to 4.4.3
Lev any update on this?
(In reply to Sandro Bonazzola from comment #10)
> Lev any update on this?

No, not yet.
On the latest RHVH we get:

type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
Sent a patch to selinux-policy repo: https://github.com/fedora-selinux/selinux-policy/pull/496
After further debugging while adding more permissions it appears that we get the following errors:

type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1606825452.994:33): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:32): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:33): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.919:32): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0

Thus the full list of the permissions required is:

allow glusterd_t self:netlink_rdma_socket { bind create setopt }
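The comment above derives one allow rule by hand from a set of AVC records. The following is an added example, not code from this bug report or from the selinux-policy project, showing the same derivation mechanically: it parses audit.log AVC records, collapses them by (source type, target, object class), reduces the target to "self" when scontext and tcontext are identical, and emits the covering allow rules. The sample records are taken from this report plus one constructed non-AVC line to show that unrelated records are skipped; in practice audit2allow does this job, and this parser only illustrates the logic.

```python
import re
from collections import defaultdict

# Field layout of an AVC denial record as written to /var/log/audit/audit.log.
# Optional fields such as capability=N sit between comm= and scontext=, hence .*?
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)

# Sample input: six glusterd records and one firewalld record from the report,
# plus a constructed SYSCALL line that the parser must ignore.
SAMPLE_LOG = """\
type=AVC msg=audit(1606825452.994:32): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1606825452.994:33): avc: denied { create } for pid=2240 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=SYSCALL msg=audit(1606825452.994:33): arch=c000003e syscall=41 success=no exit=-13 comm="glusterd" (constructed filler line)
type=AVC msg=audit(1607334511.266:32): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607334511.266:33): avc: denied { setopt } for pid=2341 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.918:31): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1607336313.919:32): avc: denied { bind } for pid=2379 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1575354047.697:51): avc: denied { dac_override } for pid=2882 comm="firewalld" capability=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
"""


def parse_avc(line):
    """Return a dict of the AVC fields, or None for a non-AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())   # "{ bind create }" may list several
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def type_of(context):
    """user:role:type:level -> type, e.g. system_u:system_r:glusterd_t:s0 -> glusterd_t."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target, class); merge perms and count events."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = type_of(rec["scontext"])
        # SELinux policy writes a rule whose target equals its source as "self".
        tgt = "self" if rec["scontext"] == rec["tcontext"] else type_of(rec["tcontext"])
        g = groups[(src, tgt, rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return groups


def allow_rules(lines):
    """Render one allow rule per group, permissions sorted for stable output."""
    rules = []
    for (src, tgt, tclass), g in sorted(summarize(lines).items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {src} {tgt}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    for (src, tgt, tclass), g in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"# {g['count']} denial(s) from {', '.join(sorted(g['comms']))}")
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

The glusterd group collapses to exactly the rule given in the comment above, and the firewalld records collapse to a separate capability rule. Each derived rule still needs a human decision before it goes into policy: a generated allow widens the domain's privileges to whatever the denied operation was, and comment #10's note that the denials did not harm functionality is the kind of observation that argues for checking whether an operation should be allowed or simply silenced.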
Update: After clearing the audit log on this same machine, and then rebooting / un-registering from the engine, the AVC errors do not re-appear. So I will verify this bug after getting a new build which includes the fix patch.
Lev see comment in your PR "consider cherry-picking to https://github.com/gluster/glusterfs-selinux/"
Also, Lev, do you know in which rpm your fix will be included?
(In reply to Sandro Bonazzola from comment #17)
> Lev see comment in your PR "consider cherry-picking to
> https://github.com/gluster/glusterfs-selinux/"

Ported the patch and pushed a PR to glusterfs-selinux repo as well: https://github.com/gluster/glusterfs-selinux/pull/18
(In reply to Sandro Bonazzola from comment #18)
> Also, Lev, do you know in which rpm your fix will be included?

I expected the fix to be included in the next release of selinux-policy-targeted; however, checking the builds made after the fix was merged, it's still not there. Contacting the selinux-policy package maintainer (who builds the -targeted as well) for clarifications.
If I understand correctly, the fix will be delivered as a part of bz#1937300 so no further selinux-policy backport is needed.
# imgbase w
You are on rhvh-4.4.5.4-0.20210330.0+1

# grep "avc: denied" /var/log/audit/audit.log
type=AVC msg=audit(1617263279.650:39): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1617263279.651:40): avc: denied { create } for pid=2474 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
redhat-virtualization-host-4.4.6-20210402.2.el8_4 contains glusterfs-selinux-1.0-3.el8rhgs.noarch
Test version:
rhvh-4.4.6.1-0.20210409.0+1
glusterfs-selinux-1.0-4.el8rhgs.noarch

Test steps:
1. Install RHVH-4.4.6 successfully. SELinux in enforcing mode as default.
2. Register to engine.
3. Login to RHVH and run "grep "avc: denied" /var/log/audit/audit.log".

Test result:
No AVC denied errors in audit.log

So the bug is fixed, change bug status to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Virtualization Host security update [ovirt-4.4.6]), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2239