Bug 1872651 - update selinux policy to allow timemaster service and sockets for ptp ports
Summary: update selinux policy to allow timemaster service and sockets for ptp ports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: z2
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Julie Pichon
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks: 1825895 1944618 1944622
Reported: 2020-08-26 09:50 UTC by Haresh Khandelwal
Modified: 2021-03-30 11:25 UTC (History)

Fixed In Version: openstack-selinux-0.8.24-1.20200907103359.f6ad869.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-28 15:46:35 UTC
Target Upstream Version:
Embargoed:


Attachments
audit log (320.63 KB, text/plain)
2020-08-31 18:42 UTC, Haresh Khandelwal


Links
- GitHub redhat-openstack/openstack-selinux pull 69 (closed): Allow timemaster/ptp4l_t to create sockets. Last updated 2021-02-01 09:50:37 UTC
- Red Hat Product Errata RHSA-2020:4381. Last updated 2020-10-28 15:46:46 UTC

Description Haresh Khandelwal 2020-08-26 09:50:35 UTC
Description of problem:
The default SELinux policy for the NFV node is "enforcing" and prevents the timemaster service from running on overcloud nodes.

Look below. 

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2020-08-25 18:31:00 UTC; 34min ago
 Main PID: 8527 (code=exited, status=203/EXEC)

Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: Started Synchronize system clock to NTP and PTP time sources.
Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: timemaster.service: Main process exited, code=exited, status=203/EXEC
Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: timemaster.service: Failed with result 'exit-code'.

After disabling SELinux:
[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-25 19:10:18 UTC; 2min 6s ago
 Main PID: 2573 (timemaster)
    Tasks: 6 (limit: 357097)
   Memory: 5.1M
   CGroup: /system.slice/timemaster.service
           ├─2573 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─2577 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─2582 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           ├─2583 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
           ├─2587 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.1.conf -H -i eno2
           └─2588 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.1.socket -t [0:eno2] -n 0 -E ntpshm -M 1

Aug 25 19:11:53 hareshcomputesriov-0 ptp4l[2587]: [152.562] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:11:53 hareshcomputesriov-0 ptp4l[2582]: [153.196] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:00 hareshcomputesriov-0 ptp4l[2582]: [160.025] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:01 hareshcomputesriov-0 ptp4l[2587]: [160.405] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:07 hareshcomputesriov-0 ptp4l[2587]: [166.422] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:08 hareshcomputesriov-0 ptp4l[2582]: [167.671] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:13 hareshcomputesriov-0 ptp4l[2587]: [172.930] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:15 hareshcomputesriov-0 ptp4l[2582]: [174.455] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:20 hareshcomputesriov-0 ptp4l[2587]: [180.331] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:21 hareshcomputesriov-0 ptp4l[2582]: [180.978] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master

Also, timemaster creates sockets to run PTP, which are blocked by the SELinux policy.

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 17:24:45 UTC; 3s ago
 Main PID: 544428 (timemaster)
    Tasks: 4 (limit: 357097)
   Memory: 2.4M
   CGroup: /system.slice/timemaster.service
           ├─544428 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─544429 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─544430 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           └─544431 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0

Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.889] process 544429 started: /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.890] process 544430 started: /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.890] process 544431 started: /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
Aug 11 17:24:45 hareshcomputesriov-0 chronyd[544429]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Aug 11 17:24:45 hareshcomputesriov-0 phc2sys[544431]: [2873884.891] [0:eno1] uds: sendto failed: No such file or directory
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] socket failed: Permission denied  <<<<<<<<<<<<<<<<<<
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] port 1: INITIALIZING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] port 0: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:24:45 hareshcomputesriov-0 chronyd[544429]: Frequency 4.437 +/- 0.044 ppm read from /var/lib/chrony/drift
Aug 11 17:24:46 hareshcomputesriov-0 phc2sys[544431]: [2873885.891] [0:eno1] Waiting for ptp4l...
[root@hareshcomputesriov-0 heat-admin]# 

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 17:33:22 UTC; 5s ago
 Main PID: 5377 (timemaster)
    Tasks: 4 (limit: 357097)
   Memory: 3.1M
   CGroup: /system.slice/timemaster.service
           ├─5377 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─5378 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─5379 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           └─5380 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0

Aug 11 17:33:22 hareshcomputesriov-0 timemaster[5377]: [231.831] process 5379 started: /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
Aug 11 17:33:22 hareshcomputesriov-0 chronyd[5378]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Aug 11 17:33:22 hareshcomputesriov-0 timemaster[5377]: [231.831] process 5380 started: /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
Aug 11 17:33:22 hareshcomputesriov-0 chronyd[5378]: Frequency 4.372 +/- 0.325 ppm read from /var/lib/chrony/drift
Aug 11 17:33:22 hareshcomputesriov-0 phc2sys[5380]: [231.832] [0:eno1] uds: sendto failed: No such file or directory
Aug 11 17:33:22 hareshcomputesriov-0 ptp4l[5379]: [231.850] [0:eno1] port 1: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:33:22 hareshcomputesriov-0 ptp4l[5379]: [231.850] [0:eno1] port 0: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:33:23 hareshcomputesriov-0 phc2sys[5380]: [232.833] [0:eno1] Waiting for ptp4l...
Aug 11 17:33:24 hareshcomputesriov-0 ptp4l[5379]: [233.875] [0:eno1] port 1: new foreign master e4434b.fffe.499fda-1
Aug 11 17:33:26 hareshcomputesriov-0 chronyd[5378]: Selected source 10.11.160.238

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install linuxptp on the overcloud
2. Start the timemaster service
3. Check the status

Actual results:
We need to update the SELinux policy due to this RFE.
https://bugzilla.redhat.com/show_bug.cgi?id=1825895

This provides support for the timemaster service implementation with TripleO.

Expected results:


Additional info:

Comment 1 Julie Pichon 2020-08-26 10:21:01 UTC
Hi. Please reproduce the issue in permissive mode, and attach the resulting audit.log file to this bug. Thanks!

Comment 3 Julie Pichon 2020-08-26 12:38:11 UTC
Thank you for the update, although it would be helpful to also have the full log file with context :)

It's strange, the timemaster files don't seem to be labelled correctly (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some of these denials. I don't think we can add a rule to allow stuff on unlabelled files so we need to figure out what is labelled wrong.

The timemaster labels appear to be defined in the main policy: https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/linuxptp.fc

How is this installed? Can you paste the results of ls -lZ /usr/sbin/timemaster ?

Comment 4 Haresh Khandelwal 2020-08-26 12:49:22 UTC
(In reply to Julie Pichon from comment #3)
> Thank you for the update, although it would be helpful to also have the full
> log file with context :)
> 

Sure, will upload to BZ. I need to recreate it though.  

> It's strange, the timemaster files don't seem to be labelled correctly
> (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some
> of these denials. I don't think we can add a rule to allow stuff on
> unlabelled files so we need to figure out what is labelled wrong.
> 
> The timemaster labels appear to be defined in the main policy:
> https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/
> linuxptp.fc
> 

So the story is, linuxptp is not part of the overcloud image we are shipping today. For my RFE work, I modified the overcloud image. However, I am discussing with the release team how to add this package properly to the overcloud image. Also note, linuxptp is not being shipped along with RHEL.

> How is this installed? Can you paste the results of ls -lZ
> /usr/sbin/timemaster ?

-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16  2019 /usr/sbin/timemaster

Comment 5 Julie Pichon 2020-08-26 13:06:23 UTC
Thanks for the answer!

(In reply to Haresh Khandelwal from comment #4)
> (In reply to Julie Pichon from comment #3)
> > Thank you for the update, although it would be helpful to also have the full
> > log file with context :)
> > 
> 
> Sure, will upload to BZ. I need to recreate it though.  

Cool, that's not urgent - we can wait until we've fixed the unlabelled error and see what denials remain then.

> > How is this installed? Can you paste the results of ls -lZ
> > /usr/sbin/timemaster ?
> 
> -rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16  2019
> /usr/sbin/timemaster

Right, that's the problem for at least 2 of the denials. `$ restorecon -v /usr/sbin/timemaster` should resolve this, although restorecon should likely be run for every file that timemaster installs.

Comment 6 Julie Pichon 2020-08-28 13:44:22 UTC
(In reply to Haresh Khandelwal from comment #4)
> So story is, linuxptp is not part of overcloud image we are shipping it
> today. For my RFE work, i modified overcloud image. However, i am discussing
> with release team how to add this package rightfully in overcloud image.
> Also note, linuxptp is not being shipped along with rhel. 

Are you using virt-customize? I was just told about the --selinux-relabel flag which should resolve the issue with the wrong labels on install.

Once you have timemaster labelled correctly (confirmed with ls -lZ), please try to reproduce the issue in the description. If it still fails, please reproduce in permissive mode and provide the new audit logs with the denials. Thank you!

Comment 7 Haresh Khandelwal 2020-08-31 18:42:37 UTC
Created attachment 1713200 [details]
audit log

Comment 8 Haresh Khandelwal 2020-08-31 18:44:42 UTC
(In reply to Julie Pichon from comment #6)
> (In reply to Haresh Khandelwal from comment #4)
> > So story is, linuxptp is not part of overcloud image we are shipping it
> > today. For my RFE work, i modified overcloud image. However, i am discussing
> > with release team how to add this package rightfully in overcloud image.
> > Also note, linuxptp is not being shipped along with rhel. 
> 
> Are you using virt-customize? I was just told about the --selinux-relabel
> flag which should resolve the issue with the wrong labels on install.

Yes, using --selinux-relabel with virt-customize lets the timemaster service run.
However, timemaster implicitly runs ptp4l, which acquires sockets and failed.

> 
> Once you have timemaster labelled correctly (confirmed with ls -lZ), please
> try to reproduce the issue in the description. If it still fails, please
> reproduce in permissive mode and provide the new audit logs with the
> denials. Thank you!

I have attached the audit.log from permissive mode. ptp4l fails to create a socket.

Comment 9 Julie Pichon 2020-09-03 17:44:43 UTC
Thank you for the update, glad the relabel worked. It looks like the missing rules remaining are as follows:

#============= ptp4l_t ==============
allow ptp4l_t self:capability sys_admin;
allow ptp4l_t self:packet_socket create_socket_perms;

It looks like the second rule is already shipped in Fedora, and the first one will be soon - this is basically a duplicate of bug 1759214 which will be fixed in RHEL. I don't know if the fix will be backported to 8.2 though, so we can carry the rules in openstack-selinux too until then. I'll prepare a patch.
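The triage in comments 3, 5 and 9 (denials against unlabeled_t need a relabel, the rest need policy rules) as an added Python example; this is not code from this bug or from openstack-selinux. The AVC lines are constructed samples in the shape of audit.log entries, not the attached log, and the pids, comm values, device and inode numbers in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample denials (not the attached audit.log): one caused by a
# mislabelled /usr/sbin/timemaster, three genuine gaps in the ptp4l_t policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1598457060.101:201): avc:  denied  { execute } for  pid=8527 comm="(timemast)" name="timemaster" dev="vda2" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1598457085.202:244): avc:  denied  { create } for  pid=544430 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1598457085.203:245): avc:  denied  { sys_admin } for  pid=544430 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1598457085.204:246): avc:  denied  { bind } for  pid=544430 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
"""

# Pull permissions, source domain, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Return (source_domain, target_type, tclass, perms) for each AVC line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((m.group("sdom"), m.group("ttype"),
                          m.group("tclass"), tuple(m.group("perms").split())))
    return found


def triage(text):
    """Split denials into relabel problems and candidate allow rules.

    A denial against unlabeled_t is not fixed by a policy rule (comment 3); it
    needs restorecon or virt-customize --selinux-relabel. Everything else is
    aggregated per (domain, target, class), as audit2allow would present it.
    """
    relabel, rules = [], defaultdict(set)
    for sdom, ttype, tclass, perms in parse_denials(text):
        if ttype == "unlabeled_t":
            relabel.append((sdom, tclass, perms))
        else:
            target = "self" if sdom == ttype else ttype
            rules[(sdom, target, tclass)].update(perms)
    out = []
    for (sdom, target, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = f"{{ {p} }}" if len(perms) > 1 else p
        out.append(f"allow {sdom} {target}:{tclass} {p};")
    return relabel, out
```

The aggregated output lists raw permission names; `create_socket_perms` in the rule above is the policy macro that covers them, which is what to compare against the shipped policy before adding anything.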

Comment 10 Julie Pichon 2020-09-07 13:52:17 UTC
There is an RPM available with the missing rules from the audit logs provided. Would you be able to test it and confirm that it resolves the issue? Thank you!

Comment 24 errata-xmlrpc 2020-10-28 15:46:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openstack-selinux security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4381

