Description of problem:
The default selinux policy for an nfv node is "enforcing" and prevents the timemaster service from running on overcloud nodes. Look below.

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2020-08-25 18:31:00 UTC; 34min ago
 Main PID: 8527 (code=exited, status=203/EXEC)

Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: Started Synchronize system clock to NTP and PTP time sources.
Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: timemaster.service: Main process exited, code=exited, status=203/EXEC
Aug 25 18:31:00 hareshcomputesriov-0 systemd[1]: timemaster.service: Failed with result 'exit-code'.

After disabling selinux:

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-25 19:10:18 UTC; 2min 6s ago
 Main PID: 2573 (timemaster)
    Tasks: 6 (limit: 357097)
   Memory: 5.1M
   CGroup: /system.slice/timemaster.service
           ├─2573 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─2577 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─2582 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           ├─2583 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
           ├─2587 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.1.conf -H -i eno2
           └─2588 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.1.socket -t [0:eno2] -n 0 -E ntpshm -M 1

Aug 25 19:11:53 hareshcomputesriov-0 ptp4l[2587]: [152.562] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:11:53 hareshcomputesriov-0 ptp4l[2582]: [153.196] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:00 hareshcomputesriov-0 ptp4l[2582]: [160.025] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:01 hareshcomputesriov-0 ptp4l[2587]: [160.405] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:07 hareshcomputesriov-0 ptp4l[2587]: [166.422] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:08 hareshcomputesriov-0 ptp4l[2582]: [167.671] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:13 hareshcomputesriov-0 ptp4l[2587]: [172.930] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:15 hareshcomputesriov-0 ptp4l[2582]: [174.455] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master
Aug 25 19:12:20 hareshcomputesriov-0 ptp4l[2587]: [180.331] [0:eno2] selected local clock e4434b.fffe.4a0c24 as best master
Aug 25 19:12:21 hareshcomputesriov-0 ptp4l[2582]: [180.978] [0:eno1] selected local clock e4434b.fffe.4a0c22 as best master

Also, timemaster creates sockets to run ptp which are blocked by the selinux policy:

[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 17:24:45 UTC; 3s ago
 Main PID: 544428 (timemaster)
    Tasks: 4 (limit: 357097)
   Memory: 2.4M
   CGroup: /system.slice/timemaster.service
           ├─544428 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─544429 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─544430 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           └─544431 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0

Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.889] process 544429 started: /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.890] process 544430 started: /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
Aug 11 17:24:45 hareshcomputesriov-0 timemaster[544428]: [2873884.890] process 544431 started: /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
Aug 11 17:24:45 hareshcomputesriov-0 chronyd[544429]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Aug 11 17:24:45 hareshcomputesriov-0 phc2sys[544431]: [2873884.891] [0:eno1] uds: sendto failed: No such file or directory
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] socket failed: Permission denied <<<<<<<<<<<<<<<<<<
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] port 1: INITIALIZING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
Aug 11 17:24:45 hareshcomputesriov-0 ptp4l[544430]: [2873884.891] [0:eno1] port 0: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:24:45 hareshcomputesriov-0 chronyd[544429]: Frequency 4.437 +/- 0.044 ppm read from /var/lib/chrony/drift
Aug 11 17:24:46 hareshcomputesriov-0 phc2sys[544431]: [2873885.891] [0:eno1] Waiting for ptp4l...

[root@hareshcomputesriov-0 heat-admin]#
[root@hareshcomputesriov-0 heat-admin]# systemctl status timemaster
● timemaster.service - Synchronize system clock to NTP and PTP time sources
   Loaded: loaded (/usr/lib/systemd/system/timemaster.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-11 17:33:22 UTC; 5s ago
 Main PID: 5377 (timemaster)
    Tasks: 4 (limit: 357097)
   Memory: 3.1M
   CGroup: /system.slice/timemaster.service
           ├─5377 /usr/sbin/timemaster -f /etc/timemaster.conf
           ├─5378 /usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf
           ├─5379 /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
           └─5380 /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0

Aug 11 17:33:22 hareshcomputesriov-0 timemaster[5377]: [231.831] process 5379 started: /usr/sbin/ptp4l -l 5 -f /var/run/timemaster/ptp4l.0.conf -H -i eno1
Aug 11 17:33:22 hareshcomputesriov-0 chronyd[5378]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Aug 11 17:33:22 hareshcomputesriov-0 timemaster[5377]: [231.831] process 5380 started: /usr/sbin/phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [0:eno1] -n 0 -E ntpshm -M 0
Aug 11 17:33:22 hareshcomputesriov-0 chronyd[5378]: Frequency 4.372 +/- 0.325 ppm read from /var/lib/chrony/drift
Aug 11 17:33:22 hareshcomputesriov-0 phc2sys[5380]: [231.832] [0:eno1] uds: sendto failed: No such file or directory
Aug 11 17:33:22 hareshcomputesriov-0 ptp4l[5379]: [231.850] [0:eno1] port 1: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:33:22 hareshcomputesriov-0 ptp4l[5379]: [231.850] [0:eno1] port 0: INITIALIZING to LISTENING on INIT_COMPLETE
Aug 11 17:33:23 hareshcomputesriov-0 phc2sys[5380]: [232.833] [0:eno1] Waiting for ptp4l...
Aug 11 17:33:24 hareshcomputesriov-0 ptp4l[5379]: [233.875] [0:eno1] port 1: new foreign master e4434b.fffe.499fda-1
Aug 11 17:33:26 hareshcomputesriov-0 chronyd[5378]: Selected source 10.11.160.238

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. install linuxptp on overcloud
2. start timemaster service
3. check the status

Actual results:
We need to update the selinux policy due to this RFE:
https://bugzilla.redhat.com/show_bug.cgi?id=1825895
This provides support for the timemaster service implementation with tripleO.

Expected results:

Additional info:
Hi. Please reproduce the issue in permissive mode, and attach the resulting audit.log file to this bug. Thanks!
Thank you for the update, although it would be helpful to also have the full log file with context :) It's strange, the timemaster files don't seem to be labelled correctly (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some of these denials. I don't think we can add a rule to allow stuff on unlabelled files so we need to figure out what is labelled wrong. The timemaster labels appear to be defined in the main policy: https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/linuxptp.fc How is this installed? Can you paste the results of ls -lZ /usr/sbin/timemaster ?
(In reply to Julie Pichon from comment #3)
> Thank you for the update, although it would be helpful to also have the full
> log file with context :)

Sure, will upload to BZ. I need to recreate it though.

> It's strange, the timemaster files don't seem to be labelled correctly
> (system_u:object_r:unlabeled_t:s0) and I think that's causing at least some
> of these denials. I don't think we can add a rule to allow stuff on
> unlabelled files so we need to figure out what is labelled wrong.
>
> The timemaster labels appear to be defined in the main policy:
> https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/linuxptp.fc

So the story is, linuxptp is not part of the overcloud image we are shipping today. For my RFE work, I modified the overcloud image. However, I am discussing with the release team how to add this package rightfully in the overcloud image. Also note, linuxptp is not being shipped along with RHEL.

> How is this installed? Can you paste the results of ls -lZ
> /usr/sbin/timemaster ?

-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16 2019 /usr/sbin/timemaster
Thanks for the answer!

(In reply to Haresh Khandelwal from comment #4)
> (In reply to Julie Pichon from comment #3)
> > Thank you for the update, although it would be helpful to also have the full
> > log file with context :)
> >
> Sure, will upload to BZ. I need to recreate it though.

Cool, that's not urgent - we can wait until we've fixed the unlabelled error and see what denials remain then.

> > How is this installed? Can you paste the results of ls -lZ
> > /usr/sbin/timemaster ?
>
> -rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 65344 May 16 2019
> /usr/sbin/timemaster

Right, that's the problem for at least 2 of the denials. `$ restorecon -v /usr/sbin/timemaster` should resolve this, although restorecon should likely be run for every file that timemaster installs.
(In reply to Haresh Khandelwal from comment #4)
> So story is, linuxptp is not part of overcloud image we are shipping it
> today. For my RFE work, i modified overcloud image. However, i am discussing
> with release team how to add this package rightfully in overcloud image.
> Also note, linuxptp is not being shipped along with rhel.

Are you using virt-customize? I was just told about the --selinux-relabel flag which should resolve the issue with the wrong labels on install.

Once you have timemaster labelled correctly (confirmed with ls -lZ), please try to reproduce the issue in the description. If it still fails, please reproduce in permissive mode and provide the new audit logs with the denials. Thank you!
Created attachment 1713200: audit log
(In reply to Julie Pichon from comment #6)
> (In reply to Haresh Khandelwal from comment #4)
> > So story is, linuxptp is not part of overcloud image we are shipping it
> > today. For my RFE work, i modified overcloud image. However, i am discussing
> > with release team how to add this package rightfully in overcloud image.
> > Also note, linuxptp is not being shipped along with rhel.
>
> Are you using virt-customize? I was just told about the --selinux-relabel
> flag which should resolve the issue with the wrong labels on install.

Yes, using --selinux-relabel with virt-customize lets the timemaster service run. However, timemaster implicitly runs ptp4l, which acquires sockets and fails.

> Once you have timemaster labelled correctly (confirmed with ls -lZ), please
> try to reproduce the issue in the description. If it still fails, please
> reproduce in permissive mode and provide the new audit logs with the
> denials. Thank you!

I have attached audit.log with permissive. ptp4l fails to create the socket.
Thank you for the update, glad the relabel worked. It looks like the missing rules remaining are as follows:

#============= ptp4l_t ==============
allow ptp4l_t self:capability sys_admin;
allow ptp4l_t self:packet_socket create_socket_perms;

It looks like the second rule is already shipped in Fedora, and the first one will be soon - this is basically a duplicate of bug 1759214 which will be fixed in RHEL. I don't know if the fix will be backported to 8.2 though, so we can carry the rules in openstack-selinux too until then. I'll prepare a patch.
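The two findings in this thread (comment 5: denials against an unlabeled_t file are a labelling problem to be fixed with restorecon, not with a rule; comment 9: the remaining ptp4l_t denials translate into allow rules) can be automated as a small triage pass over audit.log. The script below is an added example written for this page; it is not code from the bug, from openstack-selinux or from audit2allow. The AVC lines it parses are constructed to mimic the symptoms described here (systemd failing to exec an unlabeled_t /usr/sbin/timemaster, then ptp4l_t being denied packet_socket create/bind and the sys_admin capability); the attached audit.log is not reproduced. The record numbers, inode, pid and timestamp values are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (NOT the attachment from this bug).
# Records 301-302 mimic the original failure: systemd (init_t) cannot execute
# /usr/sbin/timemaster because the file carries unlabeled_t (status=203/EXEC).
# Records 303-305 mimic the ptp4l_t denials that remained after the relabel.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1598380260.001:301): avc:  denied  { execute } for  pid=8527 comm="(imemaster)" name="timemaster" dev="vda2" ino=4201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1598380260.002:302): avc:  denied  { read open } for  pid=8527 comm="timemaster" path="/usr/sbin/timemaster" dev="vda2" ino=4201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1597166685.891:303): avc:  denied  { create } for  pid=544430 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1597166685.892:304): avc:  denied  { bind } for  pid=544430 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(1597166685.893:305): avc:  denied  { sys_admin } for  pid=544430 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1597166685.893:305): arch=c000003e syscall=41 success=yes exit=3 items=0 pid=544430 comm="ptp4l" exe="/usr/sbin/ptp4l" subj=system_u:system_r:ptp4l_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capabilities broad enough that a rule granting them deserves a human review
# rather than a copy-paste into a policy module.
BROAD_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "dac_override"}


def parse_avc(line):
    """Return a dict of key=value fields plus a 'perms' set for one AVC
    denial record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """user:role:type:range -> type (the part a rule is written against)."""
    return ctx.split(":")[2]


def triage(log_text):
    """Split denials into (a) objects that only need relabelling, keyed by
    path or name, and (b) candidate allow rules keyed by
    (source type, target type or 'self', object class) -> permission set."""
    relabel = {}
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        if ttype == "unlabeled_t":
            # A denial on unlabeled_t means the file never got its policy
            # label (here: installed into the image without a relabel).
            # The fix is restorecon / virt-customize --selinux-relabel;
            # a rule permitting access to unlabeled_t is never generated.
            key = rec.get("path") or rec.get("name") or "?"
            relabel.setdefault(key, set()).update(rec["perms"])
            continue
        target = "self" if rec["scontext"] == rec["tcontext"] else ttype
        rules[(stype, target, rec["tclass"])].update(rec["perms"])
    return relabel, rules


def format_rules(rules):
    """Render the rule table in policy (.te) syntax, one line per key."""
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def broad_rules(rules):
    """Keys of rules that grant a capability from BROAD_CAPS; such a rule
    widens the domain far beyond the single operation that was denied."""
    return [k for k, perms in rules.items()
            if k[2] == "capability" and perms & BROAD_CAPS]


if __name__ == "__main__":
    relabel, rules = triage(SAMPLE_AUDIT_LOG)
    for path, perms in relabel.items():
        print(f"relabel needed: {path} (denied {' '.join(sorted(perms))})")
    for line in format_rules(rules):
        print(line)
    for stype, target, tclass in broad_rules(rules):
        print(f"review: {stype} would gain a broad {tclass} ({' '.join(sorted(rules[(stype, target, tclass)]))})")
```

On the constructed input the relabel bucket contains only the timemaster binary, and the rule table comes out as `allow ptp4l_t self:capability sys_admin;` and `allow ptp4l_t self:packet_socket { bind create };`, the same shape as the two rules quoted above (audit2allow would fold the socket permissions into `create_socket_perms`). The `sys_admin` rule is flagged for review because that capability covers much more than the clock operation ptp4l needs; it is still the rule the upstream policy ships, but a policy author should know it is being granted rather than discover it later.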
There is a RPM available with the missing rules from the audit logs provided. Would you be able to test it and confirm that it resolves the issue? Thank you!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openstack-selinux security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4381