Bug 1924869 - selinux avc deny after installing OCP 4.7
Summary: selinux avc deny after installing OCP 4.7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.7
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Target Release: 4.8.0
Assignee: Timothée Ravier
QA Contact: Michael Nguyen
URL:
Whiteboard:
Duplicates: 1900898
Depends On:
Blocks:
Reported: 2021-02-03 19:12 UTC by Qian Cai
Modified: 2021-11-19 00:30 UTC (History)
CC: 10 users

Fixed In Version: 4.8
Doc Type: Bug Fix
Doc Text:
Cause: The script setting up platform-specific chrony configuration may be executed multiple times on a system.
Consequence: Every execution after the first one fails, as the script can no longer alter the configuration after the first execution due to (valid) SELinux restrictions.
Fix: Only perform the configuration setup the first time.
Result: No SELinux issues are raised.
Clone Of:
Environment:
Last Closed: 2021-07-27 22:40:58 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github coreos fedora-coreos-config pull 845 0 None open overlay.d/20platform-chrony: Exit early if already run 2021-02-16 20:57:40 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:41:22 UTC

Description Qian Cai 2021-02-03 19:12:56 UTC
Description of problem:
Saw those on every node:

# ausearch -m avc
----
time->Wed Feb  3 15:04:19 2021
type=PROCTITLE msg=audit(1612364659.672:57): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612364659.672:57): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7f5cc8015b80 a2=4 a3=0 items=0 ppid=2436 pid=3381 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612364659.672:57): avc:  granted  { setsecparam } for  pid=3381 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Wed Feb  3 15:18:26 2021
type=PROCTITLE msg=audit(1612365506.616:87): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365506.616:87): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55994eb11160 a2=241 a3=1b6 items=0 ppid=19773 pid=19801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365506.616:87): avc:  denied  { write } for  pid=19801 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:26 2021
type=PROCTITLE msg=audit(1612365506.616:88): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365506.616:88): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55994eb11160 a2=201 a3=0 items=0 ppid=19773 pid=19801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365506.616:88): avc:  denied  { write } for  pid=19801 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:26 2021
type=PROCTITLE msg=audit(1612365506.986:89): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365506.986:89): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55eb57719160 a2=241 a3=1b6 items=0 ppid=19815 pid=19842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365506.986:89): avc:  denied  { write } for  pid=19842 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:26 2021
type=PROCTITLE msg=audit(1612365506.986:90): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365506.986:90): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55eb57719160 a2=201 a3=0 items=0 ppid=19815 pid=19842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365506.986:90): avc:  denied  { write } for  pid=19842 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:27 2021
type=PROCTITLE msg=audit(1612365507.413:91): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365507.413:91): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562e2bfa7160 a2=241 a3=1b6 items=0 ppid=19863 pid=19894 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365507.413:91): avc:  denied  { write } for  pid=19894 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:27 2021
type=PROCTITLE msg=audit(1612365507.413:92): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365507.413:92): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562e2bfa7160 a2=201 a3=0 items=0 ppid=19863 pid=19894 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365507.413:92): avc:  denied  { write } for  pid=19894 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:27 2021
type=PROCTITLE msg=audit(1612365507.775:93): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365507.775:93): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b9dff8d160 a2=241 a3=1b6 items=0 ppid=19905 pid=19936 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365507.775:93): avc:  denied  { write } for  pid=19936 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:18:27 2021
type=PROCTITLE msg=audit(1612365507.775:94): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612365507.775:94): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b9dff8d160 a2=201 a3=0 items=0 ppid=19905 pid=19936 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612365507.775:94): avc:  denied  { write } for  pid=19936 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:56 2021
type=PROCTITLE msg=audit(1612366856.347:194): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366856.347:194): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55bf27900160 a2=241 a3=1b6 items=0 ppid=50453 pid=50483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366856.347:194): avc:  denied  { write } for  pid=50483 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:56 2021
type=PROCTITLE msg=audit(1612366856.347:195): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366856.347:195): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55bf27900160 a2=201 a3=0 items=0 ppid=50453 pid=50483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366856.347:195): avc:  denied  { write } for  pid=50483 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:56 2021
type=PROCTITLE msg=audit(1612366856.741:196): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366856.741:196): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fb548f3160 a2=241 a3=1b6 items=0 ppid=50495 pid=50527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366856.741:196): avc:  denied  { write } for  pid=50527 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:56 2021
type=PROCTITLE msg=audit(1612366856.741:197): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366856.741:197): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fb548f3160 a2=201 a3=0 items=0 ppid=50495 pid=50527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366856.741:197): avc:  denied  { write } for  pid=50527 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:57 2021
type=PROCTITLE msg=audit(1612366857.111:198): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366857.111:198): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=561317128160 a2=241 a3=1b6 items=0 ppid=50538 pid=50568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366857.111:198): avc:  denied  { write } for  pid=50568 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:57 2021
type=PROCTITLE msg=audit(1612366857.111:199): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366857.111:199): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=561317128160 a2=201 a3=0 items=0 ppid=50538 pid=50568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366857.111:199): avc:  denied  { write } for  pid=50568 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:57 2021
type=PROCTITLE msg=audit(1612366857.455:200): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366857.455:200): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=556e5fe05160 a2=241 a3=1b6 items=0 ppid=50580 pid=50615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366857.455:200): avc:  denied  { write } for  pid=50615 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:40:57 2021
type=PROCTITLE msg=audit(1612366857.455:201): proctitle=2F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F636F72656F732D706C6174666F726D2D6368726F6E79002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F737973
type=SYSCALL msg=audit(1612366857.455:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=556e5fe05160 a2=201 a3=0 items=0 ppid=50580 pid=50615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="coreos-platform" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1612366857.455:201): avc:  denied  { write } for  pid=50615 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Feb  3 15:42:19 2021
type=PROCTITLE msg=audit(1612366939.584:74): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612366939.584:74): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fd210015e40 a2=4 a3=0 items=0 ppid=5605 pid=7299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612366939.584:74): avc:  granted  { setsecparam } for  pid=7299 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Wed Feb  3 17:36:54 2021
type=PROCTITLE msg=audit(1612373814.960:93): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612373814.960:93): arch=c000003e syscall=1 success=yes exit=3 a0=5 a1=7fd21001f8f0 a2=3 a3=0 items=0 ppid=5605 pid=7299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612373814.960:93): avc:  granted  { setsecparam } for  pid=7299 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Wed Feb  3 17:37:03 2021
type=PROCTITLE msg=audit(1612373823.231:94): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612373823.231:94): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7f0080012a90 a2=4 a3=0 items=0 ppid=149575 pid=149756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612373823.231:94): avc:  granted  { setsecparam } for  pid=149756 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
sh-4.4# audit2allow -a


#============= init_t ==============
allow init_t etc_t:file write;

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t initrc_t:dbus send_msg;

Version-Release number of selected component (if applicable):
Server Version: 4.7.0-0.nightly-2021-02-03-124048
Kubernetes Version: v1.20.0+e761892

How reproducible:
unknown

Comment 1 Micah Abbott 2021-02-03 19:27:44 UTC
@qcai what platform/architecture was this?  Could you provide the precise RHCOS version?  Is the cluster impacted/unusable by this problem?


I'm unable to reproduce this on a single node of RHCOS via qemu, so something in the cluster is running `tuned`.

The `coreos-platform-chrony.conf` hint points to https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony

It would be good to confirm that the correct NTP settings are being used on whatever platform, per the file above.

Comment 2 Qian Cai 2021-02-03 19:48:27 UTC
(In reply to Micah Abbott from comment #1)
> @qcai what platform/architecture was this?  Could you provide the precise
> RHCOS version?  Is the cluster impacted/unusable by this problem?

x86_64. My understanding is that any AVC messages are serious and need to be fixed. Not to mention that this "noise" could even hide real issues.

# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3e69e47f215c7c803f96cf736cf24d328302e3093d1e262a2421fdc0e5d4f9cd
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.83.202102021844-0 (2021-02-02T18:47:55Z)

> 
> I'm unable to reproduce this on a single node of RHCOS via qemu, so
> something in the cluster is running `tuned`.
> 
> The `coreos-platform-chrony.conf` hint points to
> https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/
> 20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony
> 
> It would be good to confirm that the correct NTP settings are being used on
> whatever platform, per the file above

Comment 3 Qian Cai 2021-02-03 20:00:13 UTC
BTW, the cluster was installed in GCP, if that ever matters.

Comment 4 Micah Abbott 2021-02-03 21:12:16 UTC
I booted 4.7.0-fc.5 on GCP before I got the precise RHCOS version and only saw the `tuned` message (which was a "granted" message):

```
$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-fc.5   True        False         5m54s   Cluster version is 4.7.0-fc.5

$ oc get nodes
NAME                                       STATUS   ROLES    AGE   VERSION
ci-ln-h8k8tvb-f76d1-6266l-master-0         Ready    master   27m   v1.20.0+3b90e69
ci-ln-h8k8tvb-f76d1-6266l-master-1         Ready    master   27m   v1.20.0+3b90e69
ci-ln-h8k8tvb-f76d1-6266l-master-2         Ready    master   27m   v1.20.0+3b90e69
ci-ln-h8k8tvb-f76d1-6266l-worker-b-zt7kj   Ready    worker   18m   v1.20.0+3b90e69
ci-ln-h8k8tvb-f76d1-6266l-worker-c-dvz9x   Ready    worker   19m   v1.20.0+3b90e69
ci-ln-h8k8tvb-f76d1-6266l-worker-d-x7w48   Ready    worker   19m   v1.20.0+3b90e69

$ oc debug node/ci-ln-h8k8tvb-f76d1-6266l-worker-b-zt7kj
Creating debug namespace/openshift-debug-node-94826 ...
Starting pod/ci-ln-h8k8tvb-f76d1-6266l-worker-b-zt7kj-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.32.3
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2bbe912426dbb7062b2780b94a5c163e602ec649974a0f52f8522ada81ac5b17
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.83.202101301239-0 (2021-01-30T12:42:16Z)

  ostree://8e87a86b9444784ab29e7917fa82e00d5e356f18b19449946b687ee8dc27c51a
                   Version: 47.83.202101161239-0 (2021-01-16T12:43:01Z)
sh-4.4# ausearch -m avc
----
time->Wed Feb  3 20:44:29 2021
type=PROCTITLE msg=audit(1612385069.742:57): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612385069.742:57): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7f54080158d0 a2=4 a3=0 items=0 ppid=2470 pid=3230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612385069.742:57): avc:  granted  { setsecparam } for  pid=3230 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
```


Looks like the original report was with something newer, so I'll try to repeat the test with a newer version.

Comment 5 Micah Abbott 2021-02-03 22:10:12 UTC
Using the latest 4.7.0-0.nightly on GCP, couldn't reproduce the errors:

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-02-03-165316   True        False         10m     Cluster version is 4.7.0-0.nightly-2021-02-03-165316

$ oc get nodes
NAME                                       STATUS   ROLES    AGE   VERSION
ci-ln-jmidrn2-f76d1-cnrf2-master-0         Ready    master   30m   v1.20.0+e761892
ci-ln-jmidrn2-f76d1-cnrf2-master-1         Ready    master   30m   v1.20.0+e761892
ci-ln-jmidrn2-f76d1-cnrf2-master-2         Ready    master   30m   v1.20.0+e761892
ci-ln-jmidrn2-f76d1-cnrf2-worker-b-6zr4q   Ready    worker   21m   v1.20.0+e761892
ci-ln-jmidrn2-f76d1-cnrf2-worker-c-r49rf   Ready    worker   21m   v1.20.0+e761892
ci-ln-jmidrn2-f76d1-cnrf2-worker-d-fcqkj   Ready    worker   21m   v1.20.0+e761892

$ oc debug node/ci-ln-jmidrn2-f76d1-cnrf2-worker-b-6zr4q
Creating debug namespace/openshift-debug-node-5pfbt ...
Starting pod/ci-ln-jmidrn2-f76d1-cnrf2-worker-b-6zr4q-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.32.2
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:11e0e55d2cc0284cdd8c7dff8db26a25e8146daf6a71ce5abc26fa2f17f2b639
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.83.202102031122-0 (2021-02-03T11:25:46Z)

  ostree://8e87a86b9444784ab29e7917fa82e00d5e356f18b19449946b687ee8dc27c51a
                   Version: 47.83.202101161239-0 (2021-01-16T12:43:01Z)
sh-4.4# ausearch -m avc
----
time->Wed Feb  3 21:35:18 2021
type=PROCTITLE msg=audit(1612388118.584:57): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1612388118.584:57): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fc9bc0158d0 a2=4 a3=0 items=0 ppid=2407 pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1612388118.584:57): avc:  granted  { setsecparam } for  pid=3269 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
```

If a reliable reproducer can be provided, we can continue to triage this further.  Until then, going to bump the priority down to medium and target 4.8.

Comment 6 Qian Cai 2021-02-04 12:21:36 UTC
From the original report, those coreos-platform AVCs always happen some time after the installation. Did you wait for a while (a few hours) to check whether it is reproducible that way?

Comment 7 Qian Cai 2021-02-04 12:45:35 UTC
I would also think we should shut up those "granted" messages as well. Otherwise, that "noise" could make it difficult for customers to check for real issues.
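
The description's `ausearch -m avc` output and comment 7 both come down to triage noise: sixteen `denied` records that are really one distinct denial (two per generator run, an open with flags 0x241, O_WRONLY|O_CREAT|O_TRUNC, then 0x201, O_WRONLY|O_TRUNC, from the same pid), plus `granted` records from `tuned` that are not denials at all. The hex PROCTITLE values confirm the actors: the denials decode to `/bin/bash /usr/lib/systemd/system-generators/coreos-platform-chrony /run/systemd/generator /run/systemd/generator.early /run/sys` (the record truncates the last argument) and the granted records to `/usr/libexec/platform-python -Es /usr/sbin/tuned --no-dbus`. The helper below is an added example, not a tool from this bug or from RHCOS: it keeps only `denied` AVC records and counts them per source context, target context, class, permission, object name, comm and permissive flag. The sample log is constructed here from the records above; the `systemd_hostnamed_t` dbus line is invented to match the `audit2allow` output in the description and is not on this page.

```shell
#!/bin/sh
# Added example: collapse raw audit AVC records into one counted line per
# distinct denial. Not a tool from this bug or from RHCOS.

# Reads audit records on stdin (ausearch -m avc output works as-is; the
# "----" and "time->" separator lines are ignored). Only "denied" AVC records
# are kept, so "granted" records like the tuned setsecparam lines drop out.
# Group key: source context, target context, class, permission, object name,
# comm and the permissive flag (a permissive=1 denial was not enforced).
summarize_avc_denials() {
    awk '
    /^type=AVC / && /avc:[ ]+denied[ ]+\{/ {
        # permission set, e.g. "{ write }" -> "write"
        perm = ""
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        # key=value fields; quoted values lose their quotes
        split("", f)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            f[substr($i, 1, eq - 1)] = v
        }
        key = f["scontext"] " -> " f["tcontext"] " " f["tclass"] " { " perm " }"
        key = key " name=" f["name"] " comm=" f["comm"] " permissive=" f["permissive"]
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample, modelled on the records in the description: two of the
# coreos-platform denials, one granted tuned record, and one invented
# hostnamed dbus denial matching the audit2allow output.
sample_audit_log() {
    cat <<'EOF'
----
time->Wed Feb  3 15:18:26 2021
type=AVC msg=audit(1612365506.616:87): avc:  denied  { write } for  pid=19801 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1612365506.616:88): avc:  denied  { write } for  pid=19801 comm="coreos-platform" name="coreos-platform-chrony.conf" dev="tmpfs" ino=16092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1612364659.672:57): avc:  granted  { setsecparam } for  pid=3381 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1612365600.000:99): avc:  denied  { send_msg } for  pid=1234 comm="systemd-hostnam" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0
EOF
}

sample_audit_log | summarize_avc_denials
```

On a node, run it as `ausearch -m avc | summarize_avc_denials`. Anything that survives with `permissive=0` is an enforced denial and deserves a look; a high count on a single key, as in this bug, usually points at one unit or generator being re-run rather than at sixteen separate events.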

Comment 9 Daniel Walsh 2021-02-05 21:32:43 UTC
The AVCs show a service launched by systemd named coreos-platform attempting to write coreos-platform-chrony.conf in etc?

Comment 10 Micah Abbott 2021-02-07 20:14:05 UTC
Needs further investigation

Comment 11 Timothée Ravier 2021-02-08 16:45:26 UTC
*** Bug 1900898 has been marked as a duplicate of this bug. ***

Comment 12 Timothée Ravier 2021-02-08 16:56:01 UTC
My current guess here is that this happens when the coreos-platform-chrony generator is re-triggered by systemd. The context will be etc_t as expected and init_t does not have write permission to that. This does not happen the first time as we change the context after writing to the file so this works.

One option is to skip writing to the file if it already exists or if the content matches what would be generated.

Comment 13 Timothée Ravier 2021-02-08 16:57:33 UTC
From https://www.freedesktop.org/software/systemd/man/systemd.generator.html:

Generators should only be used to generate unit files and symlinks to them, not any other kind of configuration. Due to the lifecycle logic mentioned above, generators are not a good fit to generate dynamic configuration for other services. If you need to generate dynamic configuration for other services, do so in normal services you order before the service in question.
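
Comments 12 and 13 give the mechanism: the generator writes `/run/coreos-platform-chrony.conf` and relabels it `etc_t`; systemd then re-runs the generator (every `systemctl daemon-reload`, per comments 15 and 17) as `init_t`, which has no `write` permission on `etc_t` files, so every rerun is denied. The `audit2allow` suggestion in the description, `allow init_t etc_t:file write`, would let PID 1 write every `etc_t` file on the host and is the wrong fix; the fix in PR 845 (linked above) is to exit early when the file already exists. The script below is an added example of that pattern, not the project's generator. Assumptions not taken from this page: the platform is read from `ignition.platform.id=` on the kernel command line, the aws/gcp NTP addresses come from the cloud providers' public documentation, and the relabel is modelled with `chcon -t etc_t` (only attempted when SELinux is enabled). The demo writes into a temporary directory rather than `/run`.

```shell
#!/bin/sh
# Added example: an idempotent platform-chrony generator in the style of the
# fix "Exit early if already run". Not the project's script.

# NTP source per platform id. Assumed values taken from the cloud providers'
# public docs, not from this bug; unknown platforms get no override.
platform_ntp_source() {
    case "$1" in
        aws) echo "server 169.254.169.123 iburst" ;;
        gcp) echo "server metadata.google.internal iburst" ;;
        *)   return 1 ;;
    esac
}

# Extract ignition.platform.id=<id> from a kernel command line (assumed to be
# how the platform is detected). Prints the id; returns 1 if absent.
platform_id_from_cmdline() {
    local word
    for word in $1; do
        case "$word" in
            ignition.platform.id=*)
                echo "${word#ignition.platform.id=}"
                return 0
                ;;
        esac
    done
    return 1
}

# Write the chrony drop-in for platform $2 at path $1, unless it already exists.
# systemd re-runs generators on every daemon-reload; after the first run the
# file carries etc_t and init_t may not write it (the denial in this bug), so
# the early return is what keeps the re-run from opening the file at all.
generate_platform_chrony() {
    local confpath=$1 platform=$2 src
    if [ -e "$confpath" ]; then
        echo "$confpath already exists; skipping" >&2
        return 0
    fi
    src=$(platform_ntp_source "$platform") || return 0
    cat > "$confpath" <<EOF
# Generated for platform=$platform by the platform-chrony example; do not edit.
$src
EOF
    # Assumed relabel step (comment 12 says the context is changed after the
    # write); only attempted when SELinux is actually enabled on this host.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        chcon -t etc_t "$confpath" || true
    fi
}

# Demo against a temporary directory; a real generator would target
# /run/coreos-platform-chrony.conf. The command line below is constructed.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/coreos-platform-chrony.conf"
demo_platform=$(platform_id_from_cmdline "BOOT_IMAGE=/vmlinuz ignition.platform.id=aws console=ttyS0")
generate_platform_chrony "$demo_conf" "$demo_platform"   # first run: writes the file
generate_platform_chrony "$demo_conf" "$demo_platform"   # re-run: "already exists; skipping"
cat "$demo_conf"
rm -rf "$demo_dir"
```

On the second invocation the function returns 0 without opening the file, which is the whole point: with the guard in place no `write` is attempted, so no AVC is raised whatever label the file carries. The verification in comment 19 looks for exactly that `already exists; skipping` line in the journal after a `daemon-reload`.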

Comment 14 Timothée Ravier 2021-02-08 17:20:16 UTC
Posted potential fix (needs testing).

Comment 15 Timothée Ravier 2021-02-11 15:47:12 UTC
I tested the previously mentioned PR in AWS and this solves this issue. You can reproduce this issue by running `systemctl daemon-reload` on an instance in AWS/GCP/Azure.

Comment 16 Timothée Ravier 2021-02-18 14:10:41 UTC
The fix is making its way through Fedora CoreOS streams and will be in RHCOS for 4.8.

Setting as low severity, as this is neither a security issue nor a functional bug: the functionality is working as expected.

Feel free to request a 4.7 backport if you think this is needed.

Comment 17 Timothée Ravier 2021-03-08 16:38:01 UTC
This should be ready for testing with the latest RHCOS images. You do not need a full cluster to test that but only to be on AWS/GCP/Azure and call `systemctl daemon-reload` to re-trigger the generator script execution.

Comment 19 Michael Nguyen 2021-03-08 19:31:47 UTC
Verified on 4.8.0-0.nightly-2021-03-08-133419 which runs RHCOS 48.83.202103080317-0. 

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-03-08-133419   True        False         31m     Cluster version is 4.8.0-0.nightly-2021-03-08-133419
$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-237.us-west-2.compute.internal   Ready    master   54m   v1.20.0+aa519d9
ip-10-0-149-29.us-west-2.compute.internal    Ready    worker   46m   v1.20.0+aa519d9
ip-10-0-162-236.us-west-2.compute.internal   Ready    worker   47m   v1.20.0+aa519d9
ip-10-0-185-140.us-west-2.compute.internal   Ready    master   54m   v1.20.0+aa519d9
ip-10-0-196-203.us-west-2.compute.internal   Ready    worker   47m   v1.20.0+aa519d9
ip-10-0-211-226.us-west-2.compute.internal   Ready    master   54m   v1.20.0+aa519d9
$ oc debug node/ip-10-0-196-203.us-west-2.compute.internal
Starting pod/ip-10-0-196-203us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# ausearch -m avc
----
time->Mon Mar  8 18:40:43 2021
type=PROCTITLE msg=audit(1615228843.769:51): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1615228843.769:51): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fd094014fb0 a2=4 a3=0 items=0 ppid=2336 pid=3030 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1615228843.769:51): avc:  granted  { setsecparam } for  pid=3030 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
sh-4.4# systemctl daemon-reload
sh-4.4# ausearch -m avc
----
time->Mon Mar  8 18:40:43 2021
type=PROCTITLE msg=audit(1615228843.769:51): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F74756E6564002D2D6E6F2D64627573
type=SYSCALL msg=audit(1615228843.769:51): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fd094014fb0 a2=4 a3=0 items=0 ppid=2336 pid=3030 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1615228843.769:51): avc:  granted  { setsecparam } for  pid=3030 comm="tuned" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
sh-4.4# journalctl -b --no-pager | grep 'already exists; skipping'
Mar 08 19:28:13 ip-10-0-196-203 coreos-platform-chrony: /run/coreos-platform-chrony.conf already exists; skipping
sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...
$ oc debug node/ip-10-0-196-203.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-196-203us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6a29805478181c58ee8922085fc919cd19a15617f6e32ca9b0580c086fcfb41
              CustomOrigin: Managed by machine-config-operator
                   Version: 48.83.202103080317-0 (2021-03-08T03:20:38Z)

  ostree://646a9832dd0dc9fe174a2fc005863a9582186518a5476522a0e9bdccc0e5252a
                   Version: 47.83.202102090044-0 (2021-02-09T00:47:36Z)

Removing debug pod ...

Comment 22 errata-xmlrpc 2021-07-27 22:40:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

