Bug 2000945

Summary: Reduce dac_override usage
Product: Red Hat OpenStack
Component: openstack-selinux
Reporter: Julie Pichon <jpichon>
Assignee: Julie Pichon <jpichon>
QA Contact: nlevinki <nlevinki>
CC: cjeanner, jjoyce, lhh, lvrabec
Status: CLOSED MIGRATED
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: beta
Target Release: ---
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Last Closed: 2024-01-05 21:39:11 UTC

Description Julie Pichon 2021-09-03 11:00:22 UTC
dac_override is a very broad SELinux capability that allows a process with the given label to bypass file permissions and access a file regardless of its permissions.

In most cases, allowing something this wide shouldn't be necessary. A change in code or deployment setting (e.g. to adjust the permission of a required file) should be sufficient to resolve the denial, as opposed to giving blanket permission to ignore file access checks across the entire system.

The issue, why it should be fixed, and how to debug it are explained in more detail in this blog post from Dan Walsh: https://danwalsh.livejournal.com/79643.html

A few services have this capability in OpenStack. As part of our efforts to tighten security, we want to get rid of this really broad rule. This will likely require changes in the services, although it's also possible that some of these are no longer needed with the move to containers.


The five services currently requiring dac_override:

1. In os-glance.te:

        allow glance_api_t self:capability { dac_override };

This was added in commit [1] due to bug 1475378 and bug 1447779 (around glance and cinder interoperability).

[1] https://github.com/redhat-openstack/openstack-selinux/commit/5002b373 (2017)

2. In os-keepalived.te:

        allow keepalived_t self:capability { dac_override };

This was added in commit [2], for bug 1180881 from what I can tell based on the dates and logs, related to HA - VRRP.

[2] https://github.com/redhat-openstack/openstack-selinux/commit/8d5d6bb (2015)

3. In os-nova.te:

        allow virtlogd_t self:capability dac_override;

This was added in commit [3] as part of the work to resolve bug 1377272 and related duplicates around VMs not booting.

[3] https://github.com/redhat-openstack/openstack-selinux/commit/36861f0 (2016)

4. In os-octavia.te:

        allow haproxy_t self:capability { dac_override };

This was added in commit [4] as part of the work to resolve bug 1715492 related to Amphora/HAProxy not starting.

[4] https://github.com/redhat-openstack/openstack-selinux/commit/38c2a78a (2019)

5. In os-ovs.te:

        allow openvswitch_t self:capability { dac_override };

This was added in commit [5] for bug 1498797 around ovsdb not starting. (It looks like the upstream openvswitch policy also carries this setting [6] since the first commit [7].)

[5] https://github.com/redhat-openstack/openstack-selinux/commit/2775ec70 (2017)
[6] https://pagure.io/openvswitch-selinux-policy/blob/5c172a5/f/openvswitch-custom.te#_59
[7] https://pagure.io/openvswitch-selinux-policy/c/eac9842


---

The first part of the work will be to move each of these rules behind booleans that are enabled by default (aka a noop for now). Then we can turn them off individually as they get fixed.

Comment 1 Julie Pichon 2021-09-03 11:12:22 UTC
Noop patch to move the rules behind booleans so that they can be worked on individually: https://github.com/redhat-openstack/openstack-selinux/pull/77/
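The "rule behind a default-on boolean" pattern described in the bug, as an added illustration that is not the policy from PR #77 or any openstack-selinux file; the module name and the boolean name os_glance_dac_override are assumptions, and the real change would edit the existing os-glance.te rather than add a module:

```selinux
# Added example (not openstack-selinux code): one dac_override rule moved
# behind a boolean that defaults to on, so current behaviour is unchanged
# and the rule can be switched off for this service alone once the
# underlying file-permission problem is fixed. Names below are assumed.
policy_module(os-glance-dac-example, 1.0)

# Boolean defaults to true: the allow rule stays active until an admin
# (or a later policy release) turns it off.
gen_tunable(os_glance_dac_override, true)

require {
    type glance_api_t;
    class capability dac_override;
}

# The original unconditional rule was:
#     allow glance_api_t self:capability { dac_override };
# Wrapped in tunable_policy it only applies while the boolean is on,
# so disabling the boolean is equivalent to deleting the rule.
tunable_policy(`os_glance_dac_override', `
    allow glance_api_t self:capability dac_override;
')
```

Once Glance runs without new dac_override AVC denials (ausearch -m AVC -ts recent), the rule can be retired on a host with setsebool -P os_glance_dac_override off before it is removed from the policy for good.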