Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2013194

Summary: SELinux denies container_t to manage files (at least read/write) in swift_var_cache_t context
Product: Red Hat OpenStack
Component: openstack-selinux
Version: 16.1 (Train)
Target Milestone: zstream
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: high
Priority: high
Keywords: Triaged
Type: Bug
Reporter: Cédric Jeanneret <cjeanner>
Assignee: Julie Pichon <jpichon>
QA Contact: nlevinki <nlevinki>
CC: lhh, lvrabec, mciecier
Fixed In Version: openstack-selinux-0.8.24-1.20211103103446.26243bf.el8ost
Doc Type: No Doc Update
Last Closed: 2022-03-24 11:01:44 UTC
Attachments: audit.log

Description Cédric Jeanneret 2021-10-12 10:58:36 UTC
Created attachment 1832177 [details]
audit.log

Description of problem:
While checking an env for other reasons, I saw the following denials:


type=AVC msg=audit(1633990096.040:24220): avc:  denied  { read write } for  pid=5337 comm="swift-container" name="container.recon" dev="vda2" ino=46373631 scontext=system_u:system_r:container_t:s0:c50,c57 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990097.840:24236): avc:  denied  { read write } for  pid=4797 comm="swift-account-r" name="account.recon" dev="vda2" ino=46374461 scontext=system_u:system_r:container_t:s0:c215,c621 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990107.831:24305): avc:  denied  { read write } for  pid=4841 comm="swift-object-ex" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c101,c624 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990116.957:24344): avc:  denied  { read write } for  pid=5113 comm="swift-object-re" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c79,c396 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990119.147:24371): avc:  denied  { read write } for  pid=616455 comm="swift-object-au" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c784,c938 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0

It's in enforcing, so we might expect other file-related (and, probably, directory-related) denials.

After some discussions, it appears openstack-selinux sets a specific fcontext:
https://github.com/redhat-openstack/openstack-selinux/commit/28132e322371bceac95b00cdfdd8affbd22b3eed

But there isn't anything allowing container_t on that context.

Not sure if it's really relevant, since we didn't have any issue in QE; maybe it's only a temporary thing, but still...

I'm attaching the full audit.log - you can `grep denied audit.log.4` to list all the things.

Comment 1 Julie Pichon 2021-10-12 11:09:46 UTC
From what I can tell, this directory should be mounted as container_file_t in THT [1]. It's also mounted with :z for at least one container in this file [2] though not the others (not sure if this may cause conflicts). I wonder if it's possible a restorecon was run? This could explain why the problem didn't come up before.

[1] https://github.com/openstack/tripleo-heat-templates/blob/36d706/deployment/swift/swift-storage-container-puppet.yaml#L678
[2] https://github.com/openstack/tripleo-heat-templates/blob/36d706/deployment/swift/swift-storage-container-puppet.yaml#L524

Did the environment stop mid-update? This sounds like it could be similar to bug 1748885 - if the update stopped then the proper contexts wouldn't be reapplied.
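
The AVC records in the description and the labelling question raised in Comment 1 can be triaged mechanically. The following Python is an added example for this page, not code from the bug report, from tripleo or from openstack-selinux. It parses AVC records from audit.log text into structured fields (splitting each context into user, role, type and MCS level), groups the denials by source type, target type, class and permission set, and applies one heuristic that is an assumption of this example rather than a statement from the report: a container_t denial whose target type is not one of the container volume types (container_file_t, container_ro_file_t, a set chosen here) is reported as a labelling problem to verify first, the restorecon scenario from Comment 1, rather than as a policy gap. The sample input is the five AVC lines quoted in the description, embedded verbatim so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in the bug description,
# copied verbatim so the parser can run without access to the real audit.log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1633990096.040:24220): avc:  denied  { read write } for  pid=5337 comm="swift-container" name="container.recon" dev="vda2" ino=46373631 scontext=system_u:system_r:container_t:s0:c50,c57 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990097.840:24236): avc:  denied  { read write } for  pid=4797 comm="swift-account-r" name="account.recon" dev="vda2" ino=46374461 scontext=system_u:system_r:container_t:s0:c215,c621 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990107.831:24305): avc:  denied  { read write } for  pid=4841 comm="swift-object-ex" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c101,c624 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990116.957:24344): avc:  denied  { read write } for  pid=5113 comm="swift-object-re" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c79,c396 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1633990119.147:24371): avc:  denied  { read write } for  pid=616455 comm="swift-object-au" name="object.recon" dev="vda2" ino=46388962 scontext=system_u:system_r:container_t:s0:c784,c938 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
"""

# One AVC record: audit timestamp/serial, result, the braced permission set,
# then the key=value fields that follow "for".
AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are double-quoted (comm, name, dev) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split 'user:role:type:level' into its parts; the level keeps its
    categories as written (e.g. 's0:c50,c57') and is '' if absent."""
    parts = (ctx.split(":", 3) + [""] * 4)[:4]
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": parts[3]}


def parse_avc(line):
    """Parse one audit line; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    rec["sctx"] = split_context(rec.get("scontext", ""))
    rec["tctx"] = split_context(rec.get("tcontext", ""))
    return rec


def parse_log(text):
    """Parse every AVC record in audit.log-style text, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


# Assumption of this example (not from the report): the types a container
# volume normally carries after a container_file_t mount or a :z/:Z option.
# A container_t denial against any other type is more likely a volume whose
# label was reset (e.g. by restorecon) than a missing policy rule.
CONTAINER_VOLUME_TYPES = frozenset({"container_file_t", "container_ro_file_t"})


def triage(records):
    """Group denials by (source type, target type, class, perms) and classify each group."""
    groups = defaultdict(list)
    for r in records:
        if r["result"] != "denied":
            continue
        key = (r["sctx"]["type"], r["tctx"]["type"], r.get("tclass", "?"), r["perms"])
        groups[key].append(r)

    findings = []
    for (stype, ttype, tclass, perms), recs in sorted(groups.items(), key=lambda kv: kv[1][0]["ts"]):
        if stype == "container_t" and ttype not in CONTAINER_VOLUME_TYPES:
            verdict = ("check labelling: container_t hit a non-container type; compare "
                       "ls -Z of the path with the expected container_file_t before writing policy")
        else:
            verdict = "policy gap: loaded policy has no rule for this access"
        findings.append({
            "source": stype, "target": ttype, "class": tclass,
            "perms": sorted(perms), "count": len(recs),
            "comms": sorted({r.get("comm", "?") for r in recs}),
            "files": sorted({r.get("name", "?") for r in recs}),
            "categories": sorted({r["sctx"]["level"] for r in recs}),
            "verdict": verdict,
            # The TE rule shape these denials translate to; only the right fix
            # when the verdict is a genuine policy gap.
            "rule": f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};",
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_AVCS)):
        print(f"{f['count']}x {f['source']} -> {f['target']}:{f['class']} {f['perms']}")
        print("  comms:", ", ".join(f["comms"]), "| files:", ", ".join(f["files"]))
        print("  MCS levels seen:", ", ".join(f["categories"]))
        print("  verdict:", f["verdict"])
        print("  rule:", f["rule"])
```

On the sample this yields one group of five denials from five different swift commands against swift_var_cache_t files, flagged as a labelling question. Two details worth reading off the parsed records: the tcontext level is plain s0 with no categories, so MCS is not what blocks the access and only the container_t/swift_var_cache_t type pair matters; and object.recon (inode 46388962) is written by three containers carrying three different category pairs, so that volume has to be shared-labelled (:z, no categories) rather than :Z, which would fence it to a single container.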

Comment 4 Julie Pichon 2021-10-12 13:37:40 UTC
We may want to add these permissions for similar reasons to https://github.com/redhat-openstack/openstack-selinux/commit/d1e3cb.

Comment 14 errata-xmlrpc 2022-03-24 11:01:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986