Bug 918721 - swift replication in /srv/node produces AVC denials
swift replication in /srv/node produces AVC denials
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
2.1
Unspecified Unspecified
urgent Severity urgent
: snapshot5
: 2.1
Assigned To: Lon Hohberger
Martina Kollarova
: Triaged
Depends On: 885529
Blocks: 918549 922787
  Show dependency treegraph
 
Reported: 2013-03-06 13:21 EST by Lon Hohberger
Modified: 2014-10-06 20:16 EDT (History)
4 users (show)

See Also:
Fixed In Version: openstack-selinux-0.1.2-8.el6ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 922787 (view as bug list)
Environment:
Last Closed: 2013-04-04 14:01:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch against master_contrib branch of selinux-policy (2.15 KB, patch)
2013-03-06 13:21 EST, Lon Hohberger
no flags Details | Diff
Patch against master_contrib branch of selinux-policy (2.14 KB, patch)
2013-03-06 15:37 EST, Lon Hohberger
no flags Details | Diff
Patch against master_contrib branch of selinux-policy (2.05 KB, patch)
2013-03-06 15:39 EST, Lon Hohberger
no flags Details | Diff
Patch against master_contrib branch of selinux-policy (3.14 KB, patch)
2013-03-06 16:03 EST, Lon Hohberger
no flags Details | Diff
Fix typo (3.14 KB, patch)
2013-03-06 16:19 EST, Lon Hohberger
no flags Details | Diff
Patch against master_contrib branch of selinux-policy (3.17 KB, patch)
2013-03-06 17:59 EST, Lon Hohberger
no flags Details | Diff
Spec file patch to call restorecon on /srv (1.43 KB, patch)
2013-03-18 09:36 EDT, Lon Hohberger
no flags Details | Diff

  None (edit)
Description Lon Hohberger 2013-03-06 13:21:52 EST
Created attachment 706193 [details]
Patch against master_contrib branch of selinux-policy

Description of problem:

type=AVC msg=audit(1362499871.862:4753): avc:  denied  { write } for  pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc:  denied  { add_name } for  pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc:  denied  { create } for  pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4754): avc:  denied  { setattr } for  pid=26757 comm="rsync" name="cbf" dev=vdb ino=360460 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc:  denied  { create } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.866:4755): avc:  denied  { read write open } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4756): avc:  denied  { setattr } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc:  denied  { getattr } for  pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.868:4758): avc:  denied  { remove_name } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.868:4758): avc:  denied  { rename } for  pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

Version-Release number of selected component (if applicable): openstack-selinux-0.1.2-6

These AVCs are caused by incorrect labelling on /srv/node/* and /srv/loopback-device/*.

Here is a workaround for testing environments:

  # semanage fcontext -a -t rsync_data_t '/srv/node(/.*)?'
  # semanage fcontext -a -t rsync_data_t '/srv/loopback-device(/.*)?'
  # restorecon -Rv /srv/*
  # sesetbool rsync_client on

A more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device.

branch).
Comment 1 Lon Hohberger 2013-03-06 13:24:25 EST
Rather, a more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device is attached.

This:
  - defines swift_rsync_t
  - allows rsync_t and swift_t to read/write/manage swift_rsync_t 
  - defines /srv/node and /srv/loopback-device as swift_rsync_t 
    context
Comment 4 Lon Hohberger 2013-03-06 15:37:58 EST
Created attachment 706232 [details]
Patch against master_contrib branch of selinux-policy

Changes the new type to match convention with other modules.
Comment 5 Lon Hohberger 2013-03-06 15:39:24 EST
Created attachment 706233 [details]
Patch against master_contrib branch of selinux-policy

Remove extraneous whitespace change.
Comment 6 Lon Hohberger 2013-03-06 16:03:13 EST
Created attachment 706261 [details]
Patch against master_contrib branch of selinux-policy

Include Pete Zaitcev's notes from https://bugzilla.redhat.com/show_bug.cgi?id=885529#c21
Comment 9 Lon Hohberger 2013-03-06 16:19:32 EST
Created attachment 706268 [details]
Fix typo
Comment 12 Lon Hohberger 2013-03-06 17:59:33 EST
Created attachment 706287 [details]
Patch against master_contrib branch of selinux-policy

Add rather critical missing files_type(swift_data_t) assignment.

I did some cursory tests on Derek's machine with the RHOS-port of this patch.
Comment 13 Lon Hohberger 2013-03-06 18:02:49 EST
Dan / Miroslav - can I get a review of that patch in comment #12 ?  I think it's mostly ready to go.
Comment 15 Miroslav Grepl 2013-03-07 05:31:59 EST
So openstack-selinux-0.1.2-7.el6ost.noarch.rpm is right version?
Comment 19 Martina Kollarova 2013-03-18 08:38:14 EDT
I'm not sure what is meant by "incorrect labelling on /srv/node/*", so far I tried this:

$ rpm -qa |grep openstack-selinux
openstack-selinux-0.1.2-7.el6ost.noarch
$ mv /srv/node/device1/{accounts,accountsx}

With selinux disabled, the 'accounts' dir gets re-created withing a minute (but the 'accountsx' dir stays there). With selinux enabled, I get avc denials similar to those in the bug description.
Comment 20 Lon Hohberger 2013-03-18 09:14:22 EDT
/srv/* is mislabeled.  The following:

   restorecon -Rv /srv/*

...should fix it.
Comment 21 Lon Hohberger 2013-03-18 09:29:43 EDT
We'll call this from the rpm spec file.
Comment 22 Lon Hohberger 2013-03-18 09:36:25 EDT
Created attachment 711952 [details]
Spec file patch to call restorecon on /srv
Comment 23 Lon Hohberger 2013-03-18 09:41:48 EDT
This should break things:

  chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*

Updating to the -8 rpm should fix things:

  rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm
Comment 25 Martina Kollarova 2013-03-18 09:56:49 EDT
Seems to work. 

$ ls -lZ /srv/node
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device1
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device2

(In reply to comment #23)
> This should break things:
> 
>   chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*
> 
> Updating to the -8 rpm should fix things:
> 
>   rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm
Comment 26 errata-xmlrpc 2013-04-04 14:01:15 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0706.html

Note You need to log in before you can comment on or make changes to this bug.