Bug 966106 - AVC denials when using netns
AVC denials when using netns
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.4
All Linux
urgent Severity urgent
: rc
: 6.5
Assigned To: Miroslav Grepl
Michal Trunecka
: ZStream
: 964071 966104 (view as bug list)
Depends On:
Blocks: 969043 1003621
  Show dependency treegraph
 
Reported: 2013-05-22 09:37 EDT by Lon Hohberger
Modified: 2013-11-21 05:28 EST (History)
10 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-205.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1003621 (view as bug list)
Environment:
Last Closed: 2013-11-21 05:28:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Audit log (4.77 MB, text/plain)
2013-05-22 09:39 EDT, Lon Hohberger
no flags Details
New logs (965.45 KB, text/plain)
2013-05-22 12:04 EDT, Lon Hohberger
no flags Details
Audit log (714.04 KB, text/plain)
2013-05-22 14:21 EDT, Lon Hohberger
no flags Details
Audit log after patching with Dan's patch (581.59 KB, text/plain)
2013-05-22 16:58 EDT, Lon Hohberger
no flags Details
audit.log with Dan's and Miroslav's patches (1002.02 KB, text/plain)
2013-05-28 16:52 EDT, Lon Hohberger
no flags Details
audit file when running in permissive mode (5.82 MB, text/plain)
2013-06-06 11:52 EDT, Gary Kotton
no flags Details

  None (edit)
Description Lon Hohberger 2013-05-22 09:37:22 EDT
When using Quantum 2013.1.1 with netns support, SELinux denies various operations, which causes Quantum to fail.  AVCs do not appear unless in permissive mode, leading me to think there is a 'dontaudit' rule for these operations.
Comment 1 Lon Hohberger 2013-05-22 09:39:11 EDT
Created attachment 751727 [details]
Audit log
Comment 2 Lon Hohberger 2013-05-22 09:39:25 EDT
type=AVC msg=audit(1369229234.839:1873038): avc:  denied  { unmount } for  pid=30160 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229234.840:1873039): avc:  denied  { mounton } for  pid=30160 comm="ip" path="/sys" dev=dm-0 ino=1048577 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1369229234.840:1873039): avc:  denied  { mount } for  pid=30160 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229234.840:1873040): avc:  denied  { execute_no_trans } for  pid=30160 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229313.003:1874918): avc:  denied  { unmount } for  pid=31401 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229313.003:1874919): avc:  denied  { mounton } for  pid=31401 comm="ip" path="/sys" dev=dm-0 ino=1048577 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1369229313.003:1874919): avc:  denied  { mount } for  pid=31401 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229313.003:1874920): avc:  denied  { execute_no_trans } for  pid=31401 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229330.881:1875349): avc:  denied  { execute_no_trans } for  pid=31685 comm="ip" path="/sbin/ip" dev=dm-0 ino=3149293 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369229402.879:1877068): avc:  denied  { unmount } for  pid=351 comm="ip" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1369229402.879:1877069): avc:  denied  { mount } for  pid=351 comm="ip" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
Comment 3 Lon Hohberger 2013-05-22 10:26:39 EDT
*** Bug 966104 has been marked as a duplicate of this bug. ***
Comment 4 Lon Hohberger 2013-05-22 12:04:28 EDT
Created attachment 751772 [details]
New logs
Comment 5 Lon Hohberger 2013-05-22 12:57:59 EDT
type=SYSCALL msg=audit(05/22/2013 11:54:51.081:347918) : arch=x86_64 syscall=set
ns success=no exit=-1(Operation not permitted) a0=0x4 a1=CLONE_NEWNET a2=0x3e898db400 a3=0x0 items=0 ppid=23224 pid=23228 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) 
type=AVC msg=audit(05/22/2013 11:54:51.081:347918) : type=SYSCALL msg=audit(05/22/2013 11:54:51.081:347918) : arch=x86_64 syscall=set
ns success=no exit=-1(Operation not permitted) a0=0x4 a1=CLONE_NEWNET a2=0x3e898db400 a3=0x0 items=0 ppid=23224 pid=23228 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) 
type=AVC msg=audit(05/22/2013 11:54:51.081:347918) : avc:  denied  { sys_admin } for  pid=23228 comm=ip capability=sys_admin  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability 
avc:  denied  { sys_admin } for  pid=23228 comm=ip capability=sys_admin  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability 

This is the 'setns(2)' syscall.
Comment 6 Chris Wright 2013-05-22 13:52:38 EDT
* Gary Kotton (gkotton@redhat.com) wrote:
> The following are steps for reproducing the namespace issue:
> 1. Use RDO/RHOS 3.0 with kernel + route 2

URLs:  kernel[1] iproute2[2]

$ uname -r
2.6.32-358.11.1.el6.netns130517.x86_64

$ rpm -qf /sbin/ip
iproute-2.6.32-23.el6_4.netns.1.x86_64

> 2. Install all in one packstack
> 3. https://fedoraproject.org/wiki/Packstack_to_Quantum
> 4. Install quantum with plumbing -
>     https://fedoraproject.org/wiki/Quantum
>     - need to set the root wrap in quantum.conf
>     [AGENT]
>     root_helper = sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

I used most recent packstack[3] which allows me to skip 3 and 4 and
gives me:

I have quantum.conf [DEFAULT]
root_helper=sudo quantum-rootwrap /etc/quantum/rootwrap.conf
And dhcp-agent.init [DEFAULT]
root_helper=sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf
And l3_agent.ini [DEFAULT]
root_helper=sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf
> 5. Start all services
> 6. Create a network - quantum net-create heh
> 7. Create a subnet - quantum subnet create heh 10.0.0.0/24
> 8. Deploy a VM - this is requirN    ed as the DHCP agent will only try and
> create a namespace when the first port is created

(I used net1, not heh)
$ nova list
+--------------------------------------+------+--------+---------------+
| ID                                   | Name | Status | Networks      |
+--------------------------------------+------+--------+---------------+
| 146ae902-7f74-47ea-be31-cd7583c4d5fe | f16  | ACTIVE | net1=10.0.0.2 |
+--------------------------------------+------+--------+---------------+
$ ip netns list
qdhcp-79a10e01-05ec-48df-bcf7-9c0ea8527c4d
$ sudo ip netns exec qdhcp-79a10e01-05ec-48df-bcf7-9c0ea8527c4d bash
# ping 10.0.0.2
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.035 ms
...
# ssh 10.0.0.2
root@10.0.0.2's password:
Last login: Tue May 21 07:48:01 2013 from 10.0.0.3
[root@10-0-0-2 ~]#

# nova delete f16
# quantum net-delete net1
# setenforce enforcing <--- trouble starts here
# quantum net-create net1 
# quantum subnet-create net1 10.0.0.0/29
# nova boot f16 --flavor 1 --image f16

No namespace created.

# nova delete f16
# quantum net-delete net1
# setenforce permissive <--- trouble ends here
# quantum net-create net1 
# quantum subnet-create net1 10.0.0.0/29
# nova boot f16 --flavor 1 --image f16
# ip netns exec qdhcp-70f49ef4-807a-47d3-83f6-2a5f9ea780b8 ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.352 ms
...

This looks like an SELinux problem.

Dan, the call flow is like this:

service started at bootup
- /etc/init.d/quantum-dhcp-agent
  - daemon --user quanutm /usr/bin/dhcp-agent...
    - sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf ip netns add...
      - open(/var/run/netns/qdhcp-..., O_RDONLY|O_CREAT|O_EXCL, 0);
        ^^^ fails -EPERM

So, the open() syscall fails creating a new file in /var/run/netns
despite the syscall running in the context of uid 0 (via sudo).  I don't
see any AVC's, perhaps dac is stopping beforehand.  Any ideas on policy
tweaks needed to ensure sudo properly escalates privileges?

$ ls -ldZ /var/run/netns
drwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 /var/run/netns
$ ls -lZ /etc/init.d/quantum-dhcp-agent
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0
/etc/init.d/quantum-dhcp-agent
$ ls -lZ /usr/bin/quantum-dhcp-agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/quantum-dhcp-agent

thanks,
-chris

[1] kernel brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=5792543
[2] iproute2 http://et.redhat.com/~chrisw/rhel6/6.4/bz869004/iproute/netns.1/
[3] git clone --recursive git://github.com/stackforge/packstack.git
Comment 7 Lon Hohberger 2013-05-22 14:21:36 EDT
Created attachment 751800 [details]
Audit log

The machine I was using was missing the openstack-selinux package and current releases of selinux-policy* packages.  This is the same machine's audit log after a reboot with those packages installed/updated; 2/3 of the AVCs disappeared.
Comment 8 Chris Wright 2013-05-22 14:23:35 EDT
In the context of ip netns add foo....ip will do this:

mkdir("/var/run/netns", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
open("/var/run/netns/foo", O_RDONLY|O_CREAT|O_EXCL, 0);
unshare(CLONE_NEWNET);
mount("/proc/self/ns/net", "/var/run/netns/foo", "none", MS_BIND, NULL)

Later we will need to execute things in that namespace, for example:
ip netns exec foo bash

netns = open("/var/run/netns/foo", O_RDONLY);
setns(netns, CLONE_NEWNET); /* capable(CAP_SYS_ADMIN) */
unshare(CLONE_NEWNS)
umount2("/sys", MNT_DETACH); /* capable(CAP_SYS_ADMIN) */
mount(name, "/sys", "sysfs", 0, NULL) < 0); /* capable(CAP_SYS_ADMIN) */
if there's stuff in /etc/netns/foo/ if will go through and bind mount
all to /etc/ (override global network config files)...like:
mount("/etc/netns/foo/bar.conf", "/etc/bar.conf", "none", MS_BIND, NULL)

And finally delete it...ip netns delete foo

umount2("/var/run/netns/foo", MNT_DETACH);
unlink("/var/run/netns/foo")
Comment 9 Lon Hohberger 2013-05-22 16:57:24 EDT
So, I think Dan's patch from upstream:

https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=3e61cdbe384652759fc420b157d3fe50f8692bfa

Solves the AVCs around netns.  At least, I built a test RPM with a backported version of that patch, and those went away.

I think there are other necessary changes for Grizzlhy, though, as I'm still hitting some AVCs from dnsmasq.
Comment 10 Lon Hohberger 2013-05-22 16:58:08 EDT
Created attachment 751904 [details]
Audit log after patching with Dan's patch
Comment 11 Lon Hohberger 2013-05-22 17:08:25 EDT
type=AVC msg=audit(1369254600.399:1221): avc:  denied  { mounton } for  pid=3862 comm="ip" path="/var/run/netns/qdhcp-b3243f7e-39d7-4091-917d-0f0ceed595ee" dev=dm-0 ino=3146963 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file

^ Except this one.  Looks like we'd need:

files_mountpoint(ifconfig_var_run_t)
Comment 12 Miroslav Grepl 2013-05-23 04:54:34 EDT
I added additional fixes

9d9265766bd0c4c8bac53aeced9c562db5f7e267
4d67b983e794acaf9129987e284aa53d6e87383e
626c3c9d929b0998ea5d38da949a8671bf091381
dd02206c14f2e8bc2ba31519d2cfda165dd087ae
Comment 13 Lon Hohberger 2013-05-23 11:29:25 EDT
Thanks, Mirek - I'll give those a spin.
Comment 14 Miroslav Grepl 2013-05-28 03:11:38 EDT
Did it work?
Comment 15 Lon Hohberger 2013-05-28 11:29:44 EDT
I haven't built a package yet. :(  I'll try to get it done today.
Comment 18 Lon Hohberger 2013-05-28 16:49:49 EDT
Closer:

[root@dhcp-4-126 ~(keystone_admin)]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1369773799.697:250681): avc:  denied  { mounton } for  pid=3336 comm="ip" path="/var/run/netns/qdhcp-744b6324-95d8-4d32-9e43-8ffdff31af4d" dev=dm-0 ino=2627861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file
type=AVC msg=audit(1369773802.022:250766): avc:  denied  { read } for  pid=3392 comm="dnsmasq" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.022:250766): avc:  denied  { write } for  pid=3392 comm="dnsmasq" path="pipe:[22385]" dev=pipefs ino=22385 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.026:250767): avc:  denied  { ioctl } for  pid=3393 comm="sh" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.031:250768): avc:  denied  { sigchld } for  pid=3389 comm="python" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=process
type=AVC msg=audit(1369773802.037:250769): avc:  denied  { getattr } for  pid=3393 comm="python" path="pipe:[22384]" dev=pipefs ino=22384 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:quantum_t:s0 tclass=fifo_file
type=AVC msg=audit(1369773802.237:250775): avc:  denied  { execute } for  pid=3399 comm="sh" name="ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369773802.237:250775): avc:  denied  { read open } for  pid=3399 comm="sh" name="ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1369773802.237:250775): avc:  denied  { execute_no_trans } for  pid=3399 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=2359855 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Comment 19 Lon Hohberger 2013-05-28 16:52:46 EDT
Created attachment 754089 [details]
audit.log with Dan's and Miroslav's patches

The mounton line I suggested may be incorrect:

#============= dnsmasq_t ==============
allow dnsmasq_t ldconfig_exec_t:file { read execute open execute_no_trans };
allow dnsmasq_t quantum_t:fifo_file { read write ioctl getattr };
allow dnsmasq_t quantum_t:process sigchld;

#============= ifconfig_t ==============
allow ifconfig_t ifconfig_var_run_t:file mounton;
Comment 20 Lon Hohberger 2013-05-28 17:04:56 EDT
The other 3 allow lines could be potentially be moved in to openstack-selinux for the time being, but the ifconfig bit (or perhaps a better version?) is needed in selinux-policy.

Basically, when running with quantum, we expect the host to be an openstack node, so it's probably okay to allow some or all of those lines.

Any thoughts, Miroslav?  The line I find most concerning is how/why dnsmasq is running ldconfig.  I don't know why that occurs.
Comment 21 Miroslav Grepl 2013-05-29 07:18:46 EDT
Ok, I added fixes to Fedora. Now we need to get all acks and we can do a z-stream clone.
Comment 22 Miroslav Grepl 2013-05-30 03:02:59 EDT
Fixed in selinux-policy-3.7.19-201.el6
Comment 26 Ofer Blaut 2013-06-04 08:42:13 EDT
The bug is still there on latest puddle 31.5

  3 13:16:28 puma05 kernel: type=1400 audit(1370254588.164:62): avc:  denied  { sys_admin } for  pid=7771 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:16:59 puma05 kernel: type=1400 audit(1370254619.239:63): avc:  denied  { sys_admin } for  pid=7856 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:17:30 puma05 kernel: type=1400 audit(1370254650.272:64): avc:  denied  { sys_admin } for  pid=7944 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:18:01 puma05 kernel: type=1400 audit(1370254681.366:65): avc:  denied  { sys_admin } for  pid=8029 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:18:32 puma05 kernel: type=1400 audit(1370254712.434:66): avc:  denied  { sys_admin } for  pid=8117 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:19:03 puma05 kernel: type=1400 audit(1370254743.469:67): avc:  denied  { sys_admin } for  pid=8199 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:19:34 puma05 kernel: type=1400 audit(1370254774.758:68): avc:  denied  { sys_admin } for  pid=8287 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Jun  3 13:20:05 puma05 kernel: type=1400 audit(1370254805.816:69): avc:  denied  { sys_admin } for  pid=8375 comm="ip" capability=21  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
Comment 27 Miroslav Grepl 2013-06-04 11:16:54 EDT
#============= ifconfig_t ==============

#!!!! This avc is allowed in the current policy
allow ifconfig_t self:capability sys_admin;


We need to back port it.
Comment 28 Ofer Blaut 2013-06-04 11:28:35 EDT
All Quantum  ip netns commands fails when selinux is in enforcing mode ,
only permissive mode allows quantum to work
Comment 29 Eduard Benes 2013-06-04 11:37:44 EDT
(In reply to Ofer Blaut from comment #28)
> All Quantum  ip netns commands fails when selinux is in enforcing mode ,
> only permissive mode allows quantum to work

What selinux-policy version are you using?
Could you please provide logs with AVC failures you are seeing?
Comment 30 Ofer Blaut 2013-06-05 02:57:43 EDT
Hi

policies : 

selinux-policy-3.7.19-195.el6_4.7.noarch
selinux-policy-targeted-3.7.19-195.el6_4.7.noarch
openstack-selinux-0.1.2-10.el6ost.noarch

Audit logs 
http://pastebin.test.redhat.com/145610
Comment 32 Miroslav Grepl 2013-06-05 05:56:47 EDT
So it needs more fixes.
Comment 35 Miroslav Grepl 2013-06-05 07:54:40 EDT
RHEL6.5 builds:

https://brewweb.devel.redhat.com/buildinfo?buildID=275584

RHEL6.4.z scratch build:

https://brewweb.devel.redhat.com/taskinfo?taskID=5866723
Comment 36 Ofer Blaut 2013-06-05 09:15:57 EDT
Hi

I have used rpms from 
https://brewweb.devel.redhat.com/taskinfo?taskID=5866723 on working setup.

got the following AVCs

http://pastebin.test.redhat.com/145672


moving to permissive mode again, since some features on quantum stopped working ( floating ip and routes )
Comment 37 Ofer Blaut 2013-06-05 09:33:06 EDT
more info

http://pastebin.test.redhat.com/145685

configure selinux to permissive and quantum works again
Comment 38 Alan Pevec 2013-06-05 09:48:42 EDT
(In reply to Ofer Blaut from comment #36)
> got the following AVCs
> http://pastebin.test.redhat.com/145672

#============= iptables_t ==============
allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;
Comment 39 Miroslav Grepl 2013-06-05 10:24:01 EDT
Could you add this local policy

# cat mypol.te

require{
 type iptables_t;
 type quantum_t;
}

allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;


and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and re-test it.
Comment 40 Alan Pevec 2013-06-05 19:57:21 EDT
Here are complete instructions for the uninitiated:
cat > mypol.te <<EOF
module mypol 1.0;

require {
        type iptables_t;
        type quantum_t;
        class process sigchld;
        class fifo_file { read write };
}

allow iptables_t quantum_t:fifo_file { read write };
allow iptables_t quantum_t:process sigchld;
EOF
checkmodule -M -m -o mypol.mod mypol.te
semodule_package -o mypol.pp -m mypol.mod
semodule -i mypol.pp
Comment 42 Miroslav Grepl 2013-06-06 02:27:33 EDT
The policy z-stream errata has been updated for re-testing.
Comment 43 Gary Kotton 2013-06-06 09:35:23 EDT
I am still getting problems which result in:

2013-06-06 09:23:54    ERROR [quantum.agent.dhcp_agent] Unable to reload_allocations dhcp.
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/quantum/agent/dhcp_agent.py", line 129, in call_driver
    getattr(driver, action)()
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/dhcp.py", line 315, in reload_allocations
    ip_wrapper.netns.execute(cmd)
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/ip_lib.py", line 414, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.6/site-packages/quantum/agent/linux/utils.py", line 61, in execute
    raise RuntimeError(m)
RuntimeError:
Command: ['sudo', 'quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-92c91fd2-06be-46b6-aa41-a824fae8e7af', 'kill', '-HUP', '4511']
Exit code: 1
Stdout: ''
Stderr: 'kill 4511: Operation not permitted\n'

The audit log is (hope I have this correct):
type=SYSCALL msg=audit(1370525156.812:378894): arch=c000003e syscall=62 success=no exit=-1 a0=119f a1=1 a2=1 a3=119f items=0 ppid=7200 pid=7207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=USER_END msg=audit(1370525156.836:378895): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1370525156.836:378896): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1370525156.972:378897): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1370525156.972:378898): user pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:quantum_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Comment 44 Miroslav Grepl 2013-06-06 09:48:16 EDT
And does it work in permissive mode? Any AVC msgs?
Comment 45 Gary Kotton 2013-06-06 11:51:03 EDT
*** Bug 964071 has been marked as a duplicate of this bug. ***
Comment 46 Gary Kotton 2013-06-06 11:52:37 EDT
Created attachment 757732 [details]
audit file when running in permissive mode
Comment 47 Gary Kotton 2013-06-06 14:29:02 EDT
https://brewweb.devel.redhat.com/taskinfo?taskID=5874281
resolve all issues that i encountered
Thanks
Gary
Comment 48 Terry Wilson 2013-06-10 17:49:20 EDT
I still get a few avc denials when launching an instance. To reproduce, install via packstack from laptop to a target VM. Log into VM and:

quantum net-create net1
quantum subnet-create net1 10.0.0.0/24 --name subnet1

Then in horizon set up keypair and cirros 0.3.0 image and launch an instance, selecting net1 as the network.

AVCs:
type=AVC msg=audit(1370900696.344:2773): avc:  denied  { read } for  pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.344:2773): avc:  denied  { open } for  pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2774): avc:  denied  { ioctl } for  pid=4326 comm="qemu-kvm" path="/var/lib/nova/instances/d326667b-2b03-4449-9f26-ad49766c0512/disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2775): avc:  denied  { getattr } for  pid=4326 comm="qemu-kvm" path="/var/lib/nova/instances/d326667b-2b03-4449-9f26-ad49766c0512/disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1370900696.349:2776): avc:  denied  { write } for  pid=4326 comm="qemu-kvm" name="disk" dev=dm-0 ino=7303 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
Comment 53 errata-xmlrpc 2013-11-21 05:28:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.