Bug 980063 - SELinux / netns related messages during update
Summary: SELinux / netns related messages during update
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 7.1
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-01 10:43 UTC by Jaroslav Henner
Modified: 2016-06-17 14:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-16 10:40:47 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log (1.99 KB, text/plain), 2013-08-20 06:51 UTC, Jaroslav Henner

Description Jaroslav Henner 2013-07-01 10:43:46 UTC
Description of problem:
I've found that qpid reports a problem when restarting:
/etc/init.d/qpidd restart
Full path required for exclude: net:[15374].
Full path required for exclude: net:[15458].

which is because the init script does
+ /sbin/restorecon /var/run/qpidd.pid

I found that
[root@controller ~]# /sbin/restorecon -vR /var/
Full path required for exclude: net:[15374].
Full path required for exclude: net:[15458].
...
/sbin/restorecon reset /var/run/netns/qdhcp-40f1ff90-2c80-4fce-b845-febaa2ee2a76 context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0
/sbin/restorecon set context /var/run/netns/qdhcp-40f1ff90-2c80-4fce-b845-febaa2ee2a76->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
...

Version-Release number of selected component (if applicable):
[root@controller ~]# rpm -q openstack-selinux selinux-policy-targetted selinux-policy qpid-cpp-server openstack-nova-common
openstack-selinux-0.1.2-10.el6ost.noarch
package selinux-policy-targetted is not installed
selinux-policy-3.7.19-195.el6_4.12.noarch
qpid-cpp-server-0.14-22.el6_3.x86_64
openstack-nova-common-2013.1.2-2.el6ost.noarch


How reproducible:
2/2

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
No problem reported


Additional info:

Comment 2 Miroslav Grepl 2013-07-01 12:03:49 UTC
Are you able to reproduce it?

# matchpathcon /var/run/netns

# ls -dZ /var/run/netns

How is /var/run/netns/qdhcp-* created?

Comment 3 Jaroslav Henner 2013-07-10 08:13:44 UTC
Reproduce it? I will try. I don't know why I have written 2/2 in "How reproducible".

[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].
[root@controller ~(keystone_admin)]$ matchpathcon /var/run/netns
/var/run/netns	system_u:object_r:ifconfig_var_run_t:s0
[root@controller ~(keystone_admin)]$ ls -dZ /var/run/netns
drwxr-xr-x. root root system_u:object_r:ifconfig_var_run_t:s0 /var/run/netns
[root@controller ~(keystone_admin)]$ service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
Full path required for exclude: net:[19969].
Full path required for exclude: net:[28804].
Full path required for exclude: net:[30612].

It seems it is created by quantum.

Comment 4 Jaroslav Henner 2013-07-11 16:45:22 UTC
Yes, I am able to reproduce. It seems it creates a /var/run/netns/qdhc* per network or subnet you have defined. The same holds for the message:
Full path required for exclude: net:[30612].

Comment 5 Miroslav Grepl 2013-07-12 12:49:48 UTC
Lon,
any idea?

Comment 6 Miroslav Grepl 2013-07-12 13:20:13 UTC
Any chance to re-test it with 

selinux-policy-targeted-3.7.19-195.el6_4.9

Comment 7 Lon Hohberger 2013-07-15 15:25:44 UTC
I don't have one yet -- I'll take a look at this today, but I think it's going to need to be fixed with the rest of netns in selinux-policy

Comment 9 Lon Hohberger 2013-07-15 18:56:52 UTC
Can you attach the AVCs when possible?

Comment 10 Jaroslav Henner 2013-08-20 06:51:09 UTC
Created attachment 788337 [details]
audit.log

Comment 11 Daniel Walsh 2013-08-28 17:23:52 UTC
There are no avc's in this file.

Comment 12 Jaroslav Henner 2013-08-29 08:39:24 UTC
(In reply to Daniel Walsh from comment #11)
> There are no avc's in this file.

Hmm, so I think they got rate-limited. How can I reset the rate-limiting counters?

Comment 13 RHEL Program Management 2013-10-14 03:15:19 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 14 Daniel Walsh 2013-10-15 17:39:21 UTC
Well if you are running in permissive mode you can change it via setenforce 1; setenforce 0

Otherwise I know of no rate limiting for AVC messages.

Comment 16 Marko Myllynen 2015-01-23 07:49:12 UTC
I'm still seeing this every time selinux-policy* packages are updated on an RHEL OSP 5.0 controller/network host.

Comment 19 Milos Malik 2015-01-23 08:16:40 UTC
I don't see any AVC or USER_AVC or SELINUX_ERR in the attachment mentioned in comment #17.

Comment 20 Marko Myllynen 2015-01-23 08:27:05 UTC
I see these kinds of messages when upgrading or downgrading selinux-policy:

Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].

I see similar messages also when doing:

# restorecon -R /run/netns
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532585].
Full path required for exclude: net:[4026532684].
Full path required for exclude: net:[4026532684].
restorecon set context /run/netns/qdhcp-abc->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-123->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'

Thanks.

Comment 21 Miroslav Grepl 2015-01-26 12:20:41 UTC
What happens if you run

# setenforce 1;setenforce 0

re-test it and run

# ausearch -m avc,user_avc -ts recent

Comment 22 Marko Myllynen 2015-01-26 14:41:05 UTC
Like this?

# setenforce 1 ; setenforce 0 ;
# restorecon -R /run/netns/
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532588].
Full path required for exclude: net:[4026532681].
Full path required for exclude: net:[4026532681].
restorecon set context /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
restorecon set context /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c->system_u:object_r:ifconfig_var_run_t:s0 failed:'Operation not supported'
# ausearch -m avc,user_avc -ts recent
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18734): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Jan 26 16:38:01 2015
type=USER_AVC msg=audit(1422283081.922:18735): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
# 

Thanks.

Comment 23 Miroslav Grepl 2015-01-27 09:22:26 UTC
How is /run/netns mounted?

Comment 24 Marko Myllynen 2015-01-27 10:15:45 UTC
(In reply to Miroslav Grepl from comment #23)
> How is /run/netns mounted?

# mount | grep netns
tmpfs on /run/netns type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)
proc on /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff type proc (rw,nosuid,nodev,noexec,relatime)

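The mount table in comment 24 shows the cause of the "Operation not supported" lines: /run/netns itself is a tmpfs mounted with the seclabel option, but each qdhcp-*/qrouter-* entry below it is a proc mount, and proc does not store SELinux labels in extended attributes (its labels come from policy), so restorecon cannot set a label there. The following helper, added here as an illustration and not code from this bug or from the selinux-policy project, reads a mount table in /proc/self/mounts format, reports the mount points under a directory that lack seclabel, and builds matching restorecon -e exclude arguments so a relabel of the directory skips them. The embedded sample table is constructed from the comment 24 output; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format, modelled on the
# "mount | grep netns" output in comment 24 (not captured from a live host).
SAMPLE_MOUNTS='tmpfs /run/netns tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0
proc /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c proc rw,nosuid,nodev,noexec,relatime 0 0
proc /run/netns/qrouter-0647e05a-3d3f-4b0d-98dc-fd30b032ea9c proc rw,nosuid,nodev,noexec,relatime 0 0
proc /run/netns/qdhcp-ea8b2188-ef22-42cb-b9da-f15936b0edff proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/root / xfs rw,relatime,seclabel,attr2 0 0'

# unlabeled_mounts_under DIR [MOUNTS_FILE]
# Print, one per line and de-duplicated, the mount points at or below DIR
# whose filesystem was mounted without the "seclabel" option. Such
# filesystems cannot hold per-file SELinux labels, so restorecon reports
# "Operation not supported" when it tries to set a context on them.
# MOUNTS_FILE defaults to the live mount table.
unlabeled_mounts_under() {
    dir=${1%/}                     # tolerate a trailing slash
    file=${2:-/proc/self/mounts}
    awk -v dir="$dir" '
        # Fields: $1 source, $2 mount point, $3 fstype, $4 mount options
        $2 == dir || index($2, dir "/") == 1 {
            n = split($4, opts, ",")
            has_seclabel = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "seclabel") has_seclabel = 1
            if (!has_seclabel) print $2
        }' "$file" | sort -u
}

# restorecon_excludes DIR [MOUNTS_FILE]
# Emit "-e <mountpoint>" pairs, one per line, for every unlabeled mount
# found by unlabeled_mounts_under. Intended use (assumed invocation):
#   restorecon -Rv $(restorecon_excludes /run/netns) /run/netns
# which relabels the tmpfs directory while skipping the proc mounts in it.
restorecon_excludes() {
    unlabeled_mounts_under "$1" "$2" | while IFS= read -r mp; do
        printf -- '-e %s\n' "$mp"
    done
}
```

Because the mount table lists each namespace mount twice (as the page's own output does), the helper de-duplicates before emitting excludes; the duplicated "Full path required for exclude" lines in the bug are consistent with restorecon walking that same table entry by entry.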
Comment 25 Miroslav Grepl 2015-01-27 13:25:10 UTC
Lon,
is this expected to have proc mounted here?

Marko,
does everything work correctly?

Comment 26 Marko Myllynen 2015-01-27 13:29:32 UTC
(In reply to Miroslav Grepl from comment #25)
> 
> Marko,
> does everything work correctly?

Yes. This setup has been generated by RHEL OSP 5.0 packstack so I presume in general there are no issues caused by this. Thanks.

Comment 27 Miroslav Grepl 2015-04-09 14:22:59 UTC
Why do you need to run

# restorecon -R /run/netns/

Comment 28 Marko Myllynen 2015-04-10 05:51:26 UTC
(In reply to Miroslav Grepl from comment #27)
> Why do you need to run
> 
> # restorecon -R /run/netns/

Please read comment 20 - it was the simplest step to reproduce this instead of doing a package upgrade. And in any case, I think restorecon should not produce errors.

Thanks.

Comment 29 Miroslav Grepl 2015-07-16 10:40:47 UTC
I don't see it as a bug. restorecon tells us the correct info.

Comment 30 Marko Myllynen 2015-07-16 10:44:23 UTC
(In reply to Miroslav Grepl from comment #29)
> I don't see it as a bug. restorecon tells us the correct info.

So why are the messages printed then during selinux-policy upgrade?

