diff --git a/Makefile b/Makefile index 8dec6d1..2c9f9f9 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,22 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder +include /etc/os-release + +# De-quote, if quoted. +OS_ID=$(shell echo $(ID)) +OS_VER=$(shell echo $(VERSION_ID)) +OS_MAJ=$(shell OS_VER=$(OS_VER) && echo $${OS_VER/.*/}) + +# RHEL & rebuilds: if we match one of these, we do a version comparison. +ifneq (,$(findstring $(OS_ID),rhel centos rocky almalinux)) +endif # RHEL clones + +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config os-frr $(EXTRA_TARGETS) MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share -#INSTALL=?=install +LOCALDIR?=/usr/share/openstack-selinux/master +INSTALL?=install +MODULE_TYPE?=services -all: ${TARGETS:=.pp.bz2} +all: ${TARGETS:=.pp.bz2} local_settings.sh %.pp.bz2: %.pp @echo Compressing $^ -\> $@ @@ -12,8 +25,12 @@ all: ${TARGETS:=.pp.bz2} %.pp: %.te make -f ${DATADIR}/selinux/devel/Makefile $@ +local_settings.sh: local_settings.sh.in + sed -e 's/@MODULES@/${TARGETS}/' $^ > $@ + chmod 0755 $@ + clean: - rm -f *~ *.if *.tc *.pp *.pp.bz2 + rm -f *~ *.if *.tc *.pp *.pp.bz2 local_settings.sh rm -rf tmp *.tar.gz tarball: .git/config 
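Review bot: The `ifneq (,$(findstring $(OS_ID),rhel centos rocky almalinux))` … `endif` block is empty, so `OS_ID`, `OS_VER` and `OS_MAJ` are computed and never used; either add the version comparison the comment promises or drop the block and the three variables until they are needed. If they stay, assign them with `:=` (`OS_ID := $(shell echo $(ID))`) so each `$(shell)` runs once at parse time rather than on every reference, and note that `$${OS_VER/.*/}` is a bash substitution that only works when Make's `SHELL` is bash (the default is `/bin/sh`). `findstring` matches substrings, so an `ID` such as `el` would satisfy the test; `$(filter $(OS_ID),rhel centos rocky almalinux)` matches whole words.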
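Review bot: The `local_settings.sh` rule writes `sed … > $@` straight to the target, so if sed fails a truncated or empty `local_settings.sh` is left behind that is newer than its `.in` and will not be rebuilt, and `all` then ships it. Write to a temporary name and rename, e.g. `sed -e 's|@MODULES@|${TARGETS}|' $^ > $@.tmp && chmod 0755 $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` at the top of the file. `${TARGETS}` includes the caller-supplied `$(EXTRA_TARGETS)`, and `/` is the sed delimiter in the current expression, so a module name containing one silently alters the substitution instead of failing loudly.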
@@ -57,9 +74,33 @@ local-tarball: .git/config fi ;\ fi +install: + # Install the setup script + ${INSTALL} -d ${LOCALDIR} + ${INSTALL} -m 0755 local_settings.sh ${LOCALDIR} + # Install tests + ${INSTALL} -d ${LOCALDIR}/tests + ${INSTALL} -m 0644 tests/bz* tests/lp* tests/osprh* tests/rdo* ${LOCALDIR}/tests + ${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests -#install: -# ${INSTALL} -m 0644 ${TARGETS} \ -# ${DESTDIR}${DATADIR}/targeted/modules + # Install interfaces + ${INSTALL} -d ${DATADIR}/selinux/devel/include/${MODULE_TYPE} + ${INSTALL} -m 0644 ${TARGETS:=.if} ${DATADIR}/selinux/devel/include/${MODULE_TYPE} + # Install policy modules + ${INSTALL} -d ${DATADIR}/selinux/packages + ${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DATADIR}/selinux/packages + +# Note: You can't run this in a build system unless the build +# system has access to change the kernel SELinux policies +check: + cd ${LOCALDIR} && ./local_settings.sh ;\ + cd ${LOCALDIR}/tests && ./check_all ;\ + RET=$$? ;\ + cd ${LOCALDIR} && ./local_settings.sh -x ;\ + if [[ "$$RET" -ne 0 ]]; then \ + /bin/false ;\ + else \ + /bin/true ;\ + fi diff --git a/README b/README new file mode 100644 index 0000000..3b01980 --- /dev/null +++ b/README @@ -0,0 +1,20 @@ +This repository contains OpenStack policy workarounds +for EL6 and EL7 and derivatives. Each release has its +own corresponsing branch. + +Branch Operating System + master Red Hat Enterprise Linux 7, CentOS 7, and related + el6 Red Hat Enterprise Linux 6, CentOS 6, and related + +The policies here are not designed to replace - but augment - +the selinux-policy package from your operating system. + +Bugs may be filed against the 'openstack-selinux' package +in the 'RDO' or 'Red Hat OpenStack' products at +https://bugzilla.redhat.com/ + +Running the tests +----------------- + +See the doc/ directory for more information on reporting and fixing +bugs as well as troubleshooting tips. 
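Review bot: The new `install` target writes directly to `${LOCALDIR}` and `${DATADIR}`, dropping the `${DESTDIR}` prefix the commented-out rule it replaces used; a staged install (`make DESTDIR=/tmp/stage install`) therefore modifies the live `/usr/share/selinux` tree and cannot be used from a package build. Prefix every destination, e.g. `${INSTALL} -d ${DESTDIR}${LOCALDIR}` and `${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DESTDIR}${DATADIR}/selinux/packages`. No `.PHONY` declaration for `install` or `check` is visible in this diff, so a file of either name in the checkout would make the target a silent no-op. In `check`, `[[ "$$RET" -ne 0 ]]` is a bashism executed under Make's default `/bin/sh`, and the `/bin/false`/`/bin/true` tail can simply be `exit $$RET`.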
diff --git a/doc/CONTRIBUTING.md b/doc/CONTRIBUTING.md new file mode 100644 index 0000000..d3f9175 --- /dev/null +++ b/doc/CONTRIBUTING.md 
@@ -0,0 +1,53 @@ +How to report a bug +------------------- + +1. Set the system to Permissive and reproduce the issue (*) +2. When reporting the issue, include the permissive audit logs as well +3. The `audit2allow` output can be helpful to include in the report + when it's limited to the denials relevant to the issue, but it is + not enough on its own. It's essential to also include the actual AVC + denials (and ideally, the full permissive audit logs around the time + the issue is triggered.) + +If a bug doesn't already exist on Launchpad, Bugzilla or Jira, create a [RDO +bug](https://bugzilla.redhat.com/enter_bug.cgi?product=RDO) with the +`openstack-selinux` component. Having a bug number is necessary to add +unit tests. + +(*) In Enforcing mode, SELinux stops at the first denial which can hide + more of them. Permissive mode enables us to see the full list of + AVC denials, so that they can be resolved all at once rather than + one at a time. + +How to run the tests +-------------------- + +1. Install the `selinux-policy-devel` package +2. Ensure the path `/usr/share/openstack-selinux/master` exists +3. From your local openstack-selinux repository, run the following + command as root: + + $ make clean all install check + +It is recommended to use a VM for this. Note that it is not usually +possible nor recommended to develop or test SELinux policies from within +a container. + +Fixing an issue +---------------- + +If you are certain a new SELinux rule is necessary, consider a patch +with the minimum amount of new rules. If some of the rules are too +wide, the original code may need to change to allow more restricted +policy changes. If that's really not possible, the new rules may need +to be hidden behind a new boolean that stays turned off by default, +except in specific deployment scenarios. + +When preparing the patch, include the denials fixed by the new rule in +a test file under tests/ to confirm the fix and avoid future +regressions. 
+ +Note: a test file won't help in the case of booleans turned off by +default. In that case, include the denials in the commit message +instead to help reviewers with understanding the issue being resolved +and keeping a record. diff --git a/doc/TROUBLESHOOTING.md b/doc/TROUBLESHOOTING.md new file mode 100644 index 0000000..7ccbe44 --- /dev/null +++ b/doc/TROUBLESHOOTING.md 
@@ -0,0 +1,45 @@ +Here is a list of common issues and tips on how to debug them. + +How to resolve 'SELinux boolean os_enable_vtpm does not exist.'? +---------------------------------------------------------------- +How to resolve 'Missing os-ovs! [...] Found XX missing modules' errors? +----------------------------------------------------------------------- + +Either of these errors means that the `openstack-selinux` package could +not be installed properly, which can happen for a number of +reasons. Usually, it indicates a missing dependency or that a symbol +required by a policy is not defined on the system. + +A few tips that may help to debug: + +* Try to reinstall the package and look carefully at the output. There + should be some kind of warning. If you need to open a bug, make sure + to include this output in the report as this is the real error. + + # dnf reinstall openstack-selinux + +* Confirm that `container-selinux` is present and also installed + correctly.` openstack-selinux` depends on the symbols defined in it + and will also fail if the package isn't properly installed on the + system. You can check that by running the following command (this may + require installing `setools-console`): + + $ seinfo --type | grep container + + This should return at least a dozen types. If seinfo only returns + three container symbols or less, `container-selinux` is missing or + not installed properly. You can try to reinstall the rpm to look for + a trace with more information. + +Switching to Permissive mode resolves my problem but there are no denials in the audit logs +------------------------------------------------------------------------------------------- + +You may be hitting an issue with `dontaudit` rules. You can temporarily +allow SELinux to log these with the following command: + + # semodule -DB + +This will rebuild the policy. Once you have reproduced the issue and +are able to check the logs, you can revert back with: + + # semodule -B 
diff --git a/local_settings.sh b/local_settings.sh deleted file mode 100755 index 686a7d5..0000000 --- a/local_settings.sh +++ /dev/null 
@@ -1,156 +0,0 @@ -#!/bin/bash - -QUIET=1 -MODE=0 -BINDIR=${BINDIR:-/usr/bin} -SBINDIR=${SBINDIR:-/sbin} -LOCALSTATEDIR=${LOCALSTATEDIR:-/var} -DATADIR=${DATADIR:-/usr/share} -SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} -MODULES="" - - -do_echo() { - if [ $QUIET -eq 0 ]; then - return - fi - echo $* -} - - -relabel_files() -{ - do_echo "Relabeling files..." - $SBINDIR/restorecon -Rv $BINDIR/swift* \ - $LOCALSTATEDIR/run/swift \ - $SHAREDSTATEDIR/nova/.ssh \ - $SHAREDSTATEDIR/designate/bind9 \ - /srv \ - $BINDIR/neutron* \ - $LOCALSTATEDIR/run/redis \ - $LOCALSTATEDIR/log \ - &> /dev/null || : -} - - -install_policies() { - do_echo "Setting up ports..." - # - # Port rules - # - # bz#1107873 - $SBINDIR/semanage port -N -a -t amqp_port_t -p tcp 15672 &> /dev/null - - # bz#1118859 - $SBINDIR/semanage port -N -m -t mysqld_port_t -p tcp 4444 &> /dev/null - - # bz#1260202 - $SBINDIR/semanage port -N -m -t openvswitch_port_t -p tcp 6653 &> /dev/null - - # bz#1360434 - $SBINDIR/semanage port -N -m -t http_port_t -p tcp 8088 &> /dev/null - - # bz#1396553 - $SBINDIR/semanage port -N -m -t http_port_t -p tcp 8000 &> /dev/null - - # - # Booleans & file contexts - # - CR=$'\n' - INPUT="boolean -N -m --on virt_use_fusefs - boolean -N -m --on glance_use_fusefs - boolean -N -m --on haproxy_connect_any - boolean -N -m --on nis_enabled - boolean -N -m --on rsync_full_access - boolean -N -m --on rsync_client - boolean -N -m --on virt_use_execmem - boolean -N -m --on virt_use_nfs - boolean -N -m --on daemons_enable_cluster_mode - boolean -N -m --on glance_use_execmem - boolean -N -m --on httpd_execmem - boolean -N -m --on domain_kernel_load_modules - boolean -N -m --on httpd_can_network_connect - boolean -N -m --on swift_can_network - boolean -N -m --on httpd_use_openstack - fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" - fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log - 
fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/panko.log - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-metadata-agent - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-netns-cleanup - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-ns-metadata-proxy - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent" - - # - # Append modules - # - for x in $MODULES; do - INPUT="${INPUT}${CR}module -N -a $DATADIR/selinux/packages/$x.pp.bz2" - done - - # - # Do everything in one transaction, but don't reload policy - # in case we're in a chroot environment. - # - do_echo "Installing OpenStack extra policies and setting booleans..." - echo "$INPUT" | $SBINDIR/semanage import -N - - if $SBINDIR/selinuxenabled ; then - do_echo "Reloading SELinux policies..." - # - # Chroot environments (e.g. when building images) - # won't get here, but the image will apply all of - # the policy on a reboot. - # - $SBINDIR/load_policy - - do_echo "Setting OpenStack booleans..." - # Unfortunately, we can't load modules and set - # booleans in those modules in a single transaction - setsebool -P os_nova_use_execmem on - setsebool -P os_neutron_use_execmem on - setsebool -P os_swift_use_execmem on - setsebool -P os_keystone_use_execmem on - - relabel_files - fi -} - - -uninstall_policies() { - do_echo "Removing OpenStack modules..." - $SBINDIR/semodule -n -r $MODULES &> /dev/null || : - if $SBINDIR/selinuxenabled ; then - $SBINDIR/load_policy - relabel_files - fi -} - - -while getopts m:xq opt; do - case $opt in - m) # modules - MODULES="$OPTARG" - ;; - x) # uninstall - MODE=1 - ;; - q) - QUIET=0 - ;; - esac -done - - -case $MODE in - 0) - install_policies - ;; - 1) - uninstall_policies - ;; -esac -exit $? 
diff --git a/local_settings.sh.in b/local_settings.sh.in new file mode 100644 index 0000000..6265e0e --- /dev/null +++ b/local_settings.sh.in 
@@ -0,0 +1,404 @@ +#!/bin/bash + +QUIET=1 +MODE=0 +ROOTDIR=${ROOTDIR:-/} +BINDIR=${BINDIR:-/usr/bin} +SBINDIR=${SBINDIR:-/sbin} +LOCALSTATEDIR=${LOCALSTATEDIR:-/var} +DATADIR=${DATADIR:-/usr/share} +SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} +LOCALDIR=${LOCALDIR:-$DATADIR/openstack-selinux/master} +MODULES=${MODULES:-@MODULES@} +# libselinux-3.4 introduces a new feature. Let's see if we can use it! +SELINUX_THREAD_VERSION=3.4 + +# This is for caching the file modes; -A is a bash associative +# array ("dict" or "map" in other languages) +# See bug for bug #1560019 for more information. +declare -A file_modes + +# This associative array ("dict", "map", "hash") holds ALL the specific +# location with specific fcontext settings. +declare -A custom_fcontext=( +["$SHAREDSTATEDIR/designate/bind9(/.*)?"]='named_zone_t' +["$SHAREDSTATEDIR/vhost_sockets(/.*)?"]='virt_cache_t' +["$SHAREDSTATEDIR/openstack-dashboard"]='httpd_var_lib_t' +["$LOCALSTATEDIR/log/gnocchi/app.log"]='httpd_log_t' +["$LOCALSTATEDIR/log/aodh/app.log"]='httpd_log_t' +["$LOCALSTATEDIR/log/panko/app.log"]='httpd_log_t' +["$LOCALSTATEDIR/log/zaqar/zaqar.log"]='httpd_log_t' +["$LOCALSTATEDIR/lib/config-data(/.*)?"]='container_file_t' +["$LOCALSTATEDIR/lib/kolla(/.*)?"]='container_file_t' +["$LOCALSTATEDIR/lib/tripleo-config(/.*)?"]='container_file_t' +["$BINDIR/neutron-rootwrap-daemon"]='neutron_exec_t' +["$BINDIR/neutron-vpn-agent"]='neutron_exec_t' +["$LOCALSTATEDIR/cache/swift(/.*)?"]='swift_var_cache_t' +["$BINDIR/swift-object-reconstructor"]='swift_exec_t' +["$BINDIR/swift-object-relinker"]='swift_exec_t' +["${ROOTDIR}httpboot(/.*)?"]='httpd_sys_content_t' +["$SHAREDSTATEDIR/nova/.ssh(/.*)?"]='ssh_home_t' +["${ROOTDIR}tftpboot(/.*)?"]='tftpdir_t' +["$LOCALSTATEDIR/log/pacemaker.log.*"]='cluster_var_log_t' +["$LOCALSTATEDIR/log/pacemaker(/.*)?"]='cluster_var_log_t' +) + +# This associative array ("dict", "map", "hash") will holds all the current +# custom fcontext settings +declare -A 
existing_custom_fcontext + +# This associative array ("dict", "map", "hash") will holds all the differences +# we have between existing custom fcontext, and what we really want. +# It will be used in different methods in this script. +declare -A diff_fcontext + +# Let's populate the existing_custom_fcontext +for l in $(semanage fcontext -Cln | awk -F '[: ]+' '{print $1";"$6}'); do + existing_custom_fcontext+=([$(echo $l|cut -d ';' -f1)]=$(echo $l|cut -d ';' -f2)) +done + +# Let's populate the diff_fcontext +for i in "${!custom_fcontext[@]}"; do + if [[ ! -v existing_custom_fcontext["$i"] ]]; then + diff_fcontext+=([$i]=${custom_fcontext[$i]}) + elif [[ ${existing_custom_fcontext["$i"]} != "${custom_fcontext[$i]}" ]]; then + diff_fcontext+=([$i]=${custom_fcontext[$i]}) + fi +done + +do_echo() { + if [ $QUIET -eq 0 ]; then + return + fi + echo $* +} + +# Source : https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash +vercomp () { + if [[ $1 == $2 ]]; then + return 0 + fi + local IFS=. + local i ver1=($1) ver2=($2) + # fill empty fields in ver1 with zeros + for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do + ver1[i]=0 + done + for ((i=0; i<${#ver1[@]}; i++)); do + if [[ -z ${ver2[i]} ]]; then + # fill empty fields in ver2 with zeros + ver2[i]=0 + fi + if ((10#${ver1[i]} > 10#${ver2[i]})); then + return 1 + fi + if ((10#${ver1[i]} < 10#${ver2[i]})); then + return 2 + fi + done + return 0 +} + +function get_clean_name() { + if [[ "${1}" =~ '(' ]]; then + echo "$1" | cut -d '(' -f1 + else + echo $1 + fi +} + +relabel_files() { + local opts="" + + do_echo "Relabeling files..." + if [ $QUIET -ne 0 ]; then + opts="-v" + fi + current_version=$(/usr/bin/secon --version| grep -oE '[0-9]+(\.[0-9]+)+') # ensure we match 3.3, 3.3.1, 3.3-rc3 and so on + vercomp $current_version $SELINUX_THREAD_VERSION + if [ $? -le 1 ]; then # we want '>=' + # "-T 0" will use all available cores. 
+ opts="${opts} -T 0" + fi + + # Setfiles is a lot like restorecon, except it takes a policy + # on-disk instead of looking at the kernel-loaded policy + # So, it works inside of image builds. + # + # At a minimum, we need a line for each entry we have where we are + # customizing the label using 'semanage' below, but also + # others, when applicable. + declare -a f_list + for i in "${!custom_fcontext[@]}"; do + f_list=("${f_list[@]}" "$(get_clean_name "$i")") + done + $SBINDIR/setfiles $opts -F $ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts \ + $LOCALSTATEDIR/run/swift \ + $LOCALSTATEDIR/swift \ + /srv \ + $LOCALSTATEDIR/run/redis \ + $LOCALSTATEDIR/log \ + ${f_list[@]} 2> /dev/null || : +} + + +# usage: set_port tcp|udp port# context +set_port() +{ + # There's no add-or-modify, so try a modify, and if that fails, + # add the new rule. + # + # -N prevents reloading + $SBINDIR/semanage port -N -m -t $3 -p $1 $2 2>&1 | grep -qE 'ValueError: Port.*is not defined' + # Grep succeeded - meaning this was not defined + if [ $? -eq 0 ]; then + # So, we need to add it. + $SBINDIR/semanage port -N -a -t $3 -p $1 $2 &> /dev/null + fi +} + +# usage: set_file_context a|d (add/delete) +set_file_contexts() { + case $1 in + 'a') + for f_context in "${!diff_fcontext[@]}"; do + eval semanage fcontext -N -${1} -t ${diff_fcontext[$f_context]} \"${f_context}\" &> /dev/null + done + ;; + 'd') + for f_context in "${!custom_fcontext[@]}"; do + eval semanage fcontext -N -${1} -t ${custom_fcontext[$f_context]} \"${f_context}\" &> /dev/null + done + ;; + esac +} + + +_cache_file_modes() { + if ! 
[ -d '/etc/selinux/targeted/active' ]; then + return + fi + for f in $(find /etc/selinux/targeted/active -maxdepth 1 -type f); do + file_modes[$f]=$(stat -c %a $f) + done +} + + +_restore_file_modes() { + for k in "${!file_modes[@]}"; do + chmod ${file_modes[$k]} $k + done +} + + +install_policies() { + # Bug #1560019 + # + # 'semanage' seems to recreate + # /etc/selinux/targeted/active/seusers + # /etc/selinux/targeted/active/user_extra + # with the wrong mode, breaking 'rpm -Va' + # + # Store file modes and explicitly chmod + # them back when we're done with our setup. + _cache_file_modes + + do_echo "Setting up ports..." + # + # Port rules + # + + # bz#1118859 + set_port tcp 4444 mysqld_port_t + + # bz#1260202 + set_port tcp 6653 openvswitch_port_t + + # bz#1360434 + set_port tcp 8088 http_port_t + + # bz#1396553 + set_port tcp 8000 http_port_t + + # bz#1498921 + set_port tcp 6639 ovsdb_port_t + + # bz#1499134 + set_port tcp 6641 ovsdb_port_t + set_port tcp 6642 ovsdb_port_t + + # Create all the file contexts + do_echo "Add custom fcontext..." 
+ set_file_contexts "a" + + # Build up a script to pass to semanage + # + # Booleans + # -N -> don't reload policy + # -m -> modify + # + CR=$'\n' + INPUT="boolean -N -m --on virt_use_fusefs + boolean -N -m --on glance_api_can_network + boolean -N -m --on neutron_can_network + boolean -N -m --on glance_use_fusefs + boolean -N -m --on haproxy_connect_any + boolean -N -m --on nis_enabled + boolean -N -m --on rsync_full_access + boolean -N -m --on rsync_client + boolean -N -m --on virt_use_execmem + boolean -N -m --on virt_use_nfs + boolean -N -m --on daemons_enable_cluster_mode + boolean -N -m --on glance_use_execmem + boolean -N -m --on httpd_execmem + boolean -N -m --on domain_kernel_load_modules + boolean -N -m --on httpd_can_network_connect + boolean -N -m --on swift_can_network + boolean -N -m --on httpd_use_openstack + boolean -N -m --on domain_can_mmap_files" + + # collectd_tcp_network_connect is not available on EL10+ + if $SBINDIR/semanage boolean -l -n 2>/dev/null | grep -qw collectd_tcp_network_connect; then + INPUT="${INPUT}${CR}boolean -N -m --on collectd_tcp_network_connect" + fi + + # + # Append modules to our semanage script + # + for x in $MODULES; do + INPUT="${INPUT}${CR}module -N -a $DATADIR/selinux/packages/$x.pp.bz2" + done + + # + # Execute the semanage script: + # Do most things in one transaction, but don't reload policy + # in case we're in a chroot environment. + # + do_echo "Installing OpenStack extra policies and setting booleans..." + echo "$INPUT" | $SBINDIR/semanage import -N + + # Unfortunately, we can't load new modules and set + # booleans defined in those modules in a single transaction, + # so do a second one to set our new booleans. 
+ INPUT="boolean -N -m --on os_nova_use_execmem + boolean -N -m --on os_neutron_use_execmem + boolean -N -m --on os_swift_use_execmem + boolean -N -m --on os_keystone_use_execmem + boolean -N -m --on os_glance_use_sudo + boolean -N -m --on os_httpd_wsgi + boolean -N -m --on os_gnocchi_use_nfs + boolean -N -m --on os_virtlogd_use_nfs + boolean -N -m --on os_glance_use_nfs + boolean -N -m --on os_cinder_use_nfs + boolean -N -m --on os_glance_dac_override + boolean -N -m --on os_haproxy_dac_override + boolean -N -m --on os_keepalived_dac_override + boolean -N -m --on os_openvswitch_dac_override + boolean -N -m --on os_virtlog_dac_override" + # Note the last 5 dac_override booleans will be eventually disabled (bugzilla 2000945) + + do_echo "Setting OpenStack booleans..." + echo "$INPUT" | $SBINDIR/semanage import -N + + relabel_files + if $SBINDIR/selinuxenabled ; then + do_echo "Reloading SELinux policies..." + # + # Chroot environments (e.g. when building images) + # won't get here, which is why we do everything else + # above. + # + $SBINDIR/load_policy + fi + + # Bug #1560019 + _restore_file_modes +} + + +uninstall_policies() { + # Bug #1560019 + _cache_file_modes + + # Remove our modules and rebuild policy + do_echo "Removing OpenStack modules..." + $SBINDIR/semodule -n -r $MODULES &> /dev/null || : + + # Delete all the file contexts + do_echo "Removing custom fcontext..." + set_file_contexts "d" + + relabel_files + + if $SBINDIR/selinuxenabled ; then + do_echo "Reloading SELinux policies..." + $SBINDIR/load_policy + fi + + # Bug #1560019 + _restore_file_modes +} + +verify_policies() { + if ! 
selinuxenabled; then + echo "SELinux is disabled" + exit 0 + fi + if [ "$(id -u)" != "0" ]; then + echo "Note: UID is not 0; cannot check SELinux module status" + exit 0 + fi + + failed_count=0 + INSTALLED_MODULES=$(semodule -l) + for module in $MODULES; do + local_failed=1 + for installed_module in $INSTALLED_MODULES; do + if [ "$module" == "$installed_module" ]; then + local_failed=0 + break + fi + done + test ${local_failed} -ne 0 && (echo "Missing ${module}!" >&2) + let "failed_count+=$local_failed" + done + if [ ${failed_count} -eq 0 ]; then + echo "All modules are present." + exit 0 + else + echo "Found ${failed_count} missing module(s)." >&2 + exit 1 + fi +} + + +while getopts m:xqV opt; do + case $opt in + m) # modules + MODULES="$OPTARG" + ;; + x) # uninstall + MODE=1 + ;; + q) + QUIET=0 + ;; + V) + MODE=2 + ;; + esac +done + + +case $MODE in + 0) + install_policies + ;; + 1) + uninstall_policies + ;; + 2) + verify_policies + ;; +esac +exit $? diff --git a/os-barbican.te b/os-barbican.te new file mode 100644 index 0000000..689705e --- /dev/null +++ b/os-barbican.te @@ -0,0 +1,19 @@ +policy_module(os-barbican,0.1) + +gen_require(` + type container_t; + type initrc_t; + type pki_common_t; +') + +# Bugzilla 1732578 +allow container_t pki_common_t:dir read; +exec_files_pattern(container_t, pki_common_t, pki_common_t); + +gen_tunable(os_barbican_write_pki, false) +tunable_policy(`os_barbican_write_pki',` + allow container_t initrc_t:unix_stream_socket connectto; + allow container_t pki_common_t:dir { add_name remove_name write }; + allow container_t pki_common_t:file { append create lock rename write }; + allow container_t pki_common_t:sock_file write; +') diff --git a/os-ceilometer.te b/os-ceilometer.te new file mode 100644 index 0000000..4fe7030 --- /dev/null +++ b/os-ceilometer.te 
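Review bot: `set_file_contexts` runs `semanage` through `eval` with the fcontext keys and types spliced into the command string, so any shell metacharacter in a path built from `ROOTDIR`, `SHAREDSTATEDIR`, `LOCALSTATEDIR` or `BINDIR` (all overridable from the environment of a script that runs as root) is re-parsed as shell syntax, and `&> /dev/null` hides every semanage failure. `eval` is not needed: `semanage fcontext -N "-$1" -t "${diff_fcontext[$f_context]}" "$f_context"` passes the regex as one argument, and dropping the redirect (or checking `$?`) would surface a rejected rule. The loop that fills `existing_custom_fcontext` word-splits the output of `semanage fcontext -Cln` on whitespace, so an existing rule whose path contains a space is mis-parsed and then re-added; reading it with `while IFS= read -r l` is safer. Note also that the second `semanage import` block turns `os_glance_use_sudo`, the `os_*_dac_override` and the `os_*_use_nfs` booleans on unconditionally, so the `false` defaults declared in the `.te` files apply only to the compiled modules, not to an installed system; a comment saying so next to that block would save the next reader a surprise.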
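Review bot: The unconditional `allow container_t pki_common_t:dir read;` and `exec_files_pattern(container_t, pki_common_t, pki_common_t);` are granted to `container_t`, the generic domain every container on the host runs in, not a barbican-specific one, and the `os_barbican_write_pki` tunable likewise gives all of them write/create/rename on `pki_common_t` files and `connectto` to `initrc_t` sockets. That scope should be stated next to the Bugzilla 1732578 reference, e.g. `# container_t is shared by every container on this host; these rules are not limited to barbican`, so a later reader does not assume the rule is confined. If a dedicated container domain can be declared (os-ceilometer.te in this commit uses `container_domain_template` for that), it would be the narrower target.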
@@ -0,0 +1,23 @@
+policy_module(os-ceilometer, 1.0.0)
+
+gen_require(`
+ attribute container_net_domain;
+ type ceilometer_polling_t;
+ type container_file_t;
+ type proc_t;
+ type virt_var_run_t;
+ type virtd_t;
+')
+
+# Get ceilometer_polling_t to work as a container
+container_domain_template(ceilometer_polling, container)
+container_runtime_domtrans(ceilometer_polling_t)
+typeattribute ceilometer_polling_t container_net_domain;
+
+logging_send_audit_msgs(ceilometer_polling_t)
+logging_send_syslog_msg(ceilometer_polling_t)
+
+# OSPRH-3373
+allow ceilometer_polling_t proc_t:filesystem associate;
+allow ceilometer_polling_t virt_var_run_t:sock_file write;
+allow ceilometer_polling_t virtd_t:unix_stream_socket connectto;
diff --git a/os-certmonger.te b/os-certmonger.te
new file mode 100644
index 0000000..277b19e
--- /dev/null
+++ b/os-certmonger.te
@@ -0,0 +1,23 @@
+policy_module(os-certmonger,0.1)
+
+gen_require(`
+ type certmonger_t;
+ type iptables_t;
+ class dir {search};
+')
+
+optional_policy(`
+ gen_require(`
+ type puppet_etc_t;
+ ')
+ # rhbz#1777263
+ allow certmonger_t puppet_etc_t:dir search;
+ read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t)
+')
+
+# rhbz#1777368
+container_runtime_domtrans(certmonger_t)
+container_runtime_entrypoint(certmonger_t)
+
+# rhbz#1777738
+write_fifo_files_pattern(iptables_t, certmonger_t, certmonger_t)
diff --git a/os-cinder.te b/os-cinder.te
index 5911688..c815af1 100644
--- a/os-cinder.te
+++ b/os-cinder.te
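Review bot: `type container_file_t;` is pulled in by `gen_require` but no rule in the file uses it, so it is dead weight that will also make the module fail to load on a system where that type is absent, for no benefit; drop it or add the rule it was meant for. The module version `1.0.0` differs from the `0.1` every other `os-*.te` in this commit uses; align it unless the difference is deliberate. A one-line comment on why the polling domain needs `connectto` on `virtd_t` sockets (presumably libvirt metrics collection — confirm) would help, since that is the most privileged of the OSPRH-3373 rules.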
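Review bot: `container_runtime_domtrans(certmonger_t)` and `container_runtime_entrypoint(certmonger_t)` are unconditional, so every certmonger process gains the ability to start the container runtime in its own domain, a large privilege step for a certificate-renewal daemon that the bare rhbz#1777368 reference does not explain. Consider gating these two lines behind a `gen_tunable`/`tunable_policy` that defaults to off, as os-dnsmasq.te and os-barbican.te in this commit do, and add a comment naming the hook that needs it. `class dir {search};` is a style nit: the rest of the tree writes `{ search }` with spaces.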
@@ -2,17 +2,38 @@ policy_module(os-cinder,0.1)
 
 gen_require(`
 type cinder_log_t;
- type httpd_t;
- type iscsid_exec_t;
- type iscsid_t;
 type cinder_backup_t;
- class file { open create };
- class dir { add_name write };
+ type systemd_logind_t;
+ type cinder_volume_t;
+ type cinder_var_lib_t;
+ type httpd_t;
+ class file { open create append getattr lock };
+ class dir { add_name write create };
+ class dbus { send_msg };
+ attribute cinder_domain;
 ')
 
 # Bugzilla 1325623
 allow httpd_t cinder_log_t:file { open create };
 allow httpd_t cinder_log_t:dir { add_name write };
 
+# Bugzilla 1820504 and 2053849
+manage_dirs_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t);
+
+# Allow httpd to handle files in statedir
+manage_files_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t);
+
 # Bugzilla 1384472
 iscsid_domtrans(cinder_backup_t);
+
+# Bugzilla #1628679
+allow systemd_logind_t cinder_volume_t:dbus { send_msg };
+
+# Bugzilla 1653640
+gen_tunable(os_cinder_use_nfs, false)
+tunable_policy(`os_cinder_use_nfs',`
+ fs_manage_nfs_dirs(cinder_domain)
+ fs_manage_nfs_files(cinder_domain)
+ fs_manage_nfs_symlinks(cinder_domain)
+ fs_exec_nfs_files(cinder_domain)
+')
diff --git a/os-collectd.te b/os-collectd.te
new file mode 100644
index 0000000..693669a
--- /dev/null
+++ b/os-collectd.te
@@ -0,0 +1,20 @@
+policy_module(os-collectd,0.1)
+
+optional_policy(`
+ gen_require(`
+ type collectd_t;
+ type var_lock_t;
+ type cpu_device_t;
+ class capability sys_rawio;
+ ')
+
+ # Bugzilla #1558465
+ allow collectd_t cpu_device_t:chr_file rw_file_perms;
+
+ # FIXME: Upstream policy probably needs collectd_var_lock_t
+ # and a file transition rule in collectd.te.
+ allow collectd_t var_lock_t:dir add_entry_dir_perms;
+ allow collectd_t var_lock_t:file manage_file_perms;
+ allow collectd_t var_lock_t:lnk_file read_lnk_file_perms;
+ allow collectd_t self:capability sys_rawio;
+')
diff --git a/os-dnsmasq.te b/os-dnsmasq.te
new file mode 100644
index 0000000..85bbb8c
--- /dev/null
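Review bot: The `os_cinder_use_nfs` tunable grants `fs_exec_nfs_files(cinder_domain)` alongside dir/file/symlink management, so everything carrying the `cinder_domain` attribute can execute files from NFS mounts once the boolean is on, and local_settings.sh.in in this commit turns it on at install time. If the NFS backend only needs data access, drop that line; if exec is genuinely required, say why in the Bugzilla 1653640 comment. The `gen_require` also adds `append getattr lock` to `class file` and `create` to `class dir`, but no rule in the hunk uses them directly (`manage_*_pattern` brings its own requires), so they can go if the rest of the file does not need them.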
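Review bot: `allow collectd_t self:capability sys_rawio;` is granted unconditionally and, unlike the `cpu_device_t` rule above it, carries no bug reference or explanation; `sys_rawio` is one of the broader capabilities (raw device and I/O port access), so it deserves its own comment, e.g. `# sys_rawio needed for <reason> (bz#<BUG-ID>)`, and is a candidate for a default-off tunable as os-dnsmasq.te does for `dac_override`. The `var_lock_t` rules already carry a FIXME; pointing it at the upstream bug once one exists would let the workaround be retired.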
+++ b/os-dnsmasq.te
@@ -0,0 +1,17 @@
+policy_module(os-dnsmasq,0.1)
+
+gen_require(`
+ type var_lib_t;
+ type dnsmasq_t;
+ class file manage_file_perms;
+ class capability dac_override;
+')
+
+# bug 1568993
+# dnsmasq_t can already create/delete var_lib_t directories
+allow dnsmasq_t var_lib_t:file manage_file_perms;
+
+gen_tunable(os_dnsmasq_dac_override, false)
+tunable_policy(`os_dnsmasq_dac_override',`
+ allow dnsmasq_t self:capability { dac_override };
+')
diff --git a/os-frr.fc b/os-frr.fc
new file mode 100644
index 0000000..4cdedea
--- /dev/null
+++ b/os-frr.fc
@@ -0,0 +1 @@
+/var/run/frr gen_context(system_u:object_r:container_var_run_t,s0)
diff --git a/os-frr.te b/os-frr.te
new file mode 100644
index 0000000..c54a34a
--- /dev/null
+++ b/os-frr.te
@@ -0,0 +1 @@
+policy_module(os-frr,0.1)
diff --git a/os-glance.te b/os-glance.te
index 843aa2a..8d7b225 100644
--- a/os-glance.te
+++ b/os-glance.te
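Review bot: `allow dnsmasq_t var_lib_t:file manage_file_perms;` is unconditional and applies to the generic `var_lib_t` label, i.e. any file under /var/lib that has no more specific type, which is much wider than the directory dnsmasq actually needs for bug 1568993. If that path is known, a file context (an `.fc` entry like the one os-frr.fc adds in this commit) assigning a dnsmasq-specific type would confine the rule; otherwise state in the comment which path is involved and why a narrower label is not possible.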
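Review bot: The file context `/var/run/frr` labels only that one path, since it has no `(/.*)?` suffix, so entries created underneath it keep whatever label their parent transition gives them; compare the `custom_fcontext` entries in local_settings.sh.in, which use `(/.*)?` for directories. If the whole tree is meant to be `container_var_run_t`, the line should read `/var/run/frr(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)`; if only the directory is intended, a comment saying so prevents someone "fixing" it later. On systems where /var/run is a symlink to /run, check that this path form is covered by the distribution's `file_contexts.subs_dist` handling — that cannot be verified from the diff.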
@@ -5,35 +5,28 @@ gen_require(` type glance_registry_t; type glance_var_lib_t; type glance_tmp_t; + type fixed_disk_device_t; + type init_t; + type sysfs_t; type var_lib_t; type nfs_t; + type httpd_t; class dir { write getattr remove_name create add_name }; - class file { write getattr unlink open create }; + class file { write getattr unlink open create read}; class lnk_file read; type sudo_exec_t; class file { execute }; + attribute glance_domain; ') # Bugzilla 1362609 corenet_tcp_connect_memcache_port(glance_registry_t) -# Bugzilla 1119151 -corenet_tcp_connect_all_ports(glance_api_t) - -# Bugzilla 1135510 -#allow glance_api_t unreserved_port_t:tcp_socket name_connect; - -# Bugzilla 1130212 1119400 -# Allow glance execmem/execstack until we get the boolean -# in a later release of selinux-policy -allow glance_api_t self:process { execstack execmem }; - # Bugzilla 1219406 allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name }; -allow glance_api_t nfs_t:file { write getattr unlink open create }; +allow glance_api_t nfs_t:file { write getattr unlink open create read }; allow glance_registry_t nfs_t:dir search; - # Bugzilla 1210271 allow glance_registry_t glance_var_lib_t:lnk_file read; allow glance_api_t glance_var_lib_t:lnk_file read; 
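Review bot: Style: `class file { write getattr unlink open create read};` drops the space before `}` that every other permission set in the block has; write `class file { write getattr unlink open create read };`. While touching this block, the second `class file { execute };` a few lines down (context) could be folded into the same set so `file` is required once.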
@@ -60,3 +53,54 @@ optional_policy(`
 # bugzilla 1192644
 allow glance_api_t elasticsearch_port_t:tcp_socket name_bind;
 ')
+
+# Bug 1430402
+optional_policy(`
+ mysql_read_config(glance_api_t)
+')
+
+#
+# Bug 1475378
+# Bug 1447779
+# XXX
+# Stolen from the Nova base policy. Broken sudo support for glance.
+#
+gen_tunable(os_glance_use_sudo, false)
+tunable_policy(`os_glance_use_sudo',`
+ sudo_exec(glance_api_t)
+ logging_send_audit_msgs(glance_api_t)
+ iscsid_domtrans(glance_api_t)
+ fstools_domtrans(glance_api_t)
+ allow glance_api_t fixed_disk_device_t:blk_file { getattr ioctl open read setattr write };
+ allow glance_api_t init_t:file { getattr open read };
+ allow glance_api_t self:capability { setuid setgid };
+ allow glance_api_t self:capability { audit_write setuid setgid chown sys_rawio sys_resource };
+ allow glance_api_t self:netlink_audit_socket { create nlmsg_relay };
+ allow glance_api_t self:process { setcap setrlimit setsched };
+ allow glance_api_t sysfs_t:file append;
+')
+
+gen_tunable(os_glance_dac_override, false)
+tunable_policy(`os_glance_dac_override',`
+ allow glance_api_t self:capability dac_override;
+')
+
+# Bugzilla 1653640
+gen_tunable(os_glance_use_nfs, false)
+tunable_policy(`os_glance_use_nfs',`
+ fs_manage_nfs_dirs(glance_domain)
+ fs_manage_nfs_files(glance_domain)
+ fs_manage_nfs_symlinks(glance_domain)
+ fs_exec_nfs_files(glance_domain)
+')
+
+# Bugzilla 1789710
+allow glance_api_t glance_var_lib_t:filesystem getattr;
+
+# Bugzilla 2255412
+auth_use_pam(glance_api_t)
+init_rw_utmp(glance_api_t)
+
+# RDO-310 Allow httpd to handle files in statedir
+manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
+manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
diff --git a/os-gnocchi.te b/os-gnocchi.te
new file mode 100644
index 0000000..a4d2fe8
--- /dev/null
+++ b/os-gnocchi.te
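Review bot: Inside `os_glance_use_sudo`, `allow glance_api_t self:capability { setuid setgid };` is a strict subset of the next line `allow glance_api_t self:capability { audit_write setuid setgid chown sys_rawio sys_resource };` and can be deleted. The tunable as a whole is broad — raw write to `fixed_disk_device_t` block devices, `sys_rawio`, `fstools_domtrans` and `iscsid_domtrans` — and the `XXX` comment already flags it as borrowed from Nova; since local_settings.sh.in in this commit sets `os_glance_use_sudo` on at install, the `false` default here does not protect deployments, which is worth stating in that comment. `manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);` and the line after it end with `;` while the other interface calls in this file do not; presumably the build accepts it, as os-cinder.te already does the same, but it is inconsistent.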
@@ -0,0 +1,16 @@
+policy_module(os-gnocchi,0.1)
+
+require {
+ type httpd_var_lib_t;
+ type var_lib_t;
+ class filesystem associate;
+}
+
+
+# If using var_lib_t for NFS (I believe the default), gnocchi
+# needs to do a few things that require this.
+# bz#1466444
+gen_tunable(os_gnocchi_use_nfs, false)
+tunable_policy(`os_gnocchi_use_nfs',`
+ allow httpd_var_lib_t var_lib_t:filesystem associate;
+')
diff --git a/os-haproxy.te b/os-haproxy.te
index e311833..a79745f 100644
--- a/os-haproxy.te
+++ b/os-haproxy.te
@@ -1,10 +1,20 @@
 policy_module(os-haproxy,0.1)
 
 gen_require(`
+ type haproxy_exec_t;
 type haproxy_t;
+ type ifconfig_t;
+ type ifconfig_exec_t;
 type sysfs_t;
 class filesystem getattr;
+ class file entrypoint;
 ')
 
 # Bugzilla 1195215
 allow haproxy_t sysfs_t:filesystem getattr;
+
+domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t)
+
+# Bugzilla #1434826
+allow haproxy_t ifconfig_exec_t:file entrypoint;
+sysnet_domtrans_ifconfig(haproxy_t)
diff --git a/os-httpd.te b/os-httpd.te
new file mode 100644
index 0000000..2bd24ce
--- /dev/null
+++ b/os-httpd.te
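Review bot: This module uses a raw `require { … }` block where every other `os-*.te` in the commit uses `gen_require(` … ')`; the refpolicy macro form is the convention here and is what the other files rely on inside `optional_policy`/`tunable_policy` scopes, so switch to it for consistency. The comment `(I believe the default)` is a guess written into policy; either confirm whether gnocchi's NFS storage path is labelled `var_lib_t` by default and say so, or keep the hedge but name what was checked.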
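Review bot: `domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t)` is added with no comment or bug reference, unlike the two lines under `# Bugzilla #1434826`, and it is not obvious why a process in `ifconfig_t` would execute the haproxy binary; if it belongs to the same bug, move it under that comment, otherwise document its own trigger. Together with `allow haproxy_t ifconfig_exec_t:file entrypoint;` (which lets the haproxy domain be entered by executing the ifconfig binary — presumably for keepalived/namespace helper scripts, confirm) and `sysnet_domtrans_ifconfig(haproxy_t)`, the two domains can now transition into each other in both directions, which deserves an explanatory sentence in the file.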
@@ -0,0 +1,55 @@
+policy_module(os-httpd,0.1)
+
+gen_require(`
+ type httpd_t;
+ type var_log_t;
+ type nova_log_t;
+ type cinder_log_t;
+ type glance_log_t;
+ type neutron_log_t;
+ type keystone_log_t;
+ type nova_api_t;
+ type keystone_var_lib_t;
+ type container_file_t;
+')
+
+#
+# XXX
+# RH OpenStack Platform services are not all WSGI; some are
+# still using eventlet or another WSGI server. Furthermore,
+# not all daemons have log files which are covered in base
+# SELinux policy. For now, with this boolean, allow access
+# for httpd to use all known OpenStack log types and
+# var_log_t until these are all more correctly covered.
+#
+# Bugzilla #1437684
+# (... and many others ...)
+#
+gen_tunable(os_httpd_wsgi, false)
+tunable_policy(`os_httpd_wsgi',`
+ # OpenStack services which have not gotten their own log type yet
+ manage_files_pattern(httpd_t, var_log_t, var_log_t)
+
+ # OpenStack services which have an assigned log type
+ manage_files_pattern(httpd_t, nova_log_t, nova_log_t)
+ manage_files_pattern(httpd_t, cinder_log_t, cinder_log_t)
+ manage_files_pattern(httpd_t, glance_log_t, glance_log_t)
+ manage_files_pattern(httpd_t, neutron_log_t, neutron_log_t)
+ manage_files_pattern(httpd_t, keystone_log_t, keystone_log_t)
+
+ # RHEL 7.4 keystone change
+ # Bugzilla #1478176
+ # Bugzilla #1478177
+ allow httpd_t keystone_var_lib_t:file read_file_perms;
+
+ # Strange issue where nis_enabled disappears
+ # Bugzilla #1315457
+ # Bugzilla #1489863
+ corenet_tcp_bind_all_ports(httpd_t)
+
+ # Allow read-only access to container_file_t
+ # This is due to image-server, and images being pulled via mistral container
+ # during an update/upgrade
+ read_files_pattern(httpd_t, container_file_t, container_file_t)
+ allow httpd_t container_file_t:dir read;
+')
diff --git a/os-keepalived.te b/os-keepalived.te
index 2c10936..1888831 100644
--- a/os-keepalived.te
+++ b/os-keepalived.te
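Review bot: The single os_httpd_wsgi boolean bundles unrelated grants — management of every var_log_t file, `corenet_tcp_bind_all_ports(httpd_t)`, and read access to every container_file_t file and directory — so an operator who enables it to get WSGI logging also lets httpd_t bind any TCP port on the host. The port-binding and container_file_t rules belong behind their own tunables (for example os_httpd_bind_all_ports and os_httpd_read_container_files), or at minimum the header comment above gen_tunable should list all three effects so the boolean's description in the shipped policy is honest. `type nova_api_t;` is required but never used by a rule in this module.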
@@ -2,7 +2,6 @@ policy_module(os-keepalived,0.1)
 gen_require(`
 type keepalived_t;
- type haproxy_t;
 type neutron_var_lib_t;
 type var_log_t;
 type cloud_var_lib_t;
@@ -12,10 +11,12 @@ gen_require(`
 type sysfs_t;
 type NetworkManager_t;
 type systemd_systemctl_exec_t;
- class filesystem getattr;
- class process { signull sigkill };
- class capability { net_admin net_raw kill dac_override };
- class file { execute read create ioctl unlink execute_no_trans write getattr open };
+ type ifconfig_exec_t;
+ type ifconfig_t;
+ class filesystem { setattr getattr };
+ class process { signull sigkill setpgid setcap };
+ class capability { net_admin net_raw kill dac_override sys_admin };
+ class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint };
 ')
 # Bugzilla 1351336
@@ -26,18 +27,20 @@ allow keepalived_t NetworkManager_t:process signull;
 # Bugzilla 1180679 and Bugzilla 1180881
 neutron_manage_lib_dirs(keepalived_t)
 sysnet_exec_ifconfig(keepalived_t)
-allow keepalived_t neutron_var_lib_t:file { execute read create getattr execute_no_trans write ioctl open };
+# Bugzilla 1969325 for setattr below.
+allow keepalived_t neutron_var_lib_t:file { execute read create setattr getattr execute_no_trans write ioctl open };
 allow keepalived_t cloud_var_lib_t:file { read getattr open };
 allow keepalived_t init_var_lib_t:file { read getattr open };
 allow keepalived_t var_lib_t:file { read getattr open };
 allow keepalived_t var_log_t:file open;
-allow keepalived_t self:capability dac_override;
+# bz1434826 - sys_admin
+allow keepalived_t self:capability { sys_admin };
 allow keepalived_t neutron_t:process sigkill;
-# Bugzilla 1145886
-domain_read_all_domains_state(keepalived_t)
-allow keepalived_t haproxy_t:process signull;
-allow keepalived_t self:capability kill;
+gen_tunable(os_keepalived_dac_override, false)
+tunable_policy(`os_keepalived_dac_override',`
+ allow keepalived_t self:capability dac_override;
+')
 # Bugzilla 1206148
 allow keepalived_t sysfs_t:filesystem getattr;
@@ -53,3 +56,14 @@ optional_policy(`
 systemd_systemctl_domain(keepalived)
 unconfined_domain(keepalived_systemctl_t)
 ')
+
+# Bugzilla 1469823
+allow keepalived_t self:process setpgid;
+
+# Bugzilla #1434826
+allow keepalived_t ifconfig_exec_t:file entrypoint;
+sysnet_domtrans_ifconfig(keepalived_t)
+
+# Bugzilla 1789068
+netutils_exec_ping(keepalived_t)
+allow keepalived_t self:process setcap;
diff --git a/os-keystone.te b/os-keystone.te
index efe67c8..94377da 100644
--- a/os-keystone.te
+++ b/os-keystone.te
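Review bot: `allow keepalived_t self:capability { sys_admin };` replaces the old unconditional dac_override with an unconditional sys_admin, while dac_override itself is moved behind the new os_keepalived_dac_override tunable; sys_admin is the broader of the two capabilities and the asymmetry is not explained beyond `# bz1434826 - sys_admin`. If the capability is only needed on the netns setup path, the same tunable treatment would keep it opt-in; otherwise the comment should say which keepalived operation fails without it. os-octavia.te in this commit grants `haproxy_t self:capability { sys_admin }` unconditionally with the same shape and the same gap in explanation.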
@@ -5,15 +5,8 @@ gen_require(`
 type keystone_log_t;
 type keystone_t;
 class file { create open };
- class process signal;
 ')
-allow keystone_t self:process signal;
-
-# Bugzilla 1180230
-allow httpd_t keystone_log_t:file open;
-corenet_tcp_bind_commplex_main_port(httpd_t)
-
 # Bugzilla 1223006
 allow httpd_t keystone_log_t:file create;
 keystone_manage_log(httpd_t)
diff --git a/os-logrotate.te b/os-logrotate.te
new file mode 100644
index 0000000..e39d60a
--- /dev/null
+++ b/os-logrotate.te
@@ -0,0 +1,9 @@
+policy_module(os-logrotate,0.1)
+
+# Bugzilla 1727937
+gen_require(`
+ type logrotate_t;
+ type container_file_t;
+')
+manage_files_pattern(logrotate_t, container_file_t, container_file_t)
+manage_dirs_pattern(logrotate_t, container_file_t, container_file_t)
diff --git a/os-mongodb.te b/os-mongodb.te
deleted file mode 100644
index 728cf8e..0000000
--- a/os-mongodb.te
+++ /dev/null
@@ -1,8 +0,0 @@
-policy_module(os-mongodb,0.1)
-
-gen_require(`
- type mongod_t;
-')
-
-# Bugzilla 1192049
-allow mongod_t self:process execmem;
diff --git a/os-mysql.te b/os-mysql.te
index 36103f8..3074d84 100644
--- a/os-mysql.te
+++ b/os-mysql.te
@@ -16,18 +16,16 @@ gen_require(`
 # Bugzilla 1081544
 allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
-corenet_tcp_bind_tram_port(mysqld_t)
 corenet_tcp_connect_tram_port(mysqld_t)
 # Bugzilla 1114581
-allow mysqld_t nfs_t:dir search;
+# allow mysqld_t nfs_t:dir search;
 # Bugzilla 1118859
-domain_read_all_domains_state(mysqld_t)
-files_search_pids(mysqld_t)
-files_getattr_all_sockets(mysqld_t)
 allow mysqld_t mysqld_safe_exec_t:file getattr;
 # Bugzilla 1284672
-allow mysqld_safe_t cluster_tmp_t:file write;
+# Bugzilla 1439182
+# Bugzilla 1464114
+allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms };
 allow mysqld_safe_t cluster_var_lib_t:dir read;
diff --git a/os-net-config.te b/os-net-config.te
new file mode 100644
index 0000000..0f74c14
--- /dev/null
+++ b/os-net-config.te
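Review bot: `+# allow mysqld_t nfs_t:dir search;` leaves a commented-out rule under the `# Bugzilla 1114581` heading, so the heading now introduces nothing; either delete both lines or replace the dead rule with a note giving the reason it was disabled (for example `# Bugzilla 1114581: no longer needed, nfs_t search comes from base policy`, if that is the reason). The same hunk removes three of the four rules under `# Bugzilla 1118859`, so that heading should be checked against the one rule that remains. os-logrotate.te in this change gives logrotate_t full manage rights on every container_file_t file and directory rather than only log volumes; a comment naming the container log paths it rotates would help scope that grant later.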
@@ -0,0 +1,18 @@
+#
+# openstack-selinux policy for os-net-config network manager
+#
+# Allow NetworkManager to access ovs db.sock
+#
+# Author: Ella Shulman
+#
+
+policy_module(os-net-config,0.1)
+
+gen_require(`
+ type NetworkManager_t;
+ type container_file_t;
+ class sock_file write;
+')
+
+# Jira OSPRH-16672
+rw_sock_files_pattern(NetworkManager_t, container_file_t, container_file_t)
diff --git a/os-neutron.te b/os-neutron.te
index 435eafb..1879022 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -4,6 +4,7 @@ gen_require(`
 type neutron_t;
 type neutron_var_lib_t;
 type neutron_tmp_t;
+ type neutron_exec_t;
 type haproxy_exec_t;
 type haproxy_t;
 type httpd_config_t;
@@ -17,7 +18,9 @@ gen_require(`
 type keepalived_t;
 type logrotate_t;
 type nsfs_t;
+ type fs_t;
 class capability setpcap;
+ class capability dac_override;
 class key_socket { write read create };
 class netlink_xfrm_socket { bind create nlmsg_write };
 class process signal;
@@ -44,23 +47,13 @@ neutron_domtrans(keepalived_t)
 # Bugzilla 1169859 & 1171460 & 1171458
 can_exec(neutron_t,neutron_var_lib_t)
+can_exec(neutron_t,neutron_exec_t)
 keepalived_domtrans(neutron_t)
 allow neutron_t self:netlink_socket { bind create getattr };
 # Bugzilla 1153656
-allow neutron_t dnsmasq_t:process sigkill;
 allow haproxy_t proc_t:file read;
-# Bugzilla 1110263 & 1111990
-allow neutron_t self:unix_stream_socket { accept listen connectto };
-corenet_tcp_connect_all_ports(neutron_t)
-
-# Bugzilla 1116755
-allow neutron_t haproxy_t:unix_stream_socket { accept listen connectto };
-
-# Bugzilla 1114254
-allow neutron_t haproxy_exec_t:file execute_no_trans;
-
 # Bugzilla 1135510
 allow neutron_t ipsec_mgmt_exec_t:file exec_file_perms;
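Review bot: The os-neutron.te require block now carries two separate `class capability` lines, the existing `class capability setpcap;` and the added `+ class capability dac_override;`; merge them into `class capability { setpcap dac_override };`, which is how the other multi-permission classes in the same block (key_socket, netlink_xfrm_socket) are written. The `rw_sock_files_pattern(NetworkManager_t, container_file_t, container_file_t)` line in os-net-config.te spans every container_file_t socket on the host, not only the ovs db.sock named in the header; a comment giving the socket path would make the intended scope clear when a narrower type becomes available.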
@@ -73,13 +66,19 @@ manage_sock_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 # Bugzilla 1245846
 allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
 allow neutron_t modules_object_t:file getattr;
-allow neutron_t self:capability setpcap;
+allow neutron_t self:capability { setpcap };
 allow neutron_t self:key_socket { write read create };
 allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
 ipsec_exec_mgmt(neutron_t)
 ipsec_manage_key_file(neutron_t)
 ipsec_read_config(neutron_t)
-seutil_exec_restorecon(neutron_t)
+seutil_exec_setfiles(neutron_t)
+
+# Bugzilla 1850973
+gen_tunable(os_neutron_dac_override, false)
+tunable_policy(`os_neutron_dac_override',`
+ allow neutron_t self:capability { dac_override };
+')
 # Bugzilla 1280083
 allow neutron_t httpd_config_t:dir search;
@@ -88,7 +87,6 @@ allow neutron_t httpd_config_t:dir search;
 corecmd_getattr_all_executables(neutron_t)
 # Bugzilla 1294420
-allow logrotate_t self:netlink_selinux_socket create;
 allow neutron_t radvd_exec_t:file getattr;
@@ -106,8 +104,8 @@ optional_policy(`
 # Bugzilla 1114254
 manage_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t)
 manage_sock_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t)
- # Bugzilla 1115724
- allow neutron_t haproxy_t:process sigkill;
+ # Bugzilla 1115724 and 1962802
+ allow neutron_t haproxy_t:process { sigkill signal };
 allow neutron_t proc_t:filesystem unmount;
 ')
@@ -117,5 +115,24 @@ tunable_policy(`os_neutron_use_execmem',`
 allow neutron_t self:process execmem;
 ')
-# Bugzilla 1419418
-allow neutron_t nsfs_t:file { open read };
+# Bugzilla 1419418 and 2053852
+allow neutron_t nsfs_t:file { open read getattr };
+
+# Bugzilla 1893132
+allow neutron_t fs_t:filesystem unmount;
+
+# Bugzilla 2053852
+allow neutron_t nsfs_t:filesystem unmount;
+
+# Bugzilla 1547197
+allow neutron_t self:process setpgid;
+
+# Bugzilla 1581729
+corenet_udp_bind_dhcpc_port(neutron_t)
+
+# Bugzilla 1676954
+auth_use_pam(neutron_t)
+init_rw_utmp(neutron_t)
+
+# Bugzilla 2254886
+fs_manage_tmpfs_files(neutron_t)
diff --git a/os-nova.te b/os-nova.te
index 4ed0eba..7f45800 100644
--- a/os-nova.te
+++ b/os-nova.te
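Review bot: `allow neutron_t fs_t:filesystem unmount;` lets neutron_t unmount any filesystem carrying the generic fs_t label, which is considerably broader than the nsfs_t and proc_t unmounts elsewhere in this file, and the only documentation is `# Bugzilla 1893132`. Extend the comment to name the mount neutron actually tears down (presumably something created while setting up a network namespace) so the rule can be tightened if a dedicated type becomes available. `# Bugzilla 2053852` appears both in the merged heading above the nsfs_t file rule and again above the nsfs_t unmount; one heading covering both rules would be clearer.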
@@ -1,38 +1,42 @@
 policy_module(os-nova,0.1)
 gen_require(`
- type nova_network_t;
- type nova_var_lib_t;
- type nova_api_t;
- type nova_scheduler_t;
- type nova_console_t;
- type nova_cert_t;
- type sssd_var_lib_t;
- type cert_t;
- type nova_log_t;
- type httpd_t;
- type tmpfs_t;
- type netutils_exec_t;
- type virtd_t;
- type svirt_t;
- type svirt_tcg_t;
- type virtlogd_t;
- attribute nova_domain;
- class key write;
- class packet_socket { bind create getattr };
- class capability { dac_override net_raw sys_ptrace kill };
- class capability2 block_suspend;
- class file { getattr read write open create execute execute_no_trans };
- class sock_file write;
- class dir { add_name write search };
- class lnk_file read;
+ type nova_t;
+ type nova_network_t;
+ type nova_var_lib_t;
+ type nova_api_t;
+ type nova_scheduler_t;
+ type nova_console_t;
+ type nova_cert_t;
+ type cert_t;
+ type nova_log_t;
+ type httpd_t;
+ type netutils_exec_t;
+ type virtd_t;
+ type virt_image_t;
+ type svirt_t;
+ type svirt_image_t;
+ type svirt_tcg_t;
+ type virtlogd_t;
+ type virt_log_t;
+ type iptables_t;
+ type modules_conf_t;
+ type container_share_t;
+ type container_runtime_t;
+ attribute nova_domain;
+ class key write;
+ class packet_socket { bind create getattr };
+ class capability { dac_override net_raw sys_ptrace kill };
+ class capability2 block_suspend;
+ class file { getattr read write open create execute execute_no_trans entrypoint };
+ class sock_file write;
+ class dir { add_name write search read };
+ class lnk_file read;
+ class process sigchld;
 ')
 # Bugzilla 1181428
 iscsid_domtrans(virtd_t);
-# Bugzilla 1180373
-allow nova_network_t self:key write;
-
 # Bugzilla 1170839
 allow nova_network_t netutils_exec_t:file { read execute open execute_no_trans };
 allow nova_network_t self:packet_socket { bind create getattr };
@@ -41,11 +45,6 @@ netutils_domtrans(nova_network_t)
 # Bugzilla 1149975
 allow nova_scheduler_t cert_t:dir search;
-# Bugzilla 1162761 and 1158213
-corenet_tcp_connect_memcache_port(nova_console_t)
-corenet_tcp_connect_memcache_port(nova_scheduler_t)
-corenet_tcp_connect_memcache_port(nova_cert_t)
-
 # from upstream - Bugzilla 1107861
 auth_read_passwd(nova_domain)
 init_read_utmp(nova_domain)
@@ -55,13 +54,6 @@ init_read_utmp(nova_domain)
 allow nova_network_t self:capability { net_raw sys_ptrace kill };
 allow nova_network_t self:capability2 block_suspend;
-# Bugzilla 1083566
-allow nova_network_t initrc_var_run_t:file read;
-
-# Bugzilla 1135510
-allow nova_api_t sssd_var_lib_t:sock_file write;
-allow nova_scheduler_t cert_t:file { read getattr open };
-
 # Bugzilla 1210271
 allow svirt_t nova_var_lib_t:lnk_file read;
@@ -69,19 +61,29 @@ allow svirt_t nova_var_lib_t:lnk_file read;
 allow svirt_t nova_var_lib_t:file write;
 allow svirt_tcg_t nova_var_lib_t:file write;
-# Bugzilla 1134617
-allow nova_api_t tmpfs_t:filesystem getattr;
-
 # Bugzilla 1315457
 allow httpd_t nova_log_t:dir { add_name write };
 allow httpd_t nova_log_t:file { open create };
-corenet_tcp_bind_osapi_compute_port(httpd_t)
 # Bugzilla 1375766
 nova_manage_lib_files(virtlogd_t)
 # Bugzilla 1377272
-allow virtlogd_t self:capability dac_override;
+gen_tunable(os_virtlog_dac_override, false)
+tunable_policy(`os_virtlog_dac_override',`
+ allow virtlogd_t self:capability dac_override;
+')
+
+# Bugzilla #1499800 (workaround)
+# src: https://eucalyptus.atlassian.net/browse/EUCA-13447
+create_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
+delete_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
+rename_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
+
+delete_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)
+rename_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)
+
+filetrans_pattern(virtlogd_t, virt_image_t, virt_log_t, file, "console.log")
 # Bugzilla 1249685
 gen_tunable(os_nova_use_execmem, false)
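Review bot: `delete_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)` and the rename pattern next to it let virtlogd unlink and rename svirt_image_t files — the label carried by running guests' disk images — anywhere under a virt_image_t directory, which is far more than the console.log handling the filetrans rule describes. The `# Bugzilla #1499800 (workaround)` comment should say why the console log ends up labelled svirt_image_t and which file virtlogd actually removes, and mark the grant for removal once the referenced upstream fix is in the base policy. The new os_virtlog_dac_override tunable introduced here is also undercut by os-virt.te in this same commit, which grants `allow virtlogd_t self:capability dac_override;` unconditionally, so the boolean has no effect on a host that loads both modules.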
@@ -107,3 +109,48 @@ optional_policy(`
 # bugzilla 1280101
 allow nova_t self:process execmem;
 ')
+
+# Bug 1430402
+optional_policy(`
+ mysql_read_config(nova_t)
+')
+
+# Bug 1494907 and related
+allow iptables_t modules_conf_t:file read_file_perms;
+optional_policy(`
+ gen_require(`
+ type systemd_machined_t;
+ type container_runtime_t;
+ type container_share_t;
+ type container_unit_file_t;
+ type svirt_sandbox_file_t;
+ type spc_t;
+ ')
+
+ # presumably this is "init_start|stop|status"
+ allow systemd_machined_t container_unit_file_t:service { start stop status };
+
+ # Already present in 2.26
+ virt_transition_svirt(spc_t, system_r)
+ virt_sandbox_entrypoint(svirt_sandbox_file_t)
+
+ # Needs fixed in >2.26
+ allow svirt_t container_runtime_t:process sigchld;
+
+ container_read_share_files(svirt_t)
+ allow svirt_t container_share_t:file { entrypoint execute };
+
+ allow svirt_t spc_t:dir search;
+ allow svirt_t spc_t:fifo_file write_file_perms;
+ allow svirt_t spc_t:file read_file_perms;
+')
+
+# Requested for podman container engine
+allow svirt_tcg_t container_runtime_t:process sigchld;
+allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open };
+allow svirt_tcg_t container_share_t:lnk_file read;
+allow svirt_tcg_t container_share_t:dir read;
+
+# Bug 1640528
+auth_use_pam(nova_t)
+init_rw_utmp(nova_t)
diff --git a/os-octavia.te b/os-octavia.te
new file mode 100644
index 0000000..3a699e2
--- /dev/null
+++ b/os-octavia.te
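Review bot: The nested `gen_require` inside the Bug 1494907 optional_policy block re-requires container_runtime_t and container_share_t, which the module's top-level require already lists (added in the first hunk of this file), so two of its six lines are redundant. `# Already present in 2.26` and `# Needs fixed in >2.26` cite a version without naming the package — presumably container-selinux — and should read e.g. `# Already present in container-selinux 2.26; drop these two calls once that is the baseline`. `allow svirt_t container_share_t:file { entrypoint execute };` makes every container_share_t file a valid entry point into the guest domain; the comment should name the container image binary that needs this.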
@@ -0,0 +1,106 @@
+policy_module(os-octavia,0.1)
+
+gen_require(`
+ type keepalived_t;
+ type haproxy_t;
+ type ifconfig_t;
+ type user_tmp_t;
+ type var_run_t;
+ type ifconfig_exec_t;
+ type sysfs_t;
+ type var_lib_t;
+ type bin_t;
+ type root_t;
+ type sysctl_fs_t;
+ type proc_security_t;
+ type sysctl_kernel_t;
+ type etc_t;
+ type usermodehelper_t;
+ type keepalived_exec_t;
+ type unconfined_service_t;
+ type NetworkManager_t;
+ type tmpfs_t;
+ type nsfs_t;
+ type shell_exec_t;
+ type ping_exec_t;
+ class sock_file { create link rename setattr unlink write };
+ class capability { sys_ptrace sys_admin };
+ class file { create entrypoint execute execute_no_trans getattr ioctl open read write };
+ class dir { add_name mounton write };
+ class filesystem { mount unmount };
+')
+
+# bind mount capabilities
+allow ifconfig_t etc_t:dir mounton;
+allow ifconfig_t user_tmp_t:dir mounton;
+allow ifconfig_t var_run_t:dir mounton;
+allow ifconfig_t self:capability sys_ptrace;
+allow ifconfig_t proc_security_t:file manage_file_perms;
+allow ifconfig_t sysctl_fs_t:file manage_file_perms;
+allow ifconfig_t sysctl_kernel_t:file manage_file_perms;
+allow ifconfig_t usermodehelper_t:file { getattr open write };
+
+#
+# XXX Future work: need to set /var/lib/octavia to something
+# haproxy_t / keepalived_t can access, rather than giving
+# these two contexts blanket access to var_lib_t. Need to
+# work with upstream selinux-policy-contrib developers
+# to sort this out. Until then, this set of rules is
+# better than using unconfined_domain()
+#
+# /var/lib/octavia/vrrp (directory)
+allow keepalived_t var_lib_t:dir { add_name write remove_name };
+
+# /var/lib/octavia/vrrp/octavia-keepalived.pid
+# /var/lib/octavia/vrrp/check_script.sh
+allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };
+
+# /var/lib/octavia/[uuid].sock
+allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write };
+
+# These are needed during boot when setting up the netns
+allow keepalived_t bin_t:file { entrypoint };
+allow keepalived_t etc_t:dir mounton;
+allow keepalived_t keepalived_exec_t:file execute_no_trans;
+allow keepalived_t root_t:dir mounton;
+allow keepalived_t sysfs_t:filesystem { mount unmount };
+allow keepalived_t user_tmp_t:dir mounton;
+allow keepalived_t var_run_t:dir { create mounton rmdir };
+allow keepalived_t sysfs_t:dir mounton;
+allow keepalived_t tmpfs_t:filesystem unmount;
+
+# Same access for haproxy_t
+allow haproxy_t bin_t:file { entrypoint execute };
+allow haproxy_t unconfined_service_t:file { open read };
+allow haproxy_t var_lib_t:dir { add_name write remove_name };
+allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };
+allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write };
+allow haproxy_t self:capability { sys_admin };
+
+gen_tunable(os_haproxy_dac_override, false)
+tunable_policy(`os_haproxy_dac_override',`
+ allow haproxy_t self:capability dac_override;
+')
+
+# These are needed during boot when setting up the netns
+allow haproxy_t etc_t:dir mounton;
+allow haproxy_t root_t:dir mounton;
+allow haproxy_t sysfs_t:filesystem { mount unmount };
+allow haproxy_t user_tmp_t:dir mounton;
+allow haproxy_t NetworkManager_t:file { open read };
+allow haproxy_t sysfs_t:dir mounton;
+gen_tunable(os_haproxy_enable_nsfs, false)
+tunable_policy(`os_haproxy_enable_nsfs', `
+ allow haproxy_t nsfs_t:file { open read };
+')
+gen_tunable(os_haproxy_ping, false)
+tunable_policy(`os_haproxy_ping', `
+ allow haproxy_t ping_exec_t:file { execute execute_no_trans open read };
+ allow haproxy_t self:rawip_socket { create getopt setopt write read };
+ allow haproxy_t self:icmp_socket { create getopt setopt write read };
+ allow haproxy_t self:process setcap;
+ allow haproxy_t shell_exec_t:file execute;
+')
+
+kernel_read_fs_sysctls(ifconfig_t)
+
diff --git a/os-ovs-el9.te b/os-ovs-el9.te
new file mode 100644
index 0000000..06d85ae
--- /dev/null
+++ b/os-ovs-el9.te
@@ -0,0 +1,14 @@
+#
+# openstack-selinux extra OVS policy for RHEL9
+#
+# Allow openvswitch to write to files in /tmp
+#
+policy_module(os-ovs-el9,0.1)
+
+gen_require(`
+ type openvswitch_t;
+ type svirt_t;
+')
+
+# bugzilla 2118908
+allow svirt_t openvswitch_t:anon_inode { read write };
diff --git a/os-ovs.te b/os-ovs.te
index 913ab5b..2164b5f 100644
--- a/os-ovs.te
+++ b/os-ovs.te
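Review bot: `allow keepalived_t bin_t:file { entrypoint };` and `allow haproxy_t bin_t:file { entrypoint execute };` make every bin_t executable on the host a valid entry point for these two domains, which weakens the domain-transition guarantees far more than the `# These are needed during boot when setting up the netns` heading conveys; the comment should name the helper that is actually exec'd (the check_script.sh comment above suggests a shell script) so a narrower type can replace bin_t later. `kernel_read_fs_sysctls(ifconfig_t)` at the end of the file is the only rule without a comment or bug reference. `tunable_policy(`os_haproxy_enable_nsfs', `` and the os_haproxy_ping call have a space after the comma, unlike every other tunable_policy in this tree. The os-ovs-el9.te header says the module lets openvswitch write to files in /tmp, but its only rule is the svirt_t anon_inode grant; the header should describe what the file actually contains.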
@@ -9,33 +9,33 @@ policy_module(os-ovs,0.1)
 gen_require(`
 type openvswitch_t;
+ type neutron_t;
 type openvswitch_tmp_t;
 type svirt_t;
 type sysctl_net_t;
 type unreserved_port_t;
 type init_tmp_t;
 type tun_tap_device_t;
+ type svirt_t;
+ type svirt_tmpfs_t;
+ type virt_cache_t;
+ type spc_t;
 class dir search;
 class file { write read getattr open };
 class tcp_socket name_bind;
 class tun_socket create;
 class chr_file open;
 class netlink_generic_socket create_socket_perms;
-
+ class netlink_audit_socket { create nlmsg_relay read write };
+ class capability audit_write;
+ class packet_socket create_socket_perms;
+ class unix_stream_socket { read write connectto };
 ')
 # Bugzilla 1108187
 allow openvswitch_t init_tmp_t:file write;
-# Bugzilla 1231868
-allow openvswitch_t sysctl_net_t:dir search;
-allow openvswitch_t sysctl_net_t:file { read getattr open };
-
-# Bugzilla 1233154
-allow openvswitch_t unreserved_port_t:tcp_socket name_bind;
-
 # Bugzilla 1259419
-corenet_tcp_connect_unreserved_ports(openvswitch_t)
 swift_manage_data_files(openvswitch_t)
 # Bugzilla 1284268
@@ -46,12 +46,6 @@ allow openvswitch_t tun_tap_device_t:chr_file open;
 # Bugzilla 1284268
 corenet_tcp_bind_ovsdb_port(openvswitch_t)
-# Bugzilla 1310383
-corenet_tcp_connect_reserved_port(openvswitch_t)
-
-# Bugzilla 1334732
-corenet_tcp_connect_openvswitch_port(openvswitch_t)
-
 # Bugzilla 1372453
 corenet_tcp_connect_vnc_port(openvswitch_t)
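Review bot: `+ type svirt_t;` is added to a gen_require block that already lists `type svirt_t;` a few lines above it, and `+ type neutron_t;` is added here while the second hunk of this file wraps the only neutron_t rule in an optional_policy with its own nested require for neutron_t — keep one of the two. With the sysctl_net_t and unreserved_port_t rules deleted in this hunk, `type sysctl_net_t;`, `type unreserved_port_t;` and `class tcp_socket name_bind;` may now be unused requires, though the rest of the file is outside this hunk and should be checked before removing them.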
@@ -75,10 +69,71 @@ sysnet_exec_ifconfig(openvswitch_t)
 # bugzilla #1419418
 allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+# bugzilla #1431556
+allow openvswitch_t virt_cache_t:dir list_dir_perms;
+allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms;
+allow svirt_t virt_cache_t:sock_file manage_sock_file_perms;
+
 optional_policy(`
 hostname_exec(openvswitch_t)
 ')
 optional_policy(`
 virt_manage_images(openvswitch_t)
+ virt_stream_connect_svirt(openvswitch_t)
+')
+
+# bugzilla #1431556
+allow openvswitch_t self:packet_socket create_socket_perms;
+allow openvswitch_t self:capability net_raw;
+optional_policy(`
+ gen_require(`
+ type neutron_t;
+ ')
+ allow openvswitch_t neutron_t:dir search;
+')
+
+# bugzilla #1448887
+#
+# ovs-vsctl tries to read /proc/[ppid]/cmdline in order to
+# Print debugging information. Allowing OVS to read all of
+# neutron_t labeled files so the parent's cmdline can be
+# printed is not worth this information at this time
+#
+dontaudit openvswitch_t neutron_t:file { read open getattr };
+
+# bugzilla #1489863
+#
+# Something unsets nis_enabled; this works around that by
+# enabling binding to reserved and unreserved ports (bugzillas
+# #1259419, #1310383)
+corenet_tcp_connect_all_ports(openvswitch_t)
+
+# #1498797
+allow openvswitch_t self:capability { audit_write };
+allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
+
+gen_tunable(os_openvswitch_dac_override, false)
+tunable_policy(`os_openvswitch_dac_override',`
+ allow openvswitch_t self:capability dac_override;
+')
+
+# #1542107
+allow openvswitch_t svirt_tmpfs_t:file { read write };
+
+# #1554964
+corenet_tcp_bind_all_ports(openvswitch_t)
+
+# #1572510
+allow openvswitch_t svirt_t:unix_stream_socket { read write };
+
+# bugzilla #1707840
+allow openvswitch_t spc_t:unix_stream_socket { read write };
+
+# bugzilla 2118908 - anon_inode class available on EL9+
+optional_policy(`
+ gen_require(`
+ class anon_inode { read write };
+ ')
+ allow svirt_t openvswitch_t:anon_inode { read write };
 ')
diff --git a/os-podman.te b/os-podman.te
new file mode 100644
index 0000000..0374659
--- /dev/null
+++ b/os-podman.te
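Review bot: The comment under `# bugzilla #1489863` says the workaround works "by enabling binding to reserved and unreserved ports", but the macro beneath it is `corenet_tcp_connect_all_ports(openvswitch_t)`; the bind grant is the separate `corenet_tcp_bind_all_ports(openvswitch_t)` under `# #1554964`. Either reword the comment to say "connecting" or move the bind rule under the explanatory comment so the two broad network grants are documented together. The trailing optional_policy block granting `svirt_t openvswitch_t:anon_inode { read write }` duplicates the whole of os-ovs-el9.te added in this same commit; one of the two should go, or a comment should say why both exist.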
@@ -0,0 +1,65 @@
+policy_module(os-podman, 1.0)
+gen_require(`
+ attribute container_domain;
+ attribute container_runtime_domain;
+ type container_t;
+ type container_file_t;
+ type container_log_t;
+ type openvswitch_t;
+ type cluster_var_log_t;
+ type init_t;
+ type swift_data_t;
+ type swift_var_cache_t;
+ type fixed_disk_device_t;
+ class blk_file getattr;
+')
+#============= container_t ==============
+miscfiles_read_generic_certs(container_t)
+openvswitch_stream_connect(container_t)
+
+optional_policy(`
+ gen_require(`
+ type puppet_etc_t;
+ ')
+ # for posterity: read_files_pattern includes dir accesses
+ read_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
+ read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
+ # but read_files_pattern does not allow "read" on tclass=dir
+ allow container_t puppet_etc_t:dir { read };
+')
+
+# bugzilla #1772025
+allow openvswitch_t container_file_t:dir create;
+
+manage_files_pattern(openvswitch_t, container_file_t, container_file_t)
+manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t)
+
+# Bugzilla 1778793
+allow openvswitch_t self:capability { net_broadcast fowner fsetid };
+
+# needed for HA containers
+manage_files_pattern(container_t, cluster_var_log_t, cluster_var_log_t);
+manage_dirs_pattern(container_t, cluster_var_log_t, cluster_var_log_t);
+
+# Needed for LP#1853652
+allow init_t container_file_t:file { execute execute_no_trans };
+
+# Bugzilla 1926765. See also container-selinux commit 448dfb
+allow container_domain container_runtime_domain:process sigchld;
+
+# Bugzilla 1941922 + 1941412
+manage_files_pattern(container_t, swift_data_t, swift_data_t);
+manage_dirs_pattern(container_t, swift_data_t, swift_data_t);
+# Bugzilla 2013194
+manage_files_pattern(container_t, swift_var_cache_t, swift_var_cache_t);
+manage_dirs_pattern(container_t, swift_var_cache_t, swift_var_cache_t);
+
+# LP 1944539
+allow container_t fixed_disk_device_t:blk_file getattr;
+
+# Bugzilla 2020210
+manage_files_pattern(container_t, container_log_t, container_log_t);
+manage_dirs_pattern(container_t, container_log_t, container_log_t);
+
+# Bugzilla 2091076
+manage_sock_files_pattern(init_t, container_file_t, container_file_t);
diff --git a/os-rabbitmq.te b/os-rabbitmq.te
index 00157d8..67b75bf 100644
--- a/os-rabbitmq.te
+++ b/os-rabbitmq.te
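Review bot: `allow init_t container_file_t:file { execute execute_no_trans };` lets init_t run container-owned files without a domain transition, so whatever is executed keeps init's own domain, and `# Needed for LP#1853652` does not say which unit or ExecStart does this or why it cannot transition; expand the comment to name the binary so the grant can be replaced by a proper transition later. The two `manage_*_pattern(openvswitch_t, container_file_t, ...)` lines sit under `# bugzilla #1772025` but are much broader than the single dir create rule that heading introduces, and `#============= container_t ==============` is audit2allow output rather than an explanation of why the container domain needs the two macros beneath it.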
@@ -1,20 +1,34 @@
 policy_module(os-rabbitmq,0.1)
 gen_require(`
+ type epmd_port_t;
 type init_tmp_t;
+ type logrotate_t;
+ type proc_net_t;
 type rabbitmq_epmd_t;
- type rabbitmq_beam_t;
+ type rabbitmq_port_t;
+ type rabbitmq_t;
 type rabbitmq_var_lib_t;
- type systemd_logind_t;
- type cluster_t;
- class dbus send_msg;
- class file write;
+ type security_t;
+ class dir { read write };
+ class file { getattr open read write };
+ class passwd passwd;
+ class security compute_av;
+ class tcp_socket { name_bind name_connect };
 ')
-# Bugzilla 1185444
-allow systemd_logind_t cluster_t:dbus send_msg;
 # Bugzilla 1135637
 allow rabbitmq_epmd_t init_tmp_t:file write;
-# Bugzilla 1179040
-manage_lnk_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+# Bugzilla 1413775
+allow logrotate_t epmd_port_t:tcp_socket {name_connect name_bind};
+allow logrotate_t rabbitmq_port_t:tcp_socket name_connect;
+allow logrotate_t rabbitmq_var_lib_t:dir { read write };
+allow logrotate_t rabbitmq_var_lib_t:file { getattr open read };
+allow logrotate_t security_t:security compute_av;
+allow logrotate_t self:passwd passwd;
+
+# Bugzilla 1650046
+allow logrotate_t proc_net_t:file read;
+allow logrotate_t self:process setrlimit;
+allow rabbitmq_t proc_net_t:file read;
diff --git a/os-redis.te b/os-redis.te
index 489e6f3..5dac3d5 100644
--- a/os-redis.te
+++ b/os-redis.te
@@ -10,9 +10,6 @@ gen_require(`
 class file { read write };
 ')
-# Bugzilla 1284436
-allow redis_t redis_port_t:tcp_socket name_connect;
-
 # Bugzilla 1283674
 allow sshd_t cluster_var_log_t:file { read write };
 allow useradd_t cluster_var_log_t:file { read write };
diff --git a/os-rsync.te b/os-rsync.te
index c322453..8c4edb0 100644
--- a/os-rsync.te
+++ b/os-rsync.te
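Review bot: The `# Bugzilla 1413775` block gives logrotate_t rabbitmq-specific permissions — name_bind on epmd_port_t, name_connect to rabbitmq_port_t, write on rabbitmq_var_lib_t directories, `self:passwd passwd` and `security_t:security compute_av` — which look like rabbitmqctl being run inside the logrotate domain, presumably from a postrotate script. The cleaner fix is a domain transition so that command runs as rabbitmq_t; if that is not feasible, the comment should state that the postrotate hook is the caller so these grants are not mistaken for logrotate's own needs. Minor: `{name_connect name_bind}` lacks the spaces inside braces used everywhere else in the file.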
@@ -15,6 +15,5 @@ gen_require(`
 # Bugzilla 1135637
 allow rsync_t etc_runtime_t:file relabelto;
 allow rsync_t etc_t:file relabelfrom;
-allow rsync_t cert_t:file { relabelfrom relabelto };
 allow rsync_t cert_t:dir { relabelfrom relabelto };
 allow load_policy_t init_t:fifo_file write;
diff --git a/os-rsyslog.te b/os-rsyslog.te
new file mode 100644
index 0000000..2c3bd61
--- /dev/null
+++ b/os-rsyslog.te
@@ -0,0 +1,11 @@
+policy_module(os-rsyslog,0.1)
+
+gen_require(`
+ type container_file_t;
+ type syslogd_t;
+')
+
+# LP #1810422
+manage_files_pattern(syslogd_t, container_file_t, container_file_t)
+manage_dirs_pattern(syslogd_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(syslogd_t, container_file_t, container_file_t)
diff --git a/os-swift.te b/os-swift.te
index fc67da4..8327a58 100644
--- a/os-swift.te
+++ b/os-swift.te
@@ -2,21 +2,13 @@ policy_module(os-swift,0.1)
 gen_require(`
 type swift_t;
+ type swift_data_t;
 type amqp_port_t;
- type httpd_config_t;
 type var_log_t;
 class tcp_socket name_connect;
 class file { open };
 ')
-# Bugzilla 1105344
-corenet_tcp_connect_keystone_port(swift_t)
-corenet_tcp_connect_memcache_port(swift_t)
-allow swift_t httpd_config_t:dir search;
-
-# Bugzilla 1109087
-corenet_tcp_connect_xserver_port(swift_t)
-
 # Emergency tripleo fix
 allow swift_t var_log_t:file open;
 allow swift_t amqp_port_t:tcp_socket name_connect;
@@ -29,3 +21,6 @@ gen_tunable(os_swift_use_execmem, false)
 tunable_policy(`os_swift_use_execmem',`
 allow swift_t self:process execmem;
 ')
+
+# Bugzilla 1652297
+allow swift_t swift_data_t:lnk_file { create read };
diff --git a/os-timemaster.te b/os-timemaster.te
new file mode 100644
index 0000000..6d75713
--- /dev/null
+++ b/os-timemaster.te
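Review bot: os-rsyslog.te gives syslogd_t manage rights over every container_file_t file, directory and symlink on the host, whereas `# LP #1810422` presumably concerns only the container log volumes rsyslog writes; the symlink creation in particular is more than a log writer needs. A comment naming the volumes involved, e.g. `# LP #1810422: rsyslog writes into the container log volumes under /var/log/containers (all labelled container_file_t)`, would record the intended scope so the rule can be narrowed when a dedicated type exists; the path in that example is illustrative and should be replaced with the real one.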
@@ -0,0 +1,11 @@
+policy_module(os-timemaster,0.1)
+
+optional_policy(`
+ gen_require(`
+ type ptp4l_t;
+ ')
+
+ # Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too.
+ allow ptp4l_t self:capability sys_admin;
+ allow ptp4l_t self:packet_socket create_socket_perms;
+')
diff --git a/os-virt.te b/os-virt.te
new file mode 100644
index 0000000..902c817
--- /dev/null
+++ b/os-virt.te
@@ -0,0 +1,46 @@
+policy_module(os-virt,0.1)
+
+gen_require(`
+ type container_file_t;
+ type systemd_logind_t;
+ type systemd_logind_inhibit_var_run_t;
+ type virtlogd_t;
+ type virt_var_run_t;
+ type svirt_t;
+ type spc_t;
+ type unlabeled_t;
+ class dbus send_msg;
+ class fifo_file write;
+ class tun_socket attach_queue;
+')
+
+# #1561711 - work around inability to send message
+# over dbus. Will be superseded once #1547250 is
+# fixed.
+allow virtlogd_t systemd_logind_t:dbus send_msg;
+allow systemd_logind_t virtlogd_t:dbus send_msg;
+allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file write;
+# allow access to /var/lib/nova directories which are labeled with container_file_t
+# This is required for https://issues.redhat.com//browse/OSPRH-960
+manage_files_pattern(virtlogd_t, container_file_t, container_file_t)
+allow virtlogd_t self:capability dac_override;
+# #1566973
+# Tunable to allow virtlogd to write to NFS
+gen_tunable(os_virtlogd_use_nfs, false)
+tunable_policy(`os_virtlogd_use_nfs',`
+ fs_manage_nfs_dirs(virtlogd_t)
+ fs_manage_nfs_files(virtlogd_t)
+ fs_read_nfs_symlinks(virtlogd_t)
+')
+
+# Bugzilla 1642102
+allow svirt_t spc_t:tun_socket attach_queue;
+
+# Bugzilla 1751300
+allow spc_t unlabeled_t:key manage_key_perms;
+
+# Bugzilla 2007314
+gen_tunable(os_enable_vtpm, false)
+tunable_policy(`os_enable_vtpm',`
+ manage_sock_files_pattern(svirt_t, container_file_t, container_file_t)
+')
diff --git a/tests/bz1040411 b/tests/bz1040411
deleted file mode 100644
index b48bae0..0000000
--- a/tests/bz1040411
+++ /dev/null
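Review bot: In os-virt.te, `allow virtlogd_t self:capability dac_override;` sits between the OSPRH-960 comment and the `# #1566973` heading with no explanation of its own, and `manage_files_pattern(virtlogd_t, container_file_t, container_file_t)` covers every container_file_t file on the host rather than the /var/lib/nova directories the comment names; both lines deserve their own comment and a blank line separating them from the NFS tunable that follows. `type virt_var_run_t;` in the gen_require is never referenced by a rule in the file and can be dropped. In os-timemaster.te, `# Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too.` is the only documentation of an unconditional ptp4l_t sys_admin grant; `8.2` presumably means RHEL 8.2 and the comment should say so and note what ptp4l needs the capability for.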
@@ -1 +0,0 @@
-type=AVC msg=audit(1434613888.676:39583): avc: denied { name_bind } for pid=15783 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
diff --git a/tests/bz1170839 b/tests/bz1170839
index 6bf9ae1..9815cd1 100644
--- a/tests/bz1170839
+++ b/tests/bz1170839
@@ -5,6 +5,3 @@ type=AVC msg=audit(1417690758.589:915): avc: denied { execute_no_trans } for pid
 type=AVC msg=audit(1417690758.591:918): avc: denied { getattr } for pid=8511 comm="arping" scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=packet_socket
 type=AVC msg=audit(1417690351.147:8882): avc: denied { signal } for pid=9605 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
 type=AVC msg=audit(1417690758.588:914): avc: denied { execute } for pid=8510 comm="nova-rootwrap" name="arping" dev="vda1" ino=17240309 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
-
-
-
diff --git a/tests/bz1176830 b/tests/bz1176830
index 93063a2..d3bd77a 100644
--- a/tests/bz1176830
+++ b/tests/bz1176830
@@ -1 +1 @@
-type=AVC msg=audit(1419326478.236:14309): avc: denied { getattr } for pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
\ No newline at end of file
+type=AVC msg=audit(1419326478.236:14309): avc: denied { getattr } for pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
diff --git a/tests/bz1192049 b/tests/bz1192049
deleted file mode 100644
index 1a233a4..0000000
--- a/tests/bz1192049
+++ /dev/null
@@ -1 +0,0 @@
-type=AVC msg=audit(1424715492.561:319885): avc: denied { execmem } for pid=30884 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
diff --git a/tests/bz1245846 b/tests/bz1245846
index 40a9e29..a76128f 100644
--- a/tests/bz1245846
+++ b/tests/bz1245846
@@ -31,5 +31,4 @@ type=AVC msg=audit(07/21/2015 19:45:23.599:32491) : avc: denied { bind } for
 type=AVC msg=audit(07/21/2015 19:45:23.599:32492) : avc: denied { create } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket
 type=AVC msg=audit(07/21/2015 19:45:23.600:32493) : avc: denied { write } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket
 type=AVC msg=audit(07/21/2015 19:45:23.684:32494) : avc: denied { read } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket
-type=MAC_IPSEC_EVENT msg=audit(07/21/2015 19:45:24.721:32500) : op=SPD-add auid=unset ses=unset subj=system_u:system_r:neutron_t:s0 res=yes src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0
 type=AVC msg=audit(07/21/2015 19:45:24.721:32500) : avc: denied { nlmsg_write } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_xfrm_socket
diff --git a/tests/bz1279537 b/tests/bz1279537
deleted file mode 100644
index 329b6ed..0000000
--- a/tests/bz1279537
+++ /dev/null
@@ -1,3 +0,0 @@
-type=AVC msg=audit(1441204057.176:32748): avc: denied { name_connect } for pid=23947 comm="ovsdb-server" dest=6632 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
-type=AVC msg=audit(1441204364.388:32861): avc: denied { getattr } for pid=23982 comm="system_stats4" path="/srv/node/swiftloopback" dev="loop0" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir
-type=AVC msg=audit(1441204354.383:32858): avc: denied { search } for pid=23982 comm="system_stats4" name="node" dev="sda1" ino=42410035 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir
diff --git a/tests/bz1397537 b/tests/bz1397537
index c7d97c9..dcdc967 100644
--- a/tests/bz1397537
+++ b/tests/bz1397537
@@ -1,5 +1,4 @@
-type=AVC msg=audit(1479734070.102:28): avc: denied { read write } for pid=1232 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=34881 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:ob
-ject_r:vfio_device_t:s0 tclass=chr_file
+type=AVC msg=audit(1479734070.102:28): avc: denied { read write } for pid=1232 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=34881 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file
 type=AVC msg=audit(1479734082.245:30): avc: denied { connectto } for pid=1302 comm="plymouth" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
 type=AVC msg=audit(1479734839.323:28): avc: denied { open } for pid=1232 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" ino=26699 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file
 type=AVC msg=audit(1479735230.962:28): avc: denied { ioctl } for pid=1236 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" ino=22693 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file
diff --git a/tests/bz1413775 b/tests/bz1413775
new file mode 100644
index 0000000..6499919
--- /dev/null
+++ b/tests/bz1413775
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1520795762.042:230): avc: denied { name_connect } for pid=3149 comm="2_scheduler" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket
+type=AVC msg=audit(1520795761.442:226): avc: denied { name_bind } for pid=3161 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket
+type=AVC msg=audit(1520795942.068:312): avc: denied { name_connect } for pid=4264 comm="2_scheduler" dest=25672 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_port_t:s0 tclass=tcp_socket
+type=AVC msg=audit(1520795761.195:224): avc: denied { read } for pid=3137 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1520795821.201:252): avc: denied { write } for pid=3650 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1520795761.142:223): avc: denied { getattr } for pid=3111 comm="rabbitmqctl" path="/var/lib/rabbitmq/mnesia/rabbit@openstack.pid" dev="vda1" ino=33616151 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file
+type=AVC msg=audit(1520795761.514:227): avc: denied { read } for pid=3171 comm="async_8" name=".erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file
+type=AVC msg=audit(1520795761.514:228): avc: denied { open } for pid=3172 comm="async_9" path="/var/lib/rabbitmq/.erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file
+type=AVC 
msg=audit(1520795941.140:300): avc: denied { compute_av } for pid=4172 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
+type=USER_AVC msg=audit(1520795941.141:301): pid=4172 uid=0 auid=0 ses=19 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
diff --git a/tests/bz1430402 b/tests/bz1430402
new file mode 100644
index 0000000..fc0e783
--- /dev/null
+++ b/tests/bz1430402
@@ -0,0 +1,5 @@
+type=AVC msg=audit(1490708508.568:4786): avc: denied { search } for pid=428106 comm="nova-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
+type=AVC msg=audit(1490708839.879:4915): avc: denied { search } for pid=470231 comm="nova-scheduler" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
+type=AVC msg=audit(1490708833.260:4883): avc: denied { search } for pid=470038 comm="nova-conductor" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
+type=AVC msg=audit(1490709327.031:5296): avc: denied { search } for pid=430212 comm="glance-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
+type=AVC msg=audit(1490708842.508:4919): avc: denied { search } for pid=470319 comm="nova-consoleaut" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
diff --git a/tests/bz1431556 b/tests/bz1431556
new file mode 100644
index 0000000..3048793
--- /dev/null
+++ b/tests/bz1431556
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1491476260.819:468): avc: denied { net_raw } for pid=16208 comm="ovs-vswitchd" capability=13 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability
+type=AVC msg=audit(1491476260.819:469): avc: denied { setopt } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket
+type=AVC msg=audit(1491476260.819:470): avc: denied { bind } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket
+type=AVC msg=audit(1491476260.819:468): avc: denied { create } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket
+type=AVC msg=audit(1491471288.799:211): avc: denied { search } for pid=16454 comm="ovs-vsctl" name="16445" dev="proc" ino=122913 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir
+type=AVC msg=audit(1491737286.265:1005): avc: denied { search } for pid=21524 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13749162 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
+type=AVC msg=audit(1491737286.491:1014): avc: denied { create } for pid=41979 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c196,c856 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file
+type=AVC msg=audit(1491737298.403:1054): avc: denied { create } for pid=42061 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c485,c1012 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file
+type=AVC msg=audit(1492005897.842:867): avc: denied { search } for pid=32747 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13912914 scontext=system_u:system_r:openvswitch_t:s0 
tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
+type=AVC msg=audit(1492075576.802:2437): avc: denied { connectto } for pid=32747 comm="ovs-vswitchd" path="/var/lib/vhost_sockets/vhu7aad635e-67" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c103,c352 tclass=unix_stream_socket
diff --git a/tests/bz1434826 b/tests/bz1434826
new file mode 100644
index 0000000..cee0238
--- /dev/null
+++ b/tests/bz1434826
@@ -0,0 +1,37 @@
+type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
+type=AVC msg=audit(1521755700.847:73): avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
+type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 
scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
+type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
+type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
+type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
+type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
+type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
+type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
+type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
+type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
+type=AVC msg=audit(1521756001.800:145): avc: denied 
{ open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
+type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
+type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
+type=AVC msg=audit(1521756002.596:152): avc: denied { mounton } for pid=1860 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
+type=AVC msg=audit(1521756002.596:154): avc: denied { mounton } for pid=1860 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
+type=AVC msg=audit(1521756002.597:155): avc: denied { mounton } for pid=1860 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
+type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756005.967:160): avc: denied { execute } for pid=1867 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756005.967:160): avc: denied { execute_no_trans } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756005.968:161): avc: denied { ioctl } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" 
name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
+type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
+type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
diff --git a/tests/bz1437684 b/tests/bz1437684
new file mode 100644
index 0000000..8aced84
--- /dev/null
+++ b/tests/bz1437684
@@ -0,0 +1 @@
+type=AVC msg=audit(1490770503.768:2446): avc: denied { open } for pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
diff --git a/tests/bz1448887 b/tests/bz1448887
new file mode 100644
index 0000000..ca16145
--- /dev/null
+++ b/tests/bz1448887
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1494905982.458:2181): avc: denied { open } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
+type=AVC msg=audit(1494905982.458:2182): avc: denied { getattr } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
+type=AVC msg=audit(1494905982.458:2182): avc: denied { read } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
diff --git a/tests/bz1452418 b/tests/bz1452418
new file mode 100644
index 0000000..c6b301d
--- /dev/null
+++ b/tests/bz1452418
@@ -0,0 +1 @@
+type=AVC msg=audit(1495149503.842:3417): avc: denied { name_connect } for pid=24486 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket
diff --git a/tests/bz1464114 b/tests/bz1464114
new file mode 100644
index 0000000..3c57447
--- /dev/null
+++ b/tests/bz1464114
@@ -0,0 +1,2 @@
+bz1464114:1:type=AVC msg=audit(1498082689.658:317): avc: denied { open } for pid=24495 comm="touch" path="/tmp/tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
+bz1464114:2:type=AVC msg=audit(1498082689.659:318): avc: denied { setattr } for pid=24496 comm="chown" name="tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
diff --git a/tests/bz1466444 b/tests/bz1466444
new file mode 100644
index 0000000..00fda55
--- /dev/null
+++ b/tests/bz1466444
@@ -0,0 +1 @@
+type=AVC msg=audit(1498672139.870:5641): avc: denied { associate } for pid=365129 comm="httpd" name="gnocchiUvHVPC" scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=filesystem
diff --git a/tests/bz1469823 b/tests/bz1469823
new file mode 100644
index 0000000..110425e
--- /dev/null
+++ b/tests/bz1469823
@@ -0,0 +1 @@
+type=AVC msg=audit(1499805908.280:4362): avc: denied { setpgid } for pid=16339 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
diff --git a/tests/bz1478176 b/tests/bz1478176
new file mode 100644
index 0000000..4a7be36
--- /dev/null
+++ b/tests/bz1478176
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
+type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
diff --git a/tests/bz1494907 b/tests/bz1494907
new file mode 100644
index 0000000..e8f800f
--- /dev/null
+++ b/tests/bz1494907
@@ -0,0 +1,25 @@
+type=AVC msg=audit(1506381584.797:150): avc: denied { read } for pid=20335 comm="grep" name="kvm.conf" dev="sda2" ino=12583138 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
+type=AVC msg=audit(1506522147.108:6883): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file
+type=AVC msg=audit(1506522177.143:6891): avc: denied { read } for pid=225281 comm="qemu-kvm" name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c391,c860 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process
+type=AVC msg=audit(1506522064.398:6871): avc: denied { entrypoint } for pid=224688 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522177.143:6892): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522389.519:6958): avc: denied { entrypoint } for pid=226377 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c549,c593 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522064.400:6875): avc: denied { execute } for pid=224688 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC 
msg=audit(1506522177.141:6890): avc: denied { write } for pid=225281 comm="qemu-kvm" path="pipe:[2814876]" dev="pipefs" ino=2814876 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file
+type=AVC msg=audit(1506522064.400:6872): avc: denied { read } for pid=224688 comm="qemu-kvm" name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process
+type=AVC msg=audit(1506522064.398:6871): avc: denied { write } for pid=224688 comm="qemu-kvm" path="pipe:[2816199]" dev="pipefs" ino=2816199 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file
+type=AVC msg=audit(1506522147.107:6882): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file
+type=AVC msg=audit(1506522147.107:6882): avc: denied { read } for pid=224688 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file
+type=AVC msg=audit(1506522224.531:6901): avc: denied { read } for pid=225281 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file
+type=AVC msg=audit(1506522147.107:6882): avc: denied { search } for pid=224688 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=dir
+type=AVC msg=audit(1506522224.558:6904): avc: denied { sigchld } for pid=34139 comm="docker-containe" 
scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process
+type=AVC msg=audit(1506522177.143:6891): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522224.531:6901): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file
+type=AVC msg=audit(1506522064.400:6873): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522224.531:6901): avc: denied { search } for pid=225281 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=dir
+type=AVC msg=audit(1506522177.141:6890): avc: denied { entrypoint } for pid=225281 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522064.400:6872): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522177.143:6894): avc: denied { execute } for pid=225281 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file
+type=AVC msg=audit(1506522224.533:6902): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 
scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file
diff --git a/tests/bz1498797 b/tests/bz1498797
new file mode 100644
index 0000000..5710207
--- /dev/null
+++ b/tests/bz1498797
@@ -0,0 +1,7 @@
+type=AVC msg=audit(1507882760.767:1386): avc: denied { write } for pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
+type=AVC msg=audit(1507882834.017:1434): avc: denied { read } for pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
+type=AVC msg=audit(1507882927.297:1507): avc: denied { dac_override } for pid=6744 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability
+type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
+type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
+type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
+type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
diff --git a/tests/bz1542107 b/tests/bz1542107
new file mode 100644
index 0000000..35f97bb
--- /dev/null
+++ b/tests/bz1542107
@@ -0,0 +1 @@
+type=AVC msg=audit(1517841541.153:650): avc: denied { read write } for pid=7168 comm="vhost_thread2" path=2F6D656D66643A76686F73742D6C6F67202864656C6574656429 dev="tmpfs" ino=324410 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file
diff --git a/tests/bz1547197 b/tests/bz1547197
new file mode 100644
index 0000000..bb4f0fa
--- /dev/null
+++ b/tests/bz1547197
@@ -0,0 +1 @@
+type=AVC msg=audit(1519144859.347:11041): avc: denied { setpgid } for pid=844370 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
diff --git a/tests/bz1554964 b/tests/bz1554964
new file mode 100644
index 0000000..d1fff53
--- /dev/null
+++ b/tests/bz1554964
@@ -0,0 +1 @@
+type=AVC msg=audit(1520957807.128:122131): avc: denied { name_bind } for pid=2715 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket
diff --git a/tests/bz1558465 b/tests/bz1558465
new file mode 100644
index 0000000..a5854f0
--- /dev/null
+++ b/tests/bz1558465
@@ -0,0 +1,9 @@
+type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
+type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
+type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
+type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
+type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
+type=AVC msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
+type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
+type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
+type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0
tclass=capability
diff --git a/tests/bz1561711 b/tests/bz1561711
new file mode 100644
index 0000000..aefa39e
--- /dev/null
+++ b/tests/bz1561711
@@ -0,0 +1,3 @@
+type=USER_AVC msg=audit(1520195408.164:1668): pid=1393 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=3123 tpid=1390 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+type=USER_AVC msg=audit(1527075220.353:14540): pid=581 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.866 spid=575 tpid=11664 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+type=AVC msg=audit(1527492439.572:13842): avc: denied { write } for pid=10949 comm="virtlogd" path="/run/systemd/inhibit/4.ref" dev="tmpfs" ino=251799 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file
diff --git a/tests/bz1566973 b/tests/bz1566973
new file mode 100644
index 0000000..1f51bcf
--- /dev/null
+++ b/tests/bz1566973
@@ -0,0 +1 @@
+type=AVC msg=audit(1524017564.805:204): avc: denied { write } for pid=12021 comm="virtlogd" name="bec321f0-2651-4948-ac85-1845a91271a0" dev="0:39" ino=4197515 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
diff --git a/tests/bz1568993 b/tests/bz1568993
new file mode 100644
index 0000000..8bc64fc
--- /dev/null
+++ b/tests/bz1568993
@@ -0,0 +1,5 @@
+type=AVC msg=audit(1523966763.994:1875): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1523990351.136:7706): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1523990351.136:7707): avc: denied { getattr } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1523990351.136:7708): avc: denied { open } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
+type=AVC msg=audit(1523990351.136:7709): avc: denied { read } for pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
diff --git a/tests/bz1572510 b/tests/bz1572510
new file mode 100644
index 0000000..f3683ea
--- /dev/null
+++ b/tests/bz1572510
@@ -0,0 +1 @@
+type=AVC msg=audit(1525078074.900:1198999): avc: denied { read write } for pid=11438 comm="ovs-vswitchd" path="socket:[38710370]" dev="sockfs" ino=38710370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket
diff --git a/tests/bz1581729 b/tests/bz1581729
new file mode 100644
index 0000000..83731b5
--- /dev/null
+++ b/tests/bz1581729
@@ -0,0 +1 @@
+type=AVC msg=audit(1527075675.414:18010): avc: denied { name_bind } for pid=4521 comm="dhcp_release6" src=546 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
diff --git a/tests/bz1628679 b/tests/bz1628679
new file mode 100644
index 0000000..4986f9e
--- /dev/null
+++ b/tests/bz1628679
@@ -0,0 +1 @@
+type=USER_AVC msg=audit(1538043682.101:8006): pid=2252 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.410 spid=2405 tpid=19100 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cinder_volume_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
diff --git a/tests/bz1640528 b/tests/bz1640528
new file mode 100644
index 0000000..396f171
--- /dev/null
+++ b/tests/bz1640528
@@ -0,0 +1,8 @@
+type=AVC msg=audit(...): avc: denied { connectto } for pid=... comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+type=AVC msg=audit(...): avc: denied { execute } for pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { execute_no_trans } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { getattr } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { open } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { read } for pid=... comm="unix_chkpwd" name="shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { read open } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=... spid=... tpid=... scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
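Review bot: Every record in tests/bz1640528 carries redacted fields (`audit(...)`, `pid=...`, `ino=...`, `dest=...`, and an empty `audit()` on the USER_AVC line) rather than real values, unlike every other fixture in this commit. Whether the harness behind tests/check_all accepts that depends on its parser, which is not visible here: the scontext/tcontext/tclass fields a rule generator needs are all present, but a parser that validates the timestamp or pid will reject the file and the bug would go unchecked. Either restoring the original records from the bug report or stating next to the fixtures that placeholder fields are permitted would make the intent explicit. Note also that this fixture records nova_t reaching shadow_t through unix_chkpwd; the policy resolving it should do so by transitioning to chkpwd_t (the auth_domtrans_chk_passwd interface) rather than allowing nova_t to read shadow_t directly, which cannot be confirmed from this hunk.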
diff --git a/tests/bz1642102 b/tests/bz1642102
new file mode 100644
index 0000000..b624011
--- /dev/null
+++ b/tests/bz1642102
@@ -0,0 +1 @@
+type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } for pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket
diff --git a/tests/bz1650046 b/tests/bz1650046
new file mode 100644
index 0000000..015fe8e
--- /dev/null
+++ b/tests/bz1650046
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1583112189.890:19129): avc: denied { read } for pid=13620 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1583136605.180:19713): avc: denied { setrlimit } for pid=20488 comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process permissive=1
+type=AVC msg=audit(1583136606.388:19715): avc: denied { read } for pid=20640 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
diff --git a/tests/bz1652297 b/tests/bz1652297
new file mode 100644
index 0000000..cfd8115
--- /dev/null
+++ b/tests/bz1652297
@@ -0,0 +1 @@
+type=AVC msg=audit(1542830504.754:4792): avc: denied { read } for pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
diff --git a/tests/bz1671514 b/tests/bz1671514
new file mode 100644
index 0000000..5bf8d77
--- /dev/null
+++ b/tests/bz1671514
@@ -0,0 +1 @@
+type=AVC msg=audit(1548880833.900:153941): avc: denied { name_connect } for pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
diff --git a/tests/bz1684885 b/tests/bz1684885
new file mode 100644
index 0000000..9c3e1f2
--- /dev/null
+++ b/tests/bz1684885
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1551866885.134:39): avc: denied { getattr } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551866885.136:40): avc: denied { write } for pid=1175 comm="sysctl" name="core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551866885.136:40): avc: denied { open } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551866885.485:42): avc: denied { execute_no_trans } for pid=1286 comm="ip" path="/usr/sbin/keepalived" dev="vda1" ino=537483 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551867084.102:44): avc: denied { read } for pid=1376 comm="ip" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551867084.102:44): avc: denied { open } for pid=1376 comm="ip" path="/run/netns/amphora-haproxy" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551867108.032:46): avc: denied { map } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551867108.032:46): avc: denied { execute } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1551867168.534:47): avc: denied { create } for pid=1487 comm="keepalived" name="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1551867168.535:48): avc: denied { mounton } for pid=1487 comm="keepalived" path="/run/keepalived" dev="tmpfs" ino=24185 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
diff --git a/tests/bz1687321 b/tests/bz1687321
new file mode 100644
index 0000000..1577de1
--- /dev/null
+++ b/tests/bz1687321
@@ -0,0 +1 @@
+type=AVC msg=audit(1552241787.746:60): avc: denied { entrypoint } for pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
diff --git a/tests/bz1692325 b/tests/bz1692325
new file mode 100644
index 0000000..f860209
--- /dev/null
+++ b/tests/bz1692325
@@ -0,0 +1,26 @@
+type=AVC msg=audit(1553504112.730:7560): avc: denied { write } for pid=41771 comm="mkdir" name="galera-bundle-0" dev="vda2" ino=8512171 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504112.730:7560): avc: denied { add_name } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504112.730:7560): avc: denied { create } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504112.730:7561): avc: denied { read } for pid=41771 comm="mkdir" name="kolla" dev="vda2" ino=65194464 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504118.347:7565): avc: denied { create } for pid=42078 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504118.347:7565): avc: denied { read write open } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504118.347:7566): avc: denied { lock } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504226.542:7628): avc: denied { write } for pid=46749 comm="python" name="rabbitmq-bundle-0" dev="vda2" ino=67376550 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir
permissive=1
+type=AVC msg=audit(1553504226.542:7628): avc: denied { add_name } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504226.542:7628): avc: denied { create } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504226.542:7628): avc: denied { write open } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504226.542:7629): avc: denied { ioctl } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504226.542:7630): avc: denied { setattr } for pid=46749 comm="python" name="btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504226.564:7633): avc: denied { create } for pid=46774 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504226.564:7634): avc: denied { read } for pid=46774 comm="mkdir" name="kolla" dev="vda2" ino=35865839 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504307.112:7757): avc: denied { write } for pid=52665 comm="mkdir" name="redis-bundle-0" dev="vda2" ino=73669291 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0
tclass=dir permissive=1
+type=AVC msg=audit(1553504307.112:7757): avc: denied { add_name } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504307.112:7757): avc: denied { create } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504307.112:7758): avc: denied { read } for pid=52665 comm="mkdir" name="kolla" dev="vda2" ino=31565583 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504312.069:7762): avc: denied { create } for pid=52961 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504312.069:7762): avc: denied { read write open } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504312.069:7763): avc: denied { lock } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1553504532.565:8213): avc: denied { write } for pid=73801 comm="mkdir" name="ovn-dbs-bundle-0" dev="vda2" ino=86202322 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504532.565:8213): avc: denied { add_name } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504532.565:8213): avc: denied { create } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1553504532.565:8214): avc: denied { read } for pid=73801 comm="mkdir" name="kolla" dev="vda2" ino=38118009 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1
diff --git a/tests/bz1707840 b/tests/bz1707840
new file mode 100644
index 0000000..e8651a1
--- /dev/null
+++ b/tests/bz1707840
@@ -0,0 +1 @@
+type=AVC msg=audit(1557322725.873:12375): avc: denied { read write } for pid=8786 comm="vhost-events" path="socket:[16378370]" dev="sockfs" ino=16378370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=1
diff --git a/tests/bz1715492 b/tests/bz1715492
new file mode 100644
index 0000000..8463d08
--- /dev/null
+++ b/tests/bz1715492
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1559218642.208:72): avc: denied { dac_override } for pid=6702 comm="haproxy" capability=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=1
+
diff --git a/tests/bz1727937 b/tests/bz1727937
new file mode 100644
index 0000000..323113e
--- /dev/null
+++ b/tests/bz1727937
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1567480861.728:31696): avc: denied { write } for pid=683284 comm="logrotate" name="openvswitch" dev="sda2" ino=2881762 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1562513521.955:5768): avc: denied { read } for pid=54302 comm="logrotate" name="openvswitch" dev="vda2" ino=1012142 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
+
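Review bot: tests/bz1715492 and tests/bz1727937 each end with an empty added line (the lone `+` before the next file header), and tests/bz1820504 later in this commit carries two empty lines in the middle of the file. Whether an empty record is harmless depends on how tests/check_all consumes these fixtures, which is not visible here; a line-oriented parser may report a spurious failure or emit an empty rule for it. Dropping the blank lines keeps the three files uniform with the rest of the set, whose fixtures are one denial per line with no padding.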
diff --git a/tests/bz1732578 b/tests/bz1732578
new file mode 100644
index 0000000..e6fbbbb
--- /dev/null
+++ b/tests/bz1732578
@@ -0,0 +1,6 @@
+type=AVC msg=audit(1563895304.208:14480): avc: denied { read } for pid=81224 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563895442.774:14719): avc: denied { read } for pid=94348 comm="httpd" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c111,c895 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563899396.472:17769): avc: denied { read } for pid=382136 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17769): avc: denied { open } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17770): avc: denied { execute } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563907351.675:23726): avc: denied { read } for pid=960024 comm="ls" name="nfast" dev="vda2" ino=33555398 scontext=system_u:system_r:container_t:s0:c353,c747 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir permissive=0
diff --git a/tests/bz1751300 b/tests/bz1751300
new file mode 100644
index 0000000..9de2aa1
--- /dev/null
+++ b/tests/bz1751300
@@ -0,0 +1 @@
+type=AVC msg=audit(1568239901.789:19443): avc: denied { create } for pid=186828 comm="runc:[2:INIT]" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=0
diff --git a/tests/bz1765910 b/tests/bz1765910
new file mode 100644
index 0000000..ef12b0a
--- /dev/null
+++ b/tests/bz1765910
@@ -0,0 +1,6 @@
+type=AVC msg=audit(1572103537.454:113): avc: denied { read } for pid=1752 comm="ip" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1572103537.454:113): avc: denied { open } for pid=1752 comm="ip" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1572356953.842:84): avc: denied { mounton } for pid=4491 comm="ip" path="/sys" dev="vda1" ino=509 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1572445298.403:73): avc: denied { mounton } for pid=4371 comm="ip" path="/sys" dev="vda1" ino=2097505 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1572445302.642:75): avc: denied { unmount } for pid=4376 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
+type=AVC msg=audit(1572445302.642:76): avc: denied { rmdir } for pid=4376 comm="keepalived" name="amphora-haproxy" dev="tmpfs" ino=30412 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
diff --git a/tests/bz1772025 b/tests/bz1772025
new file mode 100644
index 0000000..eba7dfd
--- /dev/null
+++ b/tests/bz1772025
@@ -0,0 +1 @@
+type=AVC msg=audit(1573651690.514:4640): avc: denied { create } for pid=34421 comm="ovs-vswitchd" name="dpdk" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
diff --git a/tests/bz1777263 b/tests/bz1777263
new file mode 100644
index 0000000..866135d
--- /dev/null
+++ b/tests/bz1777263
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1574861307.690:5254): avc: denied { getattr } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1574861307.690:5255): avc: denied { read } for pid=25373 comm="ruby" name="hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1574861307.690:5255): avc: denied { open } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1
diff --git a/tests/bz1777738 b/tests/bz1777738
new file mode 100644
index 0000000..3d7c9b4
--- /dev/null
+++ b/tests/bz1777738
@@ -0,0 +1 @@
+type=AVC msg=audit(11/29/2019 14:32:51.557:32236) : avc: denied { write } for pid=205548 comm=iptables path=pipe:[1864791] dev="pipefs" ino=1864791 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
diff --git a/tests/bz1778793 b/tests/bz1778793
new file mode 100644
index 0000000..032a8ad
--- /dev/null
+++ b/tests/bz1778793
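Review bot: tests/bz1777738 here, and tests/bz1778793 in the next hunk, are in `ausearch -i` interpreted form — `audit(11/29/2019 14:32:51.557:32236) :` with a space before the colon, unquoted `comm=iptables`, and symbolic `capability=fsetid` — whereas every other fixture in this commit is raw audit.log output with epoch timestamps and numeric capabilities such as `capability=1`. If tests/check_all hands all fixtures to a single parser, the two formats may not both be accepted, and an unparsed record would make the check pass without exercising the denial it documents; which parser is used is not visible here. Converting these two files to the raw form (the same line as written to audit.log) would remove the dependency, or the accepted formats could be stated next to the fixtures so future additions stay consistent.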
@@ -0,0 +1,2 @@
+type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fsetid } for pid=3137 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
+type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fowner } for pid=3137 comm=install capability=fowner scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
diff --git a/tests/bz1789068 b/tests/bz1789068
new file mode 100644
index 0000000..7dc41a4
--- /dev/null
+++ b/tests/bz1789068
@@ -0,0 +1,6 @@
+type=AVC msg=audit(1578500356.540:5530): avc: denied { getattr } for pid=86851 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1578500356.540:5531): avc: denied { execute } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1578500356.540:5532): avc: denied { read } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1578500356.542:5533): avc: denied { open } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1578500356.542:5533): avc: denied { execute_no_trans } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1578500356.546:5534): avc: denied { setcap } for pid=86854 comm="ping" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1
diff --git a/tests/bz1789710 b/tests/bz1789710
new file mode 100644
index 0000000..7cd6e68
--- /dev/null
+++ b/tests/bz1789710
@@ -0,0 +1 @@
+type=AVC msg=audit(1578626829.434:88494): avc: denied { getattr } for pid=981968 comm="glance-api" name="/" dev="0:46" ino=289429476 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=filesystem permissive=0
diff --git a/tests/bz1820504 b/tests/bz1820504
new file mode 100644
index 0000000..ca46c1a
--- /dev/null
+++ b/tests/bz1820504
@@ -0,0 +1,8 @@
+type=AVC msg=audit(1585843550.178:7813550): avc: denied { add_name } for pid=3306876 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1585843799.707:7814032): avc: denied { write } for pid=3306876 comm="httpd" name="cinder" dev="dm-0" ino=1230986 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir
+type=AVC msg=audit(1585843767.395:7814013): avc: denied { create } for pid=3306875 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir
+
+
+type=AVC msg=audit(1587719480.723:9252596): avc: denied { append open } for pid=3907385 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-b3b103ae-78a6-424f-b406-642d177c6c20-" dev="dm-0" ino=135032832 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file
+type=AVC msg=audit(1587719779.203:2939539): avc: denied { getattr } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file
+type=AVC msg=audit(1587720082.812:2942608): avc: denied { lock } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file
diff --git a/tests/bz1847037 b/tests/bz1847037
new file mode 100644
index 0000000..3a911c4
--- /dev/null
+++ b/tests/bz1847037
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1592206154.561:5419): avc: denied { execute_no_trans } for pid=3827 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1592206157.680:5438): avc: denied { execute_no_trans } for pid=3860 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0
diff --git a/tests/bz1872651 b/tests/bz1872651
new file mode 100644
index 0000000..7c0cfba
--- /dev/null
+++ b/tests/bz1872651
@@ -0,0 +1,5 @@
+type=AVC msg=audit(1598898583.306:659): avc: denied { sys_admin } for pid=2595 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permiss
+type=AVC msg=audit(1598898583.306:658): avc: denied { setopt } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
+type=AVC msg=audit(1598898583.298:657): avc: denied { bind } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
+type=AVC msg=audit(1598898583.298:656): avc: denied { ioctl } for pid=2595 comm="ptp4l" path="socket:[186527]" dev="sockfs" ino=186527 ioctlcmd=0x8933 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:s
+type=AVC msg=audit(1598898583.298:655): avc: denied { create } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1
diff --git a/tests/bz1893132 b/tests/bz1893132
new file mode 100644
index 0000000..bfb20b6
--- /dev/null
+++ b/tests/bz1893132
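Review bot: Two records in tests/bz1872651 are truncated: the first line stops at `permiss` and the fourth stops at `tcontext=system_u:s`, so the ioctl denial has no target context and no tclass at all. A record without a tclass cannot be turned into a rule or matched against the loaded policy, so whatever tests/check_all verifies for this bug silently omits the ioctl case, and the sys_admin line may or may not parse depending on how strictly the trailing field is read. Both lines should be replaced with the complete records from the bug report; the first presumably ends `permissive=1`, and the fourth presumably ends `tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1` like its neighbours, but that should be taken from the source log rather than reconstructed.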
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1604010639.062:643445): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
+type=AVC msg=audit(1604010639.098:643446): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
diff --git a/tests/bz1926765 b/tests/bz1926765
new file mode 100644
index 0000000..2ffc858
--- /dev/null
+++ b/tests/bz1926765
@@ -0,0 +1 @@
+type=AVC msg=audit(1612971631.581:8655): avc: denied { sigchld } for pid=236718 comm="conmon" scontext=system_u:system_r:container_t:s0:c409,c785 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=process permissive=1
diff --git a/tests/bz1941412 b/tests/bz1941412
new file mode 100644
index 0000000..37f7c39
--- /dev/null
+++ b/tests/bz1941412
@@ -0,0 +1,8 @@ +type=AVC msg=audit(1616384789.103:3183): avc: denied { read } for pid=39321 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616384823.339:3274): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385089.159:3761): avc: denied { read } for pid=46803 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385123.436:3840): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385389.169:4321): avc: denied { read } for pid=54242 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385423.480:4392): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385689.197:4888): avc: denied { read } for pid=61777 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1616385723.573:4959): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 
scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 diff --git a/tests/bz1962802 b/tests/bz1962802 new file mode 100644 index 0000000..0a7e054 --- /dev/null +++ b/tests/bz1962802 @@ -0,0 +1 @@ +type=AVC msg=audit(1621521322.324:1212399): avc: denied { signal } for pid=1442393 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 diff --git a/tests/bz1969325 b/tests/bz1969325 new file mode 100644 index 0000000..15c42fd --- /dev/null +++ b/tests/bz1969325 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1622799389.155:390): avc: denied { setattr } for pid=4715 comm="keepalived" name="1171ec49-19e7-4b89-a97c-88d5e8732bf8.pid.keepalived" dev="dm-0" ino=237885 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1622799392.683:404): avc: denied { setattr } for pid=4808 comm="keepalived" name="0a74a7c4-8735-4aea-8b16-0e46780c9a39.pid.keepalived" dev="dm-0" ino=237887 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1622799420.386:566): avc: denied { setattr } for pid=5621 comm="keepalived" name="db8f00f6-b84f-4ec1-b96a-24b46200c26b.pid.keepalived" dev="dm-0" ino=232460 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 diff --git a/tests/bz2013194 b/tests/bz2013194 new file mode 100644 index 0000000..fee4ec3 --- /dev/null +++ b/tests/bz2013194 @@ -0,0 +1 @@ +type=AVC msg=audit(1633990096.040:24220): avc: denied { read write } for pid=5337 comm="swift-container" name="container.recon" dev="vda2" ino=46373631 scontext=system_u:system_r:container_t:s0:c50,c57 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0 diff --git a/tests/bz2020210 b/tests/bz2020210 new file mode 100644 index 0000000..576af71 
--- /dev/null +++ b/tests/bz2020210 @@ -0,0 +1 @@ +type=AVC msg=audit(1635988536.870:9187): avc: denied { append } for pid=128557 comm="redis-server" name="redis.log" dev="vda2" ino=67368647 scontext=system_u:system_r:container_t:s0:c67,c288 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0 diff --git a/tests/bz2053849 b/tests/bz2053849 new file mode 100644 index 0000000..50a2086 --- /dev/null +++ b/tests/bz2053849 @@ -0,0 +1,4 @@ +type=AVC msg=audit(1644681031.316:8213): avc: denied { ioctl } for pid=72966 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681041.232:8256): avc: denied { remove_name } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1644681041.232:8256): avc: denied { unlink } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681192.761:8641): avc: denied { read } for pid=72965 comm="httpd" name="cinder" dev="vda1" ino=6815392 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 diff --git a/tests/bz2053852 b/tests/bz2053852 new file mode 100644 index 0000000..5a52d32 --- /dev/null +++ b/tests/bz2053852 
@@ -0,0 +1,2 @@ +type=AVC msg=audit(1644681472.535:9235): avc: denied { getattr } for pid=78599 comm="privsep-helper" path="/run/netns/qdhcp-d6afbd95-bfef-44d7-84cc-559cda9a0686" dev="nsfs" ino=4026532244 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681474.970:9248): avc: denied { unmount } for pid=78610 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=filesystem permissive=1 diff --git a/tests/bz2091076 b/tests/bz2091076 new file mode 100644 index 0000000..dcc8990 --- /dev/null +++ b/tests/bz2091076 @@ -0,0 +1,2 @@ +type=AVC msg=audit(1663231589.213:223510): avc: denied { create } for pid=1 comm="systemd" name="podman.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 +type=AVC msg=audit(1663231589.213:223511): avc: denied { write } for pid=1 comm="systemd" name="podman.sock" dev="vda4" ino=143041949 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 diff --git a/tests/bz2254886 b/tests/bz2254886 new file mode 100644 index 0000000..abf4db6 --- /dev/null +++ b/tests/bz2254886 
@@ -0,0 +1,5 @@ +type=AVC msg=audit(1702821160.556:5348): avc: denied { create } for pid=71109 comm="neutron-server" name="sem.ooVkM5" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1702821160.556:5348): avc: denied { read write open } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1702821160.556:5349): avc: denied { link } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1702821160.556:5350): avc: denied { getattr } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1702821160.556:5351): avc: denied { unlink } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 diff --git a/tests/bz2255412 b/tests/bz2255412 new file mode 100644 index 0000000..a175c8d --- /dev/null +++ b/tests/bz2255412 @@ -0,0 +1,2 @@ +type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 +type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 diff --git a/tests/check_all b/tests/check_all index a635506..f270985 100755 --- a/tests/check_all +++ b/tests/check_all 
@@ -11,55 +11,82 @@ export LANG=C TMP=$(mktemp /tmp/openstack-selinux-test.XXXXXX) +rm -f $TMP +mkdir -p $TMP PWD=$(pwd) cd "$(dirname $0)" -TEST_FILES=$(/bin/ls -1 bz*) +TEST_FILES=$(/bin/ls -1 bz* lp* osprh* rdo*) +TEST_INPUT=$TMP/input +TEST_OUTPUT=$TMP/output +TEST_FAIL=$TMP/failed_tests +TEST_FAIL_INFO=$TMP/failed_info passed=0 failed=0 +rm -f $TEST_INPUT +touch $TEST_INPUT for f in $TEST_FILES; do - echo "CHECKING:" $f - totalAVC=$(grep -s -c "type=AVC" $f) - count=0 - while read; do - ((count++)) - echo "("$count"/"$totalAVC")" - - # Copy our individual AVC line to our temp file. - echo "$REPLY" > $TMP - - # - # Ensure that the AVC does not generate a 'Missing type - # enforcement' error message from audit2why. This requires - # that the openstack-selinux policies are installed and - # loaded, or you will receive false failures. - # - if audit2why -i $TMP | grep -q 'Missing type'; then - echo Failed on $f with the following AVC: - # - # An optimization could be to call audit2why only - # once (and check that output above), but this is - # an error path we hope to not hit very often. 
- # - audit2why -i $TMP - ((failed++)) - else - ((passed++)) - fi - done < $f + grep '^type=\(USER_\)\?AVC' $f >> $TEST_INPUT done +totalAVC=$(wc -l $TEST_INPUT) +audit2why -i $TEST_INPUT > $TEST_OUTPUT + +cat > $TMP/check.awk << EOT +BEGIN { + working = 0 + last_line = "" +} + +/^type=AVC/ { + if (working == 1) { + print last_line + last_line = "" + working = 0 + } + working = 1 + last_line=\$0 +} + +/Unknown -/ { + working = 0 + last_line = "" +} + +END { + if (working == 1) { + working = 0 + print last_line + } +} +EOT + +awk -f $TMP/check.awk $TEST_OUTPUT > $TEST_FAIL + +while read; do + ((failed++)) + grep -n "$REPLY" $TEST_FILES + # echo "$REPLY" | audit2why | grep -v '$REPLY' +done < $TEST_FAIL + +if [ $failed -ne 0 ]; then + audit2why -i $TEST_FAIL > $TEST_FAIL_INFO +fi + cd "$PWD" -echo Results: $passed passed, $failed failed +echo Results: ${totalAVC/ */} total, $failed failed echo -n "Overall result: " if [ $failed -ne 0 ]; then echo FAIL + echo Check $TEST_FAIL_INFO for more information exit 1 fi +rm -rf $TMP + echo PASS exit 0 diff --git a/tests/lp1853652 b/tests/lp1853652 new file mode 100644 index 0000000..74c9040 --- /dev/null +++ b/tests/lp1853652 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1576568492.577:8193): avc: denied { execute } for pid=77376 comm="(sync)" name="sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1576568492.577:8193): avc: denied { execute_no_trans } for pid=77376 comm="(sync)" path="/var/lib/neutron/dhcp_dnsmasq/sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 + diff --git a/tests/lp1864501 b/tests/lp1864501 new file mode 100644 index 0000000..1210689 --- /dev/null +++ b/tests/lp1864501 
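Review bot: `TMP=$(mktemp /tmp/openstack-selinux-test.XXXXXX)` followed by `rm -f $TMP` and `mkdir -p $TMP` at the top of the hunk throws away the name mktemp reserved: once the file is removed the path is free again in world-writable /tmp, `mkdir -p` succeeds silently if a directory already exists there, and the script then writes and executes `$TMP/check.awk` from a directory it did not create — which matters because the Makefile's `check` target is documented as needing the privileges to change the loaded policy. Replace the three lines with `TMP=$(mktemp -d /tmp/openstack-selinux-test.XXXXXX)`, which creates a private directory atomically. Separately, `grep -n "$REPLY" $TEST_FILES` in the failure loop treats the AVC record as a basic regular expression, so any record containing `[` (for example the `[::1]` iSCSI portal names in tests/rdo310) will not match itself and the failing file is never reported; use `grep -nF -- "$REPLY" $TEST_FILES`. `totalAVC=$(wc -l $TEST_INPUT)` can be `totalAVC=$(wc -l < $TEST_INPUT)`, which makes the `${totalAVC/ */}` trim in the summary line unnecessary. The first ten lines of check_all are outside this hunk.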
@@ -0,0 +1 @@ +type=AVC msg=audit(1582559167.088:1893): avc: denied { read } for pid=39502 comm="ls" name="puppet" dev="sda1" ino=113293470 scontext=system_u:system_r:container_t:s0:c390,c595 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 diff --git a/tests/lp1944539 b/tests/lp1944539 new file mode 100644 index 0000000..5b3e438 --- /dev/null +++ b/tests/lp1944539 @@ -0,0 +1 @@ +type=AVC msg=audit(09/22/2021 10:46:27.412:11298) : avc: denied { getattr } for pid=338462 comm=lsof path=/dev/sda2 dev="devtmpfs" ino=24765 scontext=system_u:system_r:container_t:s0:c216,c474 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 diff --git a/tests/osprh16672 b/tests/osprh16672 new file mode 100644 index 0000000..d832059 --- /dev/null +++ b/tests/osprh16672 @@ -0,0 +1 @@ +type=AVC msg=audit(1747193869.722:197759): avc: denied { write } for pid=321799 comm="NetworkManager" name="db.sock" dev="tmpfs" ino=2393 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=0 diff --git a/tests/osprh3373 b/tests/osprh3373 new file mode 100644 index 0000000..324eef4 --- /dev/null +++ b/tests/osprh3373 
@@ -0,0 +1,3 @@ +type=AVC msg=audit(1707395260.099:18787): avc: denied { associate } for pid=74475 comm="ceilometer-poll" name="1" scontext=system_u:object_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1 +type=AVC msg=audit(1707395260.231:18790): avc: denied { write } for pid=74485 comm="ceilometer-poll" name="virtqemud-sock-ro" dev="tmpfs" ino=1703 scontext=system_u:system_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1 +type=AVC msg=audit(1707478033.374:19852): avc: denied { connectto } for pid=86771 comm="ceilometer-poll" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:ceilometer_polling_t:s0:c322,c751 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 diff --git a/tests/osprh960 b/tests/osprh960 new file mode 100644 index 0000000..b65bc57 --- /dev/null +++ b/tests/osprh960 
@@ -0,0 +1,9 @@ +type=AVC msg=audit(11/21/2023 18:43:16.798:56328) : avc: denied { getattr } for pid=194510 comm=virtlogd path=/run/libvirt dev="tmpfs" ino=2396 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir +type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { remove_name } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir +type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir +type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { unlink } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file +type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { write } for pid=194763 comm=virtlogd name=b450ad46-233c-41a1-838a-2168ae0a131d dev="vda1" ino=25170710 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir +type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { add_name } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir +type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { create } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file +type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { open } for pid=194763 comm=virtlogd path=/var/lib/nova/instances/b450ad46-233c-41a1-838a-2168ae0a131d/console.log dev="vda1" ino=25791090 
scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file +type=AVC msg=audit(11/22/2023 14:02:47.411:58105) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir diff --git a/tests/rdo310 b/tests/rdo310 new file mode 100644 index 0000000..24575b5 --- /dev/null +++ b/tests/rdo310 
@@ -0,0 +1,90 @@ +type=AVC msg=audit(1721753290.030:6163): avc: denied { write } for pid=72846 comm="httpd" name="python-entrypoints" dev="xvda1" ino=7874172 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { add_name } for pid=72846 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { create } for pid=72846 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { write open } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.032:6164): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.032:6165): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { write } for pid=72846 comm="httpd" name="glance" dev="xvda1" ino=7463345 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { add_name } for pid=72846 comm="httpd" name="os_glance_staging_store" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { create } for pid=72846 comm="httpd" name="os_glance_staging_store" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753291.255:6168): avc: denied { read } for pid=72846 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753293.061:6170): avc: denied { read } for pid=72845 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753293.831:6173): avc: denied { write } for pid=72845 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753294.223:6174): avc: denied { read } for pid=72845 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { write } for pid=72846 comm="httpd" name="glance" dev="xvda1" ino=7463345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { add_name } for pid=72846 comm="httpd" name="tmp" 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { create } for pid=72846 comm="httpd" name="tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6263): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_volume" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6263): avc: denied { append open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6264): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6265): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6266): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6301): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6301): avc: denied { open 
} for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6302): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6303): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6304): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6400): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6400): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6401): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6402): avc: denied { ioctl } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6403): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { write } for pid=72846 comm="httpd" name="tmp" dev="xvda1" ino=7875364 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { add_name } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-83574b8c-e719-4371-b037-4640f833817d" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-83574b8c-e719-4371-b037-4640f833817d" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753336.677:6417): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6442): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6442): avc: denied { open } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6443): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6444): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7345): avc: denied { append } for pid=72845 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7345): avc: denied { open } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7346): avc: denied { getattr } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7347): avc: denied { ioctl } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7348): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" 
dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.339:7362): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7386): avc: denied { append } for pid=72845 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7386): avc: denied { open } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7387): avc: denied { getattr } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7388): avc: denied { ioctl } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.339:7389): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7563): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" 
dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7563): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7564): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7565): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7566): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753968.057:7579): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7620): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7620): avc: denied { open } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721753971.772:7621): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721753971.772:7622): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721753971.772:7623): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.809:8295): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.809:8295): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.809:8296): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.809:8297): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1"
ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.809:8298): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754217.810:8299): avc: denied { write } for pid=72846 comm="httpd" name="tmp" dev="xvda1" ino=7875364 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1721754217.810:8299): avc: denied { add_name } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(1721754217.810:8299): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.368:8420): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.368:8420): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.368:8421): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.368:8422): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.368:8423): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754232.494:8437): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" dev="xvda1" ino=7875375 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754235.051:8461): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754235.051:8461): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754235.051:8462): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754235.052:8463): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume"
dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.027:8841): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.027:8841): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.027:8842): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.027:8843): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.027:8844): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754361.180:8857): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8882): avc: denied { append } for pid=72846 comm="httpd"
name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8882): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8883): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8884): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8885): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
diff --git a/utils/avc_recorded b/utils/avc_recorded
new file mode 100755
index 0000000..cc4dd6b
--- /dev/null
+++ b/utils/avc_recorded
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+while read; do
+ if [ "${REPLY/type=AVC/}" == "$REPLY" ] && \
+ [ "${REPLY/type=USER_AVC/}" == "$REPLY" ]; then
+ continue
+ fi
+
+ operations=${REPLY/*\{ /}
+ operations=${operations/ \}*/}
+ src=${REPLY/*scontext=/}
+ src=${src/ */}
+ src=${src/:s0*/}
+ tgt=${REPLY/*tcontext=/}
+ tgt=${tgt/ */}
+ tgt=${tgt/:s0*/}
+ tclass=${REPLY/*tclass=/}
+ tclass=${tclass/ */}
+
+ for op in $operations; do
+ s="$op.*scontext=$src.*tcontext=$tgt.*tclass=$tclass"
+ [ -d tests ] && grep "$s" tests/bz*
+ [ -d ../tests ] && grep "$s" ../tests/bz*
+ done
+done
diff --git a/utils/sortavcs b/utils/sortavcs
index 17c0631..8c408d7 100755
--- a/utils/sortavcs
+++ b/utils/sortavcs
@@ -3,7 +3,7 @@ if [ -n "$1" ] && [ -n "$2" ]; then
 echo "Sorting" $1"!"
 else
- echo "-------Sort AVCs-------"
+ echo "-------Sort AVCs-------"
 echo "Sort AVCs will remove duplicate AVCs from you audit.log so you can save them for the regression test in the /openstack-selinux/tests directory."
 echo "Use the following format:"
 echo "./sortavcs "
@@ -28,7 +28,7 @@ declare -A avcs while read; do LINE="$REPLY" - + # Optimization: if not type=AVC, we don't care [[ $LINE =~ ^type=AVC ]] || continue
@@ -36,7 +36,7 @@ while read; do
 [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*(dest=[0-9]+|path).*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]]
 HASH="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}.${BASH_REMATCH[4]}.${BASH_REMATCH[5]}"
- # ... which isn't always there ...
+ # ... which isn't always there ...
 if [ "$HASH" = "...." ]; then
 [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]]
 # XXX the trailing . is important for non-matches
diff --git a/utils/testpolicy b/utils/testpolicy
index 0de9454..752f66a 100755
--- a/utils/testpolicy
+++ b/utils/testpolicy
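Review bot: The pattern assembled on the `s=` line matches each extracted field as a bare prefix, so the new script can report a denial as already recorded when it is not: `src` and `tgt` have their `:s0` level stripped and nothing closes them, so a tcontext of `httpd_t` is also satisfied by a recorded line for `httpd_tmp_t`, and `tclass=file` also matches a recorded `tclass=filesystem`. Putting the delimiter that follows each field back into the pattern fixes this: `s="$op.*scontext=$src:.*tcontext=$tgt:.*tclass=$tclass\b"` (`\b` is a GNU grep extension, which should be fine on the RHEL-family hosts the Makefile targets, and the `:` relies on recorded lines keeping their level, as the test lines added in this commit do). The loop should also use `read -r`, so a backslash in a logged path is not interpreted before the fields are cut out of `$REPLY`. A header comment stating that the script takes audit records on stdin and prints the lines in tests/bz* that already cover each denied permission would help too, since neither the usage nor the meaning of empty output is stated anywhere.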
@@ -7,9 +7,9 @@ if [ -n "$1" ] && [ -n "$2" ]; then echo "Using" $1 "and" $2"!" else - echo "-------Openstack-selinux policy test-------" + echo "-------Openstack-selinux policy test-------" echo "Use the following format:" - echo "./testpolicy.sh " + echo "./testpolicy.sh " exit 1 fi