From 52a9338a9efbc7b65ccc8172d39e1b1eb194d282 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 12 Jun 2014 16:36:40 -0400 Subject: [PATCH 001/192] Use release branches instead of master for code Signed-off-by: Lon Hohberger --- Makefile | 22 --------- README | 14 ++++++ openstack-rsync.te | 37 --------------- openstack-selinux-neutron.te | 31 ------------ openstack-selinux-nova.te | 41 ---------------- openstack-selinux-quantum.te | 30 ------------ swift.fc | 46 ------------------ swift.te | 91 ------------------------------------ 8 files changed, 14 insertions(+), 298 deletions(-) delete mode 100644 Makefile create mode 100644 README delete mode 100644 openstack-rsync.te delete mode 100644 openstack-selinux-neutron.te delete mode 100644 openstack-selinux-nova.te delete mode 100644 openstack-selinux-quantum.te delete mode 100644 swift.fc delete mode 100644 swift.te diff --git a/Makefile b/Makefile deleted file mode 100644 index 07fb019..0000000 --- a/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -TARGETS?=openstack-selinux-nova openstack-selinux-neutron openstack-selinux-quantum swift openstack-rsync -MODULES?=${TARGETS:=.pp.bz2} -SHAREDIR?=/usr/share -#INSTALL=?=install - -all: ${TARGETS:=.pp.bz2} - -%.pp.bz2: %.pp - @echo Compressing $^ -\> $@ - bzip2 -9 $^ - -%.pp: %.te - make -f ${SHAREDIR}/selinux/devel/Makefile $@ - -clean: - rm -f *~ *.if *.tc *.pp *.pp.bz2 - rm -rf tmp - -#install: -# ${INSTALL} -m 0644 ${TARGETS} \ -# ${DESTDIR}${SHAREDIR}/targeted/modules - diff --git a/README b/README new file mode 100644 index 0000000..985e3c1 --- /dev/null +++ b/README 
@@ -0,0 +1,14 @@ +This repository contains OpenStack policy workarounds +for EL6 and EL7 and derivatives. Each release has its +own corresponsing branch. + +Branch Operating System + el7 Red Hat Enterprise Linux 7, CentOS 7, and related + el6 Red Hat Enterprise Linux 6, CentOS 6, and related + +The policies here are not designed to replace - but augment - +the selinux-policy package from your operating system. + +Bugs may be filed against the 'openstack-selinux' package +in the 'RDO' or 'Red Hat OpenStack' products at +https://bugzilla.redhat.com/ diff --git a/openstack-rsync.te b/openstack-rsync.te deleted file mode 100644 index be11804..0000000 --- a/openstack-rsync.te +++ /dev/null @@ -1,37 +0,0 @@ -# -# SELinux policy module for OpenStack Swift running rsync -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -# -# Allow rsync operating under swift to deal with rsync lock files -# Author: Dan Walsh -# -policy_module(openstack-rsync, 0.4) - -require { - type rsync_t; -} - - -files_manage_generic_locks(rsync_t) - -# Compile with: -# make -f /usr/share/selinux/devel/Makefile -# Install: -# semodule -i openstack-selinux-nova.pp -# Remove: -# semodule -r openstack-selinux-nova diff --git a/openstack-selinux-neutron.te b/openstack-selinux-neutron.te deleted file mode 100644 index 50fd188..0000000 
--- a/openstack-selinux-neutron.te +++ /dev/null @@ -1,31 +0,0 @@ -# -# SELinux supplemental policy module for OpenStack Neutron -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -# -# Author: Lon Hohberger -# Miroslav Grepl -# - -policy_module(openstack-selinux-neutron,0.2.3) - -require { - type dnsmasq_t; - type neutron_var_lib_t; -} - -rw_files_pattern(dnsmasq_t, neutron_var_lib_t, neutron_var_lib_t) diff --git a/openstack-selinux-nova.te b/openstack-selinux-nova.te deleted file mode 100644 index ad87215..0000000 --- a/openstack-selinux-nova.te +++ /dev/null 
@@ -1,41 +0,0 @@ -# -# SELinux policy module for OpenStack Nova -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -policy_module(openstack-selinux-nova, 0.2) - -require { - type admin_home_t; - type semanage_t; - type nova_var_lib_t; - type qemu_t; - class capability dac_override; - class file { write ioctl read open getattr }; -} -# dwalsh: Nova is currently running as virtd_t and SELinux policy says -# that virtd_t running qemu_exec_t will run as qemu_t. Nova launches -# qemu_t when injecting code probably useing guestfs into a virt image. - -allow qemu_t nova_var_lib_t:file rw_file_perms; -allow qemu_t self:capability dac_override; - -# Compile with: -# make -f /usr/share/selinux/devel/Makefile -# Install: -# semodule -i openstack-selinux-nova.pp -# Remove: -# semodule -r openstack-selinux-nova diff --git a/openstack-selinux-quantum.te b/openstack-selinux-quantum.te deleted file mode 100644 index 78c8777..0000000 --- a/openstack-selinux-quantum.te +++ /dev/null 
@@ -1,30 +0,0 @@ -# -# SELinux policy module for OpenStack Quantum -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -# -# Author: Miroslav Grepl -# - -policy_module(openstack-selinux-quantum,0.2.1) - -require { - type dnsmasq_t; - type quantum_var_lib_t; -} - -rw_files_pattern(dnsmasq_t, quantum_var_lib_t, quantum_var_lib_t) diff --git a/swift.fc b/swift.fc deleted file mode 100644 index a2edd55..0000000 --- a/swift.fc +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# SELinux policy module for OpenStack Swift -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -# -# Author: Miroslav Grepl -# - -/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) -/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) - -/var/run/swift(/.*)? 
gen_context(system_u:object_r:swift_var_run_t,s0) - -# This seems to be a de-facto standard when using swift. -/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) - -# This is specific to RHOS's packstack utility -ifdef(`distro_redhat', ` -/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0) -') diff --git a/swift.te b/swift.te deleted file mode 100644 index acc7321..0000000 --- a/swift.te +++ /dev/null 
@@ -1,91 +0,0 @@ -# -# SELinux policy module for OpenStack Swift -# Copyright 2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation version 2. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -# -# Author: Miroslav Grepl -# -# After building, you must run the following: -# restorecon -Rv /usr/bin/swift* /var/run/swift -# - -policy_module(swift, 1.0.0) - -gen_require(` - type rsync_t; -') - -######################################## -# -# Declarations -# - -type swift_t; -type swift_exec_t; -init_daemon_domain(swift_t, swift_exec_t) - -type swift_var_run_t; -files_pid_file(swift_var_run_t) - -type swift_data_t; -files_type(swift_data_t) - -######################################## -# -# swift local policy -# - -allow swift_t self:fifo_file rw_fifo_file_perms; -allow swift_t self:unix_stream_socket create_stream_socket_perms; -allow swift_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) -manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) - -# swift makes use of rsync, so we need to give rsync permissions -# to edit swift_data_t files as well as swift_t those permissions -manage_dirs_pattern(swift_t, swift_data_t, swift_data_t) -manage_files_pattern(swift_t, swift_data_t, swift_data_t) -manage_dirs_pattern(rsync_t, swift_data_t, swift_data_t) -manage_files_pattern(rsync_t, swift_data_t, swift_data_t) - -manage_lnk_files_pattern(swift_t, 
swift_var_run_t, swift_var_run_t) -files_pid_filetrans(swift_t, swift_var_run_t, { dir }) - -kernel_dgram_send(swift_t) -kernel_read_system_state(swift_t) - -corecmd_exec_shell(swift_t) - -dev_read_urand(swift_t) - -domain_use_interactive_fds(swift_t) - -files_read_etc_files(swift_t) - -auth_use_nsswitch(swift_t) - -libs_exec_ldconfig(swift_t) - -logging_send_syslog_msg(swift_t) - -miscfiles_read_localization(swift_t) - -# Allow swift to run unconfined -optional_policy(` - unconfined_domain(swift_t) -') From 0b9c4805fab3fd04c6c38230b317ea19271ab10a Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 2 Mar 2017 14:17:46 -0500 Subject: [PATCH 002/192] Update readme Signed-off-by: Lon Hohberger --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 985e3c1..faa0c5b 100644 --- a/README +++ b/README @@ -3,7 +3,7 @@ for EL6 and EL7 and derivatives. Each release has its own corresponsing branch. Branch Operating System - el7 Red Hat Enterprise Linux 7, CentOS 7, and related + master Red Hat Enterprise Linux 7, CentOS 7, and related el6 Red Hat Enterprise Linux 6, CentOS 6, and related The policies here are not designed to replace - but augment - From d991d2f07ce20cc910c95c7354217956f4a85482 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 29 Mar 2017 11:31:38 -0400 Subject: [PATCH 003/192] panko: Rename panko.log to app.log Using panko.log and having puppet-panko create it caused it to be labelled with the wrong type. Removing log creation will cause httpd to create app.log instead, with http_log_t permissions. Signed-off-by: Lon Hohberger --- local_settings.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local_settings.sh b/local_settings.sh index 686a7d5..ef344f5 100755 --- a/local_settings.sh +++ b/local_settings.sh 
@@ -77,7 +77,7 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/panko.log + fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -a -t neutron_exec_t $BINDIR/neutron-metadata-agent fcontext -N -a -t neutron_exec_t $BINDIR/neutron-netns-cleanup From e5de393a6f357bdb4df88ebd20730b806f683de9 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 3 Apr 2017 16:28:05 +0200 Subject: [PATCH 004/192] Label /var/lib/vhost_sockets as virt_cache_t to allow virt-machines acces to ovs sockets. rhbz#1431556 --- os-ovs.fc | 1 + 1 file changed, 1 insertion(+) create mode 100644 os-ovs.fc diff --git a/os-ovs.fc b/os-ovs.fc new file mode 100644 index 0000000..7b61c32 --- /dev/null +++ b/os-ovs.fc @@ -0,0 +1 @@ +/var/lib/vhost_sockets(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) From 0708375c32a3c4cb3b226433a1d9ffc04544e2ad Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 4 Apr 2017 13:15:45 +0200 Subject: [PATCH 005/192] Revert "Label /var/lib/vhost_sockets as virt_cache_t to allow virt-machines acces to ovs sockets. rhbz#1431556" This reverts commit e5de393a6f357bdb4df88ebd20730b806f683de9. --- os-ovs.fc | 1 - 1 file changed, 1 deletion(-) delete mode 100644 os-ovs.fc diff --git a/os-ovs.fc b/os-ovs.fc deleted file mode 100644 index 7b61c32..0000000 --- a/os-ovs.fc +++ /dev/null @@ -1 +0,0 @@ -/var/lib/vhost_sockets(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) From 729f5248c731c7e05355566ac68b8b8921ba696c Mon Sep 17 00:00:00 2001 
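Review bot: The changed line `fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log` fixes the batch that fresh installs run, but on hosts where install_policies already ran the earlier `-a` entry for `$LOCALSTATEDIR/log/panko/panko.log` stays in the local file-context store and nothing in this hunk removes it. A matching `fcontext -N -d -t httpd_log_t $LOCALSTATEDIR/log/panko/panko.log`, guarded so a host that never had the entry does not fail, or a documented one-time cleanup, would keep upgraded and fresh hosts consistent. The commit message says `http_log_t` while the rule uses `httpd_log_t`; the rule is the authoritative one. install_policies starts before this hunk and continues past it.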
From: Lukas Vrabec Date: Tue, 4 Apr 2017 13:18:28 +0200 Subject: [PATCH 006/192] Label /var/lib/vhosts_sockets as virt_cache_t in local_settings.sh file instead of creating os-ovs.fc file --- local_settings.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/local_settings.sh b/local_settings.sh index ef344f5..fe6f4c7 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -25,6 +25,7 @@ relabel_files() $LOCALSTATEDIR/run/swift \ $SHAREDSTATEDIR/nova/.ssh \ $SHAREDSTATEDIR/designate/bind9 \ + $SHAREDSTATEDIR/vhost_sockets \ /srv \ $BINDIR/neutron* \ $LOCALSTATEDIR/run/redis \ @@ -73,6 +74,7 @@ install_policies() { boolean -N -m --on swift_can_network boolean -N -m --on httpd_use_openstack fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" + fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log From 2ed77a4d9514c5440bcd0fc7376300dd2b0457a8 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 5 Apr 2017 14:12:58 +0200 Subject: [PATCH 007/192] Allow mysqld_safe domain write to cluster temporary files. Resolves: rhbz#1439182 --- os-mysql.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/os-mysql.te b/os-mysql.te index 36103f8..3a9f1e5 100644 --- a/os-mysql.te +++ b/os-mysql.te @@ -29,5 +29,6 @@ files_getattr_all_sockets(mysqld_t) allow mysqld_t mysqld_safe_exec_t:file getattr; # Bugzilla 1284672 -allow mysqld_safe_t cluster_tmp_t:file write; +# Bugzilla 1439182 +allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms }; allow mysqld_safe_t cluster_var_lib_t:dir read; From 660578e51e4f42b3d98bc8f226c22d9561363f3b Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 30 Mar 2017 09:18:01 -0400 Subject: [PATCH 008/192] Allow nova and glance to read my.cnf.d/* 
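Review bot: `fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\"` labels the whole tree with a type that confined guests (svirt_t) are later allowed to create sockets in, so the directory becomes space shared between guests; whether per-guest separation holds then depends on the MCS categories the created sockets receive, which this hunk cannot show. A comment naming the consumer, `# vhost-user sockets shared between ovs-vswitchd and qemu (rhbz#1431556)`, would tell the next maintainer why a cache type is used for a socket directory. Since the first hunk also adds the path to relabel_files(), the ordering requirement (contexts installed before the relabel pass) is worth stating next to it. Both relabel_files and install_policies start before their hunks and continue past them.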
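Review bot: The new rule `allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms };` widens the earlier bare `write` to open/append/lock and setattr on every cluster_tmp_t file, and the stacked `# Bugzilla 1284672` / `# Bugzilla 1439182` comments no longer say which permission each bug needed. Sibling commits on this page record the triggering AVCs under tests/ (for example tests/bz1430402); this one adds none, so the widening cannot be checked against a denial. Suggest one line per bug, e.g. `# 1439182: mysqld_safe also needs open/setattr on the cluster tmp file`, worded to match whatever the AVC actually shows.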
Signed-off-by: Lon Hohberger --- os-glance.te | 5 +++++ os-nova.te | 6 ++++++ tests/bz1430402 | 5 +++++ 3 files changed, 16 insertions(+) create mode 100644 tests/bz1430402 diff --git a/os-glance.te b/os-glance.te index 843aa2a..c99054d 100644 --- a/os-glance.te +++ b/os-glance.te @@ -60,3 +60,8 @@ optional_policy(` # bugzilla 1192644 allow glance_api_t elasticsearch_port_t:tcp_socket name_bind; ') + +# Bug 1430402 +optional_policy(` + mysql_read_config(glance_api_t) +') diff --git a/os-nova.te b/os-nova.te index 4ed0eba..b0ee0bb 100644 --- a/os-nova.te +++ b/os-nova.te @@ -1,6 +1,7 @@ policy_module(os-nova,0.1) gen_require(` + type nova_t; type nova_network_t; type nova_var_lib_t; type nova_api_t; @@ -107,3 +108,8 @@ optional_policy(` # bugzilla 1280101 allow nova_t self:process execmem; ') + +# Bug 1430402 +optional_policy(` + mysql_read_config(nova_t) +') diff --git a/tests/bz1430402 b/tests/bz1430402 new file mode 100644 index 0000000..fc0e783 --- /dev/null +++ b/tests/bz1430402 
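Review bot: `mysql_read_config(glance_api_t)` (and the matching `mysql_read_config(nova_t)` in os-nova.te) grants read of mysqld_etc_t configuration, while every AVC recorded in tests/bz1430402 is only `search` on the my.cnf.d directory; if the client library merely probes the directory, a search-only rule on mysqld_etc_t would be narrower, and if it actually reads option files the read interface is correct, but the comment should say which. Suggest `# Bug 1430402: client libraries read /etc/my.cnf.d/* option files (see tests/bz1430402)`, adjusted to the confirmed behavior. The `type nova_t;` addition to os-nova.te's gen_require is required by the new rule and is fine. Both optional_policy blocks are complete within their hunks.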
@@ -0,0 +1,5 @@ +type=AVC msg=audit(1490708508.568:4786): avc: denied { search } for pid=428106 comm="nova-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir +type=AVC msg=audit(1490708839.879:4915): avc: denied { search } for pid=470231 comm="nova-scheduler" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir +type=AVC msg=audit(1490708833.260:4883): avc: denied { search } for pid=470038 comm="nova-conductor" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir +type=AVC msg=audit(1490709327.031:5296): avc: denied { search } for pid=430212 comm="glance-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir +type=AVC msg=audit(1490708842.508:4919): avc: denied { search } for pid=470319 comm="nova-consoleaut" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir From c943f3825dc95fdc3d501ec41a76142c72ce22b6 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 7 Apr 2017 10:01:13 -0400 Subject: [PATCH 009/192] More changes for bug 1431556 Let OVS use packet sockets and net_raw Signed-off-by: Lon Hohberger --- os-ovs.te | 11 +++++++++++ tests/bz1431556 | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 tests/bz1431556 diff --git a/os-ovs.te b/os-ovs.te index 913ab5b..c97b481 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -21,6 +21,7 @@ gen_require(` class tun_socket create; class chr_file open; class netlink_generic_socket create_socket_perms; + class packet_socket create_socket_perms; ') 
@@ -82,3 +83,13 @@ optional_policy(` optional_policy(` virt_manage_images(openvswitch_t) ') + +# bugzilla #1431556 +allow openvswitch_t self:packet_socket create_socket_perms; +allow openvswitch_t self:capability net_raw; +optional_policy(` + gen_require(` + type neutron_t; + ') + allow openvswitch_t neutron_t:dir search; +') diff --git a/tests/bz1431556 b/tests/bz1431556 new file mode 100644 index 0000000..000f59a --- /dev/null +++ b/tests/bz1431556 @@ -0,0 +1,5 @@ +type=AVC msg=audit(1491476260.819:468): avc: denied { net_raw } for pid=16208 comm="ovs-vswitchd" capability=13 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability +type=AVC msg=audit(1491476260.819:469): avc: denied { setopt } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket +type=AVC msg=audit(1491476260.819:470): avc: denied { bind } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket +type=AVC msg=audit(1491476260.819:468): avc: denied { create } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket +type=AVC msg=audit(1491471288.799:211): avc: denied { search } for pid=16454 comm="ovs-vsctl" name="16445" dev="proc" ino=122913 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir From 1ba671f021c8da6821502d0c7985712e9bb8a428 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 10 Apr 2017 09:17:32 +0200 Subject: [PATCH 010/192] Update ovs policy to allow svirt_t and openvswitch_t domains creating sockets labeled as virt_cache_t. Resolves: rhbz#1431556 --- os-ovs.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/os-ovs.te b/os-ovs.te index 913ab5b..16f1ee0 100644 --- a/os-ovs.te +++ b/os-ovs.te 
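Review bot: `allow openvswitch_t self:capability net_raw;` together with `packet_socket create_socket_perms` are the broad grants in this hunk, and the `# bugzilla #1431556` comment does not say what ovs-vswitchd uses them for; a line such as `# ovs-vswitchd opens AF_PACKET sockets (net_raw) - presumably for its datapath ports` would record the justification instead of only the bug number. The nested `type neutron_t;` gen_require inside optional_policy makes the `neutron_t:dir search` rule conditional on the neutron module, which is the right shape; the last AVC in tests/bz1431556 shows this is ovs-vsctl searching a `/proc/<pid>` directory of a neutron process, which is worth saying next to the rule. The optional_policy block preceding the new lines is closed within the hunk.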
@@ -15,6 +15,8 @@ gen_require(` type unreserved_port_t; type init_tmp_t; type tun_tap_device_t; + type svirt_t; + type virt_cache_t; class dir search; class file { write read getattr open }; class tcp_socket name_bind; @@ -75,6 +77,10 @@ sysnet_exec_ifconfig(openvswitch_t) # bugzilla #1419418 allow openvswitch_t self:netlink_generic_socket create_socket_perms; +# bugzilla #1431556 +allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms; +allow svirt_t virt_cache_t:sock_file manage_sock_file_perms; + optional_policy(` hostname_exec(openvswitch_t) ') From b09ec67785aa3f3a8751b15ac695effa17151876 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 10 Apr 2017 12:57:56 -0400 Subject: [PATCH 011/192] Amend tests for bz1431556 for new AVCs Signed-off-by: Lon Hohberger --- tests/bz1431556 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/bz1431556 b/tests/bz1431556 index 000f59a..8a96b8c 100644 --- a/tests/bz1431556 +++ b/tests/bz1431556 
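Review bot: `allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms;` and the svirt_t line grant sock_file permissions only; creating or unlinking a socket also needs search/add_name/remove_name on the virt_cache_t directory, which these bare rules do not give, and the follow-up commit on this page adding `list_dir_perms` after another `search` denial shows that gap. `manage_sock_files_pattern(openvswitch_t, virt_cache_t, virt_cache_t)` (and the same for svirt_t) grants the directory and file halves together. Separately, manage (create/unlink/rename) on every virt_cache_t socket for svirt_t means one guest's qemu could remove another guest's socket unless the created sock_files carry per-guest MCS categories; the svirt_t contexts in tests/bz1431556 do carry categories, so that separation likely holds, but it deserves a comment.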
@@ -3,3 +3,6 @@ type=AVC msg=audit(1491476260.819:469): avc: denied { setopt } for pid=16208 type=AVC msg=audit(1491476260.819:470): avc: denied { bind } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket type=AVC msg=audit(1491476260.819:468): avc: denied { create } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket type=AVC msg=audit(1491471288.799:211): avc: denied { search } for pid=16454 comm="ovs-vsctl" name="16445" dev="proc" ino=122913 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir +type=AVC msg=audit(1491737286.265:1005): avc: denied { search } for pid=21524 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13749162 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir +type=AVC msg=audit(1491737286.491:1014): avc: denied { create } for pid=41979 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c196,c856 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file +type=AVC msg=audit(1491737298.403:1054): avc: denied { create } for pid=42061 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c485,c1012 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file From 2befd313eb16e920a45fac56320161e05491a37f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 12 Apr 2017 16:48:12 +0200 Subject: [PATCH 012/192] Allow openvswitch_t domain list dirs labeled as virt_cache_t Resolves: rhbz#1431556 --- os-ovs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/os-ovs.te b/os-ovs.te index 16f1ee0..47a15ea 100644 --- a/os-ovs.te +++ b/os-ovs.te 
@@ -78,6 +78,7 @@ sysnet_exec_ifconfig(openvswitch_t) allow openvswitch_t self:netlink_generic_socket create_socket_perms; # bugzilla #1431556 +allow openvswitch_t virt_cache_t:dir list_dir_perms; allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms; allow svirt_t virt_cache_t:sock_file manage_sock_file_perms; From 86432ae958d20e369e5268db61489b6a35eed00b Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 12 Apr 2017 11:46:00 -0400 Subject: [PATCH 013/192] Add additional test for bz#1431556 Signed-off-by: Lon Hohberger --- tests/bz1431556 | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/bz1431556 b/tests/bz1431556 index 8a96b8c..580594a 100644 --- a/tests/bz1431556 +++ b/tests/bz1431556 @@ -6,3 +6,4 @@ type=AVC msg=audit(1491471288.799:211): avc: denied { search } for pid=16454 type=AVC msg=audit(1491737286.265:1005): avc: denied { search } for pid=21524 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13749162 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir type=AVC msg=audit(1491737286.491:1014): avc: denied { create } for pid=41979 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c196,c856 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file type=AVC msg=audit(1491737298.403:1054): avc: denied { create } for pid=42061 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c485,c1012 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file +type=AVC msg=audit(1492005897.842:867): avc: denied { search } for pid=32747 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13912914 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir From 60304ae259152d41734040ab6dd0114bd4a3e69e Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 13 Apr 2017 10:25:32 -0400 Subject: [PATCH 014/192] Label /var/lib/mongodb/* as mongod_var_lib_t Resolves: rhbz#1440219 
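Review bot: `allow openvswitch_t virt_cache_t:dir list_dir_perms;` covers the `search` denial in tests/bz1431556 but still gives no add_name/remove_name, which the existing `manage_sock_file_perms` on the sock_file implies ovs would need to create or delete a socket there. The denials on this page show ovs-vswitchd only searching the directory and qemu-kvm creating the sockets, so either the sock_file rule is wider than needed and `rw_sock_file_perms` would do, or the directory rule is narrower than needed; the two should be brought into agreement once it is known which side creates the vhost-user sockets. `manage_sock_files_pattern` or `rw_sock_files_pattern` would keep the directory and file permissions consistent whichever is chosen.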
Signed-off-by: Lon Hohberger --- local_settings.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/local_settings.sh b/local_settings.sh index fe6f4c7..ef25162 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -76,6 +76,7 @@ install_policies() { fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard + fcontext -N -a -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\" fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log From 326cde3b29bd539ef10669730874d9469ba6e978 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 14 Apr 2017 15:21:18 +0200 Subject: [PATCH 015/192] Allow openvswitch to streamconnect to virt machines. Resolves: rhbz#1431556 --- os-ovs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/os-ovs.te b/os-ovs.te index 47a15ea..787a362 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -88,4 +88,5 @@ optional_policy(` optional_policy(` virt_manage_images(openvswitch_t) + virt_stream_connect_svirt(openvswitch_t) ') From 03b511de1c5514cfbb597e31ee5cc82f473115a5 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 18 Apr 2017 11:11:36 -0400 Subject: [PATCH 016/192] Additional test for 1431556 Signed-off-by: Lon Hohberger --- tests/bz1431556 | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/bz1431556 b/tests/bz1431556 index 580594a..3048793 100644 --- a/tests/bz1431556 +++ b/tests/bz1431556 
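Review bot: `fcontext -N -a -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\"` installs the new context, but unlike the vhost_sockets change on this page it does not add `$SHAREDSTATEDIR/mongodb` to the relabel_files() list, so an existing data directory keeps its old label until something runs restorecon over it. Adding the path there, or stating in the commit why no relabel is needed, would make the fix effective on already-deployed hosts. install_policies starts before this hunk and continues past it.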
@@ -7,3 +7,4 @@ type=AVC msg=audit(1491737286.265:1005): avc: denied { search } for pid=21524 type=AVC msg=audit(1491737286.491:1014): avc: denied { create } for pid=41979 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c196,c856 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file type=AVC msg=audit(1491737298.403:1054): avc: denied { create } for pid=42061 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c485,c1012 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file type=AVC msg=audit(1492005897.842:867): avc: denied { search } for pid=32747 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13912914 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir +type=AVC msg=audit(1492075576.802:2437): avc: denied { connectto } for pid=32747 comm="ovs-vswitchd" path="/var/lib/vhost_sockets/vhu7aad635e-67" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c103,c352 tclass=unix_stream_socket From 312bdba69484711b0d3fd4bab55e6870708c0d69 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 19 Apr 2017 16:29:51 -0400 Subject: [PATCH 017/192] Turn on collectd's ability to connect to TCP ports Resolves: rhbz#1441695 Signed-off-by: Lon Hohberger --- local_settings.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/local_settings.sh b/local_settings.sh index ef25162..a22097a 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -73,6 +73,7 @@ install_policies() { boolean -N -m --on httpd_can_network_connect boolean -N -m --on swift_can_network boolean -N -m --on httpd_use_openstack + boolean -N -m --on collectd_tcp_network_connect fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard From b00b11d95f4a5c9a24271f4d9f6d6d2b0687ccf4 Mon Sep 17 00:00:00 2001 
From: Lon Hohberger Date: Mon, 8 May 2017 15:18:13 -0400 Subject: [PATCH 018/192] Don't audit openvswitch_t reading neutron_t Resolves: rhbz#1448887 Signed-off-by: Lon Hohberger --- os-ovs.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/os-ovs.te b/os-ovs.te index 77dca51..c1be482 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -101,3 +101,12 @@ optional_policy(` ') allow openvswitch_t neutron_t:dir search; ') + +# bugzilla #1448887 +# +# ovs-vsctl tries to read /proc/[ppid]/cmdline in order to +# Print debugging information. Allowing OVS to read all of +# neutron_t labeled files so the parent's cmdline can be +# printed is not worth this information at this time +# +dontaudit openvswitch_t neutron_t:file read; From 69822b36bd1ba7d0237a328ab8ce7675d13f49d0 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 8 May 2017 17:52:00 -0400 Subject: [PATCH 019/192] Fix missing neutron_t Signed-off-by: Lon Hohberger --- os-ovs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/os-ovs.te b/os-ovs.te index c1be482..d39227c 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -9,6 +9,7 @@ policy_module(os-ovs,0.1) gen_require(` type openvswitch_t; + type neutron_t; type openvswitch_tmp_t; type svirt_t; type sysctl_net_t; From 4e52ae2bda5949e445ec098ff061db53caf7124a Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 9 May 2017 17:24:52 -0400 Subject: [PATCH 020/192] Comment out unnecesary policy bits; fix tests 
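Review bot: The comment above `dontaudit openvswitch_t neutron_t:file read;` says this would let OVS read "all of neutron_t labeled files", but neutron_t is a process domain, so the file objects carrying that label are the /proc/<pid>/ entries of neutron processes (the cmdline the comment mentions), not neutron's on-disk data, which has its own types such as neutron_var_lib_t. Suggest rewording to `# neutron_t:file here means /proc/<neutron pid>/* entries (e.g. cmdline), not neutron's data files`. The rule sits after the optional_policy block whose nested gen_require declares neutron_t, so the type is unresolved at this point in the module; the next commit on this page adds it to the top-level gen_require.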
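Review bot: Adding `type neutron_t;` to the unconditional gen_require makes the whole os-ovs module depend on the neutron policy module being present, whereas the existing `neutron_t:dir search` rule is kept inside optional_policy precisely to avoid that hard dependency. Moving the new `dontaudit openvswitch_t neutron_t:file read;` into that optional_policy block, next to the dir search rule that already has a nested gen_require for neutron_t, resolves the missing type without the unconditional requirement. The gen_require block starts before the hunk and continues past it.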
Signed-off-by: Lon Hohberger --- local_settings.sh | 6 ++---- os-glance.te | 9 ++++++--- os-keepalived.te | 7 ++++--- os-keystone.te | 9 +++++---- os-mongodb.te | 2 +- os-mysql.te | 17 ++++++++++------- os-neutron.te | 18 +++++++++++------- os-nova.te | 19 +++++++++++-------- os-ovs.te | 12 ++++++------ os-rabbitmq.te | 4 ++-- os-redis.te | 2 +- os-rsync.te | 3 ++- os-swift.te | 12 +++++++----- tests/bz1040411 | 1 - tests/bz1170839 | 3 --- tests/bz1176830 | 2 +- tests/bz1245846 | 1 - tests/bz1279537 | 3 --- tests/bz1397537 | 3 +-- 19 files changed, 70 insertions(+), 63 deletions(-) delete mode 100644 tests/bz1040411 delete mode 100644 tests/bz1279537 diff --git a/local_settings.sh b/local_settings.sh index a22097a..aead9d8 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -40,7 +40,8 @@ install_policies() { # Port rules # # bz#1107873 - $SBINDIR/semanage port -N -a -t amqp_port_t -p tcp 15672 &> /dev/null + # Part of base policy - 09-May-2017 + # $SBINDIR/semanage port -N -a -t amqp_port_t -p tcp 15672 &> /dev/null # bz#1118859 $SBINDIR/semanage port -N -m -t mysqld_port_t -p tcp 4444 &> /dev/null @@ -83,9 +84,6 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-metadata-agent - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-netns-cleanup - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-ns-metadata-proxy fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent" # diff --git a/os-glance.te b/os-glance.te index c99054d..6860433 100644 --- a/os-glance.te +++ b/os-glance.te 
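Review bot: Commenting out `$SBINDIR/semanage port -N -a -t amqp_port_t -p tcp 15672` and the three `fcontext -N -a -t neutron_exec_t ...` lines stops new installs from adding these local customizations, but hosts where install_policies already ran keep the entries in the local policy store, and nothing in either hunk removes them. If the base policy now provides the same labels the stale entries are redundant, and if it provides different ones the local entries shadow them; a guarded `-d` for each retired path and port, or a documented cleanup, is needed. The dated note `# Part of base policy - 09-May-2017` would be more useful as `# provided by selinux-policy >= <version>` so the minimum base policy is recorded. install_policies starts before the first hunk and continues past the second.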
@@ -18,15 +18,18 @@ gen_require(` corenet_tcp_connect_memcache_port(glance_registry_t) # Bugzilla 1119151 -corenet_tcp_connect_all_ports(glance_api_t) +# 09-May-2017 - no longer needed +# corenet_tcp_connect_all_ports(glance_api_t) # Bugzilla 1135510 -#allow glance_api_t unreserved_port_t:tcp_socket name_connect; +# 09-May-2017 - no longer needed +# allow glance_api_t unreserved_port_t:tcp_socket name_connect; # Bugzilla 1130212 1119400 # Allow glance execmem/execstack until we get the boolean # in a later release of selinux-policy -allow glance_api_t self:process { execstack execmem }; +# 09-May-2017 - No longer needed +# allow glance_api_t self:process { execstack execmem }; # Bugzilla 1219406 allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name }; diff --git a/os-keepalived.te b/os-keepalived.te index 2c10936..4243b09 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -35,9 +35,10 @@ allow keepalived_t self:capability dac_override; allow keepalived_t neutron_t:process sigkill; # Bugzilla 1145886 -domain_read_all_domains_state(keepalived_t) -allow keepalived_t haproxy_t:process signull; -allow keepalived_t self:capability kill; +# No longer needed - 09-May-2017 +# domain_read_all_domains_state(keepalived_t) +# allow keepalived_t haproxy_t:process signull; +# allow keepalived_t self:capability kill; # Bugzilla 1206148 allow keepalived_t sysfs_t:filesystem getattr; diff --git a/os-keystone.te b/os-keystone.te index efe67c8..64d4544 100644 --- a/os-keystone.te +++ b/os-keystone.te 
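Review bot: The justification comments added here, `# 09-May-2017 - no longer needed` in os-glance.te and `# No longer needed - 09-May-2017` in os-keepalived.te, record a date but not which selinux-policy build now carries the rule, so a reader on another release branch cannot tell whether the rule is safe to drop against their base policy. Recording the version the check was made against, e.g. `# 09-May-2017 - provided by selinux-policy <version tested> (Bugzilla 1119151)`, makes these removals reviewable and gives the tests/bz* regression fixtures something to be pinned to. The same applies to the dated comments in the other .te files of this commit (os-keystone, os-mysql, os-neutron, os-nova, os-swift).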
@@ -5,14 +5,15 @@ gen_require(` type keystone_log_t; type keystone_t; class file { create open }; - class process signal; + # class process signal; ') -allow keystone_t self:process signal; +# Bugzilla 1167073 - no longer needed 09-May-2017 +# allow keystone_t self:process signal; # Bugzilla 1180230 -allow httpd_t keystone_log_t:file open; -corenet_tcp_bind_commplex_main_port(httpd_t) +# allow httpd_t keystone_log_t:file open; +# corenet_tcp_bind_commplex_main_port(httpd_t) # Bugzilla 1223006 allow httpd_t keystone_log_t:file create; diff --git a/os-mongodb.te b/os-mongodb.te index 728cf8e..ffeae2c 100644 --- a/os-mongodb.te +++ b/os-mongodb.te @@ -5,4 +5,4 @@ gen_require(` ') # Bugzilla 1192049 -allow mongod_t self:process execmem; +# allow mongod_t self:process execmem; diff --git a/os-mysql.te b/os-mysql.te index 3a9f1e5..6ef8846 100644 --- a/os-mysql.te +++ b/os-mysql.te @@ -16,19 +16,22 @@ gen_require(` # Bugzilla 1081544 allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans }; -corenet_tcp_bind_tram_port(mysqld_t) corenet_tcp_connect_tram_port(mysqld_t) +# Test 5: 09-May 2017: Provided by base policy +# corenet_tcp_bind_tram_port(mysqld_t) + # Bugzilla 1114581 -allow mysqld_t nfs_t:dir search; +# allow mysqld_t nfs_t:dir search; # Bugzilla 1118859 -domain_read_all_domains_state(mysqld_t) -files_search_pids(mysqld_t) -files_getattr_all_sockets(mysqld_t) +# 9-May-2017 - no longer needed +# domain_read_all_domains_state(mysqld_t) +# files_search_pids(mysqld_t) +# files_getattr_all_sockets(mysqld_t) allow mysqld_t mysqld_safe_exec_t:file getattr; # Bugzilla 1284672 # Bugzilla 1439182 -allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms }; -allow mysqld_safe_t cluster_var_lib_t:dir read; +# allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms }; +# allow mysqld_safe_t cluster_var_lib_t:dir read; diff --git a/os-neutron.te b/os-neutron.te index 435eafb..9b32f09 100644 --- a/os-neutron.te +++ b/os-neutron.te 
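Review bot: In os-keystone.te the two `# Bugzilla 1180230` rules for `httpd_t` and in os-mongodb.te the `allow mongod_t self:process execmem;` rule are commented out with no justification, unlike the neighbouring `# Bugzilla 1167073 - no longer needed 09-May-2017` line, so a bare commented rule reads as "temporarily disabled" rather than "superseded by base policy". Add the same dated note above each, e.g. `# 09-May-2017 - provided by base policy`. In os-mysql.te the comment `# Test 5: 09-May 2017: Provided by base policy` refers to a "Test 5" that is not named anywhere visible in this series; spelling out which tests/bz* file exercised it would be clearer. The same undated pattern recurs in this commit in os-neutron.te (`# Bugzilla 1294420`), os-nova.te (`# Bugzilla 1180373`, `# Bugzilla 1162761 and 1158213`), os-ovs.te, os-rabbitmq.te and os-redis.te.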
@@ -48,18 +48,22 @@ keepalived_domtrans(neutron_t) allow neutron_t self:netlink_socket { bind create getattr }; # Bugzilla 1153656 -allow neutron_t dnsmasq_t:process sigkill; +# No longer needed - 09-May-2017 +# allow neutron_t dnsmasq_t:process sigkill; allow haproxy_t proc_t:file read; # Bugzilla 1110263 & 1111990 -allow neutron_t self:unix_stream_socket { accept listen connectto }; -corenet_tcp_connect_all_ports(neutron_t) - +# Allowed by base policy - 9-May-2017 +# allow neutron_t self:unix_stream_socket { accept listen connectto }; +# corenet_tcp_connect_all_ports(neutron_t) + # Bugzilla 1116755 -allow neutron_t haproxy_t:unix_stream_socket { accept listen connectto }; +# 9-May-2017 - no longer needed +# allow neutron_t haproxy_t:unix_stream_socket { accept listen connectto }; # Bugzilla 1114254 -allow neutron_t haproxy_exec_t:file execute_no_trans; +# 9-May-2017 - no longer needed +# allow neutron_t haproxy_exec_t:file execute_no_trans; # Bugzilla 1135510 allow neutron_t ipsec_mgmt_exec_t:file exec_file_perms; @@ -88,7 +92,7 @@ allow neutron_t httpd_config_t:dir search; corecmd_getattr_all_executables(neutron_t) # Bugzilla 1294420 -allow logrotate_t self:netlink_selinux_socket create; +# allow logrotate_t self:netlink_selinux_socket create; allow neutron_t radvd_exec_t:file getattr; diff --git a/os-nova.te b/os-nova.te index b0ee0bb..0f62f24 100644 --- a/os-nova.te +++ b/os-nova.te @@ -32,7 +32,7 @@ gen_require(` iscsid_domtrans(virtd_t); # Bugzilla 1180373 -allow nova_network_t self:key write; +# allow nova_network_t self:key write; # Bugzilla 1170839 allow nova_network_t netutils_exec_t:file { read execute open execute_no_trans }; 
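Review bot: After the first hunk the `# Bugzilla 1153656` header is followed by a disabled rule and then the still-active `allow haproxy_t proc_t:file read;`, so the haproxy rule now appears to belong to a bug whose only rule has been retired, and whether it was added for 1153656 or for something else cannot be told from the file. Give it its own reference or a separating comment, e.g. `# haproxy_t needs /proc reads (Bugzilla <id of the original report>)`, so the next "delete obsolete policy" pass does not remove it by mistake. The same orphaning appears to happen at `# Bugzilla 1294420` in the second hunk, where `allow neutron_t radvd_exec_t:file getattr;` is left as the only live line after a logrotate-related header.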
@@ -43,9 +43,9 @@ netutils_domtrans(nova_network_t) allow nova_scheduler_t cert_t:dir search; # Bugzilla 1162761 and 1158213 -corenet_tcp_connect_memcache_port(nova_console_t) -corenet_tcp_connect_memcache_port(nova_scheduler_t) -corenet_tcp_connect_memcache_port(nova_cert_t) +# corenet_tcp_connect_memcache_port(nova_console_t) +# corenet_tcp_connect_memcache_port(nova_scheduler_t) +# corenet_tcp_connect_memcache_port(nova_cert_t) # from upstream - Bugzilla 1107861 auth_read_passwd(nova_domain) @@ -57,11 +57,13 @@ allow nova_network_t self:capability { net_raw sys_ptrace kill }; allow nova_network_t self:capability2 block_suspend; # Bugzilla 1083566 -allow nova_network_t initrc_var_run_t:file read; +# 09-May-2017 - provided by base policy +# allow nova_network_t initrc_var_run_t:file read; # Bugzilla 1135510 -allow nova_api_t sssd_var_lib_t:sock_file write; -allow nova_scheduler_t cert_t:file { read getattr open }; +# 09-May-2017 - provided by base policy +# allow nova_api_t sssd_var_lib_t:sock_file write; +# allow nova_scheduler_t cert_t:file { read getattr open }; # Bugzilla 1210271 allow svirt_t nova_var_lib_t:lnk_file read; @@ -71,7 +73,8 @@ allow svirt_t nova_var_lib_t:file write; allow svirt_tcg_t nova_var_lib_t:file write; # Bugzilla 1134617 -allow nova_api_t tmpfs_t:filesystem getattr; +# 09-May-2017 No longer needed +# allow nova_api_t tmpfs_t:filesystem getattr; # Bugzilla 1315457 allow httpd_t nova_log_t:dir { add_name write }; diff --git a/os-ovs.te b/os-ovs.te index d39227c..ea9973d 100644 --- a/os-ovs.te +++ b/os-ovs.te 
@@ -32,14 +32,14 @@ gen_require(` allow openvswitch_t init_tmp_t:file write; # Bugzilla 1231868 -allow openvswitch_t sysctl_net_t:dir search; -allow openvswitch_t sysctl_net_t:file { read getattr open }; +# allow openvswitch_t sysctl_net_t:dir search; +# allow openvswitch_t sysctl_net_t:file { read getattr open }; # Bugzilla 1233154 -allow openvswitch_t unreserved_port_t:tcp_socket name_bind; +# allow openvswitch_t unreserved_port_t:tcp_socket name_bind; # Bugzilla 1259419 -corenet_tcp_connect_unreserved_ports(openvswitch_t) +# corenet_tcp_connect_unreserved_ports(openvswitch_t) swift_manage_data_files(openvswitch_t) # Bugzilla 1284268 @@ -51,10 +51,10 @@ allow openvswitch_t tun_tap_device_t:chr_file open; corenet_tcp_bind_ovsdb_port(openvswitch_t) # Bugzilla 1310383 -corenet_tcp_connect_reserved_port(openvswitch_t) +# corenet_tcp_connect_reserved_port(openvswitch_t) # Bugzilla 1334732 -corenet_tcp_connect_openvswitch_port(openvswitch_t) +# corenet_tcp_connect_openvswitch_port(openvswitch_t) # Bugzilla 1372453 corenet_tcp_connect_vnc_port(openvswitch_t) diff --git a/os-rabbitmq.te b/os-rabbitmq.te index 00157d8..bb6d271 100644 --- a/os-rabbitmq.te +++ b/os-rabbitmq.te @@ -11,10 +11,10 @@ gen_require(` class file write; ') # Bugzilla 1185444 -allow systemd_logind_t cluster_t:dbus send_msg; +# allow systemd_logind_t cluster_t:dbus send_msg; # Bugzilla 1135637 allow rabbitmq_epmd_t init_tmp_t:file write; # Bugzilla 1179040 -manage_lnk_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +# manage_lnk_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) diff --git a/os-redis.te b/os-redis.te index 489e6f3..6a06f1a 100644 --- a/os-redis.te +++ b/os-redis.te @@ -11,7 +11,7 @@ gen_require(` ') # Bugzilla 1284436 -allow redis_t redis_port_t:tcp_socket name_connect; +# allow redis_t redis_port_t:tcp_socket name_connect; # Bugzilla 1283674 allow sshd_t cluster_var_log_t:file { read write }; 
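Review bot: Under `# Bugzilla 1259419` the `corenet_tcp_connect_unreserved_ports(openvswitch_t)` call is commented out but `swift_manage_data_files(openvswitch_t)` stays active, and this same commit deletes tests/bz1279537, whose AVC lines (`system_stats4` running as `openvswitch_t` doing `getattr`/`search` on `swift_data_t` directories) were the only visible evidence for that rule. As the interface name suggests, a manage interface grants create/write/unlink on Swift's data files to the Open vSwitch domain, which is far wider than the two directory permissions the deleted AVCs show; if the rule is still needed, keep those AVC lines in a test and consider a search/getattr-only interface, otherwise retire it with the same dated comment as its neighbours. I cannot tell from the hunk whether another tests/bz* file still covers it.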
diff --git a/os-rsync.te b/os-rsync.te index c322453..5ca1d61 100644 --- a/os-rsync.te +++ b/os-rsync.te @@ -13,8 +13,9 @@ gen_require(` ') # Bugzilla 1135637 +# These are no longer needed - 05-may-2017 allow rsync_t etc_runtime_t:file relabelto; allow rsync_t etc_t:file relabelfrom; -allow rsync_t cert_t:file { relabelfrom relabelto }; +# allow rsync_t cert_t:file { relabelfrom relabelto }; allow rsync_t cert_t:dir { relabelfrom relabelto }; allow load_policy_t init_t:fifo_file write; diff --git a/os-swift.te b/os-swift.te index fc67da4..3e40c5a 100644 --- a/os-swift.te +++ b/os-swift.te @@ -3,19 +3,21 @@ policy_module(os-swift,0.1) gen_require(` type swift_t; type amqp_port_t; - type httpd_config_t; + # type httpd_config_t; type var_log_t; class tcp_socket name_connect; class file { open }; ') # Bugzilla 1105344 -corenet_tcp_connect_keystone_port(swift_t) -corenet_tcp_connect_memcache_port(swift_t) -allow swift_t httpd_config_t:dir search; +# All all are allowed by base policy - 09-May-2017 +# corenet_tcp_connect_keystone_port(swift_t) +# corenet_tcp_connect_memcache_port(swift_t) +# allow swift_t httpd_config_t:dir search; # Bugzilla 1109087 -corenet_tcp_connect_xserver_port(swift_t) +# Allowed by base policy - 09-May-2017 +# corenet_tcp_connect_xserver_port(swift_t) # Emergency tripleo fix allow swift_t var_log_t:file open; diff --git a/tests/bz1040411 b/tests/bz1040411 deleted file mode 100644 index b48bae0..0000000 --- a/tests/bz1040411 +++ /dev/null @@ -1 +0,0 @@ -type=AVC msg=audit(1434613888.676:39583): avc: denied { name_bind } for pid=15783 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket diff --git a/tests/bz1170839 b/tests/bz1170839 index 6bf9ae1..9815cd1 100644 --- a/tests/bz1170839 +++ b/tests/bz1170839 
@@ -5,6 +5,3 @@ type=AVC msg=audit(1417690758.589:915): avc: denied { execute_no_trans } for pid type=AVC msg=audit(1417690758.591:918): avc: denied { getattr } for pid=8511 comm="arping" scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=packet_socket type=AVC msg=audit(1417690351.147:8882): avc: denied { signal } for pid=9605 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process type=AVC msg=audit(1417690758.588:914): avc: denied { execute } for pid=8510 comm="nova-rootwrap" name="arping" dev="vda1" ino=17240309 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file - - - diff --git a/tests/bz1176830 b/tests/bz1176830 index 93063a2..d3bd77a 100644 --- a/tests/bz1176830 +++ b/tests/bz1176830 @@ -1 +1 @@ -type=AVC msg=audit(1419326478.236:14309): avc: denied { getattr } for pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem \ No newline at end of file +type=AVC msg=audit(1419326478.236:14309): avc: denied { getattr } for pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem diff --git a/tests/bz1245846 b/tests/bz1245846 index 40a9e29..a76128f 100644 --- a/tests/bz1245846 +++ b/tests/bz1245846 
@@ -31,5 +31,4 @@ type=AVC msg=audit(07/21/2015 19:45:23.599:32491) : avc: denied { bind } for type=AVC msg=audit(07/21/2015 19:45:23.599:32492) : avc: denied { create } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket type=AVC msg=audit(07/21/2015 19:45:23.600:32493) : avc: denied { write } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket type=AVC msg=audit(07/21/2015 19:45:23.684:32494) : avc: denied { read } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket -type=MAC_IPSEC_EVENT msg=audit(07/21/2015 19:45:24.721:32500) : op=SPD-add auid=unset ses=unset subj=system_u:system_r:neutron_t:s0 res=yes src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0 type=AVC msg=audit(07/21/2015 19:45:24.721:32500) : avc: denied { nlmsg_write } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_xfrm_socket diff --git a/tests/bz1279537 b/tests/bz1279537 deleted file mode 100644 index 329b6ed..0000000 --- a/tests/bz1279537 +++ /dev/null 
@@ -1,3 +0,0 @@ -type=AVC msg=audit(1441204057.176:32748): avc: denied { name_connect } for pid=23947 comm="ovsdb-server" dest=6632 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket -type=AVC msg=audit(1441204364.388:32861): avc: denied { getattr } for pid=23982 comm="system_stats4" path="/srv/node/swiftloopback" dev="loop0" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir -type=AVC msg=audit(1441204354.383:32858): avc: denied { search } for pid=23982 comm="system_stats4" name="node" dev="sda1" ino=42410035 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir diff --git a/tests/bz1397537 b/tests/bz1397537 index c7d97c9..dcdc967 100644 --- a/tests/bz1397537 +++ b/tests/bz1397537 
@@ -1,5 +1,4 @@ -type=AVC msg=audit(1479734070.102:28): avc: denied { read write } for pid=1232 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=34881 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:ob -ject_r:vfio_device_t:s0 tclass=chr_file +type=AVC msg=audit(1479734070.102:28): avc: denied { read write } for pid=1232 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=34881 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file type=AVC msg=audit(1479734082.245:30): avc: denied { connectto } for pid=1302 comm="plymouth" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket type=AVC msg=audit(1479734839.323:28): avc: denied { open } for pid=1232 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" ino=26699 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file type=AVC msg=audit(1479735230.962:28): avc: denied { ioctl } for pid=1236 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" ino=22693 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file From c2d92fe9ae0670f4d6b7371cd6d34fcb7bf5c50b Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 10 May 2017 15:49:58 -0400 Subject: [PATCH 021/192] Delete obsolete policy Signed-off-by: Lon Hohberger --- local_settings.sh | 3 --- os-cinder.te | 4 +--- os-glance.te | 14 -------------- os-keepalived.te | 7 ------- os-keystone.te | 8 -------- os-mongodb.te | 7 ------- os-mysql.te | 15 --------------- os-neutron.te | 16 ---------------- os-nova.te | 23 ----------------------- os-ovs.te | 14 -------------- os-rabbitmq.te | 5 ----- os-redis.te | 3 --- os-rsync.te | 2 -- os-swift.te | 11 ----------- 14 files changed, 1 insertion(+), 131 deletions(-) diff --git a/local_settings.sh b/local_settings.sh index aead9d8..1cc9b8f 100755 
--- a/local_settings.sh +++ b/local_settings.sh @@ -39,9 +39,6 @@ install_policies() { # # Port rules # - # bz#1107873 - # Part of base policy - 09-May-2017 - # $SBINDIR/semanage port -N -a -t amqp_port_t -p tcp 15672 &> /dev/null # bz#1118859 $SBINDIR/semanage port -N -m -t mysqld_port_t -p tcp 4444 &> /dev/null diff --git a/os-cinder.te b/os-cinder.te index 5911688..1f661b1 100644 --- a/os-cinder.te +++ b/os-cinder.te @@ -2,10 +2,8 @@ policy_module(os-cinder,0.1) gen_require(` type cinder_log_t; - type httpd_t; - type iscsid_exec_t; - type iscsid_t; type cinder_backup_t; + type httpd_t; class file { open create }; class dir { add_name write }; ') diff --git a/os-glance.te b/os-glance.te index 6860433..fcbd3a2 100644 --- a/os-glance.te +++ b/os-glance.te @@ -17,20 +17,6 @@ gen_require(` # Bugzilla 1362609 corenet_tcp_connect_memcache_port(glance_registry_t) -# Bugzilla 1119151 -# 09-May-2017 - no longer needed -# corenet_tcp_connect_all_ports(glance_api_t) - -# Bugzilla 1135510 -# 09-May-2017 - no longer needed -# allow glance_api_t unreserved_port_t:tcp_socket name_connect; - -# Bugzilla 1130212 1119400 -# Allow glance execmem/execstack until we get the boolean -# in a later release of selinux-policy -# 09-May-2017 - No longer needed -# allow glance_api_t self:process { execstack execmem }; - # Bugzilla 1219406 allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name }; allow glance_api_t nfs_t:file { write getattr unlink open create }; diff --git a/os-keepalived.te b/os-keepalived.te index 4243b09..e860824 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -2,7 +2,6 @@ policy_module(os-keepalived,0.1) gen_require(` type keepalived_t; - type haproxy_t; type neutron_var_lib_t; type var_log_t; type cloud_var_lib_t; 
@@ -34,12 +33,6 @@ allow keepalived_t var_log_t:file open; allow keepalived_t self:capability dac_override; allow keepalived_t neutron_t:process sigkill; -# Bugzilla 1145886 -# No longer needed - 09-May-2017 -# domain_read_all_domains_state(keepalived_t) -# allow keepalived_t haproxy_t:process signull; -# allow keepalived_t self:capability kill; - # Bugzilla 1206148 allow keepalived_t sysfs_t:filesystem getattr; allow keepalived_t neutron_var_lib_t:file unlink; diff --git a/os-keystone.te b/os-keystone.te index 64d4544..94377da 100644 --- a/os-keystone.te +++ b/os-keystone.te @@ -5,16 +5,8 @@ gen_require(` type keystone_log_t; type keystone_t; class file { create open }; - # class process signal; ') -# Bugzilla 1167073 - no longer needed 09-May-2017 -# allow keystone_t self:process signal; - -# Bugzilla 1180230 -# allow httpd_t keystone_log_t:file open; -# corenet_tcp_bind_commplex_main_port(httpd_t) - # Bugzilla 1223006 allow httpd_t keystone_log_t:file create; keystone_manage_log(httpd_t) diff --git a/os-mongodb.te b/os-mongodb.te index ffeae2c..5ef388e 100644 --- a/os-mongodb.te +++ b/os-mongodb.te @@ -1,8 +1 @@ policy_module(os-mongodb,0.1) - -gen_require(` - type mongod_t; -') - -# Bugzilla 1192049 -# allow mongod_t self:process execmem; diff --git a/os-mysql.te b/os-mysql.te index 6ef8846..00a8cff 100644 --- a/os-mysql.te +++ b/os-mysql.te @@ -6,9 +6,6 @@ gen_require(` type mysqld_t; type nfs_t; type mysqld_safe_exec_t; - type cluster_tmp_t; - type cluster_var_lib_t; - type mysqld_safe_t; class tcp_socket name_connect; class file { read getattr open execute execute_no_trans write }; class dir read; 
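Review bot: After the os-mongodb.te hunk the file consists of the single line `policy_module(os-mongodb,0.1)` with no `gen_require` and no rules, so the build still produces and installs an empty os-mongodb module. Unless something depends on the module name being present, delete the file and drop it from whatever list builds and installs the modules; if it is kept as a placeholder, say so in the file, e.g. `# Intentionally empty: former rules are provided by the base policy (Bugzilla 1192049)`. I cannot see the build list from these hunks, so treat the second half as a check to make.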
@@ -18,20 +15,8 @@ gen_require(` allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans }; corenet_tcp_connect_tram_port(mysqld_t) -# Test 5: 09-May 2017: Provided by base policy -# corenet_tcp_bind_tram_port(mysqld_t) - # Bugzilla 1114581 # allow mysqld_t nfs_t:dir search; # Bugzilla 1118859 -# 9-May-2017 - no longer needed -# domain_read_all_domains_state(mysqld_t) -# files_search_pids(mysqld_t) -# files_getattr_all_sockets(mysqld_t) allow mysqld_t mysqld_safe_exec_t:file getattr; - -# Bugzilla 1284672 -# Bugzilla 1439182 -# allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms }; -# allow mysqld_safe_t cluster_var_lib_t:dir read; diff --git a/os-neutron.te b/os-neutron.te index 9b32f09..5d9951b 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -48,23 +48,8 @@ keepalived_domtrans(neutron_t) allow neutron_t self:netlink_socket { bind create getattr }; # Bugzilla 1153656 -# No longer needed - 09-May-2017 -# allow neutron_t dnsmasq_t:process sigkill; allow haproxy_t proc_t:file read; -# Bugzilla 1110263 & 1111990 -# Allowed by base policy - 9-May-2017 -# allow neutron_t self:unix_stream_socket { accept listen connectto }; -# corenet_tcp_connect_all_ports(neutron_t) - -# Bugzilla 1116755 -# 9-May-2017 - no longer needed -# allow neutron_t haproxy_t:unix_stream_socket { accept listen connectto }; - -# Bugzilla 1114254 -# 9-May-2017 - no longer needed -# allow neutron_t haproxy_exec_t:file execute_no_trans; - # Bugzilla 1135510 allow neutron_t ipsec_mgmt_exec_t:file exec_file_perms; @@ -92,7 +77,6 @@ allow neutron_t httpd_config_t:dir search; corecmd_getattr_all_executables(neutron_t) # Bugzilla 1294420 -# allow logrotate_t self:netlink_selinux_socket create; allow neutron_t radvd_exec_t:file getattr; diff --git a/os-nova.te b/os-nova.te index 0f62f24..3ecbd73 100644 --- a/os-nova.te +++ b/os-nova.te 
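Review bot: This pass removes the dated commented rules but leaves the `# Bugzilla 1153656` header in os-neutron.te directly above `allow haproxy_t proc_t:file read;` and `# Bugzilla 1294420` above `allow neutron_t radvd_exec_t:file getattr;`, so both live rules are now attributed to bugs whose actual rules were deleted. Either delete the orphaned headers or re-attribute the rules with their real reference. In os-mysql.te the `# Bugzilla 1114581` block keeps `# allow mysqld_t nfs_t:dir search;` as a commented-out line while every other disabled rule in the file is removed, and `type nfs_t;` stays in `gen_require`; remove both for consistency or add a line saying why this one is retained.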
@@ -8,11 +8,9 @@ gen_require(` type nova_scheduler_t; type nova_console_t; type nova_cert_t; - type sssd_var_lib_t; type cert_t; type nova_log_t; type httpd_t; - type tmpfs_t; type netutils_exec_t; type virtd_t; type svirt_t; @@ -31,9 +29,6 @@ gen_require(` # Bugzilla 1181428 iscsid_domtrans(virtd_t); -# Bugzilla 1180373 -# allow nova_network_t self:key write; - # Bugzilla 1170839 allow nova_network_t netutils_exec_t:file { read execute open execute_no_trans }; allow nova_network_t self:packet_socket { bind create getattr }; @@ -42,11 +37,6 @@ netutils_domtrans(nova_network_t) # Bugzilla 1149975 allow nova_scheduler_t cert_t:dir search; -# Bugzilla 1162761 and 1158213 -# corenet_tcp_connect_memcache_port(nova_console_t) -# corenet_tcp_connect_memcache_port(nova_scheduler_t) -# corenet_tcp_connect_memcache_port(nova_cert_t) - # from upstream - Bugzilla 1107861 auth_read_passwd(nova_domain) init_read_utmp(nova_domain) @@ -56,15 +46,6 @@ init_read_utmp(nova_domain) allow nova_network_t self:capability { net_raw sys_ptrace kill }; allow nova_network_t self:capability2 block_suspend; -# Bugzilla 1083566 -# 09-May-2017 - provided by base policy -# allow nova_network_t initrc_var_run_t:file read; - -# Bugzilla 1135510 -# 09-May-2017 - provided by base policy -# allow nova_api_t sssd_var_lib_t:sock_file write; -# allow nova_scheduler_t cert_t:file { read getattr open }; - # Bugzilla 1210271 allow svirt_t nova_var_lib_t:lnk_file read; @@ -72,10 +53,6 @@ allow svirt_t nova_var_lib_t:lnk_file read; allow svirt_t nova_var_lib_t:file write; allow svirt_tcg_t nova_var_lib_t:file write; -# Bugzilla 1134617 -# 09-May-2017 No longer needed -# allow nova_api_t tmpfs_t:filesystem getattr; - # Bugzilla 1315457 allow httpd_t nova_log_t:dir { add_name write }; allow httpd_t nova_log_t:file { open create }; diff --git a/os-ovs.te b/os-ovs.te index ea9973d..8d92632 100644 --- a/os-ovs.te +++ b/os-ovs.te 
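Review bot: The first hunk drops `type sssd_var_lib_t;` and `type tmpfs_t;` from `gen_require` because their rules go away, but `type nova_console_t;` and `type nova_cert_t;` stay although the only rules visible for them, the three `corenet_tcp_connect_memcache_port(...)` lines under `# Bugzilla 1162761 and 1158213`, are deleted in the third hunk. If nothing else in os-nova.te references those two types, remove them from `gen_require` as well so the require block reflects the rules the module actually carries. I can only see the hunks, so this needs a check against the full file.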
@@ -31,15 +31,7 @@ gen_require(` # Bugzilla 1108187 allow openvswitch_t init_tmp_t:file write; -# Bugzilla 1231868 -# allow openvswitch_t sysctl_net_t:dir search; -# allow openvswitch_t sysctl_net_t:file { read getattr open }; - -# Bugzilla 1233154 -# allow openvswitch_t unreserved_port_t:tcp_socket name_bind; - # Bugzilla 1259419 -# corenet_tcp_connect_unreserved_ports(openvswitch_t) swift_manage_data_files(openvswitch_t) # Bugzilla 1284268 @@ -50,12 +42,6 @@ allow openvswitch_t tun_tap_device_t:chr_file open; # Bugzilla 1284268 corenet_tcp_bind_ovsdb_port(openvswitch_t) -# Bugzilla 1310383 -# corenet_tcp_connect_reserved_port(openvswitch_t) - -# Bugzilla 1334732 -# corenet_tcp_connect_openvswitch_port(openvswitch_t) - # Bugzilla 1372453 corenet_tcp_connect_vnc_port(openvswitch_t) diff --git a/os-rabbitmq.te b/os-rabbitmq.te index bb6d271..6818f87 100644 --- a/os-rabbitmq.te +++ b/os-rabbitmq.te @@ -10,11 +10,6 @@ gen_require(` class dbus send_msg; class file write; ') -# Bugzilla 1185444 -# allow systemd_logind_t cluster_t:dbus send_msg; # Bugzilla 1135637 allow rabbitmq_epmd_t init_tmp_t:file write; - -# Bugzilla 1179040 -# manage_lnk_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) diff --git a/os-redis.te b/os-redis.te index 6a06f1a..5dac3d5 100644 --- a/os-redis.te +++ b/os-redis.te @@ -10,9 +10,6 @@ gen_require(` class file { read write }; ') -# Bugzilla 1284436 -# allow redis_t redis_port_t:tcp_socket name_connect; - # Bugzilla 1283674 allow sshd_t cluster_var_log_t:file { read write }; allow useradd_t cluster_var_log_t:file { read write }; diff --git a/os-rsync.te b/os-rsync.te index 5ca1d61..8c4edb0 100644 --- a/os-rsync.te +++ b/os-rsync.te 
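Review bot: In os-ovs.te the `# Bugzilla 1259419` header is retained above `swift_manage_data_files(openvswitch_t)` although its own rule was removed in this hunk, so the Swift rule is now mis-attributed; give it its own reference or remove the header. In os-rabbitmq.te the `gen_require` block shown as context still lists `class dbus send_msg;` while the only dbus rule, `allow systemd_logind_t cluster_t:dbus send_msg;`, is deleted, and `type sysctl_net_t;` in os-ovs.te's `gen_require` likely becomes unused once the `# Bugzilla 1231868` rules go. Prune the require entries together with the rules so an unused require does not mask a future typo.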
@@ -13,9 +13,7 @@ gen_require(` ') # Bugzilla 1135637 -# These are no longer needed - 05-may-2017 allow rsync_t etc_runtime_t:file relabelto; allow rsync_t etc_t:file relabelfrom; -# allow rsync_t cert_t:file { relabelfrom relabelto }; allow rsync_t cert_t:dir { relabelfrom relabelto }; allow load_policy_t init_t:fifo_file write; diff --git a/os-swift.te b/os-swift.te index 3e40c5a..dfdfcd3 100644 --- a/os-swift.te +++ b/os-swift.te @@ -3,22 +3,11 @@ policy_module(os-swift,0.1) gen_require(` type swift_t; type amqp_port_t; - # type httpd_config_t; type var_log_t; class tcp_socket name_connect; class file { open }; ') -# Bugzilla 1105344 -# All all are allowed by base policy - 09-May-2017 -# corenet_tcp_connect_keystone_port(swift_t) -# corenet_tcp_connect_memcache_port(swift_t) -# allow swift_t httpd_config_t:dir search; - -# Bugzilla 1109087 -# Allowed by base policy - 09-May-2017 -# corenet_tcp_connect_xserver_port(swift_t) - # Emergency tripleo fix allow swift_t var_log_t:file open; allow swift_t amqp_port_t:tcp_socket name_connect; From d47d5cd55bd758298e5589d54f9835eae6c13f99 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 16 May 2017 16:37:43 -0400 Subject: [PATCH 022/192] dontaudit open/getattr for openvswitch_t reading neutron_t Related: rhbz#1448887 Signed-off-by: Lon Hohberger --- os-ovs.te | 2 +- tests/bz1448887 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 tests/bz1448887 diff --git a/os-ovs.te b/os-ovs.te index 8d92632..33bb6e8 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -96,4 +96,4 @@ optional_policy(` # neutron_t labeled files so the parent's cmdline can be # printed is not worth this information at this time # -dontaudit openvswitch_t neutron_t:file read; +dontaudit openvswitch_t neutron_t:file { read open getattr }; diff --git a/tests/bz1448887 b/tests/bz1448887 new file mode 100644 index 0000000..ca16145 --- /dev/null +++ b/tests/bz1448887 
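Review bot: Widening the rule to `dontaudit openvswitch_t neutron_t:file { read open getattr };` silences every read of any `neutron_t`-labelled file by the OVS domain, not only `/proc/<pid>/cmdline`, which is the trade-off the comment above already describes; it is worth adding that these denials are also hidden from anyone investigating ovs-vsctl problems until dontaudit rules are re-enabled with `semodule -DB`, and pointing at the new tests/bz1448887 fixture that records the expected AVCs. A line such as `# Re-enable with 'semodule -DB' when debugging; see tests/bz1448887` at the end of the existing comment block would do. The comment block and the surrounding `optional_policy` start outside the hunk.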
@@ -0,0 +1,3 @@ +type=AVC msg=audit(1494905982.458:2181): avc: denied { open } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file +type=AVC msg=audit(1494905982.458:2182): avc: denied { getattr } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file +type=AVC msg=audit(1494905982.458:2182): avc: denied { read } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file From 72e6d46444100742a9d4e44746199603c2f91d52 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 22 May 2017 15:49:54 -0400 Subject: [PATCH 023/192] check_all: Look for all errors, not just TE errors Signed-off-by: Lon Hohberger --- tests/check_all | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/check_all b/tests/check_all index a635506..08b95af 100755 --- a/tests/check_all +++ b/tests/check_all @@ -37,18 +37,19 @@ for f in $TEST_FILES; do # that the openstack-selinux policies are installed and # loaded, or you will receive false failures. # - if audit2why -i $TMP | grep -q 'Missing type'; then - echo Failed on $f with the following AVC: - # - # An optimization could be to call audit2why only - # once (and check that output above), but this is - # an error path we hope to not hit very often. - # - audit2why -i $TMP - ((failed++)) - else + if audit2why -i $TMP | grep -q -e 'Unknown - '; then ((passed++)) + continue fi + + echo Failed on $f with the following AVC: + # + # An optimization could be to call audit2why only + # once (and check that output above), but this is + # an error path we hope to not hit very often. + # + audit2why -i $TMP + ((failed++)) done < $f done 
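Review bot: `if audit2why -i $TMP | grep -q -e 'Unknown - '; then` makes the verdict depend only on whether grep matched, so a failure of audit2why itself (tool not installed, policy not loadable) is indistinguishable from a real denial and is reported as `Failed on $f with the following AVC:`; with `-q` the pipeline also never checks audit2why's own exit status. Check `${PIPESTATUS[0]}` after the pipeline, or write audit2why's output to a file and test its status first, and abort with a distinct message when the tool fails, so a broken test host does not produce a wall of bogus policy failures. The loop body continues outside the hunk on both sides.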
From 0ecd4be49acde47ffb44d7b9afd2da00f0df13b8 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 22 May 2017 13:54:01 -0400 Subject: [PATCH 024/192] Fix up regressions in glance/neutron changes - turn on glance_api_can_network - turn on neutron_can_network - re-add glance_registry_t -> memcache_port_t, commplex_main_port_t Resolves: rhbz#1452418 Signed-off-by: Lon Hohberger --- local_settings.sh | 2 ++ os-glance.te | 3 +-- tests/bz1452418 | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 tests/bz1452418 diff --git a/local_settings.sh b/local_settings.sh index 1cc9b8f..876ea0b 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -57,6 +57,8 @@ install_policies() { # CR=$'\n' INPUT="boolean -N -m --on virt_use_fusefs + boolean -N -m --on glance_api_can_network + boolean -N -m --on neutron_can_network boolean -N -m --on glance_use_fusefs boolean -N -m --on haproxy_connect_any boolean -N -m --on nis_enabled diff --git a/os-glance.te b/os-glance.te index fcbd3a2..8e77d3e 100644 --- a/os-glance.te +++ b/os-glance.te @@ -22,7 +22,6 @@ allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name allow glance_api_t nfs_t:file { write getattr unlink open create }; allow glance_registry_t nfs_t:dir search; - # Bugzilla 1210271 allow glance_registry_t glance_var_lib_t:lnk_file read; allow glance_api_t glance_var_lib_t:lnk_file read; @@ -31,7 +30,7 @@ allow glance_registry_t var_lib_t:lnk_file read; # Bugzilla 1145802 allow glance_api_t nfs_t:dir getattr; - + # Bugzilla 1306525 corenet_tcp_connect_commplex_main_port(glance_registry_t) diff --git a/tests/bz1452418 b/tests/bz1452418 new file mode 100644 index 0000000..c6b301d --- /dev/null +++ b/tests/bz1452418 @@ -0,0 +1 @@ +type=AVC msg=audit(1495149503.842:3417): avc: denied { name_connect } for pid=24486 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket 
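Review bot: Turning on `glance_api_can_network` and `neutron_can_network` in local_settings.sh gives `glance_api_t` and `neutron_t` broad network connectivity, as the boolean names suggest, to replace the specific `corenet_tcp_connect_*_port` rules removed in the previous two commits, which is a wider grant than the regression being fixed: the new tests/bz1452418 AVC shows only `glance-api` in `glance_api_t` doing `name_connect` to `keystone_port_t` (dest=35357). Restoring the targeted rule, e.g. `corenet_tcp_connect_keystone_port(glance_api_t)` in os-glance.te, covers the reported denial with least privilege; if the booleans are needed for other reasons, record why in the comment block above `INPUT=`. `install_policies()` continues outside the hunk.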
From e57255a45f648b32ad69abfc7134702f325a6bc7 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 23 May 2017 13:47:42 -0400 Subject: [PATCH 025/192] Whitespace clean-ups Signed-off-by: Lon Hohberger --- os-glance.te | 2 +- os-ovs.te | 4 ++-- utils/sortavcs | 6 +++--- utils/testpolicy | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/os-glance.te b/os-glance.te index 8e77d3e..323910d 100644 --- a/os-glance.te +++ b/os-glance.te @@ -30,7 +30,7 @@ allow glance_registry_t var_lib_t:lnk_file read; # Bugzilla 1145802 allow glance_api_t nfs_t:dir getattr; - + # Bugzilla 1306525 corenet_tcp_connect_commplex_main_port(glance_registry_t) diff --git a/os-ovs.te b/os-ovs.te index 33bb6e8..2f82f17 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -93,7 +93,7 @@ optional_policy(` # # ovs-vsctl tries to read /proc/[ppid]/cmdline in order to # Print debugging information. Allowing OVS to read all of -# neutron_t labeled files so the parent's cmdline can be -# printed is not worth this information at this time +# neutron_t labeled files so the parent's cmdline can be +# printed is not worth this information at this time # dontaudit openvswitch_t neutron_t:file { read open getattr }; diff --git a/utils/sortavcs b/utils/sortavcs index 17c0631..8c408d7 100755 --- a/utils/sortavcs +++ b/utils/sortavcs @@ -3,7 +3,7 @@ if [ -n "$1" ] && [ -n "$2" ]; then echo "Sorting" $1"!" else - echo "-------Sort AVCs-------" + echo "-------Sort AVCs-------" echo "Sort AVCs will remove duplicate AVCs from you audit.log so you can save them for the regression test in the /openstack-selinux/tests directory." echo "Use the following format:" echo "./sortavcs " @@ -28,7 +28,7 @@ declare -A avcs while read; do LINE="$REPLY" - + # Optimization: if not type=AVC, we don't care [[ $LINE =~ ^type=AVC ]] || continue 
@@ -36,7 +36,7 @@ while read; do [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*(dest=[0-9]+|path).*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]] HASH="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}.${BASH_REMATCH[4]}.${BASH_REMATCH[5]}" - # ... which isn't always there ... + # ... which isn't always there ... if [ "$HASH" = "...." ]; then [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]] # XXX the trailing . is important for non-matches diff --git a/utils/testpolicy b/utils/testpolicy index 0de9454..752f66a 100755 --- a/utils/testpolicy +++ b/utils/testpolicy @@ -7,9 +7,9 @@ if [ -n "$1" ] && [ -n "$2" ]; then echo "Using" $1 "and" $2"!" else - echo "-------Openstack-selinux policy test-------" + echo "-------Openstack-selinux policy test-------" echo "Use the following format:" - echo "./testpolicy.sh " + echo "./testpolicy.sh " exit 1 fi From 3094c844b066e10b76c1ddf825b318f19ef08360 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 23 May 2017 14:44:03 -0400 Subject: [PATCH 026/192] tests: Improve performance - Combine AVCs into a single file - audit2why on all AVCs in one shot - Record all non-passing lines (failures) - Print bz# and line# for failures - Present audit2why output file for RCA Signed-off-by: Lon Hohberger --- tests/check_all | 88 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 31 deletions(-) diff --git a/tests/check_all b/tests/check_all index 08b95af..74c2bd8 100755 --- a/tests/check_all +++ b/tests/check_all 
@@ -11,56 +11,82 @@ export LANG=C TMP=$(mktemp /tmp/openstack-selinux-test.XXXXXX) +rm -f $TMP +mkdir -p $TMP PWD=$(pwd) cd "$(dirname $0)" TEST_FILES=$(/bin/ls -1 bz*) +TEST_INPUT=$TMP/input +TEST_OUTPUT=$TMP/output +TEST_FAIL=$TMP/failed_tests +TEST_FAIL_INFO=$TMP/failed_info passed=0 failed=0 +rm -f $TEST_INPUT +touch $TEST_INPUT for f in $TEST_FILES; do - echo "CHECKING:" $f - totalAVC=$(grep -s -c "type=AVC" $f) - count=0 - while read; do - ((count++)) - echo "("$count"/"$totalAVC")" - - # Copy our individual AVC line to our temp file. - echo "$REPLY" > $TMP - - # - # Ensure that the AVC does not generate a 'Missing type - # enforcement' error message from audit2why. This requires - # that the openstack-selinux policies are installed and - # loaded, or you will receive false failures. - # - if audit2why -i $TMP | grep -q -e 'Unknown - '; then - ((passed++)) - continue - fi - - echo Failed on $f with the following AVC: - # - # An optimization could be to call audit2why only - # once (and check that output above), but this is - # an error path we hope to not hit very often. 
- # - audit2why -i $TMP - ((failed++)) - done < $f + grep '^type=AVC' $f >> $TEST_INPUT done +totalAVC=$(wc -l $TEST_INPUT) +audit2why -i $TEST_INPUT > $TEST_OUTPUT + +cat > $TMP/check.awk << EOT +BEGIN { + working = 0 + last_line = "" +} + +/^type=AVC/ { + if (working == 1) { + print last_line + last_line = "" + working = 0 + } + working = 1 + last_line=\$0 +} + +/Unknown -/ { + working = 0 + last_line = "" +} + +END { + if (working == 1) { + working = 0 + print last_line + } +} +EOT + +awk -f $TMP/check.awk $TEST_OUTPUT > $TEST_FAIL + +while read; do + ((failed++)) + grep -n "$REPLY" $TEST_FILES + # echo "$REPLY" | audit2why | grep -v '$REPLY' +done < $TEST_FAIL + +if [ $failed -ne 0 ]; then + audit2why -i $TEST_FAIL > $TEST_FAIL_INFO +fi + cd "$PWD" -echo Results: $passed passed, $failed failed +echo Results: ${totalAVC/ */} total, $failed failed echo -n "Overall result: " if [ $failed -ne 0 ]; then echo FAIL + echo Check $TEST_FAIL_INFO for more information exit 1 fi +rm -rf $TMP + echo PASS exit 0 From 92bf28e4f331e141ece394d3700368ad86108af1 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Thu, 8 Jun 2017 16:11:00 +0200 Subject: [PATCH 027/192] Allow glance over NFS Without the read permission, Glance can't access file on NFS --- os-glance.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/os-glance.te b/os-glance.te index 323910d..ae732f3 100644 --- a/os-glance.te +++ b/os-glance.te @@ -8,7 +8,7 @@ gen_require(` type var_lib_t; type nfs_t; class dir { write getattr remove_name create add_name }; - class file { write getattr unlink open create }; + class file { write getattr unlink open create read}; class lnk_file read; type sudo_exec_t; class file { execute }; 
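Review bot: The temp-directory setup at the top of the hunk, `rm -f $TMP` followed by `mkdir -p $TMP`, throws away the name mktemp just created securely and re-creates it as a directory in world-writable /tmp, which reintroduces the pre-creation/symlink race mktemp exists to avoid (`mkdir -p` also silently accepts a directory someone else created first). Use `TMP=$(mktemp -d /tmp/openstack-selinux-test.XXXXXX)` and drop those two lines. In the failure loop, `grep -n "$REPLY" $TEST_FILES` treats the AVC line as a regular expression; `grep -nF` matches it literally, and `read -r` keeps backslashes in audit records intact. Leaving $TMP behind on FAIL is clearly intentional for RCA, but `rm -rf $TMP` only runs on the PASS path, so an early exit (audit2why missing, for example) also leaves directories behind; a `trap` keyed on the result would cover both.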
@@ -19,7 +19,7 @@ corenet_tcp_connect_memcache_port(glance_registry_t) # Bugzilla 1219406 allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name }; -allow glance_api_t nfs_t:file { write getattr unlink open create }; +allow glance_api_t nfs_t:file { write getattr unlink open create read }; allow glance_registry_t nfs_t:dir search; # Bugzilla 1210271 From 74ddc0e5317694ccbab7997f85cb862b8d01c003 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 22 Jun 2017 14:15:16 -0400 Subject: [PATCH 028/192] os-mysql: Readd read perms for cluster_tmp_t While several AVCs are resolved by newer base policy, a few others were not. Caught by automation. Resolves: rhbz#1464114 Signed-off-by: Lon Hohberger --- os-mysql.te | 9 +++++++++ tests/bz1464114 | 2 ++ 2 files changed, 11 insertions(+) create mode 100644 tests/bz1464114 diff --git a/os-mysql.te b/os-mysql.te index 00a8cff..3074d84 100644 --- a/os-mysql.te +++ b/os-mysql.te @@ -6,6 +6,9 @@ gen_require(` type mysqld_t; type nfs_t; type mysqld_safe_exec_t; + type cluster_tmp_t; + type cluster_var_lib_t; + type mysqld_safe_t; class tcp_socket name_connect; class file { read getattr open execute execute_no_trans write }; class dir read; @@ -20,3 +23,9 @@ corenet_tcp_connect_tram_port(mysqld_t) # Bugzilla 1118859 allow mysqld_t mysqld_safe_exec_t:file getattr; + +# Bugzilla 1284672 +# Bugzilla 1439182 +# Bugzilla 1464114 +allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms }; +allow mysqld_safe_t cluster_var_lib_t:dir read; diff --git a/tests/bz1464114 b/tests/bz1464114 new file mode 100644 index 0000000..3c57447 --- /dev/null +++ b/tests/bz1464114 
@@ -0,0 +1,2 @@ +bz1464114:1:type=AVC msg=audit(1498082689.658:317): avc: denied { open } for pid=24495 comm="touch" path="/tmp/tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file +bz1464114:2:type=AVC msg=audit(1498082689.659:318): avc: denied { setattr } for pid=24496 comm="chown" name="tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file From bd843a705122ec58bee5bbd2c13509f21822747e Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 1 Aug 2017 09:18:03 -0400 Subject: [PATCH 029/192] Allow keepalived self:process setpgid Signed-off-by: Lon Hohberger --- os-keepalived.te | 6 +++++- tests/bz1469823 | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 tests/bz1469823 diff --git a/os-keepalived.te b/os-keepalived.te index e860824..51a05a1 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -12,7 +12,7 @@ gen_require(` type NetworkManager_t; type systemd_systemctl_exec_t; class filesystem getattr; - class process { signull sigkill }; + class process { signull sigkill setpgid }; class capability { net_admin net_raw kill dac_override }; class file { execute read create ioctl unlink execute_no_trans write getattr open }; ') @@ -47,3 +47,7 @@ optional_policy(` systemd_systemctl_domain(keepalived) unconfined_domain(keepalived_systemctl_t) ') + +# Bugzilla 1469823 +allow keepalived_t self:process setpgid; + diff --git a/tests/bz1469823 b/tests/bz1469823 new file mode 100644 index 0000000..110425e --- /dev/null +++ b/tests/bz1469823 @@ -0,0 +1 @@ +type=AVC msg=audit(1499805908.280:4362): avc: denied { setpgid } for pid=16339 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process From f7297a77903fcb8963c7796e49d357cb7cce2b28 Mon Sep 17 00:00:00 2001 
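Review bot: Both lines of tests/bz1464114 carry a `bz1464114:N:` prefix, which looks like the `grep -n` output of check_all's failure report rather than a raw audit record; since check_all collects test input with `grep '^type=AVC'`, neither line matches and this regression test is silently never exercised. Strip the prefix so each line starts with `type=AVC`, as the other tests/bz* files do. It may also be worth making check_all report a test file that contributes zero AVC lines, so this class of mistake is caught next time.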
From: Lee Yarwood Date: Wed, 2 Aug 2017 16:39:17 +0100 Subject: [PATCH 030/192] Label /var/log/zaqar/zaqar.log with httpd_log_t Allowing both the WSGI app and websocket service to log to the file. Resolves: rhbz#1456562 Signed-off-by: Lee Yarwood --- local_settings.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/local_settings.sh b/local_settings.sh index 876ea0b..8e5f407 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -82,6 +82,7 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log + fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent" From 5002b373a03c3910cc7a5fbd94468e8e3b84d55c Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 1 Aug 2017 09:41:11 -0400 Subject: [PATCH 031/192] Allow glance_api_t to use sudo for different backends Resolves: rhbz#1475378 Resolves: rhbz#1447779 Signed-off-by: Lon Hohberger --- local_settings.sh | 1 + os-glance.te | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/local_settings.sh b/local_settings.sh index 8e5f407..a7f8a0f 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -116,6 +116,7 @@ install_policies() { setsebool -P os_neutron_use_execmem on setsebool -P os_swift_use_execmem on setsebool -P os_keystone_use_execmem on + setsebool -P os_glance_use_sudo on relabel_files fi diff --git a/os-glance.te b/os-glance.te index ae732f3..1db7c70 100644 --- a/os-glance.te +++ b/os-glance.te @@ -5,6 +5,9 @@ gen_require(` type glance_registry_t; type glance_var_lib_t; type glance_tmp_t; + type fixed_disk_device_t; + type init_t; + type sysfs_t; type var_lib_t; type nfs_t; class dir { write getattr remove_name create add_name }; 
@@ -53,3 +56,24 @@ optional_policy(` optional_policy(` mysql_read_config(glance_api_t) ') + +# +# Bug 1475378 +# Bug 1447779 +# XXX +# Stolen from the Nova base policy. Broken sudo support for glance. +# +gen_tunable(os_glance_use_sudo, false) +tunable_policy(`os_glance_use_sudo',` + sudo_exec(glance_api_t) + logging_send_audit_msgs(glance_api_t) + iscsid_domtrans(glance_api_t) + fstools_domtrans(glance_api_t) + allow glance_api_t fixed_disk_device_t:blk_file { getattr ioctl open read setattr write }; + allow glance_api_t init_t:file { getattr open read }; + allow glance_api_t self:capability { setuid setgid }; + allow glance_api_t self:capability { audit_write setuid setgid chown dac_override sys_rawio sys_resource }; + allow glance_api_t self:netlink_audit_socket { create nlmsg_relay }; + allow glance_api_t self:process { setcap setrlimit setsched }; + allow glance_api_t sysfs_t:file append; +') From 6ed38dcd9fb345a4b1d5d0482ac1b5aed4752348 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 3 Aug 2017 16:51:07 -0400 Subject: [PATCH 032/192] tunable: Allow apache to read logs when hosting WSGI services This patch allows Apache to log to service directories which are typically owned per-service (or, if no specific label is defined, var_log_t) Signed-off-by: Lon Hohberger --- Makefile | 2 +- local_settings.sh | 1 + os-httpd.te | 38 ++++++++++++++++++++++++++++++++++++++ tests/bz1437684 | 1 + 4 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 os-httpd.te create mode 100644 tests/bz1437684 diff --git a/Makefile b/Makefile index 8dec6d1..bf2d31a 100644 --- a/Makefile +++ b/Makefile 
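Review bot: The os_glance_use_sudo block grants glance_api_t write on `fixed_disk_device_t:blk_file`, `sys_rawio`, `dac_override`, `setuid`/`setgid`, plus `fstools_domtrans` and `iscsid_domtrans`, which amounts to raw-disk and root-equivalent access for the network-facing API daemon, and the companion local_settings.sh change turns the boolean on unconditionally, so the `false` default in `gen_tunable` never applies in practice. Consider leaving it off by default and documenting in the block comment which store backends need it (presumably iSCSI-backed ones, given `iscsid_domtrans`), so deployments on the file or swift stores keep confinement. The two `self:capability` rules overlap (`setuid setgid` appear in both) and can be merged into one line. The `# XXX` comment should say what "broken sudo support" means and which bug tracks a proper glance sudo domain, so this is not carried indefinitely.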
@@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share #INSTALL=?=install diff --git a/local_settings.sh b/local_settings.sh index a7f8a0f..c887b4d 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -117,6 +117,7 @@ install_policies() { setsebool -P os_swift_use_execmem on setsebool -P os_keystone_use_execmem on setsebool -P os_glance_use_sudo on + setsebool -P os_httpd_wsgi on relabel_files fi diff --git a/os-httpd.te b/os-httpd.te new file mode 100644 index 0000000..80f9a5e --- /dev/null +++ b/os-httpd.te 
@@ -0,0 +1,38 @@ +policy_module(os-httpd,0.1) + +gen_require(` + type httpd_t; + type var_log_t; + type nova_log_t; + type cinder_log_t; + type glance_log_t; + type neutron_log_t; + type keystone_log_t; + type nova_api_t; + type keystone_var_lib_t; +') + +# +# XXX +# RH OpenStack Platform services are not all WSGI; some are +# still using eventlet or another WSGI server. Furthermore, +# not all daemons have log files which are covered in base +# SELinux policy. For now, with this boolean, allow access +# for httpd to use all known OpenStack log types and +# var_log_t until these are all more correctly covered. +# +# Bugzilla #1437684 +# (... and many others ...) +# +gen_tunable(os_httpd_wsgi, false) +tunable_policy(`os_httpd_wsgi',` + # OpenStack services which have not gotten their own log type yet + manage_files_pattern(httpd_t, var_log_t, var_log_t) + + # OpenStack services which have an assigned log type + manage_files_pattern(httpd_t, nova_log_t, nova_log_t) + manage_files_pattern(httpd_t, cinder_log_t, cinder_log_t) + manage_files_pattern(httpd_t, glance_log_t, glance_log_t) + manage_files_pattern(httpd_t, neutron_log_t, neutron_log_t) + manage_files_pattern(httpd_t, keystone_log_t, keystone_log_t) +') diff --git a/tests/bz1437684 b/tests/bz1437684 new file mode 100644 index 0000000..8aced84 --- /dev/null +++ b/tests/bz1437684 @@ -0,0 +1 @@ +type=AVC msg=audit(1490770503.768:2446): avc: denied { open } for pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file From ad96ed3d459797cc417cdbfaf1a869d4d285f50e Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 4 Aug 2017 10:31:53 -0400 Subject: [PATCH 033/192] Allow reading keystone key when using Apache for WSGI Resolves: rhbz#1478176 #1478177 Signed-off-by: Lon Hohberger --- os-httpd.te | 5 +++++ tests/bz1478176 | 2 ++ 2 files changed, 7 insertions(+) create mode 100644 tests/bz1478176 
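Review bot: `manage_files_pattern(httpd_t, var_log_t, var_log_t)` grants httpd_t create, write, unlink and rename on every generic var_log_t file, not just the OpenStack WSGI logs, so a compromised httpd worker could truncate or remove other services' logs that lack a dedicated type; the recorded denial in tests/bz1437684 is only an `open` on /var/log/barbican/api.log. A narrower first step is `rw_files_pattern` or `append_files_pattern` for var_log_t (log writers rarely need unlink/rename), keeping the full manage set for the per-service log types listed below it. `nova_api_t` is required in `gen_require` but unused in this hunk. The block comment should also name the bug that tracks giving the remaining services (barbican among them) their own log types, since that is the stated exit condition for this workaround.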
diff --git a/os-httpd.te b/os-httpd.te index 80f9a5e..3885cad 100644 --- a/os-httpd.te +++ b/os-httpd.te @@ -35,4 +35,9 @@ tunable_policy(`os_httpd_wsgi',` manage_files_pattern(httpd_t, glance_log_t, glance_log_t) manage_files_pattern(httpd_t, neutron_log_t, neutron_log_t) manage_files_pattern(httpd_t, keystone_log_t, keystone_log_t) + + # RHEL 7.4 keystone change + # Bugzilla #1478176 + # Bugzilla #1478177 + allow httpd_t keystone_var_lib_t:file { open read }; ') diff --git a/tests/bz1478176 b/tests/bz1478176 new file mode 100644 index 0000000..4a7be36 --- /dev/null +++ b/tests/bz1478176 @@ -0,0 +1,2 @@ +type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file +type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file From 709939bbed6a16bf29133398db139df1cd5a012a Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 21 Aug 2017 10:54:53 -0400 Subject: [PATCH 034/192] Allow read_perms on keystone key when using Apache for WSGI Adds getattr/ioctl/lock. Resolves: rhbz#1478176 #1478177 Signed-off-by: Lon Hohberger --- os-httpd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os-httpd.te b/os-httpd.te index 3885cad..d3cb9ea 100644 --- a/os-httpd.te +++ b/os-httpd.te @@ -39,5 +39,5 @@ tunable_policy(`os_httpd_wsgi',` # RHEL 7.4 keystone change # Bugzilla #1478176 # Bugzilla #1478177 - allow httpd_t keystone_var_lib_t:file { open read }; + allow httpd_t keystone_var_lib_t:file read_file_perms; ') From e16a8f8ef52cc5147b73dda508f7da41368b7ea8 Mon Sep 17 00:00:00 2001 
From: Lon Hohberger Date: Thu, 14 Sep 2017 15:02:26 -0400 Subject: [PATCH 035/192] Drop nis_enabled boolean httpd (wsgi mode): Allow binding to any port openvswitch: Allow connecting to any port Resolves: rhbz#1489863 Signed-off-by: Lon Hohberger --- local_settings.sh | 1 - os-httpd.te | 5 +++++ os-nova.te | 1 - os-ovs.te | 7 +++++++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/local_settings.sh b/local_settings.sh index c887b4d..6695f58 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -61,7 +61,6 @@ install_policies() { boolean -N -m --on neutron_can_network boolean -N -m --on glance_use_fusefs boolean -N -m --on haproxy_connect_any - boolean -N -m --on nis_enabled boolean -N -m --on rsync_full_access boolean -N -m --on rsync_client boolean -N -m --on virt_use_execmem diff --git a/os-httpd.te b/os-httpd.te index d3cb9ea..4456ff0 100644 --- a/os-httpd.te +++ b/os-httpd.te @@ -40,4 +40,9 @@ tunable_policy(`os_httpd_wsgi',` # Bugzilla #1478176 # Bugzilla #1478177 allow httpd_t keystone_var_lib_t:file read_file_perms; + + # Strange issue where nis_enabled disappears + # Bugzilla #1315457 + # Bugzilla #1489863 + corenet_tcp_bind_all_ports(httpd_t) ') diff --git a/os-nova.te b/os-nova.te index 3ecbd73..5b522c2 100644 --- a/os-nova.te +++ b/os-nova.te @@ -56,7 +56,6 @@ allow svirt_tcg_t nova_var_lib_t:file write; # Bugzilla 1315457 allow httpd_t nova_log_t:dir { add_name write }; allow httpd_t nova_log_t:file { open create }; -corenet_tcp_bind_osapi_compute_port(httpd_t) # Bugzilla 1375766 nova_manage_lib_files(virtlogd_t) diff --git a/os-ovs.te b/os-ovs.te index 2f82f17..c0c759e 100644 --- a/os-ovs.te +++ b/os-ovs.te 
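Review bot: `corenet_tcp_bind_all_ports(httpd_t)` lets Apache bind any TCP port, reserved or not, which is much wider than the `corenet_tcp_bind_osapi_compute_port(httpd_t)` rule this commit removes from os-nova.te, and the comment explains it only as a workaround for `nis_enabled` being reset. Since local_settings.sh already assigns port labels via `semanage port`, binding the specific OpenStack API port types (osapi_compute and the http_port_t range) keeps the boolean's scope to what WSGI hosting actually needs. The comment should record what resets nis_enabled (Bugzilla #1489863) and the condition under which this line can be dropped again.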
@@ -97,3 +97,10 @@ optional_policy(` # printed is not worth this information at this time # dontaudit openvswitch_t neutron_t:file { read open getattr }; + +# bugzilla #1489863 +# +# Something unsets nis_enabled; this works around that by +# enabling binding to reserved and unreserved ports (bugzillas +# #1259419, #1310383) +corenet_tcp_connect_all_ports(openvswitch_t) From 52b3fe8e139e068d638a3c11dc1f4cb45d49cb1d Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 22 Sep 2017 11:59:52 -0400 Subject: [PATCH 036/192] local_settings: Set all booleans in on-disk policy In chroots (for example, when building images using diskimage-builder or other utilities), access to the selinux policy in-kernel policy is not allowed. So, setsebool/getsebool do not work. Instead, use semanage to modify the on-disk policy in two passes: Pass (1): install our modules, change file contexts, and set booleans that already exist on the systems. Pass(2): set booleans that were added in our newly-installed modules from step 1. Related: rhbz#1489863 Signed-off-by: Lon Hohberger --- local_settings.sh | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/local_settings.sh b/local_settings.sh index 6695f58..52b0dee 100755 --- a/local_settings.sh +++ b/local_settings.sh 
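Review bot: The comment above `corenet_tcp_connect_all_ports(openvswitch_t)` says it enables "binding to reserved and unreserved ports", but the interface grants outbound connect, not bind, and the mismatch will mislead whoever later tries to narrow it. Suggested wording: `# enabling connecting to reserved and unreserved ports (bugzillas`. The rule itself lets openvswitch_t connect anywhere; if the real need is the OpenFlow/OVSDB ports (6653 is already labelled openvswitch_port_t in local_settings.sh), the connect interface for that port type would be the narrower fix.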
@@ -99,25 +99,28 @@ install_policies() { do_echo "Installing OpenStack extra policies and setting booleans..." echo "$INPUT" | $SBINDIR/semanage import -N + # Unfortunately, we can't load modules and set + # booleans in those modules in a single transaction, so + # do a second one to set our new booleans. + INPUT="boolean -N -m --on os_nova_use_execmem + boolean -N -m --on os_neutron_use_execmem + boolean -N -m --on os_swift_use_execmem + boolean -N -m --on os_keystone_use_execmem + boolean -N -m --on os_glance_use_sudo + boolean -N -m --on os_httpd_wsgi" + + do_echo "Setting OpenStack booleans..." + echo "$INPUT" | $SBINDIR/semanage import -N + if $SBINDIR/selinuxenabled ; then do_echo "Reloading SELinux policies..." # # Chroot environments (e.g. when building images) - # won't get here, but the image will apply all of - # the policy on a reboot. + # won't get here, which is why we do everything else + # above. # $SBINDIR/load_policy - do_echo "Setting OpenStack booleans..." - # Unfortunately, we can't load modules and set - # booleans in those modules in a single transaction - setsebool -P os_nova_use_execmem on - setsebool -P os_neutron_use_execmem on - setsebool -P os_swift_use_execmem on - setsebool -P os_keystone_use_execmem on - setsebool -P os_glance_use_sudo on - setsebool -P os_httpd_wsgi on - relabel_files fi } From b8ca1dad841b498d1fd41269edafbd29ed983db3 Mon Sep 17 00:00:00 2001 
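Review bot: Neither `semanage import -N` call in this hunk checks its exit status, so if the second pass fails (for instance because a module from the first pass did not load and its boolean is unknown) the script still reports success while the booleans stay off in the on-disk policy; `echo "$INPUT" | $SBINDIR/semanage import -N || { echo "semanage import failed" >&2; exit 1; }` (or `set -o pipefail` at the top of the script) would surface it. relabel_files is also still called only inside the `selinuxenabled` branch, so a chroot image build gets the new file contexts written but not applied, which the updated comment does not mention; if that relies on a relabel at first boot, say so in the comment. install_policies() starts before the hunk.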
From: Lon Hohberger Date: Wed, 27 Sep 2017 08:59:52 -0400 Subject: [PATCH 037/192] os-nova: Work around container-selinux issues 1) Include these two in openstack-selinux for now: https://github.com/projectatomic/container-selinux/commit/947f3a996bd154b524d69e0ea094f09e098b6fad https://github.com/projectatomic/container-selinux/commit/efaffbd8fa3f304c2b90d36c32d35fd9b03860bf 2) Work around the rest using macros provided by container-selinux, where applicable. Most of them should be resolved by: https://github.com/projectatomic/container-selinux/commit/23b2e0b1670a87105301a1ff720e9f937a5ccbd1 Resolves: rhbz#1494907 Signed-off-by: Lon Hohberger --- os-nova.te | 32 ++++++++++++++++++++++++++++++++ tests/bz1494907 | 25 +++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 tests/bz1494907 diff --git a/os-nova.te b/os-nova.te index 5b522c2..1ce8982 100644 --- a/os-nova.te +++ b/os-nova.te @@ -16,6 +16,8 @@ gen_require(` type svirt_t; type svirt_tcg_t; type virtlogd_t; + type iptables_t; + type modules_conf_t; attribute nova_domain; class key write; class packet_socket { bind create getattr }; 
@@ -92,3 +94,33 @@ optional_policy(` optional_policy(` mysql_read_config(nova_t) ') + +# Bug 1494907 and related +allow iptables_t modules_conf_t:file read_file_perms; +optional_policy(` + gen_require(` + type systemd_machined_t; + type container_runtime_t; + type container_share_t; + type container_unit_file_t; + type svirt_sandbox_file_t; + type spc_t; + ') + + # presumably this is "init_start|stop|status" + allow systemd_machined_t container_unit_file_t:service { start stop status }; + + # Already present in 2.26 + virt_transition_svirt(spc_t, system_r) + virt_sandbox_entrypoint(svirt_sandbox_file_t) + + # Needs fixed in >2.26 + allow svirt_t container_runtime_t:process sigchld; + + container_read_share_files(svirt_t) + allow svirt_t container_share_t:file { entrypoint execute }; + + allow svirt_t spc_t:dir search; + allow svirt_t spc_t:fifo_file write_file_perms; + allow svirt_t spc_t:file read_file_perms; +') diff --git a/tests/bz1494907 b/tests/bz1494907 new file mode 100644 index 0000000..e8f800f --- /dev/null +++ b/tests/bz1494907 
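Review bot: `allow iptables_t modules_conf_t:file read_file_perms;` sits outside the `optional_policy` block and has nothing to do with nova (the matching AVC in tests/bz1494907 is `grep` reading kvm.conf under iptables_t), so it becomes an unconditional global grant carried by this module; a short comment naming the caller that triggers it, or moving it to the module it belongs with, keeps it from being orphaned. The `svirt_t` to `spc_t` rules (`dir search`, `file read_file_perms`, `fifo_file write_file_perms`) let any guest domain read the privileged container's /proc entries and write to its pipes, and deserve a comment saying what the guest needs them for. `# presumably this is "init_start|stop|status"` ships a guess into policy; if an init interface provides these service permissions, use it, otherwise replace "presumably" with the actual reason. "Needs fixed in >2.26" should cite the container-selinux issue or commit so the rule can be retired.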
@@ -0,0 +1,25 @@ +type=AVC msg=audit(1506381584.797:150): avc: denied { read } for pid=20335 comm="grep" name="kvm.conf" dev="sda2" ino=12583138 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file +type=AVC msg=audit(1506522147.108:6883): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file +type=AVC msg=audit(1506522177.143:6891): avc: denied { read } for pid=225281 comm="qemu-kvm" name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c391,c860 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process +type=AVC msg=audit(1506522064.398:6871): avc: denied { entrypoint } for pid=224688 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522177.143:6892): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522389.519:6958): avc: denied { entrypoint } for pid=226377 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c549,c593 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522064.400:6875): avc: denied { execute } for pid=224688 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC 
msg=audit(1506522177.141:6890): avc: denied { write } for pid=225281 comm="qemu-kvm" path="pipe:[2814876]" dev="pipefs" ino=2814876 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file +type=AVC msg=audit(1506522064.400:6872): avc: denied { read } for pid=224688 comm="qemu-kvm" name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process +type=AVC msg=audit(1506522064.398:6871): avc: denied { write } for pid=224688 comm="qemu-kvm" path="pipe:[2816199]" dev="pipefs" ino=2816199 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file +type=AVC msg=audit(1506522147.107:6882): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file +type=AVC msg=audit(1506522147.107:6882): avc: denied { read } for pid=224688 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file +type=AVC msg=audit(1506522224.531:6901): avc: denied { read } for pid=225281 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file +type=AVC msg=audit(1506522147.107:6882): avc: denied { search } for pid=224688 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=dir +type=AVC msg=audit(1506522224.558:6904): avc: denied { sigchld } for pid=34139 comm="docker-containe" 
scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process +type=AVC msg=audit(1506522177.143:6891): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522224.531:6901): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file +type=AVC msg=audit(1506522064.400:6873): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522224.531:6901): avc: denied { search } for pid=225281 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=dir +type=AVC msg=audit(1506522177.141:6890): avc: denied { entrypoint } for pid=225281 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522064.400:6872): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522177.143:6894): avc: denied { execute } for pid=225281 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file +type=AVC msg=audit(1506522224.533:6902): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 
scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file From 2cd97afab26feaf48ed2050b98648f6359c77cfb Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 5 Oct 2017 14:34:58 -0400 Subject: [PATCH 038/192] local_settings: set port 6639 to ovsdb_port_t Resolves: rhbz#1498921 Signed-off-by: Lon Hohberger --- local_settings.sh | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/local_settings.sh b/local_settings.sh index 52b0dee..184cbf3 100755 --- a/local_settings.sh +++ b/local_settings.sh @@ -34,6 +34,18 @@ relabel_files() } +# usage: set_port tcp|udp port# context +set_port() +{ + $SBINDIR/semanage port -N -m -t $3 -p $1 $2 2>&1 | grep -qE 'ValueError: Port.*is not defined' + # Grep succeeded - meaning this was not defined + if [ $? -eq 0 ]; then + # So, we need to add it. + $SBINDIR/semanage port -N -a -t $3 -p $1 $2 &> /dev/null + fi +} + + install_policies() { do_echo "Setting up ports..." # @@ -41,16 +53,19 @@ install_policies() { # # bz#1118859 - $SBINDIR/semanage port -N -m -t mysqld_port_t -p tcp 4444 &> /dev/null + set_port tcp 4444 mysqld_port_t # bz#1260202 - $SBINDIR/semanage port -N -m -t openvswitch_port_t -p tcp 6653 &> /dev/null + set_port tcp 6653 openvswitch_port_t # bz#1360434 - $SBINDIR/semanage port -N -m -t http_port_t -p tcp 8088 &> /dev/null + set_port tcp 8088 http_port_t # bz#1396553 - $SBINDIR/semanage port -N -m -t http_port_t -p tcp 8000 &> /dev/null + set_port tcp 8000 http_port_t + + # bz#1498921 + set_port tcp 6639 ovsdb_port_t # # Booleans & file contexts From 64d475aaf93ad3ee1b412bc9a8ce3ba5b30bec94 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 6 Oct 2017 11:31:35 -0400 Subject: [PATCH 039/192] Generate local_settings.sh from Makefile 
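Review bot: set_port discards every semanage error except the one it greps for: the `-m` attempt's output goes only to grep and the `-a` fallback goes to `/dev/null` with no status check, so a port that ends up unlabelled (policy conflict, bad argument, semanage failure) is never reported and shows up later as an unexplained AVC. Capture the output once, retry with `-a` only on the "is not defined" case, and otherwise print the message to stderr and return non-zero so install_policies can decide whether to abort. Quoting `$1`/`$2`/`$3` also keeps an accidentally empty argument from shifting the positions.
```shell
set_port()
{
    local out
    if out=$($SBINDIR/semanage port -N -m -t "$3" -p "$1" "$2" 2>&1); then
        return 0
    fi
    # Not defined yet - so we need to add it instead of modifying
    if echo "$out" | grep -qE 'ValueError: Port.*is not defined'; then
        out=$($SBINDIR/semanage port -N -a -t "$3" -p "$1" "$2" 2>&1) && return 0
    fi
    echo "set_port: $1/$2 -> $3 failed: $out" >&2
    return 1
}
```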
Signed-off-by: Lon Hohberger --- Makefile | 8 ++++++-- local_settings.sh => local_settings.sh.in | 3 +-- 2 files changed, 7 insertions(+), 4 deletions(-) rename local_settings.sh => local_settings.sh.in (99%) mode change 100755 => 100644 diff --git a/Makefile b/Makefile index bf2d31a..e6745a0 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share #INSTALL=?=install -all: ${TARGETS:=.pp.bz2} +all: ${TARGETS:=.pp.bz2} local_settings.sh %.pp.bz2: %.pp @echo Compressing $^ -\> $@ @@ -12,8 +12,12 @@ all: ${TARGETS:=.pp.bz2} %.pp: %.te make -f ${DATADIR}/selinux/devel/Makefile $@ +local_settings.sh: local_settings.sh.in + sed -e 's/@MODULES@/${TARGETS}/' $^ > $@ + chmod 0755 $@ + clean: - rm -f *~ *.if *.tc *.pp *.pp.bz2 + rm -f *~ *.if *.tc *.pp *.pp.bz2 local_settings.sh rm -rf tmp *.tar.gz tarball: .git/config diff --git a/local_settings.sh b/local_settings.sh.in old mode 100755 new mode 100644 similarity index 99% rename from local_settings.sh rename to local_settings.sh.in index 184cbf3..50d5a93 --- a/local_settings.sh +++ b/local_settings.sh.in @@ -7,8 +7,7 @@ SBINDIR=${SBINDIR:-/sbin} LOCALSTATEDIR=${LOCALSTATEDIR:-/var} DATADIR=${DATADIR:-/usr/share} SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} -MODULES="" - +MODULES=${MODULES:-@MODULES@} do_echo() { if [ $QUIET -eq 0 ]; then From c8dead5cdaad0257cb70c110ada508ca6d0a0756 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 6 Oct 2017 11:49:02 -0400 Subject: [PATCH 040/192] Makefile: Add 'install' target Signed-off-by: Lon Hohberger --- Makefile | 20 +++++++++++++++++++- local_settings.sh.in | 1 + 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e6745a0..b01ca24 100644 --- a/Makefile +++ b/Makefile 
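Review bot: The `local_settings.sh` rule writes the target with `sed ... > $@` and then `chmod 0755 $@`; if sed fails, make stops but leaves a truncated `local_settings.sh` that is newer than its prerequisite, so the next `make` treats it as up to date. Writing to a temporary and renaming, `sed -e 's/@MODULES@/${TARGETS}/' $^ > $@.tmp && mv $@.tmp $@`, or declaring `.DELETE_ON_ERROR:` once in the Makefile, avoids that. The substitution also assumes ${TARGETS} contains no `/` or `&`, which holds for the current list but is worth a comment next to the rule.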
@@ -1,7 +1,8 @@ TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share -#INSTALL=?=install +INSTALL?=install +MODULE_TYPE?=services all: ${TARGETS:=.pp.bz2} local_settings.sh @@ -67,3 +68,20 @@ local-tarball: .git/config # ${INSTALL} -m 0644 ${TARGETS} \ # ${DESTDIR}${DATADIR}/targeted/modules +install: + # Install the setup script + ${INSTALL} -d ${LOCALDIR} + ${INSTALL} -m 0755 local_settings.sh ${LOCALDIR} + + # Install tests + ${INSTALL} -d ${LOCALDIR}/tests + ${INSTALL} -m 0644 tests/bz* ${LOCALDIR}/tests + ${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests + + # Install interfaces + ${INSTALL} -d ${DATADIR}/selinux/devel/include/${MODULE_TYPE} + ${INSTALL} -m 0644 ${TARGETS:=.if} ${DATADIR}/selinux/devel/include/${MODULE_TYPE} + + # Install policy modules + ${INSTALL} -d ${DATADIR}/selinux/packages + ${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DATADIR}/selinux/packages diff --git a/local_settings.sh.in b/local_settings.sh.in index 50d5a93..8d54c6c 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -7,6 +7,7 @@ SBINDIR=${SBINDIR:-/sbin} LOCALSTATEDIR=${LOCALSTATEDIR:-/var} DATADIR=${DATADIR:-/usr/share} SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} +LOCALDIR=${LOCALDIR:-$DATADIR/openstack-selinux/master} MODULES=${MODULES:-@MODULES@} do_echo() { From 13b81dfa230bb475fe198b3013ccb5a07b7005d1 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 6 Oct 2017 14:14:09 -0400 Subject: [PATCH 041/192] Delete unnecessary comments Signed-off-by: Lon Hohberger --- Makefile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Makefile b/Makefile index b01ca24..9318351 100644 --- a/Makefile +++ b/Makefile 
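Review bot: The `install` target references `${LOCALDIR}`, which this Makefile does not define (only `local_settings.sh.in` gets a `LOCALDIR` default in this commit), so `${INSTALL} -d ${LOCALDIR}` runs as `install -d` with no operand unless the variable is passed on the command line; add `LOCALDIR?=${DATADIR}/openstack-selinux/master` next to `DATADIR` (a later patch in this series adds a hard-coded value instead). Every destination is written straight into `${DATADIR}`/`${LOCALDIR}` with no `${DESTDIR}` prefix, so the target cannot be used from a package build root; prefix each destination with `${DESTDIR}`. The target also has no dependency on `all`, so `make install` on a clean tree fails on the missing `.pp.bz2` and `.if` files; `install: all` makes the ordering explicit.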
@@ -62,12 +62,6 @@ local-tarball: .git/config fi ;\ fi - - -#install: -# ${INSTALL} -m 0644 ${TARGETS} \ -# ${DESTDIR}${DATADIR}/targeted/modules - install: # Install the setup script ${INSTALL} -d ${LOCALDIR} From 0b27a05e9ea33ffe8a492ec3d4b9071f52830d5f Mon Sep 17 00:00:00 2001 From: Ilya Etingof Date: Mon, 9 Oct 2017 21:59:22 +0200 Subject: [PATCH 042/192] Add proper fcontext to /httpboot & /tftpboot directories Resolves: rhbz#1483748 --- os-ironic-inspector.fc | 2 ++ os-ironic-inspector.te | 6 ++++++ tests/bz1483748 | 1 + 3 files changed, 9 insertions(+) create mode 100644 os-ironic-inspector.fc create mode 100644 os-ironic-inspector.te create mode 100644 tests/bz1483748 diff --git a/os-ironic-inspector.fc b/os-ironic-inspector.fc new file mode 100644 index 0000000..1450dd4 --- /dev/null +++ b/os-ironic-inspector.fc @@ -0,0 +1,2 @@ +/httpboot(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) diff --git a/os-ironic-inspector.te b/os-ironic-inspector.te new file mode 100644 index 0000000..efc2731 --- /dev/null +++ b/os-ironic-inspector.te @@ -0,0 +1,6 @@ +module os-ironic-inspector 0.1; + +require { + type httpd_sys_content_t; + type tftpdir_t; +} diff --git a/tests/bz1483748 b/tests/bz1483748 new file mode 100644 index 0000000..2d03dda --- /dev/null +++ b/tests/bz1483748 @@ -0,0 +1 @@ +type=AVC msg=audit(1507573833.328:965007): avc: denied { getattr } for pid=17948 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=100671928 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file From c677012699d2bad1846ab2a927b2af89ed976dcf Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 10 Oct 2017 11:07:27 -0400 Subject: [PATCH 043/192] Allow openvswitch netlink_audit_socket permissions Resolves: rhbz#1498797 Signed-off-by: Lon Hohberger --- os-ovs.te | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
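Review bot: The new `os-ironic-inspector` module is not added to `TARGETS` in the Makefile, so it is neither built nor installed, and its `.te` holds only a `require` block with no rules — all the labeling comes from the `.fc` file, which is exactly what patch 044 in this series replaces with `semanage fcontext` entries. If the module is kept, write it in the `policy_module(os-ironic-inspector,0.1)` / `gen_require(\`…')` form used by the sibling modules (`os-gnocchi.te`, `os-haproxy.te`) rather than the raw `module … ;` syntax, so the devel Makefile treats all modules alike. Labeling `/httpboot(/.*)?` as `httpd_sys_content_t` makes the whole tree readable by every httpd-confined service on the host, which is what the test AVC (httpd reading `/httpboot/inspector.ipxe`) asks for, but nothing here covers whichever domain writes those files — presumably ironic-inspector — so a write denial may be the next report.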
diff --git a/os-ovs.te b/os-ovs.te index c0c759e..26d35ed 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -24,8 +24,9 @@ gen_require(` class tun_socket create; class chr_file open; class netlink_generic_socket create_socket_perms; - class packet_socket create_socket_perms; - + class netlink_audit_socket { create nlmsg_relay }; + class capability audit_write; + class packet_socket create_socket_perms; ') # Bugzilla 1108187 @@ -104,3 +105,7 @@ dontaudit openvswitch_t neutron_t:file { read open getattr }; # enabling binding to reserved and unreserved ports (bugzillas # #1259419, #1310383) corenet_tcp_connect_all_ports(openvswitch_t) + +# #1498797 +allow openvswitch_t self:capability audit_write; +allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay }; From 2dea2d58bcd975717b4da1f8bc14bde282b4e090 Mon Sep 17 00:00:00 2001 From: Ilya Etingof Date: Wed, 11 Oct 2017 12:19:09 +0200 Subject: [PATCH 044/192] replaced policy with path labeling --- local_settings.sh.in | 5 ++++- os-ironic-inspector.fc | 2 -- os-ironic-inspector.te | 6 ------ 3 files changed, 4 insertions(+), 9 deletions(-) delete mode 100644 os-ironic-inspector.fc delete mode 100644 os-ironic-inspector.te diff --git a/local_settings.sh.in b/local_settings.sh.in index 8d54c6c..9620c3c 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -2,6 +2,7 @@ QUIET=1 MODE=0 +ROOTDIR=${ROOTDIR:-/} BINDIR=${BINDIR:-/usr/bin} SBINDIR=${SBINDIR:-/sbin} LOCALSTATEDIR=${LOCALSTATEDIR:-/var} @@ -98,7 +99,9 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent" + fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent + fcontext -N -a -t httpd_sys_content_t \"$ROOTDIR/httpboot(/.*)?\" + fcontext -N -a -t tftpdir_t \"$ROOTDIR/tftpboot(/.*)?\"" # # Append modules 
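Review bot: `allow openvswitch_t self:capability audit_write` together with `netlink_audit_socket { create nlmsg_relay }` lets every process in `openvswitch_t` inject user-space records into the audit log, and the AVCs added in patch 049 (tests/bz1498797) show the denied caller is `comm="runuser"`, which looks like PAM inside runuser rather than the switch itself. If the base policy offers a domain transition for runuser from this domain, that would keep audit writing out of `openvswitch_t`; if not, record the reason above the rule, e.g. `# runuser (PAM) emits a login audit record on service start; see tests/bz1498797`, so the grant is not later dropped as unused. Hunk 1 also drops the blank line after `packet_socket` and moves that class below the new ones — harmless, but unrelated to the change.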
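Review bot: With the new default `ROOTDIR=${ROOTDIR:-/}` the fcontext regexes become `//httpboot(/.*)?` and `//tftpboot(/.*)?`, which do not match the normalized `/httpboot` that setfiles/restorecon compare against, and the relabel list in patch 046 uses the same `$ROOTDIR/httpboot` form. Patch 047 changes both to `${ROOTDIR}httpboot`, which works only while `ROOTDIR` keeps its trailing slash; normalizing once at the definition, `ROOTDIR=${ROOTDIR:-/}; ROOTDIR=${ROOTDIR%/}/`, makes either spelling correct. Note also that `semanage fcontext -a` records these paths in the host's policy store, so when `ROOTDIR` points at an image root the entries describe paths that exist only inside the image — worth a comment on what `ROOTDIR` is for.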
diff --git a/os-ironic-inspector.fc b/os-ironic-inspector.fc deleted file mode 100644 index 1450dd4..0000000 --- a/os-ironic-inspector.fc +++ /dev/null @@ -1,2 +0,0 @@ -/httpboot(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) diff --git a/os-ironic-inspector.te b/os-ironic-inspector.te deleted file mode 100644 index efc2731..0000000 --- a/os-ironic-inspector.te +++ /dev/null @@ -1,6 +0,0 @@ -module os-ironic-inspector 0.1; - -require { - type httpd_sys_content_t; - type tftpdir_t; -} From 9ee3b57ade15196a9a6187259f53174b9d3d5ef1 Mon Sep 17 00:00:00 2001 From: Ilya Etingof Date: Wed, 11 Oct 2017 12:23:53 +0200 Subject: [PATCH 045/192] policy test is probably not relevant anymore --- tests/bz1483748 | 1 - 1 file changed, 1 deletion(-) delete mode 100644 tests/bz1483748 diff --git a/tests/bz1483748 b/tests/bz1483748 deleted file mode 100644 index 2d03dda..0000000 --- a/tests/bz1483748 +++ /dev/null @@ -1 +0,0 @@ -type=AVC msg=audit(1507573833.328:965007): avc: denied { getattr } for pid=17948 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=100671928 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file From 811923c0a1454f38151bae8ff1eb5ae2dfbaffca Mon Sep 17 00:00:00 2001 From: Ilya Etingof Date: Wed, 11 Oct 2017 12:47:05 +0200 Subject: [PATCH 046/192] missing relabeling targets added --- local_settings.sh.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 9620c3c..9efb916 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -29,6 +29,8 @@ relabel_files() $SHAREDSTATEDIR/vhost_sockets \ /srv \ $BINDIR/neutron* \ + $ROOTDIR/httpboot \ + $ROOTDIR/tftpboot \ $LOCALSTATEDIR/run/redis \ $LOCALSTATEDIR/log \ &> /dev/null || : From 0e609360731bb1e6554d35020a07e665d58df656 Mon Sep 17 00:00:00 2001 
From: Ilya Etingof Date: Wed, 11 Oct 2017 12:55:34 +0200 Subject: [PATCH 047/192] $ROOT is special - adjust paths --- local_settings.sh.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 9efb916..9db56c8 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -29,8 +29,8 @@ relabel_files() $SHAREDSTATEDIR/vhost_sockets \ /srv \ $BINDIR/neutron* \ - $ROOTDIR/httpboot \ - $ROOTDIR/tftpboot \ + ${ROOTDIR}httpboot \ + ${ROOTDIR}tftpboot \ $LOCALSTATEDIR/run/redis \ $LOCALSTATEDIR/log \ &> /dev/null || : @@ -102,8 +102,8 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent - fcontext -N -a -t httpd_sys_content_t \"$ROOTDIR/httpboot(/.*)?\" - fcontext -N -a -t tftpdir_t \"$ROOTDIR/tftpboot(/.*)?\"" + fcontext -N -a -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" + fcontext -N -a -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" # # Append modules From 1258d6cf607cf64ba521b6b1ecfa35029d458d6c Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 12 Oct 2017 13:02:45 -0400 Subject: [PATCH 048/192] ovs: Set 6641 and 6642 to ovsdb_port_t Resolves: rhbz#1499134 Signed-off-by: Lon Hohberger --- local_settings.sh.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 9db56c8..facd833 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -70,6 +70,10 @@ install_policies() { # bz#1498921 set_port tcp 6639 ovsdb_port_t + # bz#1499134 + set_port tcp 6641 ovsdb_port_t + set_port tcp 6642 ovsdb_port_t + # # Booleans & file contexts # From 2775ec70be1e3d915aa9a06bf8f18c89e054ec5f Mon Sep 17 00:00:00 2001 
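Review bot: `${ROOTDIR}httpboot` now requires `ROOTDIR` to end in `/`, an undocumented contract that `ROOTDIR=/mnt/sysimage` silently turns into `/mnt/sysimagehttpboot`, and that the later `$ROOTDIR/etc/selinux/...` use in patch 059 does not follow. Normalize the value once where it is defaulted, `ROOTDIR=${ROOTDIR%/}/`, and state the rule next to it, `# ROOTDIR always ends with a slash`, so both spellings behave. Both hunks carry the same assumption; the fix belongs at the definition, not in each path.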
From: Lon Hohberger Date: Fri, 13 Oct 2017 11:22:31 -0400 Subject: [PATCH 049/192] ovs: Allow dac_override and more audit socket permissions Add missing unit tests Resolves: rhbz#1498797 Signed-off-by: Lon Hohberger --- os-ovs.te | 4 ++-- tests/bz1498797 | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 tests/bz1498797 diff --git a/os-ovs.te b/os-ovs.te index 26d35ed..a45d0ba 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -24,7 +24,7 @@ gen_require(` class tun_socket create; class chr_file open; class netlink_generic_socket create_socket_perms; - class netlink_audit_socket { create nlmsg_relay }; + class netlink_audit_socket { create nlmsg_relay read write }; class capability audit_write; class packet_socket create_socket_perms; ') @@ -107,5 +107,5 @@ dontaudit openvswitch_t neutron_t:file { read open getattr }; corenet_tcp_connect_all_ports(openvswitch_t) # #1498797 -allow openvswitch_t self:capability audit_write; +allow openvswitch_t self:capability { audit_write dac_override }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay }; diff --git a/tests/bz1498797 b/tests/bz1498797 new file mode 100644 index 0000000..5710207 --- /dev/null +++ b/tests/bz1498797 
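Review bot: Hunk 1 extends the `gen_require` to `netlink_audit_socket { create nlmsg_relay read write }` but hunk 2 leaves the allow rule at `{ create nlmsg_relay }`, so the `read`/`write` denials in the new tests/bz1498797 are still unresolved by this commit (patch 050 corrects the allow). `dac_override` for the whole `openvswitch_t` domain disables DAC permission checks on everything it touches; the AVC names only `comm="ovs-vsctl" capability=1` and not the file involved, so whether the narrower fix — correct ownership or group access on whatever `ovs-vsctl` opens — is available cannot be judged from the test. Record that gap on the rule, e.g. `# dac_override: ovs-vsctl under runuser, object not identified in AVC (tests/bz1498797)`, so it can be revisited.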
@@ -0,0 +1,7 @@ +type=AVC msg=audit(1507882760.767:1386): avc: denied { write } for pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket +type=AVC msg=audit(1507882834.017:1434): avc: denied { read } for pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket +type=AVC msg=audit(1507882927.297:1507): avc: denied { dac_override } for pid=6744 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability +type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 +type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 +type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 +type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 From 9d30e36cea34027f6e4cda7fb190c2c989223f18 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 13 Oct 2017 11:58:39 -0400 Subject: [PATCH 050/192] ovs: Add missing read/write Signed-off-by: Lon Hohberger --- os-ovs.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os-ovs.te b/os-ovs.te index a45d0ba..1417c7e 100644 --- a/os-ovs.te +++ b/os-ovs.te 
@@ -108,4 +108,4 @@ corenet_tcp_connect_all_ports(openvswitch_t) # #1498797 allow openvswitch_t self:capability { audit_write dac_override }; -allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay }; +allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; From 74526732122dfd20bda5545380586029fd201cda Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 13 Oct 2017 11:59:44 -0400 Subject: [PATCH 051/192] Makefile: Add missing LOCALDIR variable Signed-off-by: Lon Hohberger --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 9318351..da5c041 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,7 @@ TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share +LOCALDIR?=/usr/share/openstack-selinux/master INSTALL?=install MODULE_TYPE?=services From b878d1189f91827633f675d8760b46b0912f6091 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 13 Oct 2017 12:30:33 -0400 Subject: [PATCH 052/192] Makefile: Add 'check' for easy local tests Signed-off-by: Lon Hohberger --- Makefile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Makefile b/Makefile index da5c041..2b03488 100644 --- a/Makefile +++ b/Makefile @@ -80,3 +80,10 @@ install: # Install policy modules ${INSTALL} -d ${DATADIR}/selinux/packages ${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DATADIR}/selinux/packages + +# Note: You can't run this in a build system unless the build +# system has access to change the kernel SELinux policies +check: + cd ${LOCALDIR} && ./local_settings.sh + cd ${LOCALDIR}/tests && ./check_all + cd ${LOCALDIR} && ./local_settings.sh -x From ce13ba72c9148791e32d7d54f7ffaf27c88bb76f Mon Sep 17 00:00:00 2001 
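Review bot: `LOCALDIR?=/usr/share/openstack-selinux/master` hard-codes the prefix instead of deriving it from `DATADIR` as `local_settings.sh.in` does (`$DATADIR/openstack-selinux/master`), so `make DATADIR=... install` puts the modules and interfaces under one prefix and the script and tests under another. `LOCALDIR?=${DATADIR}/openstack-selinux/master` keeps the two in step.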
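Review bot: The `check` target runs `${LOCALDIR}/local_settings.sh`, i.e. whatever copy was last installed, with no dependency on `all` or `install`, so `make check` after editing a `.te` file exercises the stale tree; `check: install` (or running `./local_settings.sh` from the build directory) makes the target honest. The recipe installs policy, relabels, and then uninstalls with `-x` on the live host, so the comment should say it needs root and changes the running system's policy and file labels, not only that it "can't run in a build system". Since make stops at the first failing line, a failing `check_all` leaves the test policy installed on the host; that is worth stating in the same comment.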
From: Lon Hohberger Date: Fri, 13 Oct 2017 15:11:21 -0400 Subject: [PATCH 053/192] os-gnocchi: Introduce boolean for NFS usage I don't like how this works, since you shouldn't need to do filesystem:associate in general. However, it does work for the affected parties, so we'll leave it as a boolean for now and hopefully remove it later. Resolves: rhbz#1466444 Signed-off-by: Lon Hohberger --- Makefile | 2 +- local_settings.sh.in | 3 ++- os-gnocchi.te | 16 ++++++++++++++++ tests/bz1466444 | 1 + 4 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 os-gnocchi.te create mode 100644 tests/bz1466444 diff --git a/Makefile b/Makefile index 2b03488..b76c9a4 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/local_settings.sh.in b/local_settings.sh.in index facd833..637593a 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -131,7 +131,8 @@ install_policies() { boolean -N -m --on os_swift_use_execmem boolean -N -m --on os_keystone_use_execmem boolean -N -m --on os_glance_use_sudo - boolean -N -m --on os_httpd_wsgi" + boolean -N -m --on os_httpd_wsgi + boolean -N -m --on os_gnocchi_use_nfs" do_echo "Setting OpenStack booleans..." echo "$INPUT" | $SBINDIR/semanage import -N diff --git a/os-gnocchi.te b/os-gnocchi.te new file mode 100644 index 0000000..a4d2fe8 --- /dev/null +++ b/os-gnocchi.te 
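Review bot: `boolean -N -m --on os_gnocchi_use_nfs` switches the new tunable on for every installation, so the `filesystem associate` rule in os-gnocchi.te (defaulted `false` by `gen_tunable`) is effectively unconditional and the boolean buys nothing over a plain `allow`, while the commit message says the point is to keep it optional and remove it later. Either leave the boolean off here and document for NFS-backed gnocchi deployments that they set `setsebool -P os_gnocchi_use_nfs on`, or drop the tunable and keep the rule with its bug reference.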
@@ -0,0 +1,16 @@ +policy_module(os-gnocchi,0.1) + +require { + type httpd_var_lib_t; + type var_lib_t; + class filesystem associate; +} + + +# If using var_lib_t for NFS (I believe the default), gnocchi +# needs to do a few things that require this. +# bz#1466444 +gen_tunable(os_gnocchi_use_nfs, false) +tunable_policy(`os_gnocchi_use_nfs',` + allow httpd_var_lib_t var_lib_t:filesystem associate; +') diff --git a/tests/bz1466444 b/tests/bz1466444 new file mode 100644 index 0000000..00fda55 --- /dev/null +++ b/tests/bz1466444 @@ -0,0 +1 @@ +type=AVC msg=audit(1498672139.870:5641): avc: denied { associate } for pid=365129 comm="httpd" name="gnocchiUvHVPC" scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=filesystem From ce3cff747f48594b21ebced8e81842db30f87aeb Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 10 Nov 2017 10:07:29 -0500 Subject: [PATCH 054/192] nova: Add filetrans for console.log for instances Resolves: rhbz#1499800 Signed-off-by: Lon Hohberger --- os-nova.te | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/os-nova.te b/os-nova.te index 1ce8982..922b991 100644 --- a/os-nova.te +++ b/os-nova.te @@ -65,6 +65,16 @@ nova_manage_lib_files(virtlogd_t) # Bugzilla 1377272 allow virtlogd_t self:capability dac_override; +# Bugzilla #1499800 (workaround) +create_files_pattern(virtlogd_t, virt_image_t, virt_log_t) +delete_files_pattern(virtlogd_t, virt_image_t, virt_log_t) +rename_files_pattern(virtlogd_t, virt_image_t, virt_log_t) + +delete_files_pattern(virtlogd_t, virt_image_t, svirt_image_t) +rename_files_pattern(virtlogd_t, virt_image_t, svirt_image_t) + +filetrans_pattern(virtlogd_t, virt_image_t, virt_log_t, file, "console.log") + # Bugzilla 1249685 gen_tunable(os_nova_use_execmem, false) tunable_policy(`os_nova_use_execmem',` From 974060c318399a877ba1dc1de309f3964b7c4dc2 Mon Sep 17 00:00:00 2001 
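Review bot: `allow httpd_var_lib_t var_lib_t:filesystem associate` lets files of that type be created on any filesystem whose own label is `var_lib_t`, which the test AVC (`comm="httpd"`, `tclass=filesystem`) shows for the NFS mount behind gnocchi. The usual no-policy alternative is mounting the export with a context option that labels it `httpd_var_lib_t` directly, which would make this module unnecessary; that belongs in the file comment, e.g. `# Alternative: mount the export with context=system_u:object_r:httpd_var_lib_t:s0 instead of enabling this boolean`. The "(I believe the default)" hedge in the comment should be resolved or replaced by a pointer to bz#1466444, since a policy rule should not document a guess.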
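Review bot: The new rules use `virt_image_t`, `svirt_image_t` and `virt_log_t`, none of which are in this module's `gen_require` (patch 056 adds them), so the module as committed does not build. Beyond the `console.log` transition, `delete_files_pattern`/`rename_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)` lets virtlogd delete or rename any `svirt_image_t` file inside an instance directory — that type covers disk images, not only logs — which is broader than the bug title suggests; presumably existing `console.log` files were labelled `svirt_image_t` before this transition existed, and if so the rule should say that, e.g. `# pre-existing console.log files carry svirt_image_t; allow rotation of those only`. The referenced `virtlogd_t` block continues outside the hunk.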
From: Lon Hohberger Date: Fri, 10 Nov 2017 10:09:41 -0500 Subject: [PATCH 055/192] nova: Add comment about source for filetrans entries Signed-off-by: Lon Hohberger --- os-nova.te | 1 + 1 file changed, 1 insertion(+) diff --git a/os-nova.te b/os-nova.te index 922b991..e6d7077 100644 --- a/os-nova.te +++ b/os-nova.te @@ -66,6 +66,7 @@ nova_manage_lib_files(virtlogd_t) allow virtlogd_t self:capability dac_override; # Bugzilla #1499800 (workaround) +# src: https://eucalyptus.atlassian.net/browse/EUCA-13447 create_files_pattern(virtlogd_t, virt_image_t, virt_log_t) delete_files_pattern(virtlogd_t, virt_image_t, virt_log_t) rename_files_pattern(virtlogd_t, virt_image_t, virt_log_t) From 904af4727741e38887d57072f42c60383da16f13 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 10 Nov 2017 10:28:27 -0500 Subject: [PATCH 056/192] nova: Fix missing types Signed-off-by: Lon Hohberger --- os-nova.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/os-nova.te b/os-nova.te index e6d7077..a2adfd3 100644 --- a/os-nova.te +++ b/os-nova.te @@ -13,9 +13,12 @@ gen_require(` type httpd_t; type netutils_exec_t; type virtd_t; + type virt_image_t; type svirt_t; + type svirt_image_t; type svirt_tcg_t; type virtlogd_t; + type virt_log_t; type iptables_t; type modules_conf_t; attribute nova_domain; From 28132e322371bceac95b00cdfdd8affbd22b3eed Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 4 Dec 2017 17:55:47 -0500 Subject: [PATCH 057/192] local_settings: Fix a few swift contexts - swift-object-reconstructor and switf-object-relinker had incorrect file contexts - /var/cache/swift needs to be swift_var_cache_t lp#1736246 Signed-off-by: Lon Hohberger --- local_settings.sh.in | 5 +++++ os-haproxy.te | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 637593a..b9a27d7 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
@@ -24,11 +24,13 @@ relabel_files() do_echo "Relabeling files..." $SBINDIR/restorecon -Rv $BINDIR/swift* \ $LOCALSTATEDIR/run/swift \ + $LOCALSTATEDIR//swift \ $SHAREDSTATEDIR/nova/.ssh \ $SHAREDSTATEDIR/designate/bind9 \ $SHAREDSTATEDIR/vhost_sockets \ /srv \ $BINDIR/neutron* \ + $BINDIR/swift-object-* \ ${ROOTDIR}httpboot \ ${ROOTDIR}tftpboot \ $LOCALSTATEDIR/run/redis \ @@ -106,6 +108,9 @@ install_policies() { fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent + fcontext -N -a -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" + fcontext -N -a -t swift_exec_t $BINDIR/swift-object-reconstructor + fcontext -N -a -t swift_exec_t $BINDIR/swift-object-relinker fcontext -N -a -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" fcontext -N -a -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" diff --git a/os-haproxy.te b/os-haproxy.te index e311833..faa9b98 100644 --- a/os-haproxy.te +++ b/os-haproxy.te @@ -1,10 +1,14 @@ policy_module(os-haproxy,0.1) gen_require(` + type haproxy_exec_t; type haproxy_t; + type ifconfig_t; type sysfs_t; class filesystem getattr; ') # Bugzilla 1195215 allow haproxy_t sysfs_t:filesystem getattr; + +domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t) From 7e9ef4a53b7b377b1e6643574b154cc83a8041f8 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 4 Dec 2017 18:18:56 -0500 Subject: [PATCH 058/192] local_settings: Code cleanups - fix // in swift binary - use uniform indentation Signed-off-by: Lon Hohberger --- local_settings.sh.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index b9a27d7..3a74df3 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
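Review bot: `fcontext -N -a -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\"` lacks the `?` that every other recursive entry in this block uses, so the regex matches only entries below `/var/cache/swift` and the directory itself keeps its old label; it should read `fcontext -N -a -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)?\"`. Hunk 1 adds `$LOCALSTATEDIR//swift` (doubled slash, fixed in patch 058) to the relabel list but not `$LOCALSTATEDIR/cache/swift`, so on an existing installation the new cache context is never applied until something else relabels that tree; add it to the `restorecon` arguments.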
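Review bot: `domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t)` is added without the `# Bugzilla …` reference every other rule in this file and series carries, and the commit message (swift contexts, lp#1736246) does not mention haproxy at all, so nobody can later tell which `ifconfig_t` caller ends up executing haproxy or whether the transition is still needed. Keepalived notify scripts are one plausible path but that is a guess; record the real one, e.g. `# <bug ref>: <caller> runs haproxy from ifconfig_t; transition so it is not confined as ifconfig_t`. A matching `tests/` AVC entry, as the other rules have, would make the rule verifiable with `check_all`.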
@@ -24,15 +24,15 @@ relabel_files() do_echo "Relabeling files..." $SBINDIR/restorecon -Rv $BINDIR/swift* \ $LOCALSTATEDIR/run/swift \ - $LOCALSTATEDIR//swift \ + $LOCALSTATEDIR/swift \ $SHAREDSTATEDIR/nova/.ssh \ $SHAREDSTATEDIR/designate/bind9 \ - $SHAREDSTATEDIR/vhost_sockets \ + $SHAREDSTATEDIR/vhost_sockets \ /srv \ $BINDIR/neutron* \ $BINDIR/swift-object-* \ - ${ROOTDIR}httpboot \ - ${ROOTDIR}tftpboot \ + ${ROOTDIR}httpboot \ + ${ROOTDIR}tftpboot \ $LOCALSTATEDIR/run/redis \ $LOCALSTATEDIR/log \ &> /dev/null || : From c6158ceb8ff4175e346db8d7efa78148e57aab42 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 8 Jan 2018 10:23:14 -0500 Subject: [PATCH 059/192] local_settings: Use setfiles When building images, restorecon is not run since it requires access to the SELinux policy store in the host kernel and we do not reload the policy when building images (since RPM installation is done in a chroot environment). Using setfiles works without the need for the policy to be loaded. Thanks to Petr Lautrbach for the pointer. Signed-off-by: Lon Hohberger --- local_settings.sh.in | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 3a74df3..87376fb 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
@@ -21,21 +21,27 @@ do_echo() { relabel_files() { + local opts="" + do_echo "Relabeling files..." - $SBINDIR/restorecon -Rv $BINDIR/swift* \ - $LOCALSTATEDIR/run/swift \ - $LOCALSTATEDIR/swift \ - $SHAREDSTATEDIR/nova/.ssh \ - $SHAREDSTATEDIR/designate/bind9 \ - $SHAREDSTATEDIR/vhost_sockets \ - /srv \ - $BINDIR/neutron* \ - $BINDIR/swift-object-* \ - ${ROOTDIR}httpboot \ - ${ROOTDIR}tftpboot \ - $LOCALSTATEDIR/run/redis \ - $LOCALSTATEDIR/log \ - &> /dev/null || : + if [ $QUIET -ne 0 ]; then + opts="-v" + fi + $SBINDIR/setfiles $opts -F $ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts \ + $BINDIR/swift* \ + $LOCALSTATEDIR/run/swift \ + $LOCALSTATEDIR/swift \ + $SHAREDSTATEDIR/nova/.ssh \ + $SHAREDSTATEDIR/designate/bind9 \ + $SHAREDSTATEDIR/vhost_sockets \ + /srv \ + $BINDIR/neutron* \ + $BINDIR/swift-object-* \ + ${ROOTDIR}httpboot \ + ${ROOTDIR}tftpboot \ + $LOCALSTATEDIR/run/redis \ + $LOCALSTATEDIR/log \ + 2> /dev/null || : } @@ -100,7 +106,7 @@ install_policies() { fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard - fcontext -N -a -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\" + fcontext -N -a -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\" fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log @@ -142,6 +148,7 @@ install_policies() { do_echo "Setting OpenStack booleans..." echo "$INPUT" | $SBINDIR/semanage import -N + relabel_files if $SBINDIR/selinuxenabled ; then do_echo "Reloading SELinux policies..." # @@ -151,7 +158,6 @@ install_policies() { # $SBINDIR/load_policy - relabel_files fi } 
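Review bot: `if [ $QUIET -ne 0 ]; then opts="-v"` is inverted relative to `do_echo`, which prints only when `$QUIET -eq 0`, so setfiles becomes verbose exactly when the caller asked for quiet; it should be `if [ $QUIET -eq 0 ]; then`. The spec file is taken from `$ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts` (prefixed with `ROOTDIR`, in the `ROOTDIR/` spelling that patch 047 moved away from), while none of the relabeled paths is prefixed at all, so an image-root run reads the image's file_contexts but relabels the host's `/srv`, `$LOCALSTATEDIR/log` and the rest; the list and the spec file should agree on what `ROOTDIR` means. `-F` also resets customizable types and the user/role portion of the context, and `2> /dev/null || :` hides a missing file_contexts entirely (e.g. no selinux-policy-targeted on the image), so relabel failures are invisible — at least test that the spec file exists and `do_echo` a warning when it does not.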
@@ -159,9 +165,9 @@ install_policies() { uninstall_policies() { do_echo "Removing OpenStack modules..." $SBINDIR/semodule -n -r $MODULES &> /dev/null || : + relabel_files if $SBINDIR/selinuxenabled ; then $SBINDIR/load_policy - relabel_files fi } From 4e6703eb4f9e872a802a21c80dd703923e88def7 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 7 Feb 2018 16:07:48 -0500 Subject: [PATCH 060/192] ovs: allow reading svirt_tmp_t Required by live migration Resolves: rhbz#1542107 Signed-off-by: Lon Hohberger --- os-ovs.te | 4 ++++ tests/bz1542107 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1542107 diff --git a/os-ovs.te b/os-ovs.te index 1417c7e..0d6e40e 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -17,6 +17,7 @@ gen_require(` type init_tmp_t; type tun_tap_device_t; type svirt_t; + type svirt_tmpfs_t; type virt_cache_t; class dir search; class file { write read getattr open }; @@ -109,3 +110,6 @@ corenet_tcp_connect_all_ports(openvswitch_t) # #1498797 allow openvswitch_t self:capability { audit_write dac_override }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; + +# #1542107 +allow openvswitch_t svirt_tmpfs_t:file { read write }; diff --git a/tests/bz1542107 b/tests/bz1542107 new file mode 100644 index 0000000..35f97bb --- /dev/null +++ b/tests/bz1542107 @@ -0,0 +1 @@ +type=AVC msg=audit(1517841541.153:650): avc: denied { read write } for pid=7168 comm="vhost_thread2" path=2F6D656D66643A76686F73742D6C6F67202864656C6574656429 dev="tmpfs" ino=324410 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file From 026efd7e5f98da6b631e524763095111b6cdbee5 Mon Sep 17 00:00:00 2001 
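Review bot: The subject says "allow reading svirt_tmp_t" but the rule grants `{ read write }` on `svirt_tmpfs_t`, and neither the `# #1542107` comment nor the commit message names the object; the test AVC shows `comm="vhost_thread2"`, `dev="tmpfs"` and a hex path that appears to decode to `/memfd:vhost-log (deleted)`, i.e. a vhost-user log shared with QEMU during live migration. Say so on the rule, e.g. `# #1542107: vhost-user log memfd (svirt_tmpfs_t) shared with QEMU during live migration`, so a reader understands why a switch daemon writes to guest tmpfs files. As written the rule covers every `svirt_tmpfs_t` file, not only that memfd; the AVC shows the object at plain `s0`, and if the usual MCS constraints apply, per-instance categorized files would still be out of reach for `openvswitch_t` at `s0` — worth confirming rather than assuming.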
From: Peter Lemenkov Date: Mon, 12 Mar 2018 15:01:21 +0100 Subject: [PATCH 061/192] RabbitMQ: remove currently unused definitions These definitions were used by the rules commented out in commit 4e52ae2bda5949e445ec098ff061db53caf7124a and later removed entirely in commit c2d92fe9ae0670f4d6b7371cd6d34fcb7bf5c50b. Signed-off-by: Peter Lemenkov --- os-rabbitmq.te | 5 ----- 1 file changed, 5 deletions(-) diff --git a/os-rabbitmq.te b/os-rabbitmq.te index 6818f87..73ed355 100644 --- a/os-rabbitmq.te +++ b/os-rabbitmq.te @@ -3,11 +3,6 @@ policy_module(os-rabbitmq,0.1) gen_require(` type init_tmp_t; type rabbitmq_epmd_t; - type rabbitmq_beam_t; - type rabbitmq_var_lib_t; - type systemd_logind_t; - type cluster_t; - class dbus send_msg; class file write; ') From ff35b4188563600bc1e9cdf97b71745e60cb8e0e Mon Sep 17 00:00:00 2001 From: Peter Lemenkov Date: Mon, 12 Mar 2018 15:29:23 +0100 Subject: [PATCH 062/192] RabbitMQ: allow proper log rotation See this rhbz for further details: * https://bugzilla.redhat.com/1413775 Signed-off-by: Peter Lemenkov --- os-rabbitmq.te | 19 ++++++++++++++++++- tests/bz1413775 | 10 ++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 tests/bz1413775 diff --git a/os-rabbitmq.te b/os-rabbitmq.te index 73ed355..e2de7b9 100644 --- a/os-rabbitmq.te +++ b/os-rabbitmq.te 
@@ -1,10 +1,27 @@ policy_module(os-rabbitmq,0.1) gen_require(` + type epmd_port_t; type init_tmp_t; + type logrotate_t; type rabbitmq_epmd_t; - class file write; + type rabbitmq_port_t; + type rabbitmq_var_lib_t; + type security_t; + class dir { read write }; + class file { getattr open read write }; + class passwd passwd; + class security compute_av; + class tcp_socket { name_bind name_connect }; ') # Bugzilla 1135637 allow rabbitmq_epmd_t init_tmp_t:file write; + +# Bugzilla 1413775 +allow logrotate_t epmd_port_t:tcp_socket {name_connect name_bind}; +allow logrotate_t rabbitmq_port_t:tcp_socket name_connect; +allow logrotate_t rabbitmq_var_lib_t:dir { read write }; +allow logrotate_t rabbitmq_var_lib_t:file { getattr open read }; +allow logrotate_t security_t:security compute_av; +allow logrotate_t self:passwd passwd; diff --git a/tests/bz1413775 b/tests/bz1413775 new file mode 100644 index 0000000..6499919 --- /dev/null +++ b/tests/bz1413775 
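Review bot: These rules widen `logrotate_t` — a domain cron runs against the whole host — to connect to the rabbitmq and epmd ports, `name_bind` the epmd port, and read `rabbitmq_var_lib_t` files including, per the AVCs in tests/bz1413775, `.erlang.cookie`, the cluster's shared authentication secret; the `comm="epmd"` bind denial also means logrotate can end up starting a long-lived `epmd` that stays in `logrotate_t`. The visible cause is the postrotate hook running `rabbitmqctl` through `su` (hence the `passwd` and `compute_av` grants), so a domain transition into the rabbitmq domain when logrotate executes that helper would keep the cookie and ports out of `logrotate_t` — whether the base policy provides one needs checking. If the widening stays, record it as a workaround on the rules, e.g. `# Bugzilla 1413775: rabbitmq's logrotate postrotate runs rabbitmqctl (su) in logrotate_t`, and match the `{ read write }` brace style in `{name_connect name_bind}`.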
@@ -0,0 +1,10 @@ +type=AVC msg=audit(1520795762.042:230): avc: denied { name_connect } for pid=3149 comm="2_scheduler" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket +type=AVC msg=audit(1520795761.442:226): avc: denied { name_bind } for pid=3161 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket +type=AVC msg=audit(1520795942.068:312): avc: denied { name_connect } for pid=4264 comm="2_scheduler" dest=25672 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_port_t:s0 tclass=tcp_socket +type=AVC msg=audit(1520795761.195:224): avc: denied { read } for pid=3137 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir +type=AVC msg=audit(1520795821.201:252): avc: denied { write } for pid=3650 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir +type=AVC msg=audit(1520795761.142:223): avc: denied { getattr } for pid=3111 comm="rabbitmqctl" path="/var/lib/rabbitmq/mnesia/rabbit@openstack.pid" dev="vda1" ino=33616151 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file +type=AVC msg=audit(1520795761.514:227): avc: denied { read } for pid=3171 comm="async_8" name=".erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file +type=AVC msg=audit(1520795761.514:228): avc: denied { open } for pid=3172 comm="async_9" path="/var/lib/rabbitmq/.erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file +type=AVC 
msg=audit(1520795941.140:300): avc: denied { compute_av } for pid=4172 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security +type=USER_AVC msg=audit(1520795941.141:301): pid=4172 uid=0 auid=0 ses=19 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?' From 1786824c92e8a57cbfede5d32c327f270d35b792 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 15 Mar 2018 16:01:05 -0400 Subject: [PATCH 063/192] neutron: Allow setpgid Signed-off-by: Lon Hohberger --- os-neutron.te | 4 ++++ tests/bz1547197 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1547197 diff --git a/os-neutron.te b/os-neutron.te index 5d9951b..e643575 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -18,6 +18,7 @@ gen_require(` type logrotate_t; type nsfs_t; class capability setpcap; + class capability setpgid; class key_socket { write read create }; class netlink_xfrm_socket { bind create nlmsg_write }; class process signal; @@ -107,3 +108,6 @@ tunable_policy(`os_neutron_use_execmem',` # Bugzilla 1419418 allow neutron_t nsfs_t:file { open read }; + +# Bugzilla 1547197 +allow neutron_t self:process setpgid; diff --git a/tests/bz1547197 b/tests/bz1547197 new file mode 100644 index 0000000..bb4f0fa --- /dev/null +++ b/tests/bz1547197 @@ -0,0 +1 @@ +type=AVC msg=audit(1519144859.347:11041): avc: denied { setpgid } for pid=844370 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process From 38398f5215ab207403a81a784c2404c1af03f2ab Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 16 Mar 2018 08:41:01 -0400 Subject: [PATCH 064/192] os-ovs: Allow openvswitch to bind to all ports Resolves: rhbz#1554964 
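Review bot: `class capability setpgid;` in the gen_require puts setpgid under the wrong class: setpgid is a `process` permission, and both the new rule (`allow neutron_t self:process setpgid;`) and the recorded denial (tclass=process) use it that way. The require should instead extend the existing `class process signal;` line to `class process { signal setpgid };` and the capability line should go; if checkmodule accepts a require for a permission the class does not define at all, the rule only works because `process` happens to be required already for `signal`. The gen_require block is only partially visible in this hunk.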
Signed-off-by: Lon Hohberger --- os-ovs.te | 3 +++ tests/bz1554964 | 1 + 2 files changed, 4 insertions(+) create mode 100644 tests/bz1554964 diff --git a/os-ovs.te b/os-ovs.te index 0d6e40e..93dc5d7 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -113,3 +113,6 @@ allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; # #1542107 allow openvswitch_t svirt_tmpfs_t:file { read write }; + +# #1554964 +corenet_tcp_bind_all_ports(openvswitch_t) diff --git a/tests/bz1554964 b/tests/bz1554964 new file mode 100644 index 0000000..d1fff53 --- /dev/null +++ b/tests/bz1554964 @@ -0,0 +1 @@ +type=AVC msg=audit(1520957807.128:122131): avc: denied { name_bind } for pid=2715 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket From 3253131d38c6916f56ea7eb7e9961ab0f7dbd0a5 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 16 Mar 2018 12:40:28 -0400 Subject: [PATCH 065/192] local_settings: Fix nova's .ssh label According to commit 1d8c3bb274fd1d4dba46f64e77743701bf03cc38, /var/lib/nova/.ssh should be ssh_home_t. However, for some reason, it no longer is. Add an explicit label for it here. Signed-off-by: Lon Hohberger --- local_settings.sh.in | 1 + 1 file changed, 1 insertion(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 87376fb..234bebe 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -118,6 +118,7 @@ install_policies() { fcontext -N -a -t swift_exec_t $BINDIR/swift-object-reconstructor fcontext -N -a -t swift_exec_t $BINDIR/swift-object-relinker fcontext -N -a -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" + fcontext -N -a -t ssh_home_t \"$SHAREDSTATEDIR/nova/.ssh(/.*)?\" fcontext -N -a -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" # From f1e1448f18e8d76d6b765027f798284d5c474391 Mon Sep 17 00:00:00 2001 
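Review bot: `corenet_tcp_bind_all_ports(openvswitch_t)` is far broader than the denial it fixes: the recorded AVC is a name_bind on `ovsdb_port_t` (6640), which already has its own port type, so all_ports lets a compromised ovs-vswitchd or ovsdb-server squat on any TCP port, including ones belonging to other confined services. The fix should be scoped to that type, i.e. add `type ovsdb_port_t;` to the gen_require and `allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;` (or the generated `corenet_tcp_bind_ovsdb_port(openvswitch_t)` interface if the base policy provides it). If ovsdb really binds to other, unlabeled ports in some configurations, `corenet_tcp_bind_generic_port` is still tighter than all_ports. The os-ovs.te gen_require block is outside this hunk.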
From: Lon Hohberger Date: Fri, 23 Mar 2018 09:47:51 -0400 Subject: [PATCH 066/192] collectd: Add policy for collectd 5.8 Some notes: var_lock_t will need a type defined upstream in the future. Signed-off-by: Lon Hohberger --- Makefile | 2 +- os-collectd.te | 18 ++++++++++++++++++ tests/bz1558465 | 9 +++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 os-collectd.te create mode 100644 tests/bz1558465 diff --git a/Makefile b/Makefile index b76c9a4..5100591 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-collectd.te b/os-collectd.te new file mode 100644 index 0000000..2a4015c --- /dev/null +++ b/os-collectd.te @@ -0,0 +1,18 @@ +policy_module(os-collectd,0.1) + +gen_require(` + type collectd_t; + type var_lock_t; + type cpu_device_t; + class capability sys_rawio; +') + +# Bugzilla #1558465 +allow collectd_t cpu_device_t:chr_file rw_file_perms; + +# FIXME: Upstream policy probably needs collectd_var_lock_t +# and a file transition rule in collectd.te. +allow collectd_t var_lock_t:dir add_entry_dir_perms; +allow collectd_t var_lock_t:file manage_file_perms; +allow collectd_t var_lock_t:lnk_file read_lnk_file_perms; +allow collectd_t self:capability sys_rawio; diff --git a/tests/bz1558465 b/tests/bz1558465 new file mode 100644 index 0000000..a5854f0 --- /dev/null +++ b/tests/bz1558465 
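Review bot: `allow collectd_t cpu_device_t:chr_file rw_file_perms;` plus `sys_rawio` gives collectd read/write access to /dev/cpu/*/msr, which is effectively kernel-level control of the CPU (the recorded denials come from the libpqos path), and it is granted to every collectd install whether or not that plugin is configured. Since this series already uses `gen_tunable`/`tunable_policy` for optional access, I would gate the MSR rules behind an off-by-default boolean and enable it from local_settings.sh.in only where the RDT plugin is deployed. The var_lock_t rules are a separate concern the FIXME already flags; note that `manage_file_perms` on generic var_lock_t also lets collectd unlink or rename other services' lock files, while the recorded denials only need create, open, lock and read/write on /run/lock/libpqos.
```selinux
# Bugzilla #1558465
# /dev/cpu/*/msr access (libpqos / intel_rdt plugin) is kernel-level; keep it opt-in.
gen_tunable(os_collectd_use_msr, false)
tunable_policy(`os_collectd_use_msr',`
	allow collectd_t cpu_device_t:chr_file rw_file_perms;
	allow collectd_t self:capability sys_rawio;
')

# … unchanged: var_lock_t rules and FIXME …
```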
@@ -0,0 +1,9 @@ +type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file +type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir +type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir +type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file +type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file +type=AVC msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file +type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file +type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file +type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 
tclass=capability From 43e6f586ca41c18f176a825b41aca2f4e72710a9 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 23 Mar 2018 10:45:50 -0400 Subject: [PATCH 067/192] check_all: Also test for USER_AVCs we've recorded Signed-off-by: Lon Hohberger --- tests/check_all | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check_all b/tests/check_all index 74c2bd8..fc1ce16 100755 --- a/tests/check_all +++ b/tests/check_all @@ -29,7 +29,7 @@ failed=0 rm -f $TEST_INPUT touch $TEST_INPUT for f in $TEST_FILES; do - grep '^type=AVC' $f >> $TEST_INPUT + grep '^type=\(USER_\)\?AVC' $f >> $TEST_INPUT done totalAVC=$(wc -l $TEST_INPUT) From 5afbeac1cc251a823aa0517fc5256a4f8697151e Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 26 Mar 2018 15:20:56 -0400 Subject: [PATCH 068/192] local_settings: Work around permissions issue semanage alters various files in /etc/selinux/policy/targeted/active, which is expected. However, what is not expected is changing the access modes of those files from 0600 to 0644. This breaks RPM verification. As a workaround, cache the modes of all files in /etc/selinux/policy/targeted/active, and explicitly restore them when our operations are complete. (Note: Merely setting umask prior to calling semanage did not work.) Resolves: rhbz#1560019 Signed-off-by: Lon Hohberger --- local_settings.sh.in | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 234bebe..6fcb298 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -11,6 +11,8 @@ SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} LOCALDIR=${LOCALDIR:-$DATADIR/openstack-selinux/master} MODULES=${MODULES:-@MODULES@} +declare -A file_modes + do_echo() { if [ $QUIET -eq 0 ]; then return 
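Review bot: `\?` in `'^type=\(USER_\)\?AVC'` is a GNU extension to POSIX BRE, so the pattern is not portable; the rest of check_all is bash-specific, so this is only a style point, but `grep -E '^type=(USER_)?AVC' "$f" >> "$TEST_INPUT"` is the conventional spelling and also quotes the file names. The loop is otherwise unchanged and the surrounding script continues beyond this hunk.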
@@ -57,7 +59,35 @@ set_port() } +_cache_file_modes() { + if ! [ -d '/etc/selinux/targeted/active' ]; then + return + fi + for f in $(find /etc/selinux/targeted/active -maxdepth 1 -type f); do + file_modes[$f]=$(stat -c %a $f) + done +} + + +_restore_file_modes() { + for k in "${!file_modes[@]}"; do + chmod ${file_modes[$k]} $k + done +} + + install_policies() { + # Bug #1560019 + # + # 'semanage' seems to recreate + # /etc/selinux/targeted/active/seusers + # /etc/selinux/targeted/active/user_extra + # with the wrong mode, breaking 'rpm -Va' + # + # Store file modes and explicitly chmod + # them back when we're done with our setup. + _cache_file_modes + do_echo "Setting up ports..." # # Port rules @@ -160,16 +190,20 @@ install_policies() { $SBINDIR/load_policy fi + + _restore_file_modes } uninstall_policies() { + _cache_file_modes do_echo "Removing OpenStack modules..." $SBINDIR/semodule -n -r $MODULES &> /dev/null || : relabel_files if $SBINDIR/selinuxenabled ; then $SBINDIR/load_policy fi + _restore_file_modes } From bc744f2300da53e3f3b39b2b233a15a7e6197adf Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 28 Mar 2018 14:25:15 -0400 Subject: [PATCH 069/192] os-virt: Allow virtlogd_t to send over dbus Resolves: rhbz#1561711 Related: rhbz#1547250 Signed-off-by: Lon Hohberger --- Makefile | 2 +- os-virt.te | 12 ++++++++++++ tests/bz1561711 | 1 + 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 os-virt.te create mode 100644 tests/bz1561711 diff --git a/Makefile b/Makefile index 5100591..860e112 100644 --- a/Makefile +++ b/Makefile 
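Review bot: `_restore_file_modes` only restores modes for files that existed when `_cache_file_modes` ran, so a file semanage creates during the run (seusers or user_extra on a first install where they do not yet exist) is never captured and keeps whatever mode semanage gave it, leaving the `rpm -Va` problem for that case. The restore loop also runs `chmod` unquoted on each cached path and will emit an error for any file semanage removed or whose `stat` failed (empty cached mode); `[ -e "$k" ] && [ -n "${file_modes[$k]}" ] && chmod "${file_modes[$k]}" "$k"` handles both. A comment stating that the cache covers only pre-existing files would make the limitation explicit. install_policies and uninstall_policies both extend beyond this hunk.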
@@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-virt.te b/os-virt.te new file mode 100644 index 0000000..2729064 --- /dev/null +++ b/os-virt.te @@ -0,0 +1,12 @@ +policy_module(os-virt,0.1) + +gen_require(` + type systemd_logind_t; + type virtlogd_t; + class dbus send_msg; +') + +# #1561711 - work around inability to send message +# over dbus. Will be superseded once #1547250 is +# fixed. +allow virtlogd_t systemd_logind_t:dbus send_msg; diff --git a/tests/bz1561711 b/tests/bz1561711 new file mode 100644 index 0000000..b18999a --- /dev/null +++ b/tests/bz1561711 @@ -0,0 +1 @@ +type=USER_AVC msg=audit(1520195408.164:1668): pid=1393 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=3123 tpid=1390 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' From 5f38941ee53431b59172a16a43972019cc5d068b Mon Sep 17 00:00:00 2001 
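Review bot: `allow virtlogd_t systemd_logind_t:dbus send_msg;` covers only the request direction; the recorded denial is a method_call to `org.freedesktop.login1.Manager.Inhibit`, and logind's reply is a separate send_msg from systemd_logind_t to virtlogd_t that this rule does not permit, so the call may still fail or hang with a second USER_AVC once this one is gone. The base policy normally exposes this as a bidirectional interface (`systemd_dbus_chat_logind(virtlogd_t)` in Fedora/RHEL policy, if the targeted version has it), which would be the cleaner form; otherwise add the reverse rule `allow systemd_logind_t virtlogd_t:dbus send_msg;`. The comment already marks this as a stopgap for #1547250, which is good.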
From: Lon Hohberger Date: Wed, 18 Apr 2018 12:22:35 -0400 Subject: [PATCH 070/192] os-dnsmasq: Allow managing var_lib_t files This isn't ideal; the goal would be to have a proper label for the undercloud when using /var/lib/ironic-inspector/dhcp-hostsdir as the dhcp-hostsdir when running dnsmasq. manage_file_perms is needed since dnsmasq launched by ironic inspector tries to create/unlink these files, too. Signed-off-by: Lon Hohberger --- Makefile | 2 +- os-dnsmasq.te | 12 ++++++++++++ tests/bz1568993 | 5 +++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 os-dnsmasq.te create mode 100644 tests/bz1568993 diff --git a/Makefile b/Makefile index 860e112..7e8b45a 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-dnsmasq.te b/os-dnsmasq.te new file mode 100644 index 0000000..abdfb3b --- /dev/null +++ b/os-dnsmasq.te @@ -0,0 +1,12 @@ +policy_module(os-dnsmasq,0.1) + +gen_require(` + type var_lib_t; + type dnsmasq_t; + class file manage_file_perms; +') + +# bug 1568993 +# dnsmasq_t can already create/delete var_lib_t directories +allow dnsmasq_t var_lib_t:file manage_file_perms; + diff --git a/tests/bz1568993 b/tests/bz1568993 new file mode 100644 index 0000000..8bc64fc --- /dev/null +++ b/tests/bz1568993 
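Review bot: `allow dnsmasq_t var_lib_t:file manage_file_perms;` grants create/write/unlink/rename on every generic var_lib_t file on the system, yet the recorded denials (tests/bz1568993) are only read/getattr/open on files under /var/lib/ironic-inspector/dhcp-hostsdir; the create/unlink need asserted in the commit message is not evidenced by any denial. Combined with the directory-level var_lib_t access the comment says dnsmasq_t already has, this lets the DHCP server rewrite any unlabeled state under /var/lib. I would either cap it at `read_file_perms` until a write or create denial is actually captured, or label the directory from local_settings.sh.in (`fcontext -N -a -t dnsmasq_lease_t \"$SHAREDSTATEDIR/ironic-inspector/dhcp-hostsdir(/.*)?\"`, assuming the base policy's dnsmasq lease type is the right fit) so the blanket rule is not needed at all.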
@@ -0,0 +1,5 @@ +type=AVC msg=audit(1523966763.994:1875): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1523990351.136:7706): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1523990351.136:7707): avc: denied { getattr } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1523990351.136:7708): avc: denied { open } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1523990351.136:7709): avc: denied { read } for pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file From 2b17806f12a07bc90a8d99d5520ea2a5ca7042a0 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 24 Apr 2018 14:23:24 -0400 Subject: [PATCH 071/192] os-haproxy: Transition to ifconfig_exec_t Part one for bug 1434826 Signed-off-by: Lon Hohberger --- os-haproxy.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/os-haproxy.te b/os-haproxy.te index faa9b98..d267c40 100644 --- a/os-haproxy.te +++ b/os-haproxy.te 
@@ -4,11 +4,17 @@ gen_require(` type haproxy_exec_t; type haproxy_t; type ifconfig_t; + type ifconfig_exec_t; type sysfs_t; class filesystem getattr; + class file entrypoint; ') # Bugzilla 1195215 allow haproxy_t sysfs_t:filesystem getattr; domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t) + +# Bugzilla #1434826 +allow haproxy_t ifconfig_exec_t:file entrypoint; +domtrans_pattern(haproxy_t, ifconfig_exec_t, ifconfig_t) From c41fb3ba32a0f0e851cf507119fbaa2a109c27fa Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 24 Apr 2018 14:23:24 -0400 Subject: [PATCH 072/192] os-keepalived: Transition to ifconfig_exec_t Part two for bug 1434826 Signed-off-by: Lon Hohberger --- os-keepalived.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/os-keepalived.te b/os-keepalived.te index 51a05a1..525e45c 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -11,10 +11,12 @@ gen_require(` type sysfs_t; type NetworkManager_t; type systemd_systemctl_exec_t; + type ifconfig_exec_t; + type ifconfig_t; class filesystem getattr; class process { signull sigkill setpgid }; class capability { net_admin net_raw kill dac_override }; - class file { execute read create ioctl unlink execute_no_trans write getattr open }; + class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint }; ') # Bugzilla 1351336 @@ -51,3 +53,6 @@ optional_policy(` # Bugzilla 1469823 allow keepalived_t self:process setpgid; +# Bugzilla #1434826 +allow keepalived_t ifconfig_exec_t:file entrypoint; +domtrans_pattern(keepalived_t, ifconfig_exec_t, ifconfig_t) From 89854d8f70bfaf6954c93b360d6ed645d1ac2892 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 24 Apr 2018 15:18:50 -0400 Subject: [PATCH 073/192] os-octavia: Preliminary Amphora policy Bug 1434826 Part 3: Amphora haproxy/keepalived interactions 
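Review bot: `allow haproxy_t ifconfig_exec_t:file entrypoint;` makes /usr/sbin/ip an entry point into the haproxy domain, which is only needed when something outside the policy (presumably the amphora unit's wrapper, seen as comm="(ip)" in the related denials) already places the process in haproxy_t before exec; a process that is in haproxy_t and runs `ip` will instead follow the new `domtrans_pattern(haproxy_t, ifconfig_exec_t, ifconfig_t)` and land in ifconfig_t. Because the two rules serve different paths and the pre-existing `domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t)` closes the loop, a comment is warranted, e.g. `# entrypoint: unit starts 'ip netns exec ... haproxy' already labeled haproxy_t; domtrans: haproxy_t calling ip moves to ifconfig_t`. Worth keeping in mind that anything `ip` needs in the entrypoint path (namespace setup, sysctls) will then have to be granted to haproxy_t itself rather than to ifconfig_t.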
Signed-off-by: Lon Hohberger --- Makefile | 2 +- os-octavia.te | 55 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/bz1434826 | 31 ++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 os-octavia.te create mode 100644 tests/bz1434826 diff --git a/Makefile b/Makefile index 7e8b45a..f0f7688 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-octavia.te b/os-octavia.te new file mode 100644 index 0000000..e133bd3 --- /dev/null +++ b/os-octavia.te 
@@ -0,0 +1,55 @@ +policy_module(os-octavia,0.1) + +gen_require(` + type keepalived_t; + type haproxy_t; + type ifconfig_t; + type user_tmp_t; + type var_run_t; + type ifconfig_exec_t; + type sysfs_t; + type var_lib_t; + type bin_t; + type sysctl_fs_t; + type proc_security_t; + type sysctl_kernel_t; + type etc_t; + class sock_file { create link rename setattr unlink write }; + class capability sys_ptrace; + class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; + class dir { add_name mounton write }; + class filesystem { mount unmount }; +') + +# bind mount capabilities +allow ifconfig_t etc_t:dir mounton; +allow ifconfig_t user_tmp_t:dir mounton; +allow ifconfig_t var_run_t:dir mounton; +allow ifconfig_t self:capability sys_ptrace; +allow ifconfig_t proc_security_t:file manage_file_perms; +allow ifconfig_t sysctl_fs_t:file manage_file_perms; +allow ifconfig_t sysctl_kernel_t:file manage_file_perms; + +# +# XXX Future work: need to set /var/lib/octavia to something +# haproxy_t / keepalived_t can access, rather than giving +# these two contexts blanket access to var_lib_t. Need to +# work with upstream selinux-policy-contrib developers +# to sort this out. Until then, this set of rules is +# better than using unconfined_domain() +# +# /var/lib/octavia/vrrp (directory) +allow keepalived_t var_lib_t:dir { add_name write }; + +# /var/lib/octavia/vrrp/octavia-keepalived.pid +# /var/lib/octavia/vrrp/check_script.sh +allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; + +# /var/lib/octavia/[uuid].sock +allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write }; + +# Same access for haproxy_t +allow haproxy_t bin_t:file { entrypoint }; +allow haproxy_t var_lib_t:dir { add_name write }; +allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; +allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; 
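Review bot: `allow ifconfig_t sysctl_kernel_t:file manage_file_perms;` and the matching proc_security_t/sysctl_fs_t rules let ifconfig_t, a domain many other domains transition into whenever they run `ip` or `sysctl`, write any file under /proc/sys/kernel and /proc/sys/fs (ptrace_scope and protected_hardlinks per the recorded denials, and presumably kernel/core_pattern under upstream labeling), which weakens host hardening for every caller of ifconfig_t on every node, not just the amphora. The denials are only getattr/open/write, so `rw_file_perms` suffices: `allow ifconfig_t proc_security_t:file rw_file_perms;` / `allow ifconfig_t sysctl_fs_t:file rw_file_perms;` / `allow ifconfig_t sysctl_kernel_t:file rw_file_perms;`, and ideally the ifconfig_t block would sit behind an amphora-only tunable. `allow haproxy_t bin_t:file { entrypoint };` is the other rule I would not leave as is: it makes every bin_t binary a valid entry point into haproxy_t (the denial is for /usr/bin/kill spawned as comm="(kill)", apparently the unit's stop command), a pattern upstream consistently rejects; a dedicated exec type or letting init_t run the kill is the usual answer. The `etc_t`/`var_run_t`/`user_tmp_t` mounton grants and `sys_ptrace` for ifconfig_t are system-wide in the same way and deserve the same caveat in the XXX comment.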
diff --git a/tests/bz1434826 b/tests/bz1434826 new file mode 100644 index 0000000..a6cc065 --- /dev/null +++ b/tests/bz1434826 
@@ -0,0 +1,31 @@ +type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521755700.847:73): 
avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability +type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir +type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" 
dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file From f0f75a164d8b2312e9e354e9a876d044dbcc7edd Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 27 Apr 2018 15:13:37 -0400 Subject: [PATCH 074/192] os-virt: Add tunable for virtlogd on NFS Resolves: rhbz#1566973 Signed-off-by: Lon Hohberger --- local_settings.sh.in | 3 ++- os-virt.te | 9 +++++++++ tests/bz1566973 | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 tests/bz1566973 diff --git a/local_settings.sh.in b/local_settings.sh.in index 6fcb298..46ec5e4 100644 
--- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -174,7 +174,8 @@ install_policies() { boolean -N -m --on os_keystone_use_execmem boolean -N -m --on os_glance_use_sudo boolean -N -m --on os_httpd_wsgi - boolean -N -m --on os_gnocchi_use_nfs" + boolean -N -m --on os_gnocchi_use_nfs + boolean -N -m --on os_virtlogd_use_nfs" do_echo "Setting OpenStack booleans..." echo "$INPUT" | $SBINDIR/semanage import -N diff --git a/os-virt.te b/os-virt.te index 2729064..d25a338 100644 --- a/os-virt.te +++ b/os-virt.te @@ -10,3 +10,12 @@ gen_require(` # over dbus. Will be superseded once #1547250 is # fixed. allow virtlogd_t systemd_logind_t:dbus send_msg; + +# #1566973 +# Tunable to allow virtlogd to write to NFS +gen_tunable(os_virtlogd_use_nfs, false) +tunable_policy(`os_virtlogd_use_nfs',` + fs_manage_nfs_dirs(virtlogd_t) + fs_manage_nfs_files(virtlogd_t) + fs_read_nfs_symlinks(virtlogd_t) +') diff --git a/tests/bz1566973 b/tests/bz1566973 new file mode 100644 index 0000000..1f51bcf --- /dev/null +++ b/tests/bz1566973 @@ -0,0 +1 @@ +type=AVC msg=audit(1524017564.805:204): avc: denied { write } for pid=12021 comm="virtlogd" name="bec321f0-2651-4948-ac85-1845a91271a0" dev="0:39" ino=4197515 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir From 41bf0676ca2cd1624cebb68659257c039603c3e6 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 30 Apr 2018 08:20:25 -0400 Subject: [PATCH 075/192] os-ovs: Allow read/write to svirt unix sockets Resolves: rhbz#1572510 Signed-off-by: Lon Hohberger --- os-ovs.te | 4 ++++ tests/bz1572510 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1572510 diff --git a/os-ovs.te b/os-ovs.te index 93dc5d7..988be6a 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -116,3 +116,7 @@ allow openvswitch_t svirt_tmpfs_t:file { read write }; # #1554964 corenet_tcp_bind_all_ports(openvswitch_t) + +# #1572510 +allow openvswitch_t svirt_t:unix_stream_socket { read write }; + 
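Review bot: `boolean -N -m --on os_virtlogd_use_nfs` switches the new tunable on unconditionally at install time, so the `false` default in os-virt.te never takes effect and every compute node gets virtlogd write access to nfs_t whether or not instance logs live on NFS; the boolean then documents intent without gating anything. This matches how the other os_*_use_nfs booleans are handled in the same list, so it is consistent, but for least privilege the install should leave it off and the NFS case should be documented as `setsebool -P os_virtlogd_use_nfs on`. At minimum a comment in os-virt.te such as `# enabled by default by local_settings.sh.in` would stop readers from relying on the `false`.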
diff --git a/tests/bz1572510 b/tests/bz1572510 new file mode 100644 index 0000000..f3683ea --- /dev/null +++ b/tests/bz1572510 @@ -0,0 +1 @@ +type=AVC msg=audit(1525078074.900:1198999): avc: denied { read write } for pid=11438 comm="ovs-vswitchd" path="socket:[38710370]" dev="sockfs" ino=38710370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket From 776c2b9c3e6dd7d815d1381cdf73d511fe7c9161 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 10 May 2018 16:41:10 -0400 Subject: [PATCH 076/192] octavia: Add sys-admin for haproxy for Amphora Related: rhbz#1434826 Signed-off-by: Lon Hohberger --- os-octavia.te | 3 ++- tests/bz1434826 | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/os-octavia.te b/os-octavia.te index e133bd3..efeb59a 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -15,7 +15,7 @@ gen_require(` type sysctl_kernel_t; type etc_t; class sock_file { create link rename setattr unlink write }; - class capability sys_ptrace; + class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; class dir { add_name mounton write }; class filesystem { mount unmount }; @@ -53,3 +53,4 @@ allow haproxy_t bin_t:file { entrypoint }; allow haproxy_t var_lib_t:dir { add_name write }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; +allow haproxy_t self:capability { sys_admin }; diff --git a/tests/bz1434826 b/tests/bz1434826 index a6cc065..3587c44 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 
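Review bot: `allow haproxy_t self:capability { sys_admin };` gives the domain that terminates untrusted load-balancer traffic the broadest capability Linux has (mounts, setns, many privileged ioctls); the recorded denial comes from comm="ip" running in haproxy_t, i.e. the `ip netns exec` step, not haproxy itself. That is a consequence of entering haproxy_t through /usr/sbin/ip instead of transitioning through ifconfig_t, where namespace-setup privileges belong, so fixing the transition would remove the need for this rule entirely. If it has to stay, a comment such as `# only because 'ip netns exec' runs in haproxy_t; drop once the amphora unit transitions via ifconfig_t` and ideally an amphora-only tunable would limit the blast radius on hosts that never run amphorae.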
@@ -29,3 +29,4 @@ type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm=" type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1525382110.500:85): avc: denied { sys_admin } for pid=1855 comm="ip" capability=21 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability From 8e74a95ae05b9d9fac963de0bbf5fc3d3975c216 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 15 May 2018 11:59:26 -0400 Subject: [PATCH 077/192] octavia: Fix up ip netns bits When spawning keepalived/haproxy in an amphora image, they are run in a created network namespace. a) fixup the domain transition rules, and b) let ifconfig_t do what it needs to during boot Related: rhbz#1434826 Signed-off-by: Lon Hohberger --- bz1434826 | 37 +++++++++++++++++++++++++++++++++++++ os-haproxy.te | 2 +- os-keepalived.te | 2 +- os-octavia.te | 13 +++++++++++++ tests/bz1434826 | 10 ++++++++++ 5 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 bz1434826 diff --git a/bz1434826 b/bz1434826 new file mode 100644 index 0000000..cee0238 --- /dev/null +++ b/bz1434826 
@@ -0,0 +1,37 @@ +type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521755700.847:73): avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir +type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 
scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file +type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability +type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied 
{ open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756002.596:152): avc: denied { mounton } for pid=1860 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir +type=AVC msg=audit(1521756002.596:154): avc: denied { mounton } for pid=1860 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1521756002.597:155): avc: denied { mounton } for pid=1860 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756005.967:160): avc: denied { execute } for pid=1867 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756005.967:160): avc: denied { execute_no_trans } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756005.968:161): avc: denied { ioctl } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" 
name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file +type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file diff --git a/os-haproxy.te b/os-haproxy.te index d267c40..a79745f 100644 --- a/os-haproxy.te +++ b/os-haproxy.te @@ -17,4 +17,4 @@ domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t) # Bugzilla #1434826 allow haproxy_t ifconfig_exec_t:file entrypoint; -domtrans_pattern(haproxy_t, ifconfig_exec_t, ifconfig_t) +sysnet_domtrans_ifconfig(haproxy_t) diff --git a/os-keepalived.te b/os-keepalived.te index 525e45c..2a1de65 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -55,4 +55,4 @@ allow keepalived_t self:process setpgid; # Bugzilla #1434826 allow keepalived_t ifconfig_exec_t:file entrypoint; -domtrans_pattern(keepalived_t, ifconfig_exec_t, ifconfig_t) +sysnet_domtrans_ifconfig(keepalived_t) diff --git a/os-octavia.te b/os-octavia.te index efeb59a..03195eb 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -10,6 +10,7 @@ gen_require(` type sysfs_t; type var_lib_t; type bin_t; + type root_t; type sysctl_fs_t; type proc_security_t; type sysctl_kernel_t; 
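Review bot: The new file `bz1434826` is created at the repository root (diffstat `bz1434826 | 37 +++`) while the same commit also extends `tests/bz1434826`; its content is the same kind of AVC log that lives under tests/, so it looks like an accidentally staged copy and should be dropped or moved before merge. Swapping the raw `domtrans_pattern(..., ifconfig_exec_t, ifconfig_t)` for `sysnet_domtrans_ifconfig(...)` in os-haproxy.te and os-keepalived.te is the right direction, since the interface follows the base policy's own definition of the transition rather than re-stating it here.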
@@ -48,9 +49,21 @@ allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioct # /var/lib/octavia/[uuid].sock allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write }; +# These are needed during boot when setting up the netns +allow keepalived_t etc_t:dir mounton; +allow keepalived_t root_t:dir mounton; +allow keepalived_t sysfs_t:filesystem { mount unmount }; +allow keepalived_t user_tmp_t:dir mounton; + # Same access for haproxy_t allow haproxy_t bin_t:file { entrypoint }; allow haproxy_t var_lib_t:dir { add_name write }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; allow haproxy_t self:capability { sys_admin }; + +# These are needed during boot when setting up the netns +allow haproxy_t etc_t:dir mounton; +allow haproxy_t root_t:dir mounton; +allow haproxy_t sysfs_t:filesystem { mount unmount }; +allow haproxy_t user_tmp_t:dir mounton; diff --git a/tests/bz1434826 b/tests/bz1434826 index 3587c44..7a1a57f 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 
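Review bot: The `mounton` grants on `root_t`, `etc_t` and `user_tmp_t` directories plus `sysfs_t:filesystem { mount unmount }` for keepalived_t and haproxy_t are unconditional allows, so they apply to every host that loads os-octavia, not only amphora images where `ip netns exec` performs these mounts. The `user_tmp_t` rule in particular is derived from a `path="/sys" ... tcontext=unconfined_u:object_r:user_tmp_t:s0` entry in tests/bz1434826, which suggests the /sys mount point in the test image was mislabeled rather than a permission the policy should encode permanently. Consider dropping that rule and fixing the image labeling, and wrapping the remaining mount rules in a tunable as done for `os_virtlogd_use_nfs` in this series; the `# These are needed during boot when setting up the netns` comment should also name the bug, e.g. `# bz1434826 - ip netns exec remounts /sys and bind-mounts /etc/sysconfig`.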
@@ -30,3 +30,13 @@ type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file type=AVC msg=audit(1525382110.500:85): avc: denied { sys_admin } for pid=1855 comm="ip" capability=21 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability +type=AVC msg=audit(1526390359.992:77): avc: denied { mount } for pid=1671 comm="ip" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem +type=AVC msg=audit(1526391382.560:75): avc: denied { mount } for pid=1570 comm="ip" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem +type=AVC msg=audit(1526390359.992:75): avc: denied { mounton } for pid=1671 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir +type=AVC msg=audit(1526391382.555:73): avc: denied { mounton } for pid=1570 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir +type=AVC msg=audit(1526390359.992:77): avc: denied { mounton } for pid=1671 comm="ip" path="/sys" dev="vda1" ino=2899 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1526391382.560:75): avc: denied { mounton } for pid=1570 comm="ip" path="/sys" dev="vda1" ino=2899 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 
tclass=dir +type=AVC msg=audit(1526390359.992:76): avc: denied { unmount } for pid=1671 comm="ip" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem +type=AVC msg=audit(1526391382.558:74): avc: denied { unmount } for pid=1570 comm="ip" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem +type=AVC msg=audit(1526392042.896:85): avc: denied { mounton } for pid=1983 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1526391382.569:76): avc: denied { mounton } for pid=1570 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir From 0328c0e6721c01ea354a83a8e1288d2169aff40b Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 17 May 2018 12:00:27 -0400 Subject: [PATCH 078/192] octavia: Fix remove perms for amphora Signed-off-by: Lon Hohberger --- os-octavia.te | 8 ++++---- tests/bz1434826 | 4 ++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/os-octavia.te b/os-octavia.te index 03195eb..35bc6df 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -40,11 +40,11 @@ allow ifconfig_t sysctl_kernel_t:file manage_file_perms; # better than using unconfined_domain() # # /var/lib/octavia/vrrp (directory) -allow keepalived_t var_lib_t:dir { add_name write }; +allow keepalived_t var_lib_t:dir { add_name write remove_name }; # /var/lib/octavia/vrrp/octavia-keepalived.pid # /var/lib/octavia/vrrp/check_script.sh -allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; +allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; # /var/lib/octavia/[uuid].sock allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write }; 
@@ -57,8 +57,8 @@ allow keepalived_t user_tmp_t:dir mounton; # Same access for haproxy_t allow haproxy_t bin_t:file { entrypoint }; -allow haproxy_t var_lib_t:dir { add_name write }; -allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write }; +allow haproxy_t var_lib_t:dir { add_name write remove_name }; +allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; allow haproxy_t self:capability { sys_admin }; diff --git a/tests/bz1434826 b/tests/bz1434826 index 7a1a57f..899e522 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 
@@ -40,3 +40,7 @@ type=AVC msg=audit(1526390359.992:76): avc: denied { unmount } for pid=1671 c type=AVC msg=audit(1526391382.558:74): avc: denied { unmount } for pid=1570 comm="ip" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem type=AVC msg=audit(1526392042.896:85): avc: denied { mounton } for pid=1983 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=AVC msg=audit(1526391382.569:76): avc: denied { mounton } for pid=1570 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file From ef9c11877a4143082c75fe9176674b6d758db85d Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Mon, 21 May 2018 08:28:39 -0400 Subject: [PATCH 079/192] octavia: Let ifconfig read sysfs Related: rhbz#1434826 Signed-off-by: Lon Hohberger --- os-octavia.te | 2 ++ tests/bz1434826 | 1 + 2 files changed, 3 insertions(+) 
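Review bot: The two new haproxy_t entries in tests/bz1434826 repeat the keepalived_t ones except for `scontext` — same `pid=1570`, `comm="keepalived"`, timestamp `1526572380.517:156` and `ino=41955` — which looks hand-edited rather than captured from audit.log. Since this directory is the evidence trail for each allow rule (tests/ is what the avc_recorded utility added later in this series greps), the `remove_name`/`unlink` grants to haproxy_t in the os-octavia.te hunk are currently justified only by synthesized lines; either capture a real denial from a haproxy_t process or note in the .te that the haproxy_t rule is added by analogy to keepalived_t.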
diff --git a/os-octavia.te b/os-octavia.te index 35bc6df..3d292ee 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -67,3 +67,5 @@ allow haproxy_t etc_t:dir mounton; allow haproxy_t root_t:dir mounton; allow haproxy_t sysfs_t:filesystem { mount unmount }; allow haproxy_t user_tmp_t:dir mounton; + +kernel_read_fs_sysctls(ifconfig_t) diff --git a/tests/bz1434826 b/tests/bz1434826 index 899e522..70fd4b4 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 @@ -44,3 +44,4 @@ type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1 type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1526651537.202:89): avc: denied { search } for pid=1724 comm="sysctl" name="fs" dev="proc" ino=8645 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir From ef2bb7f308546b083458cf4e0dcf61d9bd385186 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 22 May 2018 08:09:51 -0400 Subject: [PATCH 080/192] keepalived: Add cap sys_admin for Octavia Signed-off-by: Lon Hohberger --- os-keepalived.te | 5 +++-- tests/bz1434826 | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/os-keepalived.te b/os-keepalived.te index 2a1de65..3b00519 100644 --- a/os-keepalived.te +++ b/os-keepalived.te 
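Review bot: `kernel_read_fs_sysctls(ifconfig_t)` is appended after the haproxy_t block in os-octavia.te with no comment, and it widens a base-policy domain (ifconfig_t) on every host that loads this module, not only amphora images. The commit subject says "read sysfs", but the interface, matching the AVC (`name="fs" dev="proc"`, `tcontext=...sysctl_fs_t`), covers /proc/sys/fs rather than sysfs; add a line such as `# bz1434826 - sysctl run under 'ip netns exec' reads /proc/sys/fs` above it and keep it next to the existing ifconfig_t rules near `allow ifconfig_t sysctl_kernel_t:file manage_file_perms;` visible in the PATCH 078 hunk, so all ifconfig_t widening is reviewable in one place.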
@@ -15,7 +15,7 @@ gen_require(` type ifconfig_t; class filesystem getattr; class process { signull sigkill setpgid }; - class capability { net_admin net_raw kill dac_override }; + class capability { net_admin net_raw kill dac_override sys_admin }; class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint }; ') @@ -32,7 +32,8 @@ allow keepalived_t cloud_var_lib_t:file { read getattr open }; allow keepalived_t init_var_lib_t:file { read getattr open }; allow keepalived_t var_lib_t:file { read getattr open }; allow keepalived_t var_log_t:file open; -allow keepalived_t self:capability dac_override; +# bz1434826 - sys_admin +allow keepalived_t self:capability { dac_override sys_admin }; allow keepalived_t neutron_t:process sigkill; # Bugzilla 1206148 diff --git a/tests/bz1434826 b/tests/bz1434826 index 70fd4b4..6926904 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 @@ -45,3 +45,4 @@ type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 c type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1526651537.202:89): avc: denied { search } for pid=1724 comm="sysctl" name="fs" dev="proc" ino=8645 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir +type=AVC msg=audit(1526989034.757:148): avc: denied { sys_admin } for pid=1752 comm="ip" capability=21 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability From 12da54d847a53a02eb0129407f46959fa4e854c9 Mon Sep 17 00:00:00 2001 
From: Lon Hohberger Date: Wed, 23 May 2018 09:40:23 -0400 Subject: [PATCH 081/192] os-virt: Ancillary fix for dbus/virtlogd Resolves: rhbz#1561711 Signed-off-by: Lon Hohberger --- os-virt.te | 1 + tests/bz1561711 | 1 + 2 files changed, 2 insertions(+) diff --git a/os-virt.te b/os-virt.te index d25a338..dfb90cd 100644 --- a/os-virt.te +++ b/os-virt.te @@ -10,6 +10,7 @@ gen_require(` # over dbus. Will be superseded once #1547250 is # fixed. allow virtlogd_t systemd_logind_t:dbus send_msg; +allow systemd_logind_t virtlogd_t:dbus send_msg; # #1566973 # Tunable to allow virtlogd to write to NFS diff --git a/tests/bz1561711 b/tests/bz1561711 index b18999a..b91af7f 100644 --- a/tests/bz1561711 +++ b/tests/bz1561711 @@ -1 +1,2 @@ type=USER_AVC msg=audit(1520195408.164:1668): pid=1393 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=3123 tpid=1390 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' +type=USER_AVC msg=audit(1527075220.353:14540): pid=581 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.866 spid=575 tpid=11664 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' From 59fe3b97bb3dd21d0853b8e49edb80c2a47a0a27 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 23 May 2018 09:52:52 -0400 Subject: [PATCH 082/192] os-neutron: Allow dhcpc binding Resolves: rhbz#1581729 Signed-off-by: Lon Hohberger --- os-neutron.te | 3 +++ tests/bz1581729 | 1 + 2 files changed, 4 insertions(+) create mode 100644 tests/bz1581729 
diff --git a/os-neutron.te b/os-neutron.te index e643575..765279b 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -111,3 +111,6 @@ allow neutron_t nsfs_t:file { open read }; # Bugzilla 1547197 allow neutron_t self:process setpgid; + +# Bugzilla 1581729 +corenet_udp_bind_dhcpc_port(neutron_t) diff --git a/tests/bz1581729 b/tests/bz1581729 new file mode 100644 index 0000000..83731b5 --- /dev/null +++ b/tests/bz1581729 @@ -0,0 +1 @@ +type=AVC msg=audit(1527075675.414:18010): avc: denied { name_bind } for pid=4521 comm="dhcp_release6" src=546 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket From f272dc6ac623c737a6ad1bfa97992b84b54223ff Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 23 May 2018 13:37:03 -0400 Subject: [PATCH 083/192] Add avc_recorded utility to check for matching AVCs Signed-off-by: Lon Hohberger --- utils/avc_recorded | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 utils/avc_recorded diff --git a/utils/avc_recorded b/utils/avc_recorded new file mode 100755 index 0000000..cc4dd6b --- /dev/null +++ b/utils/avc_recorded @@ -0,0 +1,25 @@ +#!/bin/bash + +while read; do + if [ "${REPLY/type=AVC/}" == "$REPLY" ] && \ + [ "${REPLY/type=USER_AVC/}" == "$REPLY" ]; then + continue + fi + + operations=${REPLY/*\{ /} + operations=${operations/ \}*/} + src=${REPLY/*scontext=/} + src=${src/ */} + src=${src/:s0*/} + tgt=${REPLY/*tcontext=/} + tgt=${tgt/ */} + tgt=${tgt/:s0*/} + tclass=${REPLY/*tclass=/} + tclass=${tclass/ */} + + for op in $operations; do + s="$op.*scontext=$src.*tcontext=$tgt.*tclass=$tclass" + [ -d tests ] && grep "$s" tests/bz* + [ -d ../tests ] && grep "$s" ../tests/bz* + done +done From b63283a660a259f55358fd2a90c0039236b30a74 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 24 May 2018 09:35:27 -0400 Subject: [PATCH 084/192] Add comments to local_settings.sh.in Clarify, add reasoning, etc. 
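Review bot: `while read; do` should be `while read -r; do`; without `-r`, backslash sequences in audit lines are interpreted by read before the pattern is built. The script also prints only matches and stays silent when an AVC has no recorded counterpart, so a caller using it to "check for matching AVCs" cannot tell a pass from a miss; replace the two guarded grep lines with `grep -q "$s" tests/bz* ../tests/bz* 2>/dev/null || echo "UNRECORDED: $REPLY"` so unmatched denials are reported (the stderr redirect only covers the directory that is absent). `$s` is an unanchored basic regex assembled from the input and `${src/:s0*/}` assumes an s0 sensitivity; both hold for the lines under tests/ but deserve a one-line comment.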
Signed-off-by: Lon Hohberger --- local_settings.sh.in | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 46ec5e4..965ce46 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -11,6 +11,9 @@ SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} LOCALDIR=${LOCALDIR:-$DATADIR/openstack-selinux/master} MODULES=${MODULES:-@MODULES@} +# This is for caching the file modes; -A is a bash associative +# array ("dict" or "map" in other languages) +# See bug for bug #1560019 for more information. declare -A file_modes do_echo() { @@ -29,6 +32,14 @@ relabel_files() if [ $QUIET -ne 0 ]; then opts="-v" fi + + # Setfiles is a lot like restorecon, except it takes a policy + # on-disk instead of looking at the kernel-loaded policy + # So, it works inside of image builds. + # + # At a minimum, we need a line for each entry we have where we are + # custominzing the label using 'semanage' below, but also + # others, when applicable. $SBINDIR/setfiles $opts -F $ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts \ $BINDIR/swift* \ $LOCALSTATEDIR/run/swift \ @@ -50,6 +61,10 @@ relabel_files() # usage: set_port tcp|udp port# context set_port() { + # There's no add-or-modify, so try a modify, and if that fails, + # add the new rule. + # + # -N prevents reloading $SBINDIR/semanage port -N -m -t $3 -p $1 $2 2>&1 | grep -qE 'ValueError: Port.*is not defined' # Grep succeeded - meaning this was not defined if [ $? -eq 0 ]; then @@ -112,8 +127,11 @@ install_policies() { set_port tcp 6641 ovsdb_port_t set_port tcp 6642 ovsdb_port_t + # Build up a script to pass to semanage # # Booleans & file contexts + # -N -> don't reload policy + # -m -> modify # CR=$'\n' INPUT="boolean -N -m --on virt_use_fusefs 
@@ -152,22 +170,23 @@ install_policies() { fcontext -N -a -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" # - # Append modules + # Append modules to our semanage script # for x in $MODULES; do INPUT="${INPUT}${CR}module -N -a $DATADIR/selinux/packages/$x.pp.bz2" done # - # Do everything in one transaction, but don't reload policy + # Execute the semanage script: + # Do most things in one transaction, but don't reload policy # in case we're in a chroot environment. # do_echo "Installing OpenStack extra policies and setting booleans..." echo "$INPUT" | $SBINDIR/semanage import -N - # Unfortunately, we can't load modules and set - # booleans in those modules in a single transaction, so - # do a second one to set our new booleans. + # Unfortunately, we can't load new modules and set + # booleans defined in those modules in a single transaction, + # so do a second one to set our new booleans. INPUT="boolean -N -m --on os_nova_use_execmem boolean -N -m --on os_neutron_use_execmem boolean -N -m --on os_swift_use_execmem @@ -189,21 +208,29 @@ install_policies() { # above. # $SBINDIR/load_policy - fi + # Bug #1560019 _restore_file_modes } uninstall_policies() { + # Bug #1560019 _cache_file_modes + + # Remove our modules and rebuild policy do_echo "Removing OpenStack modules..." $SBINDIR/semodule -n -r $MODULES &> /dev/null || : + relabel_files + if $SBINDIR/selinuxenabled ; then + do_echo "Reloading SELinux policies..." $SBINDIR/load_policy fi + + # Bug #1560019 _restore_file_modes } From 7d1601040eea20609d7dce62587cf49e32a4d4ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 11 Sep 2018 08:14:52 +0200 Subject: [PATCH 085/192] Add podman rules for OpenStack Currently, services with container_t flag cannot access some of the host content, such as the certificates (cert_t) and OpenVSwitch socket (openvswitch_t socket). This patch correct that situation. --- os-podman.te | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 os-podman.te 
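Review bot: The second hunk (`@@ -189,21 +208,29 @@`) changes behavior although the commit is titled as comments-only: uninstall_policies gains a `relabel_files` call and an `if $SBINDIR/selinuxenabled ; then` guard around load_policy, and a `fi` after `$SBINDIR/load_policy` in install_policies is removed. If the collapsed layout here is faithful, that removal leaves install_policies' selinuxenabled block unclosed, so the generated script should be checked with `bash -n` before merge; either way the code changes belong in their own commit or at least in the message. install_policies starts outside the hunk.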
diff --git a/os-podman.te b/os-podman.te new file mode 100644 index 0000000..63ff1b9 --- /dev/null +++ b/os-podman.te @@ -0,0 +1,7 @@ +policy_module(os-podman, 1.0) +gen_require(` + type container_t; +') +#============= container_t ============== +miscfiles_read_generic_certs(container_t) +openvswitch_stream_connect(container_t) From 476faba77f492497666dbf8ea01b3558bb55be69 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 29 May 2018 07:20:18 -0400 Subject: [PATCH 086/192] Allow virtlogd to write to systemd_logind FIFOs Related: rhbz#1561711 Signed-off-by: Lon Hohberger --- os-virt.te | 3 +++ tests/bz1561711 | 1 + 2 files changed, 4 insertions(+) diff --git a/os-virt.te b/os-virt.te index dfb90cd..a8c987c 100644 --- a/os-virt.te +++ b/os-virt.te @@ -2,8 +2,10 @@ policy_module(os-virt,0.1) gen_require(` type systemd_logind_t; + type systemd_logind_inhibit_var_run_t; type virtlogd_t; class dbus send_msg; + class fifo_file write; ') # #1561711 - work around inability to send message @@ -11,6 +13,7 @@ gen_require(` # fixed. allow virtlogd_t systemd_logind_t:dbus send_msg; allow systemd_logind_t virtlogd_t:dbus send_msg; +allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file write; # #1566973 # Tunable to allow virtlogd to write to NFS diff --git a/tests/bz1561711 b/tests/bz1561711 index b91af7f..aefa39e 100644 --- a/tests/bz1561711 +++ b/tests/bz1561711 
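Review bot: `miscfiles_read_generic_certs(container_t)` and `openvswitch_stream_connect(container_t)` grant access to every container running as container_t on the host, not only the OpenStack service containers the message describes; a stream connect to the openvswitch_t socket presumably reaches the vswitchd/ovsdb control interface, and the cert read exposes host cert_t material to all workloads. This is the wrong granularity for an unconditional module: run the OpenStack containers under a dedicated domain, or at least gate both lines behind a `gen_tunable` as done for `os_virtlogd_use_nfs` elsewhere in this series, and add the bugzilla/rationale comment the other os-*.te files carry, since the new file has neither. The `#============= container_t ==============` banner is audit2allow output style; a short comment on why each interface is needed would serve readers better.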
@@ -1,2 +1,3 @@
 type=USER_AVC msg=audit(1520195408.164:1668): pid=1393 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=3123 tpid=1390 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
 type=USER_AVC msg=audit(1527075220.353:14540): pid=581 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.866 spid=575 tpid=11664 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+type=AVC msg=audit(1527492439.572:13842): avc: denied { write } for pid=10949 comm="virtlogd" path="/run/systemd/inhibit/4.ref" dev="tmpfs" ino=251799 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file
From 12297a632960d78440081e92208c1c33de5589f7 Mon Sep 17 00:00:00 2001
From: Lon Hohberger
Date: Tue, 2 Oct 2018 09:04:48 -0400
Subject: [PATCH 087/192] Add os-podman to the install list
Signed-off-by: Lon Hohberger
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f0f7688..c96395f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master From 4a047a052cb174f2ff055b7be4513c95575d40a5 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 3 Oct 2018 08:30:33 -0400 Subject: [PATCH 088/192] os-cinder: Work around USER_AVC on send_msg to dbus Resolves: rhbz#1628679 Related: rhbz#1630318 Signed-off-by: Lon Hohberger --- os-cinder.te | 6 ++++++ tests/bz1628679 | 1 + 2 files changed, 7 insertions(+) create mode 100644 tests/bz1628679 diff --git a/os-cinder.te b/os-cinder.te index 1f661b1..5154d58 100644 --- a/os-cinder.te +++ b/os-cinder.te @@ -3,9 +3,12 @@ policy_module(os-cinder,0.1) gen_require(` type cinder_log_t; type cinder_backup_t; + type systemd_logind_t; + type cinder_volume_t; type httpd_t; class file { open create }; class dir { add_name write }; + class dbus { send_msg }; ') # Bugzilla 1325623 @@ -14,3 +17,6 @@ allow httpd_t cinder_log_t:dir { add_name write }; # Bugzilla 1384472 iscsid_domtrans(cinder_backup_t); + +# Bugzilla #1628679 +allow systemd_logind_t cinder_volume_t:dbus { send_msg }; diff --git a/tests/bz1628679 b/tests/bz1628679 new file mode 100644 index 0000000..4986f9e --- /dev/null +++ b/tests/bz1628679 
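Review bot: `allow systemd_logind_t cinder_volume_t:dbus { send_msg };` in os-cinder.te is a raw rule for a pattern the policy normally expresses through an interface; if the target policy provides `systemd_dbus_chat_logind`, `systemd_dbus_chat_logind(cinder_volume_t)` grants the exchange in both directions and the `type systemd_logind_t;` and `class dbus { send_msg };` additions to gen_require may then be unnecessary. The fixture in tests/bz1628679 only shows the method_return direction, so the request direction is presumably already permitted elsewhere; a comment naming what cinder-volume asks logind for would make the rule reviewable. The neighbouring comments are written `# Bugzilla 1325623` without a `#` before the number, so `# Bugzilla 1628679` keeps the file consistent.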
@@ -0,0 +1 @@
+type=USER_AVC msg=audit(1538043682.101:8006): pid=2252 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.410 spid=2405 tpid=19100 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cinder_volume_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
From 945d5cad7b9cc553787b3ffdb0606f2944dd1d6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 17 Oct 2018 08:37:58 +0200
Subject: [PATCH 089/192] realign content
---
 os-nova.te | 58 +++++++++++++++++++++++++++---------------------------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/os-nova.te b/os-nova.te
index a2adfd3..519fbd6 100644
--- a/os-nova.te
+++ b/os-nova.te
@@ -1,35 +1,35 @@ policy_module(os-nova,0.1) gen_require(` - type nova_t; - type nova_network_t; - type nova_var_lib_t; - type nova_api_t; - type nova_scheduler_t; - type nova_console_t; - type nova_cert_t; - type cert_t; - type nova_log_t; - type httpd_t; - type netutils_exec_t; - type virtd_t; - type virt_image_t; - type svirt_t; - type svirt_image_t; - type svirt_tcg_t; - type virtlogd_t; - type virt_log_t; - type iptables_t; - type modules_conf_t; - attribute nova_domain; - class key write; - class packet_socket { bind create getattr }; - class capability { dac_override net_raw sys_ptrace kill }; - class capability2 block_suspend; - class file { getattr read write open create execute execute_no_trans }; - class sock_file write; - class dir { add_name write search }; - class lnk_file read; + type nova_t; + type nova_network_t; + type nova_var_lib_t; + type nova_api_t; + type nova_scheduler_t; + type nova_console_t; + type nova_cert_t; + type cert_t; + type nova_log_t; + type httpd_t; + type netutils_exec_t; + type virtd_t; + type virt_image_t; + type svirt_t; + type svirt_image_t; + type svirt_tcg_t; + type virtlogd_t; + type virt_log_t; + type iptables_t; + type modules_conf_t; + attribute nova_domain; + class key write; + class packet_socket { bind create getattr }; + class capability { dac_override net_raw sys_ptrace kill }; + class capability2 block_suspend; + class file { getattr read write open create execute execute_no_trans }; + class sock_file write; + class dir { add_name write search }; + class lnk_file read; ') # Bugzilla 1181428 iscsid_domtrans(virtd_t); From c36595e724973f7f6c555571a74bfe9aba8ca553 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 17 Oct 2018 08:43:16 +0200 Subject: [PATCH 090/192] Added new policies for podman container engine In order to be able to use podman instead of docker, we have to allow some new accesses. Those rules have been tested and validated against a "standalone" deploy and a tempest run against it. --- os-nova.te | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/os-nova.te b/os-nova.te index 519fbd6..09b6d9a 100644 --- a/os-nova.te +++ b/os-nova.te @@ -21,15 +21,18 @@ gen_require(` type virt_log_t; type iptables_t; type modules_conf_t; + type container_share_t; + type container_runtime_t; attribute nova_domain; class key write; class packet_socket { bind create getattr }; class capability { dac_override net_raw sys_ptrace kill }; class capability2 block_suspend; - class file { getattr read write open create execute execute_no_trans }; + class file { getattr read write open create execute execute_no_trans entrypoint }; class sock_file write; - class dir { add_name write search }; + class dir { add_name write search read }; class lnk_file read; + class process sigchld; ') # Bugzilla 1181428 iscsid_domtrans(virtd_t); @@ -138,3 +141,9 @@ optional_policy(` allow svirt_t spc_t:fifo_file write_file_perms; allow svirt_t spc_t:file read_file_perms; ') + +# Requested for podman container engine +allow svirt_tcg_t container_runtime_t:process sigchld; +allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open }; +allow svirt_tcg_t container_share_t:lnk_file read; +allow svirt_tcg_t container_share_t:dir read; From 91e66b392ffc44f5c751bf4d6422f4c966f45678 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Fri, 19 Oct 2018 08:47:53 -0400 Subject: [PATCH 091/192] os-nova: Add nova workarounds for sudo Related: rhbz#1640528 Signed-off-by: Lon Hohberger --- os-nova.te | 4 ++++ tests/bz1640528 | 8 ++++++++ 2 files changed, 12 insertions(+) create mode 100644 tests/bz1640528 
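Review bot: The new `entrypoint` permission in `allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open };` lets any `container_share_t` file, i.e. image content on a container's overlay layers, serve as the executable that enters the `svirt_tcg_t` domain, a much broader entry condition than the qemu executable type the domain is normally entered through; if only the containerized qemu binary needs this, labelling that one path specifically, or documenting why a whole-type entrypoint is unavoidable, would keep the domain-entry surface small. The four rules are added for `svirt_tcg_t` only, and the commit message's standalone deployment presumably ran without KVM, so a comment such as `# svirt_t (KVM guests) deliberately not covered; revisit when tested` would record whether the omission is intentional. Unlike the neighbouring commits, no `tests/` fixture with the observed denials accompanies the rules. The gen_require block modified in the first hunk starts outside the hunk.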
diff --git a/os-nova.te b/os-nova.te index 09b6d9a..705b6ab 100644 --- a/os-nova.te +++ b/os-nova.te @@ -147,3 +147,7 @@ allow svirt_tcg_t container_runtime_t:process sigchld; allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open }; allow svirt_tcg_t container_share_t:lnk_file read; allow svirt_tcg_t container_share_t:dir read; + +# Bug 1640528 +auth_use_pam(nova_t) +init_rw_utmp(nova_t) diff --git a/tests/bz1640528 b/tests/bz1640528 new file mode 100644 index 0000000..396f171 --- /dev/null +++ b/tests/bz1640528 
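Review bot: The hunk does not say which of the denials in tests/bz1640528 `auth_use_pam(nova_t)` and `init_rw_utmp(nova_t)` address; the fixture shows three distinct needs — `connectto` on the system bus socket, sudo executing `unix_chkpwd` (and, because no transition to the checker domain happened in permissive mode, nova_t reading `/etc/shadow` directly), and a `send_msg` reply from `systemd_logind_t` — so a comment such as `# auth_use_pam: lets sudo run unix_chkpwd via the chkpwd domain transition instead of nova_t touching shadow_t` would make the workaround reviewable. If the target policy's `auth_use_pam` already pulls in `init_rw_utmp` (refpolicy's does), the second line is redundant. Whether the D-Bus and logind denials are covered depends on the optional blocks inside `auth_use_pam` on the target policy, which is worth verifying before closing the bug.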
@@ -0,0 +1,8 @@
+type=AVC msg=audit(...): avc: denied { connectto } for pid=... comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+type=AVC msg=audit(...): avc: denied { execute } for pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { execute_no_trans } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { getattr } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { open } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { read } for pid=... comm="unix_chkpwd" name="shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+type=AVC msg=audit(...): avc: denied { read open } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
+type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=... spid=... tpid=... scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
From 4c71a37dc03468c41cf122cad1640ff70cd6d407 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 15 Nov 2018 05:42:18 -0500 Subject: [PATCH 092/192] Fix location of bz1434826 Signed-off-by: Lon Hohberger --- bz1434826 | 37 --------------------- tests/bz1434826 | 85 +++++++++++++++++++++---------------------------- 2 files changed, 37 insertions(+), 85 deletions(-) delete mode 100644 bz1434826 diff --git a/bz1434826 b/bz1434826 deleted file mode 100644 index cee0238..0000000 --- a/bz1434826 +++ /dev/null 
@@ -1,37 +0,0 @@ -type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521755700.847:73): avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir -type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir -type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir -type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 
scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir -type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir -type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file -type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability -type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1521756001.800:145): avc: denied 
{ open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521756002.596:152): avc: denied { mounton } for pid=1860 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir -type=AVC msg=audit(1521756002.596:154): avc: denied { mounton } for pid=1860 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir -type=AVC msg=audit(1521756002.597:155): avc: denied { mounton } for pid=1860 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir -type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756005.967:160): avc: denied { execute } for pid=1867 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756005.967:160): avc: denied { execute_no_trans } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756005.968:161): avc: denied { ioctl } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" 
name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file -type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file diff --git a/tests/bz1434826 b/tests/bz1434826 index 6926904..cee0238 100644 --- a/tests/bz1434826 +++ b/tests/bz1434826 
@@ -1,48 +1,37 @@ -type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file -type=AVC msg=audit(1521756001.800:145): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir -type=AVC msg=audit(1521755700.847:73): 
avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir -type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file -type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability -type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir -type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" 
dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir -type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir -type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file -type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file -type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file -type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file -type=AVC msg=audit(1525382110.500:85): avc: denied { sys_admin } for pid=1855 comm="ip" capability=21 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability -type=AVC msg=audit(1526390359.992:77): avc: denied { mount } for pid=1671 comm="ip" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem -type=AVC msg=audit(1526391382.560:75): avc: denied { mount } for pid=1570 comm="ip" name="/" 
dev="sysfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem -type=AVC msg=audit(1526390359.992:75): avc: denied { mounton } for pid=1671 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir -type=AVC msg=audit(1526391382.555:73): avc: denied { mounton } for pid=1570 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir -type=AVC msg=audit(1526390359.992:77): avc: denied { mounton } for pid=1671 comm="ip" path="/sys" dev="vda1" ino=2899 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir -type=AVC msg=audit(1526391382.560:75): avc: denied { mounton } for pid=1570 comm="ip" path="/sys" dev="vda1" ino=2899 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir -type=AVC msg=audit(1526390359.992:76): avc: denied { unmount } for pid=1671 comm="ip" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem -type=AVC msg=audit(1526391382.558:74): avc: denied { unmount } for pid=1570 comm="ip" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem -type=AVC msg=audit(1526392042.896:85): avc: denied { mounton } for pid=1983 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir -type=AVC msg=audit(1526391382.569:76): avc: denied { mounton } for pid=1570 comm="ip" path="/etc/sysconfig" dev="vda1" ino=2401 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir -type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 
tclass=dir -type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1526572380.517:156): avc: denied { remove_name } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir -type=AVC msg=audit(1526572380.517:156): avc: denied { unlink } for pid=1570 comm="keepalived" name="octavia-keepalived.pid" dev="vda1" ino=41955 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file -type=AVC msg=audit(1526651537.202:89): avc: denied { search } for pid=1724 comm="sysctl" name="fs" dev="proc" ino=8645 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir -type=AVC msg=audit(1526989034.757:148): avc: denied { sys_admin } for pid=1752 comm="ip" capability=21 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability +type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521755700.847:73): avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir +type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir +type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file +type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability +type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" 
path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file +type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756001.800:145): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" 
path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file +type=AVC msg=audit(1521756002.596:152): avc: denied { mounton } for pid=1860 comm="ip" path="/" dev="vda1" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir +type=AVC msg=audit(1521756002.596:154): avc: denied { mounton } for pid=1860 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir +type=AVC msg=audit(1521756002.597:155): avc: denied { mounton } for pid=1860 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir +type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756005.967:160): avc: denied { execute } for pid=1867 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756005.967:160): avc: denied { execute_no_trans } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756005.968:161): avc: denied { ioctl } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file +type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file +type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file +type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" 
ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file From ded06be72f12d0cd6772124974eb95faab9925ec Mon Sep 17 00:00:00 2001 From: Zoltan Caplovic Date: Tue, 11 Dec 2018 15:28:00 +0100 Subject: [PATCH 093/192] os-swift: Allow container to container synchronization os-virt: Allow launching multiqueue-enabled instances Resolves: rhbz#1642102 and rhbz#1652297 --- os-swift.te | 3 +++ os-virt.te | 3 +++ tests/bz1642102 | 1 + tests/bz1652297 | 1 + 4 files changed, 8 insertions(+) create mode 100644 tests/bz1642102 create mode 100644 tests/bz1652297 diff --git a/os-swift.te b/os-swift.te index dfdfcd3..e7289ff 100644 --- a/os-swift.te +++ b/os-swift.te @@ -20,3 +20,6 @@ gen_tunable(os_swift_use_execmem, false) tunable_policy(`os_swift_use_execmem',` allow swift_t self:process execmem; ') + +# Bugzilla 1652297 +allow swift_t swift_data_t:lnk_file create; diff --git a/os-virt.te b/os-virt.te index a8c987c..402a4a8 100644 --- a/os-virt.te +++ b/os-virt.te @@ -23,3 +23,6 @@ tunable_policy(`os_virtlogd_use_nfs',` fs_manage_nfs_files(virtlogd_t) fs_read_nfs_symlinks(virtlogd_t) ') + +# Bugzilla 1642102 +allow svirt_t spc_t:tun_socket attach_queue; diff --git a/tests/bz1642102 b/tests/bz1642102 new file mode 100644 index 0000000..b624011 --- /dev/null +++ b/tests/bz1642102 @@ -0,0 +1 @@ +type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } for pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket diff --git a/tests/bz1652297 b/tests/bz1652297 new file mode 100644 index 0000000..cfd8115 --- /dev/null +++ b/tests/bz1652297 @@ -0,0 +1 @@ +type=AVC msg=audit(1542830504.754:4792): avc: denied { read } for pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file 
From b470bcfcdb7230addb89fbd26ef5f011d6f90d67 Mon Sep 17 00:00:00 2001 From: Zoltan Caplovic Date: Tue, 11 Dec 2018 16:48:36 +0100 Subject: [PATCH 094/192] Add missing types Related: rhbz#1642102 and rhbz#1652297 --- os-swift.te | 1 + os-virt.te | 3 +++ 2 files changed, 4 insertions(+) diff --git a/os-swift.te b/os-swift.te index e7289ff..15c6bcd 100644 --- a/os-swift.te +++ b/os-swift.te @@ -2,6 +2,7 @@ policy_module(os-swift,0.1) gen_require(` type swift_t; + type swift_data_t; type amqp_port_t; type var_log_t; class tcp_socket name_connect; diff --git a/os-virt.te b/os-virt.te index 402a4a8..68180dc 100644 --- a/os-virt.te +++ b/os-virt.te @@ -4,8 +4,11 @@ gen_require(` type systemd_logind_t; type systemd_logind_inhibit_var_run_t; type virtlogd_t; + type svirt_t; + type spc_t; class dbus send_msg; class fifo_file write; + class tun_socket attach_queue; ') # #1561711 - work around inability to send message From fda88ec67ff2cde6dce0a450ce7d5a50cf3f055b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 16 Jan 2019 16:41:14 +0100 Subject: [PATCH 095/192] Allow container_t to access puppet_etc_t content With tripleo, we read-only bind-mount /etc/puppet into the containers and run puppet from within them. Apparently, with RHEL8 and latest Podman (1.0 as of today), something changed in the default selinux rules, preventing these accesses. --- os-podman.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/os-podman.te b/os-podman.te index 63ff1b9..0a52075 100644 --- a/os-podman.te +++ b/os-podman.te @@ -1,7 +1,11 @@ policy_module(os-podman, 1.0) gen_require(` type container_t; + type puppet_etc_t; ') #============= container_t ============== miscfiles_read_generic_certs(container_t) openvswitch_stream_connect(container_t) +# for posterity: read_files_pattern includes dir accesses +read_files_pattern(container_t, puppet_etc_t, puppet_etc_t) +read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t) 
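Review bot: `read_files_pattern(container_t, puppet_etc_t, puppet_etc_t)` and the lnk_file line below it grant read access to puppet_etc_t to every process in container_t, not only the TripleO puppet containers the description talks about, because container_t is the shared domain for all containers. The other workaround modules in this repository gate optional access behind a `gen_tunable`/`tunable_policy` pair (os-swift.te, os-virt.te), and a boolean such as `os_container_read_puppet_etc` would let deployments that do not bind-mount /etc/puppet keep the base-policy default. The denial that motivated these two rules is also not recorded under tests/, unlike the neighbouring commits, so `make check` cannot confirm they are still needed.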
From f9b45cede356c0e09f78ffb8a3c01fb80b6aac36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 15 Jan 2019 17:44:33 +0100 Subject: [PATCH 096/192] Allow ryslog to write in container_file_t context Some services cannot write their own logs, like haproxy, and trow their logs directly in /dev/log. Rsyslog has then to write the log content in some file. The location for all logs is in /var/log/containers/, and the parent directory /var/log/containers is mounted with ":rw,z" flag by the crontab container, meaning all the content will see its context switched to container_file_t. This context currently prevents rsyslog writing haproxy logs in the standard location /var/log/containers/haproxy. We considered moving the haproxy logs to /var/log/haproxy location, but this creates another issue regarding the log rotation itself. More information are available on the related LP issue: https://bugs.launchpad.net/tripleo/+bug/1810422 --- Makefile | 2 +- os-rsyslog.te | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 os-rsyslog.te diff --git a/Makefile b/Makefile index c96395f..6e6c8e7 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-rsyslog.te b/os-rsyslog.te new file mode 100644 index 0000000..2c3bd61 --- /dev/null +++ b/os-rsyslog.te 
@@ -0,0 +1,11 @@ +policy_module(os-rsyslog,0.1) + +gen_require(` + type container_file_t; + type syslogd_t; +') + +# LP #1810422 +manage_files_pattern(syslogd_t, container_file_t, container_file_t) +manage_dirs_pattern(syslogd_t, container_file_t, container_file_t) +manage_lnk_files_pattern(syslogd_t, container_file_t, container_file_t) From e73cc0ec21eb0fc33812d4fa44a432751aa067d1 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Mon, 28 Jan 2019 15:33:39 +0000 Subject: [PATCH 097/192] Add pointers on how to run the tests to the README --- README | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README b/README index faa0c5b..87b14d0 100644 --- a/README +++ b/README @@ -12,3 +12,13 @@ the selinux-policy package from your operating system. Bugs may be filed against the 'openstack-selinux' package in the 'RDO' or 'Red Hat OpenStack' products at https://bugzilla.redhat.com/ + +Running the tests +----------------- + +1. Install the selinux-policy-devel package +2. Ensure the path /usr/share/openstack-selinux/master exists +3. From your local openstack-selinux repository, run the following + command as root: + + $ make clean all install check From d917185c23243dac70a693c41771ec5197c95985 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Tue, 29 Jan 2019 09:34:58 +0000 Subject: [PATCH 098/192] Allow swift_t to read links as well The referenced bugzilla mentions both create and read, somewhat. This fixes the currently broken test. --- os-swift.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os-swift.te b/os-swift.te index 15c6bcd..8327a58 100644 --- a/os-swift.te +++ b/os-swift.te @@ -23,4 +23,4 @@ tunable_policy(`os_swift_use_execmem',` ') # Bugzilla 1652297 -allow swift_t swift_data_t:lnk_file create; +allow swift_t swift_data_t:lnk_file { create read }; From c33f756059ec9d623d821032384be7dba8037277 Mon Sep 17 00:00:00 2001 
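Review bot: The three `manage_*_pattern(syslogd_t, container_file_t, container_file_t)` calls give rsyslog create, write and delete access to every file, directory and symlink labelled container_file_t, which covers all writable container volumes on the host, not only /var/log/containers named in the description. Labelling /var/log/containers (and its haproxy subdirectory) with a dedicated type through an fcontext entry in local_settings.sh.in, or at least wrapping these rules in a `gen_tunable`/`tunable_policy` block as os-swift.te does, would confine rsyslog's write path to the log tree. A header comment stating the scope, e.g. `# LP #1810422: rsyslog writes haproxy logs under /var/log/containers, which Podman relabels to container_file_t`, would also tell the next reader why a logging daemon has write access to container data at all.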
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 28 Jan 2019 10:27:05 +0100 Subject: [PATCH 099/192] Allow openvswitch to manage its files/sockets in a container context As we're using and managing openvswitch from within containers, we must enable a couple of new policies so that it can actually manage its socket and directories, especially if they are bind-mounts --- os-podman.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/os-podman.te b/os-podman.te index 0a52075..f61a77f 100644 --- a/os-podman.te +++ b/os-podman.te @@ -1,6 +1,8 @@ policy_module(os-podman, 1.0) gen_require(` type container_t; + type container_file_t; + type openvswitch_t; type puppet_etc_t; ') #============= container_t ============== @@ -9,3 +11,7 @@ openvswitch_stream_connect(container_t) # for posterity: read_files_pattern includes dir accesses read_files_pattern(container_t, puppet_etc_t, puppet_etc_t) read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t) + +manage_files_pattern(openvswitch_t, container_file_t, container_file_t) +manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t) +allow openvswitch_t self:capability net_broadcast; From 659864803fc3c4762825333d06e64bd3e9d14df2 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Tue, 29 Jan 2019 11:34:07 +0000 Subject: [PATCH 100/192] Delete the file contexts when uninstalling Otherwise, when run again (e.g. while running the tests) the entire transaction will fail and cause issues. --- local_settings.sh.in | 51 +++++++++++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 19 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 965ce46..7581675 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
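Review bot: `allow openvswitch_t self:capability net_broadcast;` in the second hunk is not covered by the commit description (files and sockets in a container context) and carries no comment or tests/ entry naming the denial it resolves, so a one-line comment such as `# net_broadcast: <operation that triggered it>` would make the grant auditable. The two `manage_*_pattern(openvswitch_t, container_file_t, container_file_t)` lines also give openvswitch_t write and delete access to every container_file_t object on the host rather than to its own bind-mounted run and database directories; if those paths are fixed, a dedicated file context for them (set in local_settings.sh.in) would keep the grant to openvswitch's own data. The same broad container_file_t grant appears in os-rsyslog.te of PATCH 096.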
@@ -73,6 +73,30 @@ set_port() fi } +# usage: set_file_context a|d (add/delete) +set_file_contexts() +{ + INPUT="fcontext -N -$1 -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" + fcontext -N -$1 -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" + fcontext -N -$1 -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard + fcontext -N -$1 -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\" + fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log + fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log + fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log + fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log + fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log + fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon + fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent + fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" + fcontext -N -$1 -t swift_exec_t $BINDIR/swift-object-reconstructor + fcontext -N -$1 -t swift_exec_t $BINDIR/swift-object-relinker + fcontext -N -$1 -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" + fcontext -N -$1 -t ssh_home_t \"$SHAREDSTATEDIR/nova/.ssh(/.*)?\" + fcontext -N -$1 -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" + + echo "$INPUT" | $SBINDIR/semanage import -N +} + _cache_file_modes() { if ! [ -d '/etc/selinux/targeted/active' ]; then @@ -127,9 +151,12 @@ install_policies() { set_port tcp 6641 ovsdb_port_t set_port tcp 6642 ovsdb_port_t + # Create all the file contexts + set_file_contexts "a" + # Build up a script to pass to semanage # - # Booleans & file contexts + # Booleans # -N -> don't reload policy # -m -> modify # 
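Review bot: The usage comment names `set_file_context` while the function is `set_file_contexts`, and `$1` is spliced straight into every `fcontext -N -$1` line with no check that it is `a` or `d`, so any other value yields a malformed command that will likely fail the whole imported transaction. A guard at the top of the function, `case "$1" in a|d) ;; *) echo "set_file_contexts: expected a|d" >&2; return 1 ;; esac`, plus the corrected comment `# usage: set_file_contexts a|d (add/delete)`, fixes both. The swift cache pattern `\"$LOCALSTATEDIR/cache/swift(/.*)\"` is carried over without the trailing `?` that the other directory patterns use, so it matches the contents but not the directory itself; that predates this commit but the move is a good moment to fix it. The exit status of `$SBINDIR/semanage import -N` is also discarded, so a failed add or delete is invisible to install_policies and uninstall_policies.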
@@ -150,24 +177,7 @@ install_policies() { boolean -N -m --on httpd_can_network_connect boolean -N -m --on swift_can_network boolean -N -m --on httpd_use_openstack - boolean -N -m --on collectd_tcp_network_connect - fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" - fcontext -N -a -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\" - fcontext -N -a -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard - fcontext -N -a -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\" - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log - fcontext -N -a -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon - fcontext -N -a -t neutron_exec_t $BINDIR/neutron-vpn-agent - fcontext -N -a -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" - fcontext -N -a -t swift_exec_t $BINDIR/swift-object-reconstructor - fcontext -N -a -t swift_exec_t $BINDIR/swift-object-relinker - fcontext -N -a -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" - fcontext -N -a -t ssh_home_t \"$SHAREDSTATEDIR/nova/.ssh(/.*)?\" - fcontext -N -a -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" + boolean -N -m --on collectd_tcp_network_connect" # # Append modules to our semanage script @@ -223,6 +233,9 @@ uninstall_policies() { do_echo "Removing OpenStack modules..." $SBINDIR/semodule -n -r $MODULES &> /dev/null || : + # Delete all the file contexts + set_file_contexts "d" + relabel_files if $SBINDIR/selinuxenabled ; then From e88afee2dbbbda12b3ae287a145ac525f486be3d Mon Sep 17 00:00:00 2001 
From: Julie Pichon Date: Tue, 29 Jan 2019 12:10:20 +0000 Subject: [PATCH 101/192] Always clean up after the tests Until now, a test failure meant the settings wouldn't get cleaned up/uninstalled. --- Makefile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 6e6c8e7..cb743dd 100644 --- a/Makefile +++ b/Makefile @@ -84,6 +84,12 @@ install: # Note: You can't run this in a build system unless the build # system has access to change the kernel SELinux policies check: - cd ${LOCALDIR} && ./local_settings.sh - cd ${LOCALDIR}/tests && ./check_all - cd ${LOCALDIR} && ./local_settings.sh -x + cd ${LOCALDIR} && ./local_settings.sh ;\ + cd ${LOCALDIR}/tests && ./check_all ;\ + RET=$$? ;\ + cd ${LOCALDIR} && ./local_settings.sh -x ;\ + if [[ "$$RET" -ne 0 ]]; then \ + /bin/false ;\ + else \ + /bin/true ;\ + fi From a0227d1158efa0c06cf96bc8b5050a08693953b7 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Tue, 29 Jan 2019 15:51:06 +0000 Subject: [PATCH 102/192] Allow Cinder and Glance to access NFS Cf. rhbz#1653640 --- local_settings.sh.in | 4 +++- os-cinder.te | 10 ++++++++++ os-glance.te | 10 ++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 965ce46..29cff78 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -194,7 +194,9 @@ install_policies() { boolean -N -m --on os_glance_use_sudo boolean -N -m --on os_httpd_wsgi boolean -N -m --on os_gnocchi_use_nfs - boolean -N -m --on os_virtlogd_use_nfs" + boolean -N -m --on os_virtlogd_use_nfs + boolean -N -m --on os_glance_use_nfs + boolean -N -m --on os_cinder_use_nfs" do_echo "Setting OpenStack booleans..." echo "$INPUT" | $SBINDIR/semanage import -N diff --git a/os-cinder.te b/os-cinder.te index 5154d58..f727be2 100644 --- a/os-cinder.te +++ b/os-cinder.te 
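Review bot: The new `check:` recipe uses `[[ ... ]]`, a bash construct, but make runs recipes with `/bin/sh` unless `SHELL` is set in the Makefile, so the target only works where sh is bash; the POSIX form does the same job and the if/else can collapse to one line: `if [ "$$RET" -ne 0 ]; then exit $$RET; fi`. Because every step is chained with `;` instead of `&&`, a failure of the first `./local_settings.sh` (the install step) is ignored, the tests then run against a partially installed policy, and `RET` reflects only `./check_all`; ending that first line with `|| exit 1` keeps the cleanup the commit wants while still failing the build when installation itself breaks. The `cd ${LOCALDIR}` before the uninstall is likewise unchecked, though that is harmless as long as the preceding cd succeeded.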
@@ -9,6 +9,7 @@ gen_require(` class file { open create }; class dir { add_name write }; class dbus { send_msg }; + attribute cinder_domain; ') # Bugzilla 1325623 @@ -20,3 +21,12 @@ iscsid_domtrans(cinder_backup_t); # Bugzilla #1628679 allow systemd_logind_t cinder_volume_t:dbus { send_msg }; + +# Bugzilla 1653640 +gen_tunable(os_cinder_use_nfs, false) +tunable_policy(`os_cinder_use_nfs',` + fs_manage_nfs_dirs(cinder_domain) + fs_manage_nfs_files(cinder_domain) + fs_manage_nfs_symlinks(cinder_domain) + fs_exec_nfs_files(cinder_domain) +') diff --git a/os-glance.te b/os-glance.te index 1db7c70..8ff15fd 100644 --- a/os-glance.te +++ b/os-glance.te @@ -15,6 +15,7 @@ gen_require(` class lnk_file read; type sudo_exec_t; class file { execute }; + attribute glance_domain; ') # Bugzilla 1362609 @@ -77,3 +78,12 @@ tunable_policy(`os_glance_use_sudo',` allow glance_api_t self:process { setcap setrlimit setsched }; allow glance_api_t sysfs_t:file append; ') + +# Bugzilla 1653640 +gen_tunable(os_glance_use_nfs, false) +tunable_policy(`os_glance_use_nfs',` + fs_manage_nfs_dirs(glance_domain) + fs_manage_nfs_files(glance_domain) + fs_manage_nfs_symlinks(glance_domain) + fs_exec_nfs_files(glance_domain) +') From 282e8a1e450703e7c9f78121c9b0d2e00228fb55 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 8 Feb 2019 11:51:51 +0000 Subject: [PATCH 103/192] Add nis_enabled boolean Some services, like glance-registry, rely on it when run with custom ports. Resolves: rhbz#1671514 --- local_settings.sh.in | 1 + tests/bz1671514 | 1 + 2 files changed, 2 insertions(+) create mode 100644 tests/bz1671514 diff --git a/local_settings.sh.in b/local_settings.sh.in index 530ee67..1854544 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
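Review bot: `fs_exec_nfs_files(cinder_domain)` grants execute on any file on an NFS mount to every cinder domain, which goes beyond what mounting and reading or writing volume files needs; the os-glance.te hunk of the same commit adds the identical line for glance_domain. Unless a recorded denial shows a cinder or glance process executing a file from NFS, dropping that call (or adding a comment that cites the denial) keeps the tunable to data access. Note also that the local_settings.sh.in hunk of this commit switches `os_cinder_use_nfs` and `os_glance_use_nfs` on at install time, so the `gen_tunable(..., false)` default only applies to policies installed outside that script; a comment next to each tunable, e.g. `# enabled by local_settings.sh at install time`, would stop a reader from assuming NFS access is off.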
@@ -166,6 +166,7 @@ install_policies() { boolean -N -m --on neutron_can_network boolean -N -m --on glance_use_fusefs boolean -N -m --on haproxy_connect_any + boolean -N -m --on nis_enabled boolean -N -m --on rsync_full_access boolean -N -m --on rsync_client boolean -N -m --on virt_use_execmem diff --git a/tests/bz1671514 b/tests/bz1671514 new file mode 100644 index 0000000..5bf8d77 --- /dev/null +++ b/tests/bz1671514 @@ -0,0 +1 @@ +type=AVC msg=audit(1548880833.900:153941): avc: denied { name_connect } for pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket From 53fb7049bb01e4d7970816bd4c1613ae78103ed5 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 22 Feb 2019 17:03:43 +0000 Subject: [PATCH 104/192] os-neutron: Add pam authentication support This should help with rootwrap issues. Related: rhbz#1676954 --- os-neutron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/os-neutron.te b/os-neutron.te index 765279b..be32b9c 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -114,3 +114,7 @@ allow neutron_t self:process setpgid; # Bugzilla 1581729 corenet_udp_bind_dhcpc_port(neutron_t) + +# Bugzilla 1676954 +auth_use_pam(neutron_t) +init_rw_utmp(neutron_t) From 0f46cf99c3b44f8e58918ed23185a43c50aa7501 Mon Sep 17 00:00:00 2001 From: Nir Magnezi Date: Sun, 3 Mar 2019 18:33:59 +0200 Subject: [PATCH 105/192] Octavia: RHEL8 Amphora policy additions - Octavia Policies - Tests based on audit2why Resolves: rhbz#1684885 --- local_settings.sh.in | 3 ++- os-octavia.te | 10 +++++++++- tests/bz1684885 | 10 ++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 tests/bz1684885 diff --git a/local_settings.sh.in b/local_settings.sh.in index 1854544..e9d93cd 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
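Review bot: `boolean -N -m --on nis_enabled` is a system-wide boolean that widens network access for many domains in the base policy, while the recorded denial (tests/bz1671514) is a single `name_connect` from glance_registry_t to an unreserved TCP port. A per-domain rule in os-glance.te, for example `corenet_tcp_connect_all_unreserved_ports(glance_registry_t)`, or a `set_port` entry for the custom registry port as this script already does for ovsdb, would fix glance-registry without changing the behaviour of unrelated services on the host. If the boolean is kept, a comment beside it naming the bug and the reason would help whoever later audits the list of enabled booleans.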
@@ -178,7 +178,8 @@ install_policies() { boolean -N -m --on httpd_can_network_connect boolean -N -m --on swift_can_network boolean -N -m --on httpd_use_openstack - boolean -N -m --on collectd_tcp_network_connect" + boolean -N -m --on collectd_tcp_network_connect + boolean -N -m --on domain_can_mmap_files" # # Append modules to our semanage script diff --git a/os-octavia.te b/os-octavia.te index 3d292ee..b9e23ec 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -15,6 +15,9 @@ gen_require(` type proc_security_t; type sysctl_kernel_t; type etc_t; + type usermodehelper_t; + type keepalived_exec_t; + type unconfined_service_t; class sock_file { create link rename setattr unlink write }; class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; @@ -30,6 +33,7 @@ allow ifconfig_t self:capability sys_ptrace; allow ifconfig_t proc_security_t:file manage_file_perms; allow ifconfig_t sysctl_fs_t:file manage_file_perms; allow ifconfig_t sysctl_kernel_t:file manage_file_perms; +allow ifconfig_t usermodehelper_t:file { getattr open write }; # # XXX Future work: need to set /var/lib/octavia to something 
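Review bot: `boolean -N -m --on domain_can_mmap_files` lifts the `map` restriction for every confined domain on the host in order to resolve one `map` denial on /usr/bin/kill by haproxy_t (tests/bz1684885), so the change affects all services the base policy covers rather than the amphora alone. A targeted rule in os-octavia.te, `allow haproxy_t bin_t:file { entrypoint execute map };`, covers the recorded denial without touching other domains. If the boolean is nevertheless required, a comment next to it naming the bug would make the reason visible to a later audit.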
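Review bot: `allow ifconfig_t usermodehelper_t:file { getattr open write };` is the most consequential line in this os-octavia.te hunk: usermodehelper_t labels the /proc/sys/kernel entries through which the kernel is told which helper binary to run with full privileges (the recorded denial is for `core_pattern`), so write access lets anything running in ifconfig_t reconfigure a root-level kernel hook. If the amphora only sets core_pattern once at boot, a comment recording that and the value being written, and ideally a tunable that stays off on installs that do not run Octavia amphorae, would scope the risk; running that sysctl from a domain that does not double as the `ip` command's domain would be better still. The hunk's enclosing rule group continues past the hunk, so the `# XXX Future work` comment that follows still describes the pending /var/lib/octavia labelling, not this rule.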
@@ -51,12 +55,15 @@ allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write # These are needed during boot when setting up the netns allow keepalived_t etc_t:dir mounton; +allow keepalived_t keepalived_exec_t:file execute_no_trans; allow keepalived_t root_t:dir mounton; allow keepalived_t sysfs_t:filesystem { mount unmount }; allow keepalived_t user_tmp_t:dir mounton; +allow keepalived_t var_run_t:dir { create mounton }; # Same access for haproxy_t -allow haproxy_t bin_t:file { entrypoint }; +allow haproxy_t bin_t:file { entrypoint execute }; +allow haproxy_t unconfined_service_t:file { open read }; allow haproxy_t var_lib_t:dir { add_name write remove_name }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; @@ -69,3 +76,4 @@ allow haproxy_t sysfs_t:filesystem { mount unmount }; allow haproxy_t user_tmp_t:dir mounton; kernel_read_fs_sysctls(ifconfig_t) + diff --git a/tests/bz1684885 b/tests/bz1684885 new file mode 100644 index 0000000..9c3e1f2 --- /dev/null +++ b/tests/bz1684885 
@@ -0,0 +1,10 @@ +type=AVC msg=audit(1551866885.134:39): avc: denied { getattr } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551866885.136:40): avc: denied { write } for pid=1175 comm="sysctl" name="core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551866885.136:40): avc: denied { open } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551866885.485:42): avc: denied { execute_no_trans } for pid=1286 comm="ip" path="/usr/sbin/keepalived" dev="vda1" ino=537483 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551867084.102:44): avc: denied { read } for pid=1376 comm="ip" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551867084.102:44): avc: denied { open } for pid=1376 comm="ip" path="/run/netns/amphora-haproxy" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551867108.032:46): avc: denied { map } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1551867108.032:46): avc: denied { execute } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
+type=AVC msg=audit(1551867168.534:47): avc: denied { create } for pid=1487 comm="keepalived" name="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1551867168.535:48): avc: denied { mounton } for pid=1487 comm="keepalived" path="/run/keepalived" dev="tmpfs" ino=24185 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 From 1b65945ea05a34e3de3aa92d994b9f6221fe3e0b Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Thu, 7 Mar 2019 17:38:40 +0000 Subject: [PATCH 106/192] Add boolean to optionally enable PBIS support for nova_t/neutron_t Because the boolean is disabled by default, we can't add tests but these are the AVC denials fixed: type=AVC msg=audit(1544557830.595:1357): avc: denied { write } for pid=10185 comm="sudo" name=".lsassd" dev="dm-3" ino=262401 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file permissive=0 type=AVC msg=audit(1551481878.901:639): avc: denied { write } for pid=8456 comm="sudo" name=".lsassd" dev="dm-3" ino=262405 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file permissive=0 This is a temporary workaround until PBIS upstream is updated. The boolean will be deprecated once that is the case. Resolves: rhbz#1658815 --- Makefile | 4 ++-- os-pbis.if | 25 +++++++++++++++++++++++++ os-pbis.te | 13 +++++++++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 os-pbis.if create mode 100644 os-pbis.te diff --git a/Makefile b/Makefile index cb743dd..b4f15c3 100644 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master @@ -19,7 +19,7 @@ local_settings.sh: local_settings.sh.in chmod 0755 $@ clean: - rm -f *~ *.if *.tc *.pp *.pp.bz2 local_settings.sh + rm -f *~ *.tc *.pp *.pp.bz2 local_settings.sh rm -rf tmp *.tar.gz tarball: .git/config diff --git a/os-pbis.if b/os-pbis.if new file mode 100644 index 0000000..ecf4c8b --- /dev/null +++ b/os-pbis.if @@ -0,0 +1,25 @@ +# +# This comes from pbis-open's pbis.if +# https://github.com/BeyondTrust/pbis-open/blob/master/config/linux/redhat/rhel/7.0/pbis.if (GPL v2) +# +######################################## +## +## Connect to pbis services. +## +## +## +## Domain allowed access. +## +## +# + +interface(`os_pbis_client',` + gen_require(` + class unix_stream_socket connectto; + class sock_file { write create unlink getattr }; + type var_lib_t, unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket connectto; + allow $1 var_lib_t:sock_file write; +') diff --git a/os-pbis.te b/os-pbis.te new file mode 100644 index 0000000..cbec695 --- /dev/null +++ b/os-pbis.te @@ -0,0 +1,13 @@ +policy_module(os-pbis,0.1) + +gen_require(` + type neutron_t; + type nova_t; +') + +# Bug 1658815 - Temporary workaround until PBIS is updated +gen_tunable(openstack_pbis_support, false) +tunable_policy(`openstack_pbis_support',` + os_pbis_client(neutron_t) + os_pbis_client(nova_t) +') From ad57362dca3f6e172dbe7de3c8852c535be17ee0 Mon Sep 17 00:00:00 2001 
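Review bot: Dropping `*.if` from the `clean` rule is required now that os-pbis.if is a tracked source file, but the previous rule suggests the devel Makefile leaves `.if` artefacts behind for the other modules, and those will now survive `make clean`. If that is the case, removing everything except the tracked interface keeps the old behaviour: `rm -f *~ $(filter-out os-pbis.if,$(wildcard *.if)) *.tc *.pp *.pp.bz2 local_settings.sh`. A one-line comment above the rule saying why `*.if` is no longer removed wholesale would stop the next person from re-adding it.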
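Review bot: The `gen_require` inside `os_pbis_client` declares `class sock_file { write create unlink getattr }`, but the body only grants `write`, so `create unlink getattr` should be dropped to keep the declared requirements equal to what is actually used. The two rules also target generic types — `var_lib_t:sock_file` and `unconfined_t:unix_stream_socket` — rather than a PBIS-specific one, so a domain given this interface may write any sock_file labelled var_lib_t and connect to any unconfined_t stream socket, not only `.lsassd`; that width is presumably why the caller gates it behind an off-by-default tunable, and it belongs in the interface header. The `## Connect to pbis services.` summary could become `## Connect to pbis services. Grants write on all var_lib_t sock_files and connectto on unconfined_t stream sockets; scope is wide because upstream pbis.if apparently defines no dedicated socket type.`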
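Review bot: `gen_tunable(openstack_pbis_support, false)` has no description block, so an operator listing booleans has nothing that explains what enabling it grants. Refpolicy convention is a `## <desc><p>…</p></desc>` comment directly above `gen_tunable`; for this one, `## <desc><p>Allow nova_t and neutron_t to connect to the PBIS lsassd socket (temporary workaround, rhbz#1658815)</p></desc>` would do. The `# Bug 1658815 - Temporary workaround until PBIS is updated` comment could also name the removal condition from the commit message, e.g. `# … deprecate this boolean once the fixed pbis-open package ships`.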
From: Nir Magnezi Date: Mon, 11 Mar 2019 11:53:00 +0200 Subject: [PATCH 107/192] Add Policies for Octavia Active/Standby Resolves: rhbz#1687321 --- os-octavia.te | 1 + tests/bz1687321 | 1 + 2 files changed, 2 insertions(+) create mode 100644 tests/bz1687321 diff --git a/os-octavia.te b/os-octavia.te index 3d292ee..9a25f75 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -50,6 +50,7 @@ allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioct allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write }; # These are needed during boot when setting up the netns +allow keepalived_t bin_t:file { entrypoint }; allow keepalived_t etc_t:dir mounton; allow keepalived_t root_t:dir mounton; allow keepalived_t sysfs_t:filesystem { mount unmount }; diff --git a/tests/bz1687321 b/tests/bz1687321 new file mode 100644 index 0000000..1577de1 --- /dev/null +++ b/tests/bz1687321 @@ -0,0 +1 @@ +type=AVC msg=audit(1552241787.746:60): avc: denied { entrypoint } for pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 From 9d5f9f02baa6c10c14301e8d55269216f4107e6a Mon Sep 17 00:00:00 2001 
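Review bot: `allow keepalived_t bin_t:file { entrypoint };` makes every generic `bin_t` binary a legal entry point into the keepalived_t domain, while the denial in tests/bz1687321 is specifically `comm="(kill)"` executing /usr/bin/kill — presumably systemd forking a kill helper inside the unit's domain. The rule should say that, so it is not later read as intentional generality: `# rhbz#1687321: systemd executes /usr/bin/kill (bin_t) inside keepalived_t during netns setup/teardown`. The braces around a single permission are also inconsistent with the neighbouring `allow keepalived_t etc_t:dir mounton;` style.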
From: Michele Baldessari Date: Mon, 25 Mar 2019 12:09:51 +0100 Subject: [PATCH 108/192] Fix HA containers denials with rhel8 and podman We get currently two type of denials when starting HA containers on OSP15: A) Rabbitmq creates and deletes a bmtp file denied { remove_name } for pid=538235 comm="python" name="btmp" dev="vda2" ino=73787843 scontext=system_u:system_r:container_t:s0:c208,c543 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { unlink } for pid=538235 comm="python" name="btmp" dev="vda2" ino=73787843 scontext=system_u:system_r:container_t:s0:c208,c543 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { create } for pid=538235 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c208,c543 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { ioctl } for pid=538235 comm="python" path="/var/log/btmp" dev="vda2" ino=73787840 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c208,c543 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { setattr } for pid=538235 comm="python" name="btmp" dev="vda2" ino=73787840 scontext=system_u:system_r:container_t:s0:c208,c543 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { add_name } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { write open } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 B) Kolla needs to open, read, lock and create folders denied { add_name } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { create } for pid=41771 comm="mkdir" name="kolla" 
scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { create } for pid=42078 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { lock } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { read } for pid=73801 comm="mkdir" name="kolla" dev="vda2" ino=38118009 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { read write open } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 denied { write } for pid=46749 comm="python" name="rabbitmq-bundle-0" dev="vda2" ino=67376550 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 denied { write } for pid=73801 comm="mkdir" name="ovn-dbs-bundle-0" dev="vda2" ino=86202322 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 We tested this patch and subsequently restart all HA containers: [root@controller-1 ~]# jobs [2]+ Running tail -f /var/log/audit/audit.log | grep --color=auto enied & [root@controller-1 ~]# pcs resource restart galera-bundle controller-1 galera-bundle successfully restarted [root@controller-1 ~]# pcs resource restart haproxy-bundle controller-1 haproxy-bundle successfully restarted [root@controller-1 ~]# pcs resource restart rabbitmq-bundle controller-1 rabbitmq-bundle successfully restarted [root@controller-1 ~]# pcs resource restart ovn-dbs-bundle controller-1 ovn-dbs-bundle successfully restarted 
[root@controller-1 ~]# pcs resource restart openstack-cinder-volume controller-1 openstack-cinder-volume successfully restarted And could not observe any denials any longer. Closes-Bug: rhbz#1692325 Co-Authored-By: Damien Ciabrini --- os-podman.te | 5 +++++ tests/bz1692325 | 26 ++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 tests/bz1692325 diff --git a/os-podman.te b/os-podman.te index f61a77f..1d0a43f 100644 --- a/os-podman.te +++ b/os-podman.te @@ -4,6 +4,7 @@ gen_require(` type container_file_t; type openvswitch_t; type puppet_etc_t; + type cluster_var_log_t; ') #============= container_t ============== miscfiles_read_generic_certs(container_t) @@ -15,3 +16,7 @@ read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t) manage_files_pattern(openvswitch_t, container_file_t, container_file_t) manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t) allow openvswitch_t self:capability net_broadcast; + +# needed for HA containers +manage_files_pattern(container_t, cluster_var_log_t, cluster_var_log_t); +manage_dirs_pattern(container_t, cluster_var_log_t, cluster_var_log_t); diff --git a/tests/bz1692325 b/tests/bz1692325 new file mode 100644 index 0000000..f860209 --- /dev/null +++ b/tests/bz1692325 
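Review bot: The two new `manage_files_pattern`/`manage_dirs_pattern` calls end with `;`, unlike the existing `manage_files_pattern(openvswitch_t, …)` and `manage_sock_files_pattern(…)` lines directly above them; the semicolon is harmless after m4 expansion but the file should settle on one form. On scope, the subject is `container_t`, so every container on the host — not only the HA bundles the comment names — gains create/write/unlink on everything labelled cluster_var_log_t; the same widening recurs in the os-barbican.te (patch 111) and os-sensu.te (patch 112) hunks on this page, and if it is accepted it should be acknowledged in the comment. `# needed for HA containers` would be more useful as `# rhbz#1692325: pacemaker bundle containers (galera, rabbitmq, redis, ovn-dbs) write btmp/lastlog and kolla/ dirs into their cluster_var_log_t log directories`.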
@@ -0,0 +1,26 @@ +type=AVC msg=audit(1553504112.730:7560): avc: denied { write } for pid=41771 comm="mkdir" name="galera-bundle-0" dev="vda2" ino=8512171 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504112.730:7560): avc: denied { add_name } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504112.730:7560): avc: denied { create } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504112.730:7561): avc: denied { read } for pid=41771 comm="mkdir" name="kolla" dev="vda2" ino=65194464 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504118.347:7565): avc: denied { create } for pid=42078 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504118.347:7565): avc: denied { read write open } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504118.347:7566): avc: denied { lock } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504226.542:7628): avc: denied { write } for pid=46749 comm="python" name="rabbitmq-bundle-0" dev="vda2" ino=67376550 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir 
permissive=1 +type=AVC msg=audit(1553504226.542:7628): avc: denied { add_name } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504226.542:7628): avc: denied { create } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504226.542:7628): avc: denied { write open } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504226.542:7629): avc: denied { ioctl } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504226.542:7630): avc: denied { setattr } for pid=46749 comm="python" name="btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504226.564:7633): avc: denied { create } for pid=46774 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504226.564:7634): avc: denied { read } for pid=46774 comm="mkdir" name="kolla" dev="vda2" ino=35865839 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504307.112:7757): avc: denied { write } for pid=52665 comm="mkdir" name="redis-bundle-0" dev="vda2" ino=73669291 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 
tclass=dir permissive=1 +type=AVC msg=audit(1553504307.112:7757): avc: denied { add_name } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504307.112:7757): avc: denied { create } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504307.112:7758): avc: denied { read } for pid=52665 comm="mkdir" name="kolla" dev="vda2" ino=31565583 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504312.069:7762): avc: denied { create } for pid=52961 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504312.069:7762): avc: denied { read write open } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504312.069:7763): avc: denied { lock } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1553504532.565:8213): avc: denied { write } for pid=73801 comm="mkdir" name="ovn-dbs-bundle-0" dev="vda2" ino=86202322 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504532.565:8213): avc: denied { add_name } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 
+type=AVC msg=audit(1553504532.565:8213): avc: denied { create } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1553504532.565:8214): avc: denied { read } for pid=73801 comm="mkdir" name="kolla" dev="vda2" ino=38118009 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 From 3c3db5f27babeb20816141c1ab8869d9837d2a31 Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Wed, 15 May 2019 11:41:20 -0400 Subject: [PATCH 109/192] Allow OVS to connect to spc_t stream sockets Resolves: rhbz#1707840 Signed-off-by: Lon Hohberger --- os-ovs.te | 4 ++++ tests/bz1707840 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1707840 diff --git a/os-ovs.te b/os-ovs.te index 988be6a..16788e2 100644 --- a/os-ovs.te +++ b/os-ovs.te @@ -19,6 +19,7 @@ gen_require(` type svirt_t; type svirt_tmpfs_t; type virt_cache_t; + type spc_t; class dir search; class file { write read getattr open }; class tcp_socket name_bind; @@ -28,6 +29,7 @@ gen_require(` class netlink_audit_socket { create nlmsg_relay read write }; class capability audit_write; class packet_socket create_socket_perms; + class unix_stream_socket { read write connectto }; ') # Bugzilla 1108187 @@ -120,3 +122,5 @@ corenet_tcp_bind_all_ports(openvswitch_t) # #1572510 allow openvswitch_t svirt_t:unix_stream_socket { read write }; +# bugzilla #1707840 +allow openvswitch_t spc_t:unix_stream_socket { read write }; diff --git a/tests/bz1707840 b/tests/bz1707840 new file mode 100644 index 0000000..e8651a1 --- /dev/null +++ b/tests/bz1707840 
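Review bot: The new requirement `class unix_stream_socket { read write connectto };` declares `connectto`, but the only rule this commit adds, `allow openvswitch_t spc_t:unix_stream_socket { read write };`, and the existing svirt_t rule next to it use just `read write`; unless a rule outside these hunks needs it, trim it to `class unix_stream_socket { read write };` so the requirement matches the grant. The comment `# bugzilla #1707840` could also say what the socket is, per the fixture (comm="vhost-events", peer spc_t): `# rhbz#1707840: OVS vhost event sockets shared with privileged containers (spc_t)`. The file now mixes `# Bugzilla 1108187`, `# #1572510` and `# bugzilla #1707840`; one reference style would help grepping.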
@@ -0,0 +1 @@ +type=AVC msg=audit(1557322725.873:12375): avc: denied { read write } for pid=8786 comm="vhost-events" path="socket:[16378370]" dev="sockfs" ino=16378370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=1 From 38c2a78ad2cd187717a9dc638270a4ec663f6772 Mon Sep 17 00:00:00 2001 From: Nir Magnezi Date: Thu, 30 May 2019 16:47:30 +0300 Subject: [PATCH 110/192] Octavia: Adds capability dac_override to haproxty_t Resolves: rhbz#1715492 --- os-octavia.te | 2 +- tests/bz1715492 | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 tests/bz1715492 diff --git a/os-octavia.te b/os-octavia.te index b9e23ec..ae508d4 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -67,7 +67,7 @@ allow haproxy_t unconfined_service_t:file { open read }; allow haproxy_t var_lib_t:dir { add_name write remove_name }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; -allow haproxy_t self:capability { sys_admin }; +allow haproxy_t self:capability { sys_admin dac_override }; # These are needed during boot when setting up the netns allow haproxy_t etc_t:dir mounton; diff --git a/tests/bz1715492 b/tests/bz1715492 new file mode 100644 index 0000000..8463d08 --- /dev/null +++ b/tests/bz1715492 @@ -0,0 +1,2 @@ +type=AVC msg=audit(1559218642.208:72): avc: denied { dac_override } for pid=6702 comm="haproxy" capability=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=1 + From 022ddee7ce7eecf4a4b171000f8c8cb56242f4d3 Mon Sep 17 00:00:00 2001 
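Review bot: `dac_override` is a broad capability — it lets haproxy_t ignore file mode bits on every object SELinux otherwise allows it to reach — and a denial for it (capability=1 in tests/bz1715492) usually signals an ownership or mode mismatch, such as haproxy running as root opening a file it does not own, rather than a real need. The fixture carries no path, so the file that triggered it should be identified and recorded before the grant ships, and ownership in the amphora image fixed instead if possible: `# rhbz#1715492: dac_override for <path, TODO identify>; prefer fixing ownership in the amphora image`. The fixture also ends with an empty `+` line that should be dropped, and the subject line's `haproxty_t` is a typo for `haproxy_t`.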
From: Julie Pichon Date: Tue, 6 Aug 2019 11:38:58 +0100 Subject: [PATCH 111/192] Allow Barbican containers to read pki_common_t labels Resolves: rhbz#1732578 --- Makefile | 2 +- os-barbican.te | 10 ++++++++++ tests/bz1732578 | 6 ++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 os-barbican.te create mode 100644 tests/bz1732578 diff --git a/Makefile b/Makefile index b4f15c3..76a817c 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-barbican.te b/os-barbican.te new file mode 100644 index 0000000..61917d5 --- /dev/null +++ b/os-barbican.te @@ -0,0 +1,10 @@ +policy_module(os-barbican,0.1) + +gen_require(` + type container_t; + type pki_common_t; +') + +# Bugzilla 1732578 +allow container_t pki_common_t:dir read; +exec_files_pattern(container_t, pki_common_t, pki_common_t); diff --git a/tests/bz1732578 b/tests/bz1732578 new file mode 100644 index 0000000..e6fbbbb --- /dev/null +++ b/tests/bz1732578 
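Review bot: `# Bugzilla 1732578` does not say what is being enabled; the fixture shows barbican-manage and httpd loading /opt/nfast/toolkits/pkcs11/libcknfast.so, so `# rhbz#1732578: Barbican containers load the nCipher PKCS#11 module (libcknfast.so) from /opt/nfast, which is labelled pki_common_t` documents both the reason and the label. `exec_files_pattern` already grants search on pki_common_t directories, so the separate `allow container_t pki_common_t:dir read;` exists only for listing (the `comm="ls"` denial) — worth a trailing comment so it is not removed as redundant. As in os-podman.te, the subject is `container_t`, i.e. every container and not only Barbican's; if that is acceptable say so in the comment, otherwise the tunable approach used in os-pbis.te is available.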
@@ -0,0 +1,6 @@
+type=AVC msg=audit(1563895304.208:14480): avc: denied { read } for pid=81224 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563895442.774:14719): avc: denied { read } for pid=94348 comm="httpd" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c111,c895 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563899396.472:17769): avc: denied { read } for pid=382136 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17769): avc: denied { open } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17770): avc: denied { execute } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563907351.675:23726): avc: denied { read } for pid=960024 comm="ls" name="nfast" dev="vda2" ino=33555398 scontext=system_u:system_r:container_t:s0:c353,c747 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir permissive=0
From 66e8a6f7313b5fbe9954396960e05f35f62c4e5c Mon Sep 17 00:00:00 2001 
From: Julie Pichon Date: Thu, 8 Aug 2019 13:43:02 +0100 Subject: [PATCH 112/192] Sensu: Allow containers to connect to systemd sockets Resolves: rhbz#1738134 --- Makefile | 2 +- os-sensu.te | 11 +++++++++++ tests/bz1738134 | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 os-sensu.te create mode 100644 tests/bz1738134 diff --git a/Makefile b/Makefile index 76a817c..29b27db 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-sensu.te b/os-sensu.te new file mode 100644 index 0000000..8ed392b --- /dev/null +++ b/os-sensu.te @@ -0,0 +1,11 @@ +policy_module(os-sensu,0.1) + +gen_require(` + type container_t; + type init_t; + type system_dbusd_t; +') + +# Bugzilla 1738134 +allow container_t init_t:unix_stream_socket connectto; +allow container_t system_dbusd_t:unix_stream_socket connectto; diff --git a/tests/bz1738134 b/tests/bz1738134 new file mode 100644 index 0000000..fded820 --- /dev/null +++ b/tests/bz1738134 
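Review bot: These two rules let any `container_t` process connect to /run/systemd/private (init_t) and to the system bus socket (system_dbusd_t), the control sockets of the host's service manager, while the fixture shows that only systemctl inside the Sensu container needs it. Unlike os-pbis.te the grant is unconditional, so any container that merely has those sockets bind-mounted loses the MAC barrier that otherwise keeps it from driving systemd; wrapping it as `gen_tunable(os_sensu_systemd, false)` with a `tunable_policy(`os_sensu_systemd',` … ')` block would leave the default posture unchanged and make the deployment opt in. The comment should at least name the consumer: `# rhbz#1738134: the sensu container runs systemctl, which connects to /run/systemd/private and /run/dbus/system_bus_socket`.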
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1565094042.901:130455): avc: denied { connectto } for pid=812858 comm="systemctl" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c400,c976 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+type=AVC msg=audit(1565098666.014:137948): avc: denied { connectto } for pid=219615 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:container_t:s0:c104,c864 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
From 3d1872243242c3e810f03fb2877a8fd799947772 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 13 Aug 2019 14:40:55 +0200 Subject: [PATCH 113/192] Allows httpd_t to read container_file_t content For now, Mistral containers are pulling and pushing images on the filesystem, using a bind-mounted directory with ":z" flag in order to allow write access. This relabels the directory to container_file_t, preventing httpd "image-serve" vhost to work. This behavior is seen during update process, since mistral runs dedicated workflows in order to fetch/pull the new images. The change that will create this issue is: https://review.opendev.org/676102 type=AVC msg=audit(1565686468.423:11563): avc: denied { getattr } for pid=15019 comm="httpd" path="/var/lib/image-serve/v2/index.json" dev="vda1" ino=6268331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1565686468.426:11564): avc: denied { read } for pid=15019 comm="httpd" name="index.json" dev="vda1" ino=6268331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1565686468.426:11564): avc: denied { open } for pid=15019 comm="httpd" path="/var/lib/image-serve/v2/index.json" dev="vda1" ino=6268331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1565686468.434:11565): avc: denied { read } for pid=14913 comm="httpd" name="manifests" dev="vda1" ino=7850670 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 The current patch is a preventive action in order to avoid live issues. --- os-httpd.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/os-httpd.te b/os-httpd.te index 4456ff0..2bd24ce 100644 --- a/os-httpd.te +++ b/os-httpd.te @@ -10,6 +10,7 @@ gen_require(` type keystone_log_t; type nova_api_t; type keystone_var_lib_t; + type container_file_t; ') # 
@@ -45,4 +46,10 @@ tunable_policy(`os_httpd_wsgi',` # Bugzilla #1315457 # Bugzilla #1489863 corenet_tcp_bind_all_ports(httpd_t) + + # Allow read-only access to container_file_t + # This is due to image-server, and images being pulled via mistral container + # during an update/upgrade + read_files_pattern(httpd_t, container_file_t, container_file_t) + allow httpd_t container_file_t:dir read; ') From 596c60e3b40812bcd6d910fa2dafbd4a03bddfd0 Mon Sep 17 00:00:00 2001 
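Review bot: The new `read_files_pattern(httpd_t, container_file_t, container_file_t)` and `allow httpd_t container_file_t:dir read;` sit inside the `tunable_policy(`os_httpd_wsgi',` block (the block opens outside this hunk), so image-serve only gains the access when that boolean is on — something the three-line comment does not mention and which is unrelated to WSGI. If the access is meant to be unconditional, move the two lines after the closing `')`; if the gating is intended, add `# only effective while os_httpd_wsgi is enabled` to the comment. The other commits in this series also add a tests/bzNNN fixture for their denials, whereas here the AVC records live only in the commit message.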
From: rpm-build Date: Thu, 22 Aug 2019 10:25:01 +0200 Subject: [PATCH 114/192] Make sure that /var/log/pacemaker/* is of cluster_var_log_t type So this commit is fundamentally a workaround to be put in place until the official selinux-policy fixes https://bugzilla.redhat.com/show_bug.cgi?id=1712058 make it into a supported distro. The rationale is the following: via https://github.com/redhat-openstack/openstack-selinux/pull/31 we allowed containers to write and manage files/dirs that have the cluster_var_log_t type. The problem is that on RHEL8.0 the official policy (until rhbz#1712058 is fixed) labels /var/log/pacemaker/bundles with var_log_t instead. So we will get errors like the following: type=AVC msg=audit(1566400443.299:224052): avc: denied { write } for pid=530083 comm="python" name="btmp" dev="vda2" ino=31700395 scontext=system_u:system_r:container_t:s0:c590,c683 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 type=AVC msg=audit(1566401139.130:228828): avc: denied { write } for pid=559096 comm="python" name="btmp" dev="vda2" ino=31700395 scontext=system_u:system_r:container_t:s0:c841,c880 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 type=AVC msg=audit(1566401210.316:229325): avc: denied { write } for pid=562314 comm="python" name="btmp" dev="vda2" ino=31700395 scontext=system_u:system_r:container_t:s0:c136,c787 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 So let's anticipate the upcoming selinux change and bring it in openstack-selinux policy. We can drop it once we're positive none will upgrade to a newer openstack-selinux without the updated selinux-policy-targeted package. Tested as follows: 0) Starting point (broken) [root@controller-2 ~]# rpm -q openstack-selinux selinux-policy-targeted openstack-selinux-0.8.19-0.20190813150447.72046d3.el8ost.noarch selinux-policy-targeted-3.14.1-61.el8_0.1.noarch [root@controller-2 ~]# ls -lZd /var/log/pacemaker/bundles/* drwxr-x--x. 
5 root root system_u:object_r:cluster_var_log_t:s0 62 Aug 21 16:38 /var/log/pacemaker/bundles/galera-bundle-2 drwxr-x--x. 4 root root system_u:object_r:cluster_var_log_t:s0 38 Aug 21 16:45 /var/log/pacemaker/bundles/ovn-dbs-bundle-2 drwxr-x--x. 4 root root system_u:object_r:cluster_var_log_t:s0 47 Aug 21 16:39 /var/log/pacemaker/bundles/rabbitmq-bundle-2 drwxr-x--x. 4 root root system_u:object_r:cluster_var_log_t:s0 47 Aug 21 16:41 /var/log/pacemaker/bundles/redis-bundle-2 Run restorecon: [root@controller-2 ~]# restorecon -Rv /var/log/pacemaker/bundles/ Relabeled /var/log/pacemaker/bundles/galera-bundle-2 from system_u:object_r:cluster_var_log_t:s0 to system_u:object_r:var_log_t:s0 .... 1) Manually remove the fcontexts by hand cat >undo.sh< --- local_settings.sh.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index e9d93cd..31a9ab3 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -92,7 +92,9 @@ set_file_contexts() fcontext -N -$1 -t swift_exec_t $BINDIR/swift-object-relinker fcontext -N -$1 -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\" fcontext -N -$1 -t ssh_home_t \"$SHAREDSTATEDIR/nova/.ssh(/.*)?\" - fcontext -N -$1 -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"" + fcontext -N -$1 -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\" + fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker\.log.*\" + fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker(/.*)?\"" echo "$INPUT" | $SBINDIR/semanage import -N } From 2ab4fae89fbdffa5b1a7c5bd95fba0c5296d3dfe Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Thu, 22 Aug 2019 13:19:47 -0400 Subject: [PATCH 115/192] local_settings: Fix file context addition on upgrade This is an order of magnitude slower than batching things, however, it fixes the issue where conflicts prevent new file context overrides from being loaded. 
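Review bot: The two fcontext lines added to `set_file_contexts` (the function begins outside this hunk) implement what the commit message calls a temporary workaround for rhbz#1712058, but nothing in the file says so, and the lines will outlive the selinux-policy fix. Add above them: `# Temporary (rhbz#1712058): drop once selinux-policy-targeted labels /var/log/pacemaker as cluster_var_log_t itself`. Note that the `\.` in `pacemaker\.log.*` reaches semanage intact only because INPUT is handed to `semanage import` as-is; any later change to how INPUT is consumed has to preserve that backslash.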
Signed-off-by: Lon Hohberger --- local_settings.sh.in | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 31a9ab3..75f4837 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -96,7 +96,15 @@ set_file_contexts() fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker\.log.*\" fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker(/.*)?\"" - echo "$INPUT" | $SBINDIR/semanage import -N + # Load these one by one so upgrades work properly. + # TODO (future): Make upgrades (only) do one by one; + # install/remove can do batches to save time. + while read; do + eval semanage $REPLY &> /dev/null + done < <(echo "$INPUT") + + # TODO (future): install/remove can do this to save time + # echo "$INPUT" | $SBINDIR/semanage import -N } From 1b8a97c1b2ccb4573cc4a38edee07545f5b26bef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 2 Sep 2019 15:51:40 +0200 Subject: [PATCH 116/192] Ensure SELinux type is correct for a couple of directories Until now, when the openstack-selinux package is updated, it will revert the content of /var/log/containers to var_log_t. This is breaking OpenStack, since containers bind-mount a specific directory and write their logs directly in it. For instance, "nova" will bind-mount /var/log/containers/nova in /var/log/nova, and write its logs directly, meaning we need to ensure the host directory type is set to svirt_sandbox_file_t. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1747948 --- local_settings.sh.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index e9d93cd..eee896e 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
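Review bot: `while read; do` lacks `-r`, so bash strips backslashes from each line before `eval`; the `pacemaker\.log.*` pattern two lines above therefore reaches semanage as `pacemaker.log.*`, where the dot is a wildcard (assuming INPUT is the double-quoted assignment closed on the preceding line, in which `\"` has already become a plain `"`). The loop also invokes a bare `semanage` where the replaced line used `$SBINDIR/semanage` — a PATH-dependent lookup in a script that runs as root — and `&> /dev/null` discards exactly the errors the commit message says were preventing contexts from loading. Suggested: `while read -r; do` and `eval "$SBINDIR/semanage $REPLY" || echo "semanage failed: $REPLY" >&2`. `eval` is acceptable here only because every line of INPUT is assembled from the script's own variables; that constraint deserves a comment so nobody later feeds it external input.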
@@ -85,6 +85,8 @@ set_file_contexts() fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log + fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers/(.*)?\" + fcontext -N -$1 -t var_log_t \"$LOCALSTATEDIR/log/containers(/haproxy)?\" fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" From 1a0588f6edbad764f119a5924b8e633e3aea10d0 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Mon, 2 Sep 2019 12:13:13 +0100 Subject: [PATCH 117/192] Add off-by-default boolean for barbican containers Resolves: rhbz#1732578 --- os-barbican.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/os-barbican.te b/os-barbican.te index 61917d5..689705e 100644 --- a/os-barbican.te +++ b/os-barbican.te @@ -2,9 +2,18 @@ policy_module(os-barbican,0.1) gen_require(` type container_t; + type initrc_t; type pki_common_t; ') # Bugzilla 1732578 allow container_t pki_common_t:dir read; exec_files_pattern(container_t, pki_common_t, pki_common_t); + +gen_tunable(os_barbican_write_pki, false) +tunable_policy(`os_barbican_write_pki',` + allow container_t initrc_t:unix_stream_socket connectto; + allow container_t pki_common_t:dir { add_name remove_name write }; + allow container_t pki_common_t:file { append create lock rename write }; + allow container_t pki_common_t:sock_file write; +') From 2d755c77002d82da0f8c413dbc366610c8aa74e2 Mon Sep 17 00:00:00 2001 
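Review bot: The `var_log_t` exception on the second added line only matches the `containers/haproxy` directory itself, while files written under it still match `containers/(.*)?` and get `container_file_t`, so the host-syslog-written HAProxy logs the message describes are only partly kept on `var_log_t`. Exempting the whole subtree would need `\"$LOCALSTATEDIR/log/containers/haproxy(/.*)?\"` and a first rule that does not swallow it, which these regexes cannot express cleanly; if exempting just the directory is the intent, a comment saying so would avoid confusion. set_file_contexts starts before this hunk.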
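Review bot: The new `os_barbican_write_pki` tunable carries no comment on when an operator should enable it or what it widens, and because `container_t` is shared by every container on the host, turning it on grants all containers write access to `pki_common_t` and `connectto` on `initrc_t` stream sockets, not only barbican. A comment above `gen_tunable`, such as `# rhbz#1732578: off by default; enabling lets every container_t process (not only barbican) write pki_common_t and connect to initrc_t sockets`, would record that trade-off next to the rule. The sibling commits in this series add an AVC sample under tests/ for each rule; none is added here, so if check_all only runs files under tests/ these rules are not exercised.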
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 4 Sep 2019 10:35:43 +0200 Subject: [PATCH 118/192] Drop HAProxy log exception Although the HAProxy logs are written by host syslog, there is no need to worry about syslog access permissions: f9b45cede356c0e09f78ffb8a3c01fb80b6aac36 introduced a new policy allowing syslogd_t to have full access on container_file_t files and directories. This patch is therefore more a cleanup and consistency work, in order to keep a clean tree. It should also speed up a bit, since applying labels take some time. --- local_settings.sh.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 31afb71..8c19c82 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -85,8 +85,7 @@ set_file_contexts() fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log - fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers/(.*)?\" - fcontext -N -$1 -t var_log_t \"$LOCALSTATEDIR/log/containers(/haproxy)?\" + fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers(/.*)?\" fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" From 5e46652dd0ea227cd3eef32a865e56f8c35554cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 4 Sep 2019 14:35:01 +0200 Subject: [PATCH 119/192] Allow logrotate to access and write within container_file_t OpenVSwitch service gets its logs written in /var/log/openvswitch, using container_file_t context. Although we allowed logrotate to read container_file_t with[1], it also wants to actually write in there, since the /var/log/openvswitch directory is under its control, from within the host directly. [1] https://review.opendev.org/669987 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727937 --- Makefile | 2 +- os-logrotate.te | 9 +++++++++ tests/bz1727937 | 4 ++++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 os-logrotate.te create mode 100644 tests/bz1727937 diff --git a/Makefile b/Makefile index 29b27db..1b0da74 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu os-logrotate MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-logrotate.te b/os-logrotate.te new file mode 100644 index 0000000..e39d60a --- /dev/null +++ b/os-logrotate.te @@ -0,0 +1,9 @@ +policy_module(os-logrotate,0.1) + +# Bugzilla 1727937 +gen_require(` + type logrotate_t; + type container_file_t; +') +manage_files_pattern(logrotate_t, container_file_t, container_file_t) +manage_dirs_pattern(logrotate_t, container_file_t, container_file_t) 
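Review bot: `manage_files_pattern`/`manage_dirs_pattern(logrotate_t, container_file_t, container_file_t)` grants logrotate create, delete and rename on every `container_file_t` path on the host, not just `/var/log/openvswitch`, because that type is shared by all container-owned volumes and SELinux rules cannot be scoped by path. If only the OVS log directory needs host-side rotation, giving that directory its own file context (via local_settings.sh.in) with a log type logrotate already manages would keep the grant narrow; otherwise a comment stating the host-wide scope would help the next reviewer. The AVC samples in tests/bz1727937 show only `read` and `write` on the directory, so the module grants considerably more than the recorded denials.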
diff --git a/tests/bz1727937 b/tests/bz1727937 new file mode 100644 index 0000000..50aed9e --- /dev/null +++ b/tests/bz1727937 @@ -0,0 +1,4 @@ +type=AVC msg=audit(1567480861.728:31696): avc: denied { write } for pid=683284 comm="logrotate" name="openvswitch" dev="sda2" ino=2881762 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1562508548.724:40): avc: denied { execute_no_trans } for pid=1212 comm="modprobe" path="/usr/bin/bash" dev="vda2" ino=4215568 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 +type=AVC msg=audit(1562513521.955:5768): avc: denied { read } for pid=54302 comm="logrotate" name="openvswitch" dev="vda2" ino=1012142 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 + From 17f259082cdd770e724eb34464efcc0873d13742 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Thu, 12 Sep 2019 09:18:34 +0100 Subject: [PATCH 120/192] Allow spc_t to create unlabeled_t keyrings This is already allowed in more recent versions of container-selinux (cf. commit 3b78187c). Resolves: rhbz#1751300 --- os-virt.te | 4 ++++ tests/bz1751300 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1751300 diff --git a/os-virt.te b/os-virt.te index 68180dc..44613d7 100644 --- a/os-virt.te +++ b/os-virt.te @@ -6,6 +6,7 @@ gen_require(` type virtlogd_t; type svirt_t; type spc_t; + type unlabeled_t; class dbus send_msg; class fifo_file write; class tun_socket attach_queue; @@ -29,3 +30,6 @@ tunable_policy(`os_virtlogd_use_nfs',` # Bugzilla 1642102 allow svirt_t spc_t:tun_socket attach_queue; + +# Bugzilla 1751300 +allow spc_t unlabeled_t:key manage_key_perms; diff --git a/tests/bz1751300 b/tests/bz1751300 new file mode 100644 index 0000000..9de2aa1 --- /dev/null +++ b/tests/bz1751300 
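Review bot: `allow spc_t unlabeled_t:key manage_key_perms;` grants the full key permission set while the recorded denial in tests/bz1751300 is only `create`; the commit message justifies this as matching later container-selinux, but the rule itself does not say so. A comment such as `# Bugzilla 1751300: mirrors container-selinux commit 3b78187c; drop once the base package ships it` would let a future cleanup remove the duplicate instead of letting it accumulate.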
@@ -0,0 +1 @@ +type=AVC msg=audit(1568239901.789:19443): avc: denied { create } for pid=186828 comm="runc:[2:INIT]" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=0 From c206a884df7b85e1bc4ce65f52ff148741c362d6 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Mon, 4 Nov 2019 18:30:51 +0100 Subject: [PATCH 121/192] Adds new policies for Octavia amphora with RHEL8.1 Resolves: rhbz#1765910 --- os-octavia.te | 8 +++++++- tests/bz1765910 | 6 ++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 tests/bz1765910 diff --git a/os-octavia.te b/os-octavia.te index 7798aec..3e709ed 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -18,6 +18,8 @@ gen_require(` type usermodehelper_t; type keepalived_exec_t; type unconfined_service_t; + type NetworkManager_t; + type tmpfs_t; class sock_file { create link rename setattr unlink write }; class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; @@ -60,7 +62,9 @@ allow keepalived_t keepalived_exec_t:file execute_no_trans; allow keepalived_t root_t:dir mounton; allow keepalived_t sysfs_t:filesystem { mount unmount }; allow keepalived_t user_tmp_t:dir mounton; -allow keepalived_t var_run_t:dir { create mounton }; +allow keepalived_t var_run_t:dir { create mounton rmdir }; +allow keepalived_t sysfs_t:dir mounton; +allow keepalived_t tmpfs_t:filesystem unmount; # Same access for haproxy_t allow haproxy_t bin_t:file { entrypoint execute }; @@ -75,6 +79,8 @@ allow haproxy_t etc_t:dir mounton; allow haproxy_t root_t:dir mounton; allow haproxy_t sysfs_t:filesystem { mount unmount }; allow haproxy_t user_tmp_t:dir mounton; +allow haproxy_t NetworkManager_t:file { open read }; +allow haproxy_t sysfs_t:dir mounton; kernel_read_fs_sysctls(ifconfig_t) diff --git a/tests/bz1765910 b/tests/bz1765910 new file mode 100644 index 0000000..ef12b0a --- /dev/null +++ b/tests/bz1765910 
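Review bot: `allow haproxy_t NetworkManager_t:file { open read };` is broader than the recorded denials: the AVCs in tests/bz1765910 show `ip` opening `net:[...]` on `nsfs`, a network-namespace handle owned by NetworkManager, but a `file` allow on a process type also covers, as far as I recall, the per-process entries under /proc that carry that label. A comment stating the intent, e.g. `# rhbz#1765910: ip netns opens a namespace handle owned by NetworkManager (nsfs); note this also exposes NetworkManager's /proc/<pid> files`, would at least document that. The `tmpfs_t:filesystem unmount` and `sysfs_t:dir mounton` additions likewise deserve a comment tying them to amphora namespace setup, since the surrounding block has no per-rule explanation.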
@@ -0,0 +1,6 @@ +type=AVC msg=audit(1572103537.454:113): avc: denied { read } for pid=1752 comm="ip" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1572103537.454:113): avc: denied { open } for pid=1752 comm="ip" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1572356953.842:84): avc: denied { mounton } for pid=4491 comm="ip" path="/sys" dev="vda1" ino=509 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 +type=AVC msg=audit(1572445298.403:73): avc: denied { mounton } for pid=4371 comm="ip" path="/sys" dev="vda1" ino=2097505 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1572445302.642:75): avc: denied { unmount } for pid=4376 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 +type=AVC msg=audit(1572445302.642:76): avc: denied { rmdir } for pid=4376 comm="keepalived" name="amphora-haproxy" dev="tmpfs" ino=30412 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 From 5020daf9926ea7e98d2f5fd791ecf47e3a97046c Mon Sep 17 00:00:00 2001 
From: Julie Pichon Date: Fri, 8 Nov 2019 11:25:55 +0000 Subject: [PATCH 122/192] Remove build-time warnings - libsepol.context_from_record: type openvswitch_load_module_t is not defined libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:system_r:openvswitch_load_module_t:s0 to sid Although openvswitch_load_module_t shows up in one of the tests, we don't actually do anything related to it and the type isn't defined anywhere in policy. This is handled by openvswitch-selinux-extra-policy. - os-neutron.te:72: Warning: seutil_exec_restorecon(neutron_t) has been deprecated, please use seutil_exec_setfiles() instead. seutil_exec_restorecon redirects straight to seutil_exec_setfiles [1] and has done so since 2007. The deprecation was already present in the selinux-policy shipped with RHEL 7.0 so using the new interface should be safe. [1] https://github.com/fedora-selinux/selinux-policy/blob/c8c08d777f/policy/modules/system/selinuxutil.if#L402-L405 --- os-neutron.te | 2 +- tests/bz1727937 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/os-neutron.te b/os-neutron.te index be32b9c..8bfba41 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -69,7 +69,7 @@ allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write }; ipsec_exec_mgmt(neutron_t) ipsec_manage_key_file(neutron_t) ipsec_read_config(neutron_t) -seutil_exec_restorecon(neutron_t) +seutil_exec_setfiles(neutron_t) # Bugzilla 1280083 allow neutron_t httpd_config_t:dir search; diff --git a/tests/bz1727937 b/tests/bz1727937 index 50aed9e..323113e 100644 --- a/tests/bz1727937 +++ b/tests/bz1727937 
@@ -1,4 +1,3 @@ type=AVC msg=audit(1567480861.728:31696): avc: denied { write } for pid=683284 comm="logrotate" name="openvswitch" dev="sda2" ino=2881762 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 -type=AVC msg=audit(1562508548.724:40): avc: denied { execute_no_trans } for pid=1212 comm="modprobe" path="/usr/bin/bash" dev="vda2" ino=4215568 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 type=AVC msg=audit(1562513521.955:5768): avc: denied { read } for pid=54302 comm="logrotate" name="openvswitch" dev="vda2" ino=1012142 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 From 1e92dfaf16239c39fe0a9cd712dad3a474b700e6 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 22 Nov 2019 13:22:52 +0000 Subject: [PATCH 123/192] Allow openvswitch_t to create container_file_t directories Resolves: rhbz#1772025 --- os-podman.te | 3 +++ tests/bz1772025 | 1 + 2 files changed, 4 insertions(+) create mode 100644 tests/bz1772025 diff --git a/os-podman.te b/os-podman.te index 1d0a43f..6c45c67 100644 --- a/os-podman.te +++ b/os-podman.te @@ -13,6 +13,9 @@ openvswitch_stream_connect(container_t) read_files_pattern(container_t, puppet_etc_t, puppet_etc_t) read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t) +# bugzilla #1772025 +allow openvswitch_t container_file_t:dir create; + manage_files_pattern(openvswitch_t, container_file_t, container_file_t) manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t) allow openvswitch_t self:capability net_broadcast; diff --git a/tests/bz1772025 b/tests/bz1772025 new file mode 100644 index 0000000..eba7dfd --- /dev/null +++ b/tests/bz1772025 
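Review bot: The comment `# bugzilla #1772025` departs from the `# Bugzilla NNNNNNN` form used elsewhere in this tree (for example `# Bugzilla 1642102` in os-virt.te earlier in this series), and the bug number is the only link between a rule and its sample under tests/, so keeping the form consistent matters. `create` is also granted alone while files and sock_files on `container_file_t` get full manage patterns; if that narrowness is deliberate, a short comment saying why only directory creation is needed would prevent it from being widened casually later.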
@@ -0,0 +1 @@ +type=AVC msg=audit(1573651690.514:4640): avc: denied { create } for pid=34421 comm="ovs-vswitchd" name="dpdk" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 From f3686f13f83ab9715db9ca9ea1ddf85d4f94f859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 27 Nov 2019 15:49:50 +0100 Subject: [PATCH 124/192] Allow certmonger to access puppet_etc_t content Certmonger is calling scripts in order to reload containers. Those scripts call hiera in order to get a bunch of parameters, and certmonger_t isn't allowed to search/open/read puppet_etc_file_t content. This issue has been described in the following rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1777263 --- Makefile | 2 +- os-certmonger.te | 10 ++++++++++ tests/bz1777263 | 3 +++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 os-certmonger.te create mode 100644 tests/bz1777263 diff --git a/Makefile b/Makefile index 1b0da74..4276e95 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu os-logrotate +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu os-logrotate os-certmonger MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-certmonger.te b/os-certmonger.te new file mode 100644 index 0000000..be7f0eb --- /dev/null +++ b/os-certmonger.te 
@@ -0,0 +1,10 @@ +policy_module(os-certmonger,0.1) + +gen_require(` + type certmonger_t; + type puppet_etc_t; + class dir {search}; +') +# rhbz#1777263 +allow certmonger_t puppet_etc_t:dir search; +read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t) diff --git a/tests/bz1777263 b/tests/bz1777263 new file mode 100644 index 0000000..866135d --- /dev/null +++ b/tests/bz1777263 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1574861307.690:5254): avc: denied { getattr } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1574861307.690:5255): avc: denied { read } for pid=25373 comm="ruby" name="hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1574861307.690:5255): avc: denied { open } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 From 8cd93366f5d96be5e419825a4cd22235ad60e083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Fri, 29 Nov 2019 15:39:29 +0100 Subject: [PATCH 125/192] Allow certmonger to actually manage containers Certmonger needs to run ps, exec and kill on containers in order to update the certificates used by the service within them. The following patch allow certmonger_t to "transition" to container_t and run the wanted commands. To my knowledge, we can't push example AVCs in the "test" directory because the transition is something the current test can't properly catch. This fixes rhbz#1777368 https://bugzilla.redhat.com/show_bug.cgi?id=1777368 Co-Authored-By: Julie Pichon --- os-certmonger.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/os-certmonger.te b/os-certmonger.te index be7f0eb..33e337c 100644 
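Review bot: `allow certmonger_t puppet_etc_t:dir search;` and the matching `class dir {search};` require duplicate what `read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t)` on the next line already grants (the interface covers directory search, as the os-podman.te comment later in this series also notes), so the explicit rule and the `class` require can be dropped. The AVCs in tests/bz1777263 show `getattr`/`read`/`open` on hiera.yaml, which the pattern alone satisfies. Since hieradata under `puppet_etc_t` may carry service credentials, a comment recording that read access is intentional and which consumer needs it (the reload scripts, per the commit message) would help the next reviewer.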
--- a/os-certmonger.te +++ b/os-certmonger.te @@ -8,3 +8,7 @@ gen_require(` # rhbz#1777263 allow certmonger_t puppet_etc_t:dir search; read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t) + +# rhbz#1777368 +container_runtime_domtrans(certmonger_t) +container_runtime_entrypoint(certmonger_t) From cc0060a8851e2ac7c639595954522f1420d29046 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Mon, 2 Dec 2019 09:37:05 +0000 Subject: [PATCH 126/192] Allow iptables to write to certmonger pipes Resolves: rhbz#1777738 --- os-certmonger.te | 4 ++++ tests/bz1777738 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz1777738 diff --git a/os-certmonger.te b/os-certmonger.te index 33e337c..6f6e3be 100644 --- a/os-certmonger.te +++ b/os-certmonger.te @@ -2,6 +2,7 @@ policy_module(os-certmonger,0.1) gen_require(` type certmonger_t; + type iptables_t; type puppet_etc_t; class dir {search}; ') @@ -12,3 +13,6 @@ read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t) # rhbz#1777368 container_runtime_domtrans(certmonger_t) container_runtime_entrypoint(certmonger_t) + +# rhbz#1777738 +write_fifo_files_pattern(iptables_t, certmonger_t, certmonger_t) diff --git a/tests/bz1777738 b/tests/bz1777738 new file mode 100644 index 0000000..3d7c9b4 --- /dev/null +++ b/tests/bz1777738 @@ -0,0 +1 @@ +type=AVC msg=audit(11/29/2019 14:32:51.557:32236) : avc: denied { write } for pid=205548 comm=iptables path=pipe:[1864791] dev="pipefs" ino=1864791 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1 From a0521ff0179c39f300665419f6b7753cf2286167 Mon Sep 17 00:00:00 2001 
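Review bot: `container_runtime_domtrans(certmonger_t)` transitions certmonger's child into the container runtime domain (per the interface name), not into `container_t` as the commit message says, and that domain is far more privileged than `certmonger_t`; the rule fits the stated need, but it turns certmonger's post-renewal hook scripts into a path from certmonger_t to the runtime domain. `container_runtime_entrypoint(certmonger_t)` is also unexplained: it marks the runtime executable as an entry point into certmonger_t, which the transition above does not require. Please expand the `# rhbz#1777368` comment to name the hook that runs the container runtime and to state why the entrypoint rule is needed, so it can be removed if that need disappears.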
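Review bot: `write_fifo_files_pattern(iptables_t, certmonger_t, certmonger_t)` is the usual fix for a child writing to a pipe inherited from its parent, but the rule comment gives only the bug number; `# rhbz#1777738: iptables run from certmonger hook scripts writes to the inherited stdout pipe` would make the relationship to the domtrans rules above it clear. The sample in tests/bz1777738 is in `ausearch -i` interpreted form (`audit(11/29/2019 14:32:51.557:32236)`, unquoted `comm=iptables`) while every other tests/ file in this series is in raw form; worth confirming that check_all parses both, otherwise this test records nothing.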
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 17 Dec 2019 13:17:42 +0100 Subject: [PATCH 127/192] Systemd needs to access container_file_t for side-cars Neutron "side-cars" containers are now managed by Systemd instead of in-container wrappers. Basically, Systemd is instructed to check a certain location and take action upon file creation|change|deletion. Since this "flag" is managed from within neutron container(s), Systemd must be allowed to go in there. Related: https://bugs.launchpad.net/tripleo/+bug/1853652 --- os-podman.te | 4 ++++ tests/lp1853652 | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 tests/lp1853652 diff --git a/os-podman.te b/os-podman.te index 6c45c67..628c19a 100644 --- a/os-podman.te +++ b/os-podman.te @@ -5,6 +5,7 @@ gen_require(` type openvswitch_t; type puppet_etc_t; type cluster_var_log_t; + type init_t; ') #============= container_t ============== miscfiles_read_generic_certs(container_t) @@ -23,3 +24,6 @@ allow openvswitch_t self:capability net_broadcast; # needed for HA containers manage_files_pattern(container_t, cluster_var_log_t, cluster_var_log_t); manage_dirs_pattern(container_t, cluster_var_log_t, cluster_var_log_t); + +# Needed for LP#1853652 +allow init_t container_file_t:file { execute execute_no_trans }; diff --git a/tests/lp1853652 b/tests/lp1853652 new file mode 100644 index 0000000..74c9040 --- /dev/null +++ b/tests/lp1853652 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1576568492.577:8193): avc: denied { execute } for pid=77376 comm="(sync)" name="sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1576568492.577:8193): avc: denied { execute_no_trans } for pid=77376 comm="(sync)" path="/var/lib/neutron/dhcp_dnsmasq/sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 + 
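Review bot: `allow init_t container_file_t:file { execute execute_no_trans };` lets systemd run any `container_file_t` file in the `init_t` domain without a transition, and `container_file_t` is precisely the label of content that containers are allowed to write. The effect is that a file placed in a bind-mounted volume by a compromised side-car (or any other container, since the type is shared) becomes executable as init_t, whereas the AVC sample in tests/lp1853652 shows the intended case is a single script, `/var/lib/neutron/dhcp_dnsmasq/sync`. A narrower option is to give that script its own file context (via local_settings.sh.in) with a type systemd may execute, or to transition into a confined domain instead of `execute_no_trans`; at minimum the `# Needed for LP#1853652` comment should spell out this exposure so it is revisited.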
From 00e8b1269a511ec465bcb64976297e7c85fb13bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 17 Dec 2019 14:27:53 +0100 Subject: [PATCH 128/192] Enable tests for issues coming from Launchpad --- Makefile | 2 +- tests/check_all | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 4276e95..f7bacad 100644 --- a/Makefile +++ b/Makefile @@ -70,7 +70,7 @@ install: # Install tests ${INSTALL} -d ${LOCALDIR}/tests - ${INSTALL} -m 0644 tests/bz* ${LOCALDIR}/tests + ${INSTALL} -m 0644 tests/bz* tests/lp* ${LOCALDIR}/tests ${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests # Install interfaces diff --git a/tests/check_all b/tests/check_all index fc1ce16..f6e4297 100755 --- a/tests/check_all +++ b/tests/check_all @@ -17,7 +17,7 @@ mkdir -p $TMP PWD=$(pwd) cd "$(dirname $0)" -TEST_FILES=$(/bin/ls -1 bz*) +TEST_FILES=$(/bin/ls -1 bz* lp*) TEST_INPUT=$TMP/input TEST_OUTPUT=$TMP/output TEST_FAIL=$TMP/failed_tests From 2f2c4235a35c02eb60ebab812428b53c1c09edf8 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Thu, 19 Dec 2019 11:47:47 +0000 Subject: [PATCH 129/192] Allow fowner/fsetid for openvswitch_t due to RuntimeDir changes Resolves rhbz#1778793 Related to rhbz#1759695 --- os-podman.te | 4 +++- tests/bz1778793 | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 tests/bz1778793 diff --git a/os-podman.te b/os-podman.te index 628c19a..46f875b 100644 --- a/os-podman.te +++ b/os-podman.te @@ -19,7 +19,9 @@ allow openvswitch_t container_file_t:dir create; manage_files_pattern(openvswitch_t, container_file_t, container_file_t) manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t) -allow openvswitch_t self:capability net_broadcast; + +# Bugzilla 1778793 +allow openvswitch_t self:capability { net_broadcast fowner fsetid }; # needed for HA containers manage_files_pattern(container_t, cluster_var_log_t, cluster_var_log_t); 
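Review bot: `TEST_FILES=$(/bin/ls -1 bz* lp*)` parses `ls` output and, if either glob matches nothing, passes the literal `bz*` or `lp*` to `ls`, which prints an error and the loop then sees a bogus file name; the hunk adds the second glob without guarding for that. Using the globs directly, e.g. `TEST_FILES="bz* lp*"` together with `shopt -s nullglob` earlier in the script, avoids both problems. The rest of check_all is outside this hunk, so I cannot tell whether nullglob is already set or how TEST_FILES is consumed.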
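Review bot: Folding `net_broadcast` into the `# Bugzilla 1778793` line loses the provenance of that capability, which was previously a separate rule with its own history, and these comments are how rules are matched to samples under tests/. Keep `net_broadcast` on its own line, or note in the comment that only `fowner fsetid` belong to 1778793.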
diff --git a/tests/bz1778793 b/tests/bz1778793 new file mode 100644 index 0000000..032a8ad --- /dev/null +++ b/tests/bz1778793 @@ -0,0 +1,2 @@ +type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fsetid } for pid=3137 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 +type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fowner } for pid=3137 comm=install capability=fowner scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 From b38f68052c35b18dc02635259604a70381d70b43 Mon Sep 17 00:00:00 2001 From: Lukas Steiner Date: Mon, 6 Jan 2020 16:36:51 +0100 Subject: [PATCH 130/192] Fix ping_exec_t access for keepalived_t --- os-keepalived.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/os-keepalived.te b/os-keepalived.te index 3b00519..18b8f81 100644 --- a/os-keepalived.te +++ b/os-keepalived.te @@ -14,7 +14,7 @@ gen_require(` type ifconfig_exec_t; type ifconfig_t; class filesystem getattr; - class process { signull sigkill setpgid }; + class process { signull sigkill setpgid setcap }; class capability { net_admin net_raw kill dac_override sys_admin }; class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint }; ') @@ -57,3 +57,7 @@ allow keepalived_t self:process setpgid; # Bugzilla #1434826 allow keepalived_t ifconfig_exec_t:file entrypoint; sysnet_domtrans_ifconfig(keepalived_t) + +# Bugzilla 1789068 +netutils_exec_ping(keepalived_t) +allow keepalived_t self:process setcap; From 9059e3690e0fa9db83663b3983031fe0f1f431a9 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Thu, 9 Jan 2020 14:47:13 +0000 Subject: [PATCH 131/192] Add tests for rhbz#1789068 Rules added with commit b38f6805/PR#54. --- tests/bz1789068 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 tests/bz1789068 
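Review bot: `netutils_exec_ping(keepalived_t)` runs ping inside `keepalived_t` without a domain transition, which is why `allow keepalived_t self:process setcap;` then has to be added; `netutils_domtrans_ping(keepalived_t)` would instead keep ping in its own confined domain and avoid widening keepalived's process permissions. If the in-domain exec is deliberate (for example because the transition interferes with the check script), a comment saying so next to `# Bugzilla 1789068` would stop the next reviewer from flipping it. The samples added in tests/bz1789068 later in this series show the `setcap` denial coming from `comm="ping"` in keepalived_t, which is consistent with the no-transition choice driving the extra permission.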
diff --git a/tests/bz1789068 b/tests/bz1789068 new file mode 100644 index 0000000..7dc41a4 --- /dev/null +++ b/tests/bz1789068 @@ -0,0 +1,6 @@ +type=AVC msg=audit(1578500356.540:5530): avc: denied { getattr } for pid=86851 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1578500356.540:5531): avc: denied { execute } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1578500356.540:5532): avc: denied { read } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1578500356.542:5533): avc: denied { open } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1578500356.542:5533): avc: denied { execute_no_trans } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1578500356.546:5534): avc: denied { setcap } for pid=86854 comm="ping" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1 From b6a9ca1e9d4c3dbe905e19e6a093d317a7fbd2e3 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 10 Jan 2020 15:46:02 +0000 Subject: [PATCH 132/192] Allow glance_api_t to get glance_var_lib_t filesystem attributes Resolves: rhbz#1789710 --- os-glance.te | 3 +++ tests/bz1789710 | 1 + 2 files changed, 4 insertions(+) create mode 100644 tests/bz1789710 
diff --git a/os-glance.te b/os-glance.te index 8ff15fd..a606bd6 100644 --- a/os-glance.te +++ b/os-glance.te @@ -87,3 +87,6 @@ tunable_policy(`os_glance_use_nfs',` fs_manage_nfs_symlinks(glance_domain) fs_exec_nfs_files(glance_domain) ') + +# Bugzilla 1789710 +allow glance_api_t glance_var_lib_t:filesystem getattr; diff --git a/tests/bz1789710 b/tests/bz1789710 new file mode 100644 index 0000000..7cd6e68 --- /dev/null +++ b/tests/bz1789710 @@ -0,0 +1 @@ +type=AVC msg=audit(1578626829.434:88494): avc: denied { getattr } for pid=981968 comm="glance-api" name="/" dev="0:46" ino=289429476 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=filesystem permissive=0 From a777f20f3c6e2efe1f981f1a70bc06b50859873f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 13 Jan 2020 16:37:20 +0100 Subject: [PATCH 133/192] Revert "Sensu: Allow containers to connect to systemd sockets" This reverts commit 66e8a6f7313b5fbe9954396960e05f35f62c4e5c. The added policy created a security risk where a compromised container could stop services with a crafted DBus call. --- Makefile | 2 +- os-sensu.te | 11 ----------- tests/bz1738134 | 2 -- 3 files changed, 1 insertion(+), 14 deletions(-) delete mode 100644 os-sensu.te delete mode 100644 tests/bz1738134 diff --git a/Makefile b/Makefile index f7bacad..520f3f8 100644 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,4 @@ -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu os-logrotate os-certmonger +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/os-sensu.te b/os-sensu.te deleted file mode 100644 index 8ed392b..0000000 --- a/os-sensu.te +++ /dev/null @@ -1,11 +0,0 @@ -policy_module(os-sensu,0.1) - -gen_require(` - type container_t; - type init_t; - type system_dbusd_t; -') - -# Bugzilla 1738134 -allow container_t init_t:unix_stream_socket connectto; -allow container_t system_dbusd_t:unix_stream_socket connectto; diff --git a/tests/bz1738134 b/tests/bz1738134 deleted file mode 100644 index fded820..0000000 --- a/tests/bz1738134 +++ /dev/null @@ -1,2 +0,0 @@ -type=AVC msg=audit(1565094042.901:130455): avc: denied { connectto } for pid=812858 comm="systemctl" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c400,c976 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 -type=AVC msg=audit(1565098666.014:137948): avc: denied { connectto } for pid=219615 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:container_t:s0:c104,c864 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1 From e435a175c34e66f7257d27e497a1550a8c0f704a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 28 Jan 2020 13:41:52 +0100 Subject: [PATCH 134/192] Ensure fcontext has a rule for /var/lib/config-data Currently, running a restorecon on the system will change the selinux type for /var/lib/config-data. This change might break an on-going deploy or even running containers at some point. --- local_settings.sh.in | 1 + 1 file changed, 1 insertion(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index 8c19c82..7d41262 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -86,6 +86,7 @@ set_file_contexts() fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers(/.*)?\" + fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/config-data(/.*)?\" fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\" From fa7947ab03fa51fc5810ceaeb7d1dcf9ab4873c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 24 Feb 2020 16:57:41 +0100 Subject: [PATCH 135/192] The read_file_pattern doesn't allow "read" on directory Closes-Bug: lp#1864501 --- os-podman.te | 2 ++ tests/lp1864501 | 1 + 2 files changed, 3 insertions(+) create mode 100644 tests/lp1864501 diff --git a/os-podman.te b/os-podman.te index 46f875b..65ffbba 100644 --- a/os-podman.te +++ b/os-podman.te @@ -13,6 +13,8 @@ openvswitch_stream_connect(container_t) # for posterity: read_files_pattern includes dir accesses read_files_pattern(container_t, puppet_etc_t, puppet_etc_t) read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t) +# but read_files_pattern does not allow "read" on tclass=dir +allow container_t puppet_etc_t:dir { read }; # bugzilla #1772025 allow openvswitch_t container_file_t:dir create; 
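Review bot: Labeling `$LOCALSTATEDIR/lib/config-data(/.*)?` as `container_file_t` makes the rendered service configuration under it writable by `container_t`, subject only to MCS separation; presumably that is already the state running containers rely on through bind-mount relabeling, so the rule makes `restorecon` agree with it rather than adding access. A comment in the list noting that this directory holds generated configuration and that the label is intentional would stop a future reader from treating it as a mistake. set_file_contexts starts before this hunk.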
diff --git a/tests/lp1864501 b/tests/lp1864501 new file mode 100644 index 0000000..1210689 --- /dev/null +++ b/tests/lp1864501 @@ -0,0 +1 @@ +type=AVC msg=audit(1582559167.088:1893): avc: denied { read } for pid=39502 comm="ls" name="puppet" dev="sda1" ino=113293470 scontext=system_u:system_r:container_t:s0:c390,c595 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 From 617734f2f7c034bc5fb398f455929ab9e707d143 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Mon, 9 Mar 2020 11:18:32 +0000 Subject: [PATCH 136/192] Additional rules to help with rabbitmq log rotation Resolves: rhbz#1650046 --- os-rabbitmq.te | 7 +++++++ tests/bz1650046 | 3 +++ 2 files changed, 10 insertions(+) create mode 100644 tests/bz1650046 diff --git a/os-rabbitmq.te b/os-rabbitmq.te index e2de7b9..67b75bf 100644 --- a/os-rabbitmq.te +++ b/os-rabbitmq.te @@ -4,8 +4,10 @@ gen_require(` type epmd_port_t; type init_tmp_t; type logrotate_t; + type proc_net_t; type rabbitmq_epmd_t; type rabbitmq_port_t; + type rabbitmq_t; type rabbitmq_var_lib_t; type security_t; class dir { read write }; @@ -25,3 +27,8 @@ allow logrotate_t rabbitmq_var_lib_t:dir { read write }; allow logrotate_t rabbitmq_var_lib_t:file { getattr open read }; allow logrotate_t security_t:security compute_av; allow logrotate_t self:passwd passwd; + +# Bugzilla 1650046 +allow logrotate_t proc_net_t:file read; +allow logrotate_t self:process setrlimit; +allow rabbitmq_t proc_net_t:file read; diff --git a/tests/bz1650046 b/tests/bz1650046 new file mode 100644 index 0000000..015fe8e --- /dev/null +++ b/tests/bz1650046 
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1583112189.890:19129): avc: denied { read } for pid=13620 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1583136605.180:19713): avc: denied { setrlimit } for pid=20488 comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process permissive=1
+type=AVC msg=audit(1583136606.388:19715): avc: denied { read } for pid=20640 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
From 0d05e7cd811f8f739c4d8e386038fc0eca057e4b Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Thu, 2 Apr 2020 15:49:04 +0200
Subject: [PATCH 137/192] Cinder in WSGI needs to create dir in statedir
---
os-cinder.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/os-cinder.te b/os-cinder.te
index f727be2..21a36aa 100644
--- a/os-cinder.te
+++ b/os-cinder.te
@@ -5,9 +5,10 @@ gen_require(`
type cinder_backup_t;
type systemd_logind_t;
type cinder_volume_t;
+ type cinder_var_lib_t;
type httpd_t;
class file { open create };
- class dir { add_name write };
+ class dir { add_name write create };
class dbus { send_msg };
attribute cinder_domain;
')
@@ -16,6 +17,10 @@ gen_require(`
allow httpd_t cinder_log_t:file { open create };
allow httpd_t cinder_log_t:dir { add_name write };
+# Cinder in WSGI needs to create directory
+# See https://review.rdoproject.org/r/#/c/26194/
+allow httpd_t cinder_var_lib_t:dir { add_name write create };
+
# Bugzilla 1384472
iscsid_domtrans(cinder_backup_t);
From 386b429d8c78c37cd9941d4cd9db7b8ccd52bf08 Mon Sep 17 00:00:00 2001
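Review bot: `allow httpd_t cinder_var_lib_t:dir { add_name write create };` grants every process in `httpd_t` — all WSGI applications on the host, not just cinder-api — the right to write into cinder's state directory, with nothing scoping it to deployments that actually run cinder under httpd. This module set already gates optional grants behind booleans (`os_neutron_use_execmem` in os-neutron.te appears as context elsewhere on this page), so `gen_tunable(os_cinder_httpd_var_lib, false)` with the rule inside `tunable_policy` would keep the default tight. If it stays unconditional, the comment should at least name the WSGI deployment that requires it so the grant can be reconsidered later.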
From: Julie Pichon Date: Fri, 3 Apr 2020 10:06:07 +0100 Subject: [PATCH 138/192] Tests for Cinder WSGI denials (rhbz#1820504) --- os-cinder.te | 3 +-- tests/bz1820504 | 3 +++ 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 tests/bz1820504 diff --git a/os-cinder.te b/os-cinder.te index 21a36aa..52d9883 100644 --- a/os-cinder.te +++ b/os-cinder.te @@ -17,8 +17,7 @@ gen_require(` allow httpd_t cinder_log_t:file { open create }; allow httpd_t cinder_log_t:dir { add_name write }; -# Cinder in WSGI needs to create directory -# See https://review.rdoproject.org/r/#/c/26194/ +# Bugzilla 1820504 allow httpd_t cinder_var_lib_t:dir { add_name write create }; # Bugzilla 1384472 diff --git a/tests/bz1820504 b/tests/bz1820504 new file mode 100644 index 0000000..c15524e --- /dev/null +++ b/tests/bz1820504 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1585843550.178:7813550): avc: denied { add_name } for pid=3306876 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir +type=AVC msg=audit(1585843799.707:7814032): avc: denied { write } for pid=3306876 comm="httpd" name="cinder" dev="dm-0" ino=1230986 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir +type=AVC msg=audit(1585843767.395:7814013): avc: denied { create } for pid=3306875 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir From d68977569f0adbb2fee6a40feec1d952f3cf6c6f Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 24 Apr 2020 11:30:18 +0200 Subject: [PATCH 139/192] Allow httpd to handle files in cinder statedir The statedir is used for locking files during operations such as managing volume attachments. --- os-cinder.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/os-cinder.te b/os-cinder.te index 52d9883..54d4a79 100644 --- a/os-cinder.te +++ b/os-cinder.te 
@@ -7,7 +7,7 @@ gen_require(`
type cinder_volume_t;
type cinder_var_lib_t;
type httpd_t;
- class file { open create };
+ class file { open create append getattr lock };
class dir { add_name write create };
class dbus { send_msg };
attribute cinder_domain;
@@ -20,6 +20,9 @@ allow httpd_t cinder_log_t:dir { add_name write };
# Bugzilla 1820504
allow httpd_t cinder_var_lib_t:dir { add_name write create };
+# Allow httpd to handle files in statedir
+allow httpd_t cinder_var_lib_t:file { open create append getattr lock };
+
# Bugzilla 1384472
iscsid_domtrans(cinder_backup_t);
From 33007469f17225b5eec9c081cfbf6bff31aa3875 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Fri, 24 Apr 2020 13:17:42 +0100
Subject: [PATCH 140/192] Tests for cinder_var_lib_t file denials
---
tests/bz1820504 | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/bz1820504 b/tests/bz1820504
index c15524e..ca46c1a 100644
--- a/tests/bz1820504
+++ b/tests/bz1820504
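Review bot: The file grant `{ open create append getattr lock }` on `cinder_var_lib_t` covers exactly the AVCs collected so far; the paths in the follow-up fixture (`/var/lib/cinder/cinder-attachment_update-<uuid>-`) are lock files, and removing or rewriting them needs `unlink`/`write` on the file plus `remove_name` on the directory, none of which is granted here. If those AVCs were captured in enforcing mode, later denials were masked by the first one, so a permissive run through a full attach/detach cycle should confirm the set before this lands; the `class file { ... }` require list in the first hunk will need the same additions. The comment `# Allow httpd to handle files in statedir` would be more useful as `# Bugzilla 1820504: cinder-api under httpd uses oslo lock files in cinder_var_lib_t`, hedged on what the deployment confirms.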
@@ -1,3 +1,8 @@ type=AVC msg=audit(1585843550.178:7813550): avc: denied { add_name } for pid=3306876 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir type=AVC msg=audit(1585843799.707:7814032): avc: denied { write } for pid=3306876 comm="httpd" name="cinder" dev="dm-0" ino=1230986 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir type=AVC msg=audit(1585843767.395:7814013): avc: denied { create } for pid=3306875 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir + + +type=AVC msg=audit(1587719480.723:9252596): avc: denied { append open } for pid=3907385 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-b3b103ae-78a6-424f-b406-642d177c6c20-" dev="dm-0" ino=135032832 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file +type=AVC msg=audit(1587719779.203:2939539): avc: denied { getattr } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file +type=AVC msg=audit(1587720082.812:2942608): avc: denied { lock } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file From a2255baf6f51bf50b9f9b02b08f2408182f64277 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Mon, 15 Jun 2020 09:38:20 +0200 Subject: [PATCH 141/192] Allow neutron_t exec on neutron_exec_t When running on CentOS 8 the openvswitch daemon cannot spawn the rootwrap daemon. --- os-neutron.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/os-neutron.te b/os-neutron.te index 8bfba41..06b2b16 100644 
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -4,6 +4,7 @@ gen_require(`
type neutron_t;
type neutron_var_lib_t;
type neutron_tmp_t;
+ type neutron_exec_t;
type haproxy_exec_t;
type haproxy_t;
type httpd_config_t;
@@ -45,6 +46,7 @@ neutron_domtrans(keepalived_t)
# Bugzilla 1169859 & 1171460 & 1171458
can_exec(neutron_t,neutron_var_lib_t)
+can_exec(neutron_t,neutron_exec_t)
keepalived_domtrans(neutron_t)
allow neutron_t self:netlink_socket { bind create getattr };
From 137ecf6876f60271e8739c996f15ec5064d03008 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Mon, 15 Jun 2020 14:38:17 +0100
Subject: [PATCH 142/192] Tests for PR#62
Resolves: rhbz#1847037
---
tests/bz1847037 | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 tests/bz1847037
diff --git a/tests/bz1847037 b/tests/bz1847037
new file mode 100644
index 0000000..3a911c4
--- /dev/null
+++ b/tests/bz1847037
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1592206154.561:5419): avc: denied { execute_no_trans } for pid=3827 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1592206157.680:5438): avc: denied { execute_no_trans } for pid=3860 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0
From 8fd961d88a6895645897385e147cf4007ff6f96a Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Thu, 25 Jun 2020 11:27:45 +0200
Subject: [PATCH 143/192] Add dac_override capability to neutron_t
The dac_override capability is required when spawning the privsep-helper. It's spawned by neutron-rootwrap which in itself is executed by sudo. Bugzilla #1850973
---
os-neutron.te | 5 +++--
tests/bz1850973 | 1 +
2 files changed, 4 insertions(+), 2 deletions(-)
create mode 100644 tests/bz1850973
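Review bot: The new `can_exec(neutron_t,neutron_exec_t)` lands under the comment `# Bugzilla 1169859 & 1171460 & 1171458`, which belongs to the `neutron_var_lib_t` rule above it; it deserves its own line, e.g. `# Bugzilla 1847037: sudo in neutron_t execs neutron-rootwrap-daemon with no transition`. The commit message blames the openvswitch daemon, but the AVCs in tests/bz1847037 show `scontext=system_u:system_r:neutron_t` with `comm="sudo"`, so what fails is the neutron agent's sudo call rather than anything in `openvswitch_t`; aligning the description with the evidence avoids a misleading trail. The rule itself matches the denial — `can_exec` grants `execute_no_trans` on the domain's own entry-point type — so no change to the grant is suggested.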
diff --git a/os-neutron.te b/os-neutron.te
index 06b2b16..3ce4fd4 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -20,6 +20,7 @@ gen_require(`
type nsfs_t;
class capability setpcap;
class capability setpgid;
+ class capability dac_override;
class key_socket { write read create };
class netlink_xfrm_socket { bind create nlmsg_write };
class process signal;
@@ -62,10 +63,10 @@ allow neutron_t http_port_t:tcp_socket name_bind;
# Bugzilla 1230900
manage_sock_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-# Bugzilla 1245846
+# Bugzilla 1245846 & 1850973
allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
allow neutron_t modules_object_t:file getattr;
-allow neutron_t self:capability setpcap;
+allow neutron_t self:capability { setpcap dac_override };
allow neutron_t self:key_socket { write read create };
allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
ipsec_exec_mgmt(neutron_t)
diff --git a/tests/bz1850973 b/tests/bz1850973
new file mode 100644
index 0000000..6de8b2c
--- /dev/null
+++ b/tests/bz1850973
@@ -0,0 +1 @@
+type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } for pid=91081 comm="privsep-helper" capability=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0
From 0b62b003f99217d63d9b4eeff25699b418e2a02f Mon Sep 17 00:00:00 2001
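Review bot: `dac_override` lets `neutron_t` bypass every DAC permission check on the host, and a denial for it from `privsep-helper` usually means the helper touched a file owned by another user with a restrictive mode; fixing that file's ownership or mode is the preferred remedy, and if the grant stays the comment should record which file forced it rather than only the bug number. `os-neutron.te` already has a boolean pattern (`tunable_policy(`os_neutron_use_execmem',` appears as context in a later hunk on this page), so gating this grant the same way would keep the default policy tight. Style: the gen_require block now carries three separate `class capability ...;` lines; `class capability { setpcap dac_override };` is the usual single declaration.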
From: Emilien Macchi
Date: Thu, 25 Jun 2020 10:53:15 -0400
Subject: [PATCH 144/192] local_settings.sh.in: add container_file_t context to /var/lib/tripleo-config
We have been managing the container_file_t context for /var/lib/tripleo-config directory via Ansible until now; but this is an expensive and risky operation as we rely on another framework. It would be much simpler for to just use openstack-selinux like we already do for other directories (e.g. /var/lib/config-data); so this patch aims to do it. /var/lib/tripleo-config is a directory which contains tripleo containers configuration files and it needs this context to operate when SElinux is enforcing.
---
local_settings.sh.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/local_settings.sh.in b/local_settings.sh.in
index 7d41262..d099e0b 100644
--- a/local_settings.sh.in
+++ b/local_settings.sh.in
@@ -87,6 +87,7 @@ set_file_contexts()
fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log
fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers(/.*)?\"
fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/config-data(/.*)?\"
+ fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/tripleo-config(/.*)?\"
fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon
fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent
fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\"
From 9460342f3e5a7214bd05b9cfa73a1896478d8785 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Fri, 26 Jun 2020 14:18:53 +0200
Subject: [PATCH 145/192] Add tuneable dnsmasq_t needs dac_override boolean
---
os-dnsmasq.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/os-dnsmasq.te b/os-dnsmasq.te
index abdfb3b..85bbb8c 100644
--- a/os-dnsmasq.te
+++ b/os-dnsmasq.te
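Review bot: The new `$LOCALSTATEDIR/lib/tripleo-config(/.*)?` spec is applied by the `set_file_contexts` loop with `semanage fcontext -a` and all output discarded (`eval semanage $REPLY &> /dev/null`, visible in the removed code later on this page); if the Ansible-managed path this replaces had already registered the same spec as a local customization, `-a` fails with "already defined" and the failure is silent, leaving the old type in force. Checking `semanage fcontext -Cl` for an existing entry and using `-m` in that case would make the handover explicit. Independently, the `relabel_files` setfiles list of this version does not include `$LOCALSTATEDIR/lib`, so an existing tripleo-config tree is not relabelled on install and still needs `restorecon -R /var/lib/tripleo-config`, which the commit message's "needs this context to operate when SElinux is enforcing" implies it should get.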
@@ -4,9 +4,14 @@ gen_require(`
type var_lib_t;
type dnsmasq_t;
class file manage_file_perms;
+ class capability dac_override;
')
# bug 1568993
# dnsmasq_t can already create/delete var_lib_t directories
allow dnsmasq_t var_lib_t:file manage_file_perms;
+gen_tunable(os_dnsmasq_dac_override, false)
+tunable_policy(`os_dnsmasq_dac_override',`
+ allow dnsmasq_t self:capability { dac_override };
+')
From 9cfdb0f0aa681d57ca52948f632ce679d9e1f465 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Mon, 29 Jun 2020 13:41:14 +0100
Subject: [PATCH 146/192] Move Neutron dac_override rule to a boolean
---
os-neutron.te | 10 ++++++++--
tests/bz1850973 | 1 -
2 files changed, 8 insertions(+), 3 deletions(-)
delete mode 100644 tests/bz1850973
diff --git a/os-neutron.te b/os-neutron.te
index 3ce4fd4..80eee5a 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -63,10 +63,10 @@ allow neutron_t http_port_t:tcp_socket name_bind;
# Bugzilla 1230900
manage_sock_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-# Bugzilla 1245846 & 1850973
+# Bugzilla 1245846
allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
allow neutron_t modules_object_t:file getattr;
-allow neutron_t self:capability { setpcap dac_override };
+allow neutron_t self:capability { setpcap };
allow neutron_t self:key_socket { write read create };
allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
ipsec_exec_mgmt(neutron_t)
@@ -74,6 +74,12 @@ ipsec_manage_key_file(neutron_t)
ipsec_read_config(neutron_t)
seutil_exec_setfiles(neutron_t)
+# Bugzilla 1850973
+gen_tunable(os_neutron_dac_override, false)
+tunable_policy(`os_neutron_dac_override',`
+ allow neutron_t self:capability { dac_override };
+')
+
# Bugzilla 1280083
allow neutron_t httpd_config_t:dir search;
diff --git a/tests/bz1850973 b/tests/bz1850973
deleted file mode 100644
index 6de8b2c..0000000
--- a/tests/bz1850973
+++ /dev/null
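Review bot: The new `os_dnsmasq_dac_override` tunable has no description and no comment saying which dnsmasq operation needs `dac_override` or why it defaults to off; refpolicy tunables normally carry a `## <desc><p>...</p></desc>` block immediately before `gen_tunable` so the boolean can be documented, and without it operators only see the name. A short comment such as `# dnsmasq may need to bypass DAC checks on files it does not own; off by default, enable with: setsebool -P os_dnsmasq_dac_override 1` would cover both. As with any `dac_override` grant, the usual root cause is a file owned by another user with a restrictive mode, which is worth noting in the comment so the boolean is a last resort rather than the first fix.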
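Review bot: With `gen_tunable(os_neutron_dac_override, false)` the denial recorded for bz1850973 returns on every default installation, and the same commit deletes the fixture that documented it, so nothing in the tree now says that `setsebool -P os_neutron_dac_override 1` is required for the privsep-helper case. Extending the comment to `# Bugzilla 1850973: privsep-helper needs dac_override; disabled by default, enable with: setsebool -P os_neutron_dac_override 1` preserves that knowledge, and keeping the fixture under a path the test runner skips would keep the evidence too. A `## <desc>` block before the tunable would also let the boolean be described alongside the base-policy ones.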
@@ -1 +0,0 @@
-type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } for pid=91081 comm="privsep-helper" capability=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0
From f6ad869bb125b8a1834f62bfa1aeffe2a10ef504 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Thu, 3 Sep 2020 18:53:11 +0100
Subject: [PATCH 147/192] Allow timemaster/ptp4l_t to create sockets
Resolves: rhbz#1872651
---
Makefile | 2 +-
os-timemaster.te | 9 +++++++++
tests/bz1872651 | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 os-timemaster.te
create mode 100644 tests/bz1872651
diff --git a/Makefile b/Makefile
index 520f3f8..42c6ab4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster
MODULES?=${TARGETS:=.pp.bz2}
DATADIR?=/usr/share
LOCALDIR?=/usr/share/openstack-selinux/master
diff --git a/os-timemaster.te b/os-timemaster.te
new file mode 100644
index 0000000..542cd6e
--- /dev/null
+++ b/os-timemaster.te
@@ -0,0 +1,9 @@
+policy_module(os-timemaster,0.1)
+
+gen_require(`
+ type ptp4l_t;
+')
+
+# Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too.
+allow ptp4l_t self:capability sys_admin;
+allow ptp4l_t self:packet_socket create_socket_perms;
diff --git a/tests/bz1872651 b/tests/bz1872651
new file mode 100644
index 0000000..7c0cfba
--- /dev/null
+++ b/tests/bz1872651
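Review bot: `allow ptp4l_t self:capability sys_admin;` is the broadest capability grant in this series and the comment does not say which operation needs it; the fixture shows the `sys_admin` denial logged in the same second as the `packet_socket setopt` denial, which suggests a socket option, but that is inference and should be confirmed and written down. Replacing `We need this for 8.2 too` with the concrete condition, e.g. `# Temporary: needed until the selinux-policy build carrying the fix for RHEL bug 1759214 is available on the target release`, lets the module be dropped once the base policy catches up. The `create_socket_perms` grant on `packet_socket` matches the `create`/`bind`/`setopt`/`ioctl` denials in tests/bz1872651, so that part is consistent with the evidence.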
@@ -0,0 +1,5 @@ +type=AVC msg=audit(1598898583.306:659): avc: denied { sys_admin } for pid=2595 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permiss +type=AVC msg=audit(1598898583.306:658): avc: denied { setopt } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 +type=AVC msg=audit(1598898583.298:657): avc: denied { bind } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 +type=AVC msg=audit(1598898583.298:656): avc: denied { ioctl } for pid=2595 comm="ptp4l" path="socket:[186527]" dev="sockfs" ino=186527 ioctlcmd=0x8933 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:s +type=AVC msg=audit(1598898583.298:655): avc: denied { create } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 From 353fee3f00a6928a20862a62f941de820e5b95a3 Mon Sep 17 00:00:00 2001 
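Review bot: Two of the five AVC lines in this fixture are truncated — the first ends at `permiss` and the fourth at `tcontext=system_u:s` — so their `tcontext`/`tclass`/`permissive` fields are missing. If the test harness parses those fields (every other fixture on this page carries a complete `tclass=... permissive=N` tail), the two lines covering the `sys_admin` and `ioctl` denials will be skipped or misparsed, leaving a silent gap; re-pasting the full audit records from the bug fixes it.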
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Thu, 23 Jul 2020 13:55:52 +0200 Subject: [PATCH 148/192] Attempt to be smarter with fcontext during updates fcontext is a slow process, we shouldn't re-apply everything without any check on the existing rules. This patch attempts to introduce some smart fcontext management, checking what we have and what we want. All the magic is possible thanks to associative arrays, and some string manipulations on `semanage fcontext -Cl' output. This command gets all the custom rules present on the system - we therefore just need to do some filtering in order to keep the rules we actually want. This patch also avoids some useless repetition - since we're using the same file list in multiple methods, this avoids mistakes, wrong copy-paste, or just a "whoops, I didn't see I had to add this file in two places". On the performance side, this won't change anything for the first install, but it will make updates faster, since only the needed fcontext calls will be done. --- local_settings.sh.in | 163 ++++++++++++++++++++++++++----------------- 1 file changed, 98 insertions(+), 65 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index d099e0b..9c4efd0 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in
@@ -16,6 +16,56 @@ MODULES=${MODULES:-@MODULES@}
# See bug for bug #1560019 for more information.
declare -A file_modes
+# This associative array ("dict", "map", "hash") holds ALL the specific
+# location with specific fcontext settings.
+declare -A custom_fcontext=(
+["$SHAREDSTATEDIR/designate/bind9(/.*)?"]='named_zone_t'
+["$SHAREDSTATEDIR/vhost_sockets(/.*)?"]='virt_cache_t'
+["$SHAREDSTATEDIR/openstack-dashboard"]='httpd_var_lib_t'
+["$SHAREDSTATEDIR/mongodb(/.*)?"]='mongod_var_lib_t'
+["$LOCALSTATEDIR/log/gnocchi/app.log"]='httpd_log_t'
+["$LOCALSTATEDIR/log/aodh/app.log"]='httpd_log_t'
+["$LOCALSTATEDIR/log/ceilometer/app.log"]='httpd_log_t'
+["$LOCALSTATEDIR/log/panko/app.log"]='httpd_log_t'
+["$LOCALSTATEDIR/log/zaqar/zaqar.log"]='httpd_log_t'
+["$LOCALSTATEDIR/log/containers(/.*)?"]='container_file_t'
+["$LOCALSTATEDIR/lib/config-data(/.*)?"]='container_file_t'
+["$LOCALSTATEDIR/lib/tripleo-config(/.*)?"]='container_file_t'
+["$BINDIR/neutron-rootwrap-daemon"]='neutron_exec_t'
+["$BINDIR/neutron-vpn-agent"]='neutron_exec_t'
+["$LOCALSTATEDIR/cache/swift(/.*)"]='swift_var_cache_t'
+["$BINDIR/swift-object-reconstructor"]='swift_exec_t'
+["$BINDIR/swift-object-relinker"]='swift_exec_t'
+["${ROOTDIR}httpboot(/.*)?"]='httpd_sys_content_t'
+["$SHAREDSTATEDIR/nova/.ssh(/.*)?"]='ssh_home_t'
+["${ROOTDIR}tftpboot(/.*)?"]='tftpdir_t'
+["$LOCALSTATEDIR/log/pacemaker.log.*"]='cluster_var_log_t'
+["$LOCALSTATEDIR/log/pacemaker(/.*)?"]='cluster_var_log_t'
+)
+
+# This associative array ("dict", "map", "hash") will holds all the current
+# custom fcontext settings
+declare -A existing_custom_fcontext
+
+# This associative array ("dict", "map", "hash") will holds all the differences
+# we have between existing custom fcontext, and what we really want.
+# It will be used in different methods in this script.
+declare -A diff_fcontext
+
+# Let's populate the existing_custom_fcontext
+for l in $(semanage fcontext -Cln | awk -F '[: ]+' '{print $1";"$6}'); do
+ existing_custom_fcontext+=([$(echo $l|cut -d ';' -f1)]=$(echo $l|cut -d ';' -f2))
+done
+
+# Let's populate the diff_fcontext
+for i in "${!custom_fcontext[@]}"; do
+ if [[ ! -v existing_custom_fcontext["$i"] ]]; then
+ diff_fcontext+=([$i]=${custom_fcontext[$i]})
+ elif [[ ${existing_custom_fcontext["$i"]} != "${custom_fcontext[$i]}" ]]; then
+ diff_fcontext+=([$i]=${custom_fcontext[$i]})
+ fi
+done
+
do_echo() {
if [ $QUIET -eq 0 ]; then
return
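Review bot: `[[ ! -v existing_custom_fcontext["$i"] ]]` depends on `-v` accepting an array subscript, which needs bash 4.3 or later; if this script must also run on EL7 (bash 4.2), the test never matches and every spec is treated as missing, which silently reverts to re-adding everything. The `for l in $(semanage fcontext -Cln | awk ...)` loop also runs at source time with no error handling, so a failing `semanage` just yields an empty map with the same effect; a guard such as `|| do_echo "Warning: could not list local fcontext rules"` would at least surface it. Worth a comment on the awk line too: `-Cln` emits equivalence rules (`/a = /b`) whose sixth field is empty, so those entries land in the map with an empty type — harmless for the diff as written, but not obvious from the code.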
@@ -23,38 +73,40 @@ do_echo() {
echo $*
}
+function get_clean_name() {
+ if [[ "${1}" =~ '(' ]]; then
+ echo "$1" | cut -d '(' -f1
+ else
+ echo $1
+ fi
+}
-relabel_files()
-{
- local opts=""
-
- do_echo "Relabeling files..."
- if [ $QUIET -ne 0 ]; then
- opts="-v"
- fi
-
- # Setfiles is a lot like restorecon, except it takes a policy
- # on-disk instead of looking at the kernel-loaded policy
- # So, it works inside of image builds.
- #
- # At a minimum, we need a line for each entry we have where we are
- # custominzing the label using 'semanage' below, but also
- # others, when applicable.
- $SBINDIR/setfiles $opts -F $ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts \
- $BINDIR/swift* \
- $LOCALSTATEDIR/run/swift \
- $LOCALSTATEDIR/swift \
- $SHAREDSTATEDIR/nova/.ssh \
- $SHAREDSTATEDIR/designate/bind9 \
- $SHAREDSTATEDIR/vhost_sockets \
- /srv \
- $BINDIR/neutron* \
- $BINDIR/swift-object-* \
- ${ROOTDIR}httpboot \
- ${ROOTDIR}tftpboot \
- $LOCALSTATEDIR/run/redis \
- $LOCALSTATEDIR/log \
- 2> /dev/null || :
+relabel_files() {
+ local opts=""
+
+ do_echo "Relabeling files..."
+ if [ $QUIET -ne 0 ]; then
+ opts="-v"
+ fi
+
+ # Setfiles is a lot like restorecon, except it takes a policy
+ # on-disk instead of looking at the kernel-loaded policy
+ # So, it works inside of image builds.
+ #
+ # At a minimum, we need a line for each entry we have where we are
+ # customizing the label using 'semanage' below, but also
+ # others, when applicable.
+ declare -a f_list
+ for i in "${!custom_fcontext[@]}"; do
+ f_list=("${f_list[@]}" "$(get_clean_name "$i")")
+ done
+ $SBINDIR/setfiles $opts -F $ROOTDIR/etc/selinux/targeted/contexts/files/file_contexts \
+ $LOCALSTATEDIR/run/swift \
+ $LOCALSTATEDIR/swift \
+ /srv \
+ $LOCALSTATEDIR/run/redis \
+ $LOCALSTATEDIR/log \
+ ${f_list[@]} 2> /dev/null || :
}
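Review bot: The rewritten `relabel_files` narrows what setfiles is run on: the removed list relabelled `$BINDIR/swift*` and `$BINDIR/neutron*` wholesale, whereas the derived `f_list` only contains paths that have a custom fcontext, i.e. the two `swift-object-*` and two `neutron-*` binaries — every other swift/neutron binary whose base-policy label may be stale in an image build is no longer touched. If the wider relabel was intentional, keeping those two globs in the static part of the setfiles argument list restores it. Minor style: `f_list=("${f_list[@]}" "$(get_clean_name "$i")")` is `f_list+=("$(get_clean_name "$i")")`, and `${f_list[@]}` is unquoted, which is only safe because `get_clean_name` cuts at the first `(` and leaves entries like `$LOCALSTATEDIR/log/pacemaker.log.*` to be glob-expanded by the shell — a comment saying that is relied on would prevent someone "fixing" the quoting.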
@@ -74,40 +126,19 @@ set_port()
}
# usage: set_file_context a|d (add/delete)
-set_file_contexts()
-{
- INPUT="fcontext -N -$1 -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\"
- fcontext -N -$1 -t virt_cache_t \"$SHAREDSTATEDIR/vhost_sockets(/.*)?\"
- fcontext -N -$1 -t httpd_var_lib_t $SHAREDSTATEDIR/openstack-dashboard
- fcontext -N -$1 -t mongod_var_lib_t \"$SHAREDSTATEDIR/mongodb(/.*)?\"
- fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/gnocchi/app.log
- fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/aodh/app.log
- fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/ceilometer/app.log
- fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/panko/app.log
- fcontext -N -$1 -t httpd_log_t $LOCALSTATEDIR/log/zaqar/zaqar.log
- fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/log/containers(/.*)?\"
- fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/config-data(/.*)?\"
- fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/tripleo-config(/.*)?\"
- fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-rootwrap-daemon
- fcontext -N -$1 -t neutron_exec_t $BINDIR/neutron-vpn-agent
- fcontext -N -$1 -t swift_var_cache_t \"$LOCALSTATEDIR/cache/swift(/.*)\"
- fcontext -N -$1 -t swift_exec_t $BINDIR/swift-object-reconstructor
- fcontext -N -$1 -t swift_exec_t $BINDIR/swift-object-relinker
- fcontext -N -$1 -t httpd_sys_content_t \"${ROOTDIR}httpboot(/.*)?\"
- fcontext -N -$1 -t ssh_home_t \"$SHAREDSTATEDIR/nova/.ssh(/.*)?\"
- fcontext -N -$1 -t tftpdir_t \"${ROOTDIR}tftpboot(/.*)?\"
- fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker\.log.*\"
- fcontext -N -$1 -t cluster_var_log_t \"$LOCALSTATEDIR/log/pacemaker(/.*)?\""
-
- # Load these one by one so upgrades work properly.
- # TODO (future): Make upgrades (only) do one by one;
- # install/remove can do batches to save time.
- while read; do
- eval semanage $REPLY &> /dev/null
- done < <(echo "$INPUT")
-
- # TODO (future): install/remove can do this to save time
- # echo "$INPUT" | $SBINDIR/semanage import -N
+set_file_contexts() {
+ case $1 in
+ 'a')
+ for f_context in "${!diff_fcontext[@]}"; do
+ eval semanage fcontext -N -${1} -t ${diff_fcontext[$f_context]} \"${f_context}\" &> /dev/null
+ done
+ ;;
+ 'd')
+ for f_context in "${!custom_fcontext[@]}"; do
+ eval semanage fcontext -N -${1} -t ${custom_fcontext[$f_context]} \"${f_context}\" &> /dev/null
+ done
+ ;;
+ esac
}
@@ -165,6 +196,7 @@ install_policies() {
set_port tcp 6642 ovsdb_port_t
# Create all the file contexts
+ do_echo "Add custom fcontext..."
set_file_contexts "a"
# Build up a script to pass to semanage
@@ -251,6 +283,7 @@ uninstall_policies() {
$SBINDIR/semodule -n -r $MODULES &> /dev/null || :
# Delete all the file contexts
+ do_echo "Removing custom fcontext..."
set_file_contexts "d"
relabel_files
From 26243bf994efe7184ab474a4b35ff9da0670c7fe Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Tue, 8 Sep 2020 16:11:59 +0100
Subject: [PATCH 149/192] Add container_file_t type for /var/lib/kolla
Resolves: rhbz#1859592
---
local_settings.sh.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/local_settings.sh.in b/local_settings.sh.in
index 9c4efd0..7d0c3ce 100644
--- a/local_settings.sh.in
+++ b/local_settings.sh.in
@@ -30,6 +30,7 @@ declare -A custom_fcontext=(
["$LOCALSTATEDIR/log/zaqar/zaqar.log"]='httpd_log_t'
["$LOCALSTATEDIR/log/containers(/.*)?"]='container_file_t'
["$LOCALSTATEDIR/lib/config-data(/.*)?"]='container_file_t'
+["$LOCALSTATEDIR/lib/kolla(/.*)?"]='container_file_t'
["$LOCALSTATEDIR/lib/tripleo-config(/.*)?"]='container_file_t'
["$BINDIR/neutron-rootwrap-daemon"]='neutron_exec_t'
["$BINDIR/neutron-vpn-agent"]='neutron_exec_t'
From 6268228fc1d90f9a89b6eb90f401ab9b2f5e053c Mon Sep 17 00:00:00 2001
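Review bot: In the `'a'` branch every entry of `diff_fcontext` is passed to `semanage fcontext -a`, but `diff_fcontext` is also fed by the `elif` branch of the setup loop, i.e. specs that already exist locally with a different type; `semanage fcontext -a` refuses an existing spec with "already defined", and the `&> /dev/null` hides it, so a type change for an existing custom spec is silently never applied. The fix is to use `-m` when the spec is already present in `existing_custom_fcontext`, as below. The `'d'` branch deleting from `custom_fcontext` rather than the existing set is fine for uninstall, but both paths would benefit from counting failures and reporting them through `do_echo` instead of discarding all output.
```shell
'a')
    for f_context in "${!diff_fcontext[@]}"; do
        # A spec that already exists with another type must be modified,
        # not re-added: 'semanage fcontext -a' fails on an existing spec.
        local op='a'
        if [[ -v existing_custom_fcontext["$f_context"] ]]; then
            op='m'
        fi
        eval semanage fcontext -N -${op} -t ${diff_fcontext[$f_context]} \"${f_context}\" &> /dev/null
    done
    ;;
# … unchanged: 'd' branch and esac …
```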
From: Tobias Urdin
Date: Thu, 29 Oct 2020 23:41:03 +0100
Subject: [PATCH 150/192] Allow unmount for fs_t to neutron
The DHCP agent fails on CentOS 8 with a the standard 4.18 kernel.
---
os-neutron.te | 4 ++++
tests/bz1893132 | 2 ++
2 files changed, 6 insertions(+)
create mode 100644 tests/bz1893132
diff --git a/os-neutron.te b/os-neutron.te
index 80eee5a..4841074 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -18,6 +18,7 @@ gen_require(`
type keepalived_t;
type logrotate_t;
type nsfs_t;
+ type fs_t;
class capability setpcap;
class capability setpgid;
class capability dac_override;
@@ -118,6 +119,9 @@ tunable_policy(`os_neutron_use_execmem',`
# Bugzilla 1419418
allow neutron_t nsfs_t:file { open read };
+# Bugzilla 1893132
+allow neutron_t fs_t:filesystem unmount;
+
# Bugzilla 1547197
allow neutron_t self:process setpgid;
diff --git a/tests/bz1893132 b/tests/bz1893132
new file mode 100644
index 0000000..bfb20b6
--- /dev/null
+++ b/tests/bz1893132
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1604010639.062:643445): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
+type=AVC msg=audit(1604010639.098:643446): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
From 1f3ab78f0d9b5e1d76ca420873889e9c6f54faf0 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Wed, 10 Feb 2021 17:38:38 +0000
Subject: [PATCH 151/192] Allow container domains to send sigchld to container runtime
This is resolved in later versions of container-selinux. We're adding the rule to openstack-selinux for environments where it's not currently possible to install a more recent version of the container-selinux package.
Resolves: rhbz#1926765
---
os-podman.te | 5 +++++
tests/bz1926765 | 1 +
2 files changed, 6 insertions(+)
create mode 100644 tests/bz1926765
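Review bot: `allow neutron_t fs_t:filesystem unmount;` lets `neutron_t` unmount any filesystem labelled `fs_t` — ordinary on-disk filesystems on the host — not only whatever the DHCP agent is tearing down, and the module already has a deliberately narrower `allow neutron_t proc_t:filesystem unmount;` for the earlier case. The AVCs in tests/bz1893132 name `privsep-helper` but no mount point, so the comment `# Bugzilla 1893132` should say what is being unmounted (presumably a namespace-related mount, to be confirmed) so the scope can be revisited and a narrower type used if one applies. The rule sits in the main body of `os-neutron.te` outside any `tunable_policy`, so it is unconditional.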
diff --git a/os-podman.te b/os-podman.te
index 65ffbba..1252c61 100644
--- a/os-podman.te
+++ b/os-podman.te
@@ -1,5 +1,7 @@ policy_module(os-podman, 1.0)
gen_require(`
+ attribute container_domain;
+ attribute container_runtime_domain;
type container_t;
type container_file_t;
type openvswitch_t;
@@ -31,3 +33,6 @@ manage_dirs_pattern(container_t, cluster_var_log_t, cluster_var_log_t);
# Needed for LP#1853652
allow init_t container_file_t:file { execute execute_no_trans };
+
+# Bugzilla 1926765. See also container-selinux commit 448dfb
+allow container_domain container_runtime_domain:process sigchld;
diff --git a/tests/bz1926765 b/tests/bz1926765
new file mode 100644
index 0000000..2ffc858
--- /dev/null
+++ b/tests/bz1926765
@@ -0,0 +1 @@
+type=AVC msg=audit(1612971631.581:8655): avc: denied { sigchld } for pid=236718 comm="conmon" scontext=system_u:system_r:container_t:s0:c409,c785 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=process permissive=1
From d1e3cb9409f8579a53bee6004e83d0be7ec9780a Mon Sep 17 00:00:00 2001
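Review bot: The comment `# Bugzilla 1926765. See also container-selinux commit 448dfb` records where the rule came from but not when it can go; since the commit message says this duplicates a fix already in newer container-selinux, the comment should name the first container-selinux version that carries it and mark the rule as a temporary carry, e.g. `# Temporary carry of container-selinux commit 448dfb; drop once container-selinux >= <fixed version> is the minimum`. The grant itself (`sigchld` from `container_domain` to `container_runtime_domain`) only lets a child report its exit to its runtime, so duplicating it across the two modules carries no risk.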
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Fri, 26 Mar 2021 09:09:14 +0100
Subject: [PATCH 152/192] Allow container_t to manage swift_data_t files/dirs
This is needed in TripleO/OSP environment in order to avoid SELinux denials in case of restorecon or related changes in specific locations. For instance, in rhbz#1941412, a relabelling was done during the system update. Since the containers didn't restart, we ended up with swift service being broken (the :z flag is only applied during container startup). Currently, there are 3 specific locations with this label: - /srv/node(/.*)? - /var/lib/swift(/.*)? - /srv/loopback-device(/.*)? There shouldn't be real security issues with them, especially since they are all swift-only related content. Note regarding the tests: the lo lines were in the related BZ, but since it was enforcing, we don't have everything (like write, unlink and other file/directory actions). But since swift service calls those actions during its runtime, we can expect them to show up anyway - this is why this patch allows the manage_files and manage_dirs patterns.
---
os-podman.te | 5 +++++
tests/bz1941412 | 8 ++++++++
2 files changed, 13 insertions(+)
create mode 100644 tests/bz1941412
diff --git a/os-podman.te b/os-podman.te
index 1252c61..910a4a1 100644
--- a/os-podman.te
+++ b/os-podman.te
@@ -8,6 +8,7 @@ gen_require(`
type puppet_etc_t;
type cluster_var_log_t;
type init_t;
+ type swift_data_t;
')
#============= container_t ==============
miscfiles_read_generic_certs(container_t)
@@ -36,3 +37,7 @@ allow init_t container_file_t:file { execute execute_no_trans };
# Bugzilla 1926765. See also container-selinux commit 448dfb
allow container_domain container_runtime_domain:process sigchld;
+
+# Bugzilla 1941922 + 1941412
+manage_files_pattern(container_t, swift_data_t, swift_data_t);
+manage_dirs_pattern(container_t, swift_data_t, swift_data_t);
diff --git a/tests/bz1941412 b/tests/bz1941412
new file mode 100644
index 0000000..37f7c39
--- /dev/null
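Review bot: `manage_files_pattern(container_t, swift_data_t, swift_data_t)` and the dirs pattern give every `container_t` process on the host create/write/delete over swift object storage, not only the swift containers that produced the denials; MCS does not narrow it because the files are at plain `s0` (`tcontext=...swift_data_t:s0` in the fixture), which any container's `s0:cX,cY` dominates. The commit message argues there is no real security issue, but an unrelated compromised container could then alter or destroy stored objects, so a boolean (this tree already uses `gen_tunable`/`tunable_policy` in os-dnsmasq.te and os-neutron.te) or at least a comment stating that this is accepted for TripleO's single-tenant hosts would be appropriate. Also, the comment cites `Bugzilla 1941922 + 1941412` while the fixture is `tests/bz1941412` only; if 1941922 has its own AVCs they should be added, otherwise drop the number.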
+++ b/tests/bz1941412 
@@ -0,0 +1,8 @@
+type=AVC msg=audit(1616384789.103:3183): avc: denied { read } for pid=39321 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616384823.339:3274): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385089.159:3761): avc: denied { read } for pid=46803 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385123.436:3840): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385389.169:4321): avc: denied { read } for pid=54242 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385423.480:4392): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385689.197:4888): avc: denied { read } for pid=61777 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0
+type=AVC msg=audit(1616385723.573:4959): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138
scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 From dd99b955a676f8fb8aeadbfba388fdef47ba95f0 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Thu, 20 May 2021 16:52:48 +0200 Subject: [PATCH 153/192] Allow neutron_t to SIGTERM haproxy owned processes Neutron needs to be able to not just send SIGKILL to processes but also SIGTERM for graceful shutdown and in some parts SIGHUP for process reloading. --- os-neutron.te | 4 ++-- tests/bz1962802 | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 tests/bz1962802 diff --git a/os-neutron.te b/os-neutron.te index 4841074..5a99e2d 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -105,8 +105,8 @@ optional_policy(` # Bugzilla 1114254 manage_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t) manage_sock_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t) - # Bugzilla 1115724 - allow neutron_t haproxy_t:process sigkill; + # Bugzilla 1115724 and 1962802 + allow neutron_t haproxy_t:process { sigkill signal }; allow neutron_t proc_t:filesystem unmount; ') diff --git a/tests/bz1962802 b/tests/bz1962802 new file mode 100644 index 0000000..0a7e054 --- /dev/null +++ b/tests/bz1962802 @@ -0,0 +1 @@ +type=AVC msg=audit(1621521322.324:1212399): avc: denied { signal } for pid=1442393 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 From 2bce35a2b741b7f41d5503342fa295d21c78904e Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Fri, 4 Jun 2021 13:17:13 +0200 Subject: [PATCH 154/192] Allow keepalived_t setattr for neutron_var_lib_t --- os-keepalived.te | 5 +++-- tests/bz1969325 | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 tests/bz1969325 diff --git a/os-keepalived.te b/os-keepalived.te index 18b8f81..2a729c0 100644 --- a/os-keepalived.te +++ b/os-keepalived.te 
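Review bot: The `signal` permission added in the os-neutron.te hunk is broader than the SIGTERM/SIGHUP the commit message describes: in the SELinux `process` class, `signal` covers every signal that does not have a dedicated permission (`sigkill`, `sigstop`, `sigchld`, `signull`), so neutron_t may now send any of those other signals to haproxy_t. That is probably acceptable for a domain that supervises haproxy, but the comment should state what was granted rather than only cite the bugs, e.g. `# Bugzilla 1115724 and 1962802: 'signal' = SIGTERM/SIGHUP and every other non-dedicated signal`. The enclosing `optional_policy` block begins before the hunk.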
@@ -13,7 +13,7 @@ gen_require(`
 type systemd_systemctl_exec_t;
 type ifconfig_exec_t;
 type ifconfig_t;
- class filesystem getattr;
+ class filesystem { setattr getattr };
 class process { signull sigkill setpgid setcap };
 class capability { net_admin net_raw kill dac_override sys_admin };
 class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint };
@@ -27,7 +27,8 @@ allow keepalived_t NetworkManager_t:process signull;
 # Bugzilla 1180679 and Bugzilla 1180881
 neutron_manage_lib_dirs(keepalived_t)
 sysnet_exec_ifconfig(keepalived_t)
-allow keepalived_t neutron_var_lib_t:file { execute read create getattr execute_no_trans write ioctl open };
+# Bugzilla 1969325 for setattr below.
+allow keepalived_t neutron_var_lib_t:file { execute read create setattr getattr execute_no_trans write ioctl open };
 allow keepalived_t cloud_var_lib_t:file { read getattr open };
 allow keepalived_t init_var_lib_t:file { read getattr open };
 allow keepalived_t var_lib_t:file { read getattr open };
diff --git a/tests/bz1969325 b/tests/bz1969325
new file mode 100644
index 0000000..15c42fd
--- /dev/null
+++ b/tests/bz1969325
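Review bot: The require-block change in the first os-keepalived.te hunk does not match the rule added in the second: the rule grants `setattr` on `neutron_var_lib_t:file`, yet `setattr` was added to `class filesystem`, and the `class file { ... }` require three lines below still lacks it. The module presumably still builds because checkmodule derives class/permission requirements from the rules themselves, so the explicit line is misleading rather than broken, but it will send the next reader looking for a filesystem setattr rule that does not exist. I would revert it to `class filesystem getattr;` and add the permission where it is used: `class file { execute read create setattr getattr ioctl unlink execute_no_trans write open entrypoint };`.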
@@ -0,0 +1,3 @@ +type=AVC msg=audit(1622799389.155:390): avc: denied { setattr } for pid=4715 comm="keepalived" name="1171ec49-19e7-4b89-a97c-88d5e8732bf8.pid.keepalived" dev="dm-0" ino=237885 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1622799392.683:404): avc: denied { setattr } for pid=4808 comm="keepalived" name="0a74a7c4-8735-4aea-8b16-0e46780c9a39.pid.keepalived" dev="dm-0" ino=237887 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1622799420.386:566): avc: denied { setattr } for pid=5621 comm="keepalived" name="db8f00f6-b84f-4ec1-b96a-24b46200c26b.pid.keepalived" dev="dm-0" ino=232460 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 From 851d0c545e4ef373c9802dddeea17e099fa39e72 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 3 Sep 2021 10:57:46 +0100 Subject: [PATCH 155/192] Move the dac_override rules behind booleans. As a preparation step for bug 2000945 which aims to reduce dac_override usage, move the remaining dac_override rules behind booleans. This patch is currently a noop as the booleans are then enabled. The end goal is to disable them all once the code fixes are ready and merged. Related to rhbz#2000945. --- local_settings.sh.in | 8 +++++++- os-glance.te | 7 ++++++- os-keepalived.te | 7 ++++++- os-nova.te | 5 ++++- os-octavia.te | 7 ++++++- os-ovs.te | 7 ++++++- 6 files changed, 35 insertions(+), 6 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 7d0c3ce..4b8c52c 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
@@ -254,7 +254,13 @@ install_policies() { boolean -N -m --on os_gnocchi_use_nfs boolean -N -m --on os_virtlogd_use_nfs boolean -N -m --on os_glance_use_nfs - boolean -N -m --on os_cinder_use_nfs" + boolean -N -m --on os_cinder_use_nfs + boolean -N -m --on os_glance_dac_override + boolean -N -m --on os_haproxy_dac_override + boolean -N -m --on os_keepalived_dac_override + boolean -N -m --on os_openvswitch_dac_override + boolean -N -m --on os_virtlog_dac_override" + # Note the last 5 dac_override booleans will be eventually disabled (bugzilla 2000945) do_echo "Setting OpenStack booleans..." echo "$INPUT" | $SBINDIR/semanage import -N diff --git a/os-glance.te b/os-glance.te index a606bd6..ccbf190 100644 --- a/os-glance.te +++ b/os-glance.te @@ -73,12 +73,17 @@ tunable_policy(`os_glance_use_sudo',` allow glance_api_t fixed_disk_device_t:blk_file { getattr ioctl open read setattr write }; allow glance_api_t init_t:file { getattr open read }; allow glance_api_t self:capability { setuid setgid }; - allow glance_api_t self:capability { audit_write setuid setgid chown dac_override sys_rawio sys_resource }; + allow glance_api_t self:capability { audit_write setuid setgid chown sys_rawio sys_resource }; allow glance_api_t self:netlink_audit_socket { create nlmsg_relay }; allow glance_api_t self:process { setcap setrlimit setsched }; allow glance_api_t sysfs_t:file append; ') +gen_tunable(os_glance_dac_override, false) +tunable_policy(`os_glance_dac_override',` + allow glance_api_t self:capability dac_override; +') + # Bugzilla 1653640 gen_tunable(os_glance_use_nfs, false) tunable_policy(`os_glance_use_nfs',` diff --git a/os-keepalived.te b/os-keepalived.te index 2a729c0..1888831 100644 --- a/os-keepalived.te +++ b/os-keepalived.te 
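Review bot: The new `gen_tunable(os_glance_dac_override, false)` block in os-glance.te carries no comment, although its `false` default is only overridden by the `boolean -N -m --on` lines this commit adds to local_settings.sh.in; a reader of the .te file alone will conclude dac_override is already off. Other blocks in the file cite their bug (`# Bugzilla 1653640`), so add `# Bugzilla 2000945: turned on by local_settings.sh.in until glance no longer needs dac_override` above the tunable. The same applies to the os-keepalived.te, os-nova.te, os-octavia.te and os-ovs.te hunks of this patch. Separately, the nova boolean is named `os_virtlog_dac_override` while it gates `virtlogd_t`; since the name is also hard-coded in local_settings.sh.in and is awkward to rename later, either fix it now or have the comment spell out the domain it controls.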
@@ -34,9 +34,14 @@ allow keepalived_t init_var_lib_t:file { read getattr open }; allow keepalived_t var_lib_t:file { read getattr open }; allow keepalived_t var_log_t:file open; # bz1434826 - sys_admin -allow keepalived_t self:capability { dac_override sys_admin }; +allow keepalived_t self:capability { sys_admin }; allow keepalived_t neutron_t:process sigkill; +gen_tunable(os_keepalived_dac_override, false) +tunable_policy(`os_keepalived_dac_override',` + allow keepalived_t self:capability dac_override; +') + # Bugzilla 1206148 allow keepalived_t sysfs_t:filesystem getattr; allow keepalived_t neutron_var_lib_t:file unlink; diff --git a/os-nova.te b/os-nova.te index 705b6ab..7f45800 100644 --- a/os-nova.te +++ b/os-nova.te @@ -69,7 +69,10 @@ allow httpd_t nova_log_t:file { open create }; nova_manage_lib_files(virtlogd_t) # Bugzilla 1377272 -allow virtlogd_t self:capability dac_override; +gen_tunable(os_virtlog_dac_override, false) +tunable_policy(`os_virtlog_dac_override',` + allow virtlogd_t self:capability dac_override; +') # Bugzilla #1499800 (workaround) # src: https://eucalyptus.atlassian.net/browse/EUCA-13447 diff --git a/os-octavia.te b/os-octavia.te index 3e709ed..552c0fe 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -72,7 +72,12 @@ allow haproxy_t unconfined_service_t:file { open read }; allow haproxy_t var_lib_t:dir { add_name write remove_name }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; -allow haproxy_t self:capability { sys_admin dac_override }; +allow haproxy_t self:capability { sys_admin }; + +gen_tunable(os_haproxy_dac_override, false) +tunable_policy(`os_haproxy_dac_override',` + allow haproxy_t self:capability dac_override; +') # These are needed during boot when setting up the netns allow haproxy_t etc_t:dir mounton; diff --git a/os-ovs.te b/os-ovs.te index 16788e2..96d7da2 100644 --- a/os-ovs.te 
+++ b/os-ovs.te @@ -110,9 +110,14 @@ dontaudit openvswitch_t neutron_t:file { read open getattr }; corenet_tcp_connect_all_ports(openvswitch_t) # #1498797 -allow openvswitch_t self:capability { audit_write dac_override }; +allow openvswitch_t self:capability { audit_write }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; +gen_tunable(os_openvswitch_dac_override, false) +tunable_policy(`os_openvswitch_dac_override',` + allow openvswitch_t self:capability dac_override; +') + # #1542107 allow openvswitch_t svirt_tmpfs_t:file { read write }; From fb8fe99479bb9106bbcc672068da8c2dc7cb5a33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 22 Sep 2021 08:41:27 +0200 Subject: [PATCH 156/192] Allow container_t to getattr on fixed_disk_device_t This is needed for container healthchecks based on `lsof' command. Closes-Bug: https://bugs.launchpad.net/tripleo/+bug/1944539 --- os-podman.te | 5 +++++ tests/lp1944539 | 1 + 2 files changed, 6 insertions(+) create mode 100644 tests/lp1944539 diff --git a/os-podman.te b/os-podman.te index 910a4a1..c297314 100644 --- a/os-podman.te +++ b/os-podman.te @@ -9,6 +9,8 @@ gen_require(` type cluster_var_log_t; type init_t; type swift_data_t; + type fixed_disk_device_t; + class blk_file getattr; ') #============= container_t ============== miscfiles_read_generic_certs(container_t) @@ -41,3 +43,6 @@ allow container_domain container_runtime_domain:process sigchld; # Bugzilla 1941922 + 1941412 manage_files_pattern(container_t, swift_data_t, swift_data_t); manage_dirs_pattern(container_t, swift_data_t, swift_data_t); + +# LP 1944539 +allow container_t fixed_disk_device_t:blk_file getattr; diff --git a/tests/lp1944539 b/tests/lp1944539 new file mode 100644 index 0000000..5b3e438 --- /dev/null +++ b/tests/lp1944539 
@@ -0,0 +1 @@ +type=AVC msg=audit(09/22/2021 10:46:27.412:11298) : avc: denied { getattr } for pid=338462 comm=lsof path=/dev/sda2 dev="devtmpfs" ino=24765 scontext=system_u:system_r:container_t:s0:c216,c474 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 From 61b604b10af6315bb570b71776b8ccdec8842221 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Fri, 24 Sep 2021 09:38:42 +0100 Subject: [PATCH 157/192] Add a boolean to enable rules related to vTPM features Because the boolean is disabled by default, the tests can't be stored in-repo. Including the denials in the commit message instead. type=AVC msg=audit(1632409882.991:1060759): avc: denied { create } for pid=1039169 comm="swtpm" name="9-instance-00000009-swtpm.sock" scontext=system_u:system_r:svirt_t:s0:c50,c343 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1632409882.991:1060760): avc: denied { setattr } for pid=1039169 comm="swtpm" name="9-instance-00000009-swtpm.sock" dev="tmpfs" ino=1100774 scontext=system_u:system_r:svirt_t:s0:c50,c343 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 Related-Bug: rhbz#2007314 --- os-virt.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/os-virt.te b/os-virt.te index 44613d7..1a9af9c 100644 --- a/os-virt.te +++ b/os-virt.te @@ -1,6 +1,7 @@ policy_module(os-virt,0.1) gen_require(` + type container_file_t; type systemd_logind_t; type systemd_logind_inhibit_var_run_t; type virtlogd_t; @@ -33,3 +34,9 @@ allow svirt_t spc_t:tun_socket attach_queue; # Bugzilla 1751300 allow spc_t unlabeled_t:key manage_key_perms; + +# Bugzilla 2007314 +gen_tunable(os_enable_vtpm, false) +tunable_policy(`os_enable_vtpm',` + manage_sock_files_pattern(svirt_t, container_file_t, container_file_t) +') From a7269f89aeccb528083c53ce717b45a326b97d3a Mon Sep 17 00:00:00 2001 
From: Julie Pichon Date: Fri, 29 Oct 2021 14:15:37 +0100 Subject: [PATCH 158/192] Allow container_t to manage Swift cache files Similarly to the issue described in commit d1e3cb, in some cases when a problem occurs during an update and interrupts it, the Swift data/cache files may end up incorrectly labelled. With these new rules, the update can be resumed properly. Resolves: rhbz#2013194 --- os-podman.te | 4 ++++ tests/bz2013194 | 1 + 2 files changed, 5 insertions(+) create mode 100644 tests/bz2013194 diff --git a/os-podman.te b/os-podman.te index c297314..a08b82b 100644 --- a/os-podman.te +++ b/os-podman.te @@ -9,6 +9,7 @@ gen_require(` type cluster_var_log_t; type init_t; type swift_data_t; + type swift_var_cache_t; type fixed_disk_device_t; class blk_file getattr; ') @@ -43,6 +44,9 @@ allow container_domain container_runtime_domain:process sigchld; # Bugzilla 1941922 + 1941412 manage_files_pattern(container_t, swift_data_t, swift_data_t); manage_dirs_pattern(container_t, swift_data_t, swift_data_t); +# Bugzilla 2013194 +manage_files_pattern(container_t, swift_var_cache_t, swift_var_cache_t); +manage_dirs_pattern(container_t, swift_var_cache_t, swift_var_cache_t); # LP 1944539 allow container_t fixed_disk_device_t:blk_file getattr; diff --git a/tests/bz2013194 b/tests/bz2013194 new file mode 100644 index 0000000..fee4ec3 --- /dev/null +++ b/tests/bz2013194 @@ -0,0 +1 @@ +type=AVC msg=audit(1633990096.040:24220): avc: denied { read write } for pid=5337 comm="swift-container" name="container.recon" dev="vda2" ino=46373631 scontext=system_u:system_r:container_t:s0:c50,c57 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0 From db6cb8e7f024fe010d97cf425617282521ccf568 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Thu, 4 Nov 2021 13:57:13 +0100 Subject: [PATCH 159/192] Allow container_t to manage container_log_t files A new patch in container-selinux[1] adds a new fcontext for /var/log/containers, setting it as "container_log_t". Since it's managed by a package, we don't really want to fight with context. While we could ensure every container are mounting this location with the ":z" flag, leading to a relabelling, it's easier and better to just allow container_t to manage files with this context. Therefore, this patch does two things: - allow container_t on container_log_t for files and directories - remove the specific fcontext for /var/log/containers location Notes: - the "test" log is from an enforcing environment, but we can deduce that other file management related capabilities (create, unlink and so on) are also needed, since it's a log location. - logrotate_t doesn't need any update: it's running in a container, and since container_log_t is of "logfile" type, logrotate can already access it. [1] https://github.com/containers/container-selinux/commit/7e5f3cae10e2d805821fb84dff7418b9e3b0cc1f Resolves: rhbz#2020210 --- local_settings.sh.in | 1 - os-podman.te | 5 +++++ tests/bz2020210 | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 tests/bz2020210 diff --git a/local_settings.sh.in b/local_settings.sh.in index 4b8c52c..2218aa2 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -28,7 +28,6 @@ declare -A custom_fcontext=( ["$LOCALSTATEDIR/log/ceilometer/app.log"]='httpd_log_t' ["$LOCALSTATEDIR/log/panko/app.log"]='httpd_log_t' ["$LOCALSTATEDIR/log/zaqar/zaqar.log"]='httpd_log_t' -["$LOCALSTATEDIR/log/containers(/.*)?"]='container_file_t' ["$LOCALSTATEDIR/lib/config-data(/.*)?"]='container_file_t' ["$LOCALSTATEDIR/lib/kolla(/.*)?"]='container_file_t' ["$LOCALSTATEDIR/lib/tripleo-config(/.*)?"]='container_file_t' diff --git a/os-podman.te b/os-podman.te index a08b82b..94f2fb2 100644 
--- a/os-podman.te +++ b/os-podman.te @@ -4,6 +4,7 @@ gen_require(` attribute container_runtime_domain; type container_t; type container_file_t; + type container_log_t; type openvswitch_t; type puppet_etc_t; type cluster_var_log_t; @@ -50,3 +51,7 @@ manage_dirs_pattern(container_t, swift_var_cache_t, swift_var_cache_t); # LP 1944539 allow container_t fixed_disk_device_t:blk_file getattr; + +# Bugzilla 2020210 +manage_files_pattern(container_t, container_log_t, container_log_t); +manage_dirs_pattern(container_t, container_log_t, container_log_t); diff --git a/tests/bz2020210 b/tests/bz2020210 new file mode 100644 index 0000000..576af71 --- /dev/null +++ b/tests/bz2020210 @@ -0,0 +1 @@ +type=AVC msg=audit(1635988536.870:9187): avc: denied { append } for pid=128557 comm="redis-server" name="redis.log" dev="vda2" ino=67368647 scontext=system_u:system_r:container_t:s0:c67,c288 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0 From 764d6e26560ad03c66885c951893151d95dcd323 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 5 Feb 2022 17:36:16 +0900 Subject: [PATCH 160/192] Fix wrong selinux type of /var/cache/swift Currently files in /var/cache/swift have swift_var_cache_t type but the directory itself has var_t, and swift processes are not allowed to do directory level operations. This change ensures the directory has the swift_var_cache_t type, so that swift processes can access to the directory. Co-Authored-By: Julie Pichon Related: rhbz#2050636 --- local_settings.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 2218aa2..e1b7220 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
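Review bot: The new `container_log_t` rules in os-podman.te and the removal of the `$LOCALSTATEDIR/log/containers(/.*)?` fcontext from local_settings.sh.in together assume the installed container-selinux already ships the fcontext named in the commit message; on a host with an older container-selinux this package no longer labels that path at all, and if the `container_log_t` type itself is absent the module's new `gen_require` prevents it from loading. That dependency belongs where the packaging declares its minimum container-selinux version (not visible here) and should be recorded next to the rule: `# Bugzilla 2020210: /var/log/containers is labelled container_log_t by container-selinux (7e5f3cae); our fcontext was dropped`. As with the `swift_data_t` rules above it, this grant applies to every `container_t` process, not only the log-writing containers.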
@@ -33,7 +33,7 @@ declare -A custom_fcontext=( ["$LOCALSTATEDIR/lib/tripleo-config(/.*)?"]='container_file_t' ["$BINDIR/neutron-rootwrap-daemon"]='neutron_exec_t' ["$BINDIR/neutron-vpn-agent"]='neutron_exec_t' -["$LOCALSTATEDIR/cache/swift(/.*)"]='swift_var_cache_t' +["$LOCALSTATEDIR/cache/swift(/.*)?"]='swift_var_cache_t' ["$BINDIR/swift-object-reconstructor"]='swift_exec_t' ["$BINDIR/swift-object-relinker"]='swift_exec_t' ["${ROOTDIR}httpboot(/.*)?"]='httpd_sys_content_t' From 12f192af00ad37800fd92d3da0095c14e8b7399c Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 13 Feb 2022 03:06:46 +0900 Subject: [PATCH 161/192] Neutron: Fix denied network namespace operations in CentOS 9 Neutron requires access to network namespaces as it creates and deletes namespaces for tenant resources. This change fixes some denials found in functional tests with CentOS 9 Stream and OpenStack service installed by RDO packages. Resolves: rhbz#2053852 --- os-neutron.te | 7 +++++-- tests/bz2053852 | 2 ++ 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 tests/bz2053852 diff --git a/os-neutron.te b/os-neutron.te index 5a99e2d..9f85ff5 100644 --- a/os-neutron.te +++ b/os-neutron.te @@ -116,12 +116,15 @@ tunable_policy(`os_neutron_use_execmem',` allow neutron_t self:process execmem; ') -# Bugzilla 1419418 -allow neutron_t nsfs_t:file { open read }; +# Bugzilla 1419418 and 2053852 +allow neutron_t nsfs_t:file { open read getattr }; # Bugzilla 1893132 allow neutron_t fs_t:filesystem unmount; +# Bugzilla 2053852 +allow neutron_t nsfs_t:filesystem unmount; + # Bugzilla 1547197 allow neutron_t self:process setpgid; diff --git a/tests/bz2053852 b/tests/bz2053852 new file mode 100644 index 0000000..5a52d32 --- /dev/null +++ b/tests/bz2053852 
@@ -0,0 +1,2 @@ +type=AVC msg=audit(1644681472.535:9235): avc: denied { getattr } for pid=78599 comm="privsep-helper" path="/run/netns/qdhcp-d6afbd95-bfef-44d7-84cc-559cda9a0686" dev="nsfs" ino=4026532244 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681474.970:9248): avc: denied { unmount } for pid=78610 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=filesystem permissive=1 From 9dfb8f2d31bef0e73e4f819026cd9b417e15a27b Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 13 Feb 2022 02:29:40 +0900 Subject: [PATCH 162/192] Cinder: Allow httpd_t to remove lock files in /var/lib/cinder Sinsce the following change was merged, cinder-api creates and deletes lock files in /var/lib/cinder. https://review.opendev.org/c/openstack/cinder/+/671370 This change ensures that httpd_t can remove files in /var/lib/cinder, so that lock files can be deleted even when cinder-api is running by httpd+mod_wsgi, which is currently the most popular setup. Resolves: rhbz#2053849 --- os-cinder.te | 6 +++--- tests/bz2053849 | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 tests/bz2053849 diff --git a/os-cinder.te b/os-cinder.te index 54d4a79..c815af1 100644 --- a/os-cinder.te +++ b/os-cinder.te @@ -17,11 +17,11 @@ gen_require(` allow httpd_t cinder_log_t:file { open create }; allow httpd_t cinder_log_t:dir { add_name write }; -# Bugzilla 1820504 -allow httpd_t cinder_var_lib_t:dir { add_name write create }; +# Bugzilla 1820504 and 2053849 +manage_dirs_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t); # Allow httpd to handle files in statedir -allow httpd_t cinder_var_lib_t:file { open create append getattr lock }; +manage_files_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t); # Bugzilla 1384472 iscsid_domtrans(cinder_backup_t); 
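Review bot: The os-cinder.te hunk replaces two targeted allow rules with `manage_files_pattern`/`manage_dirs_pattern`, which give httpd_t the full manage set on `cinder_var_lib_t` (create, rename, setattr, link, unlink and more on both files and directories), whereas the denials in tests/bz2053849 show only `read`, `ioctl`, `remove_name` and `unlink` beyond what was already permitted. httpd_t is the domain of every WSGI service fronted by Apache on the host, so this widens what any other web application in that domain can do to Cinder's state directory. If the broad pattern is intended, say so: `# Bugzilla 1820504 and 2053849: cinder-api under mod_wsgi creates and removes lock files here; full manage granted to httpd_t deliberately`; otherwise add the four observed permissions to the previous explicit rules instead.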
diff --git a/tests/bz2053849 b/tests/bz2053849 new file mode 100644 index 0000000..50a2086 --- /dev/null +++ b/tests/bz2053849 @@ -0,0 +1,4 @@ +type=AVC msg=audit(1644681031.316:8213): avc: denied { ioctl } for pid=72966 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681041.232:8256): avc: denied { remove_name } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1644681041.232:8256): avc: denied { unlink } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1644681192.761:8641): avc: denied { read } for pid=72965 comm="httpd" name="cinder" dev="vda1" ino=6815392 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 From 892a1fa68f49aaa933a76b09315afd3838e83091 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Tue, 12 Apr 2022 12:29:09 +0200 Subject: [PATCH 163/192] Octavia: add new policies for the Amphora VM Resolves: rhbz#2073491 --- os-octavia.te | 4 +++- tests/bz2073491 | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 tests/bz2073491 diff --git a/os-octavia.te b/os-octavia.te index 552c0fe..2937345 100644 --- a/os-octavia.te +++ b/os-octavia.te 
@@ -20,6 +20,7 @@ gen_require(` type unconfined_service_t; type NetworkManager_t; type tmpfs_t; + type shell_exec_t; class sock_file { create link rename setattr unlink write }; class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; @@ -67,12 +68,13 @@ allow keepalived_t sysfs_t:dir mounton; allow keepalived_t tmpfs_t:filesystem unmount; # Same access for haproxy_t -allow haproxy_t bin_t:file { entrypoint execute }; +allow haproxy_t bin_t:file { entrypoint execute execute_no_trans }; allow haproxy_t unconfined_service_t:file { open read }; allow haproxy_t var_lib_t:dir { add_name write remove_name }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; allow haproxy_t self:capability { sys_admin }; +allow haproxy_t shell_exec_t:file { entrypoint execute }; gen_tunable(os_haproxy_dac_override, false) tunable_policy(`os_haproxy_dac_override',` diff --git a/tests/bz2073491 b/tests/bz2073491 new file mode 100644 index 0000000..b301556 --- /dev/null +++ b/tests/bz2073491 @@ -0,0 +1,3 @@ +type=AVC msg=audit(1649425422.841:194): avc: denied { entrypoint } for pid=5633 comm="(sh)" path="/usr/bin/bash" dev="vda1" ino=4215617 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 +type=AVC msg=audit(1649676510.117:101): avc: denied { execute } for pid=5236 comm="sh" path="/usr/bin/bash" dev="vda1" ino=4215617 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 +type=AVC msg=audit(1649677973.779:106): avc: denied { execute_no_trans } for pid=5246 comm="sh" path="/usr/bin/socat" dev="vda1" ino=4216601 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 
From b4444dc4f631d9c17133d380ea080489151bae5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= <39397510+cjeanner@users.noreply.github.com> Date: Wed, 13 Apr 2022 14:20:02 +0200 Subject: [PATCH 164/192] Revert "Octavia: add new policies for the Amphora VM" --- os-octavia.te | 4 +--- tests/bz2073491 | 3 --- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 tests/bz2073491 diff --git a/os-octavia.te b/os-octavia.te index 2937345..552c0fe 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -20,7 +20,6 @@ gen_require(` type unconfined_service_t; type NetworkManager_t; type tmpfs_t; - type shell_exec_t; class sock_file { create link rename setattr unlink write }; class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; @@ -68,13 +67,12 @@ allow keepalived_t sysfs_t:dir mounton; allow keepalived_t tmpfs_t:filesystem unmount; # Same access for haproxy_t -allow haproxy_t bin_t:file { entrypoint execute execute_no_trans }; +allow haproxy_t bin_t:file { entrypoint execute }; allow haproxy_t unconfined_service_t:file { open read }; allow haproxy_t var_lib_t:dir { add_name write remove_name }; allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink }; allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write }; allow haproxy_t self:capability { sys_admin }; -allow haproxy_t shell_exec_t:file { entrypoint execute }; gen_tunable(os_haproxy_dac_override, false) tunable_policy(`os_haproxy_dac_override',` diff --git a/tests/bz2073491 b/tests/bz2073491 deleted file mode 100644 index b301556..0000000 --- a/tests/bz2073491 +++ /dev/null 
@@ -1,3 +0,0 @@ -type=AVC msg=audit(1649425422.841:194): avc: denied { entrypoint } for pid=5633 comm="(sh)" path="/usr/bin/bash" dev="vda1" ino=4215617 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 -type=AVC msg=audit(1649676510.117:101): avc: denied { execute } for pid=5236 comm="sh" path="/usr/bin/bash" dev="vda1" ino=4215617 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 -type=AVC msg=audit(1649677973.779:106): avc: denied { execute_no_trans } for pid=5246 comm="sh" path="/usr/bin/socat" dev="vda1" ino=4216601 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 From 0515fae39f8f23aec20e281d73ef013835126c4f Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Tue, 3 May 2022 08:18:29 +0200 Subject: [PATCH 165/192] Octavia: add new policies for the Amphora Fix an issue when restarting haproxy in a different network namespace This new exception is enabled by the os_haproxy_enable_nsfs boolean. Denials: type=AVC msg=audit(1651494369.458:466): avc: denied { read } for pid=1705 comm="ip" dev="nsfs" ino=4026532274 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(1651494369.458:466): avc: denied { open } for pid=1705 comm="ip" path="/run/netns/amphora-haproxy" dev="nsfs" ino=4026532274 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 Resolves: rhbz#2080966 --- os-octavia.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/os-octavia.te b/os-octavia.te index 552c0fe..7d841e4 100644 --- a/os-octavia.te +++ b/os-octavia.te 
@@ -20,6 +20,7 @@ gen_require(`
 type unconfined_service_t;
 type NetworkManager_t;
 type tmpfs_t;
+ type nsfs_t;
 class sock_file { create link rename setattr unlink write };
 class capability { sys_ptrace sys_admin };
 class file { create entrypoint execute execute_no_trans getattr ioctl open read write };
@@ -86,6 +87,10 @@ allow haproxy_t sysfs_t:filesystem { mount unmount };
 allow haproxy_t user_tmp_t:dir mounton;
 allow haproxy_t NetworkManager_t:file { open read };
 allow haproxy_t sysfs_t:dir mounton;
+gen_tunable(os_haproxy_enable_nsfs, false)
+tunable_policy(`os_haproxy_enable_nsfs', `
+ allow haproxy_t nsfs_t:file { open read };
+')
 kernel_read_fs_sysctls(ifconfig_t)
From 53aacb04dd2469fe1b38af9f3dd3f59bec3b6aff Mon Sep 17 00:00:00 2001
From: Rafael Castillo
Date: Tue, 7 Jun 2022 12:31:32 -0700
Subject: [PATCH 166/192] Don't require setpgid capability in os-neutron Requiring setpgid was causing build errors under latest libselinux. This removes the requirement.
---
 os-neutron.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/os-neutron.te b/os-neutron.te
index 9f85ff5..b4b40ed 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -20,7 +20,6 @@ gen_require(`
 type nsfs_t;
 type fs_t;
 class capability setpcap;
- class capability setpgid;
 class capability dac_override;
 class key_socket { write read create };
 class netlink_xfrm_socket { bind create nlmsg_write };
From af18066a2613eb377eea6e112f97213de6cfd394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Fri, 10 Jun 2022 18:09:06 +0200 Subject: [PATCH 167/192] Add a new option -V to verify installed policies This new parameter will help ensuring the package did properly install. It will ensure we're on an SELinux enabled, Enforcing system, then loop on the different $MODULES to ensure they are present on the system. In the end, this will help ensuring the package is properly installed, avoiding future hide'n'seek parties when we're seeing any weird SELinux issues within TripleO. --- local_settings.sh.in | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index e1b7220..10d49d2 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -303,8 +303,36 @@ uninstall_policies() { _restore_file_modes } +verify_policies() { + if ! selinuxenabled; then + echo "SELinux is disabled" + exit 0 + fi + if [ $(getenforce) != "Enforcing" ]; then + echo "SELinux is permissive"; + exit 0 + fi + + failed_count=0 + INSTALLED_MODULES=$(semodule -l) + for module in $MODULES; do + local_failed=1 + for installed_module in $INSTALLED_MODULES; do + if [ "$module" == "$installed_module" ]; then + local_failed=0 + break + fi + done + test ${local_failed} -ne 0 && echo "Missing ${module}!" + let "failed_count+=$local_failed" + done + echo "Found ${failed_count} missing module(s)." + test ${failed_count} -eq 0 + exit $? +} + -while getopts m:xq opt; do +while getopts m:xqV opt; do case $opt in m) # modules MODULES="$OPTARG" @@ -315,6 +343,9 @@ while getopts m:xq opt; do q) QUIET=0 ;; + V) + MODE=2 + ;; esac done @@ -326,5 +357,8 @@ case $MODE in 1) uninstall_policies ;; + 2) + verify_policies + ;; esac exit $? From 8ac57ecd235ba43d316a3fb3da714124843e5fae Mon Sep 17 00:00:00 2001 
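Review bot: `$(getenforce)` is expanded unquoted in `if [ $(getenforce) != "Enforcing" ]; then` inside the new verify_policies(), so an empty result (command missing or failing) turns the test into a `[` syntax error instead of a clean branch; write `if [ "$(getenforce)" != "Enforcing" ]; then`. The membership loop compares each entry of `$MODULES` byte-for-byte with the words printed by `semodule -l`, which only works if `@MODULES@` is substituted with bare module names rather than the `.pp.bz2` file names the Makefile builds — the substitution is not visible here, so a one-line comment such as `# MODULES holds bare module names, as printed by semodule -l` would make the assumption explicit. Exiting 0 when SELinux is disabled also means `-V` reports success without checking anything; if that is intended for `rpm -V`, say so in a comment on that branch.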
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Thu, 16 Jun 2022 11:00:10 +0200 Subject: [PATCH 168/192] Use stderr for error in verification function `rpm -V' filters the output and displays only stderr content, so we'd be missing the important bits of the verification. With this patch in, the command outputs the list of missing modules, the amount of them, and the final, default rpm verification failure message. This patch is a follow-up of https://github.com/redhat-openstack/openstack-selinux/pull/93 --- local_settings.sh.in | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 10d49d2..f4e3ff7 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -323,12 +323,16 @@ verify_policies() { break fi done - test ${local_failed} -ne 0 && echo "Missing ${module}!" + test ${local_failed} -ne 0 && (echo "Missing ${module}!" >&2) let "failed_count+=$local_failed" done - echo "Found ${failed_count} missing module(s)." - test ${failed_count} -eq 0 - exit $? + if [ ${failed_count} -eq 0 ]; then + echo "All modules are present." + exit 0 + else + echo "Found ${failed_count} missing module(s)." >&2 + exit 1 + fi } From fba731da8e0e3f07a7022ac414c7f453e7814c38 Mon Sep 17 00:00:00 2001 
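Review bot: The subshell in `test ${local_failed} -ne 0 && (echo "Missing ${module}!" >&2)` is unnecessary; `echo "Missing ${module}!" >&2` already redirects only that echo to stderr, and the parentheses cost a fork per missing module. The rest of the change (summary on stdout on success, per-module and count messages on stderr with exit 1) matches the `rpm -V` behaviour the message describes. verify_policies() starts before this hunk.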
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 8 Jun 2022 14:57:37 +0200 Subject: [PATCH 169/192] Allow to use the multithreading capability in selinux 3.4 Starting SELinux 3.4[1], a new "-T " has been added to some of the commands related to file management, such as restorecon, setfiles and fixfiles. Setting "-T 0" will allow the command to spawn threads matching the amount of available cores, hopefully making the whole thing faster (while a bit more I/O intensive). Note: we're using "secon" utility, provided by the policycore package, in order to get the actual version. This is the only package found that has a "--version" or such parameter... [1] https://github.com/SELinuxProject/selinux/releases/tag/3.4 --- local_settings.sh.in | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/local_settings.sh.in b/local_settings.sh.in index e1b7220..0178bc8 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -10,6 +10,8 @@ DATADIR=${DATADIR:-/usr/share} SHAREDSTATEDIR=${SHAREDSTATEDIR:-/var/lib} LOCALDIR=${LOCALDIR:-$DATADIR/openstack-selinux/master} MODULES=${MODULES:-@MODULES@} +# libselinux-3.4 introduces a new feature. Let's see if we can use it! +SELINUX_THREAD_VERSION=3.4 # This is for caching the file modes; -A is a bash associative # array ("dict" or "map" in other languages) 
@@ -73,6 +75,32 @@ do_echo() { echo $* } +# Source : https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash +vercomp () { + if [[ $1 == $2 ]]; then + return 0 + fi + local IFS=. + local i ver1=($1) ver2=($2) + # fill empty fields in ver1 with zeros + for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do + ver1[i]=0 + done + for ((i=0; i<${#ver1[@]}; i++)); do + if [[ -z ${ver2[i]} ]]; then + # fill empty fields in ver2 with zeros + ver2[i]=0 + fi + if ((10#${ver1[i]} > 10#${ver2[i]})); then + return 1 + fi + if ((10#${ver1[i]} < 10#${ver2[i]})); then + return 2 + fi + done + return 0 +} + function get_clean_name() { if [[ "${1}" =~ '(' ]]; then echo "$1" | cut -d '(' -f1 @@ -88,6 +116,12 @@ relabel_files() { if [ $QUIET -ne 0 ]; then opts="-v" fi + current_version=$(/usr/bin/secon --version| grep -oE '[0-9]+(\.[0-9]+)+') # ensure we match 3.3, 3.3.1, 3.3-rc3 and so on + vercomp $current_version $SELINUX_THREAD_VERSION + if [ $? -le 2 ];; then + # "-T 0" will use all available cores. + opts="${opts} -T 0" + fi # Setfiles is a lot like restorecon, except it takes a policy # on-disk instead of looking at the kernel-loaded policy From 19dc4978020fe5240bfe47918a54fbbe01838015 Mon Sep 17 00:00:00 2001 
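Review bot: `vercomp $current_version $SELINUX_THREAD_VERSION` passes `$current_version` unquoted, so when `secon --version` is unavailable or its output does not match the regex the variable is empty, vercomp receives a single argument, compares 3.4 against nothing and returns 1 ("greater"), which adds `-T 0` on exactly the systems that do not support it; quote both arguments, `vercomp "$current_version" "$SELINUX_THREAD_VERSION"`, so an empty version is padded to zeros and compares as older. The test that follows is broken twice over: `if [ $? -le 2 ];; then` is a syntax error (`;;`), and `-le 2` accepts every return value including 2 (current older than required), so it should read `if [ $? -le 1 ]; then`. Patch 171 later in this series fixes the `;;` and the `-le 1` but not the quoting. For the same reason `[[ $1 == $2 ]]` in vercomp should quote `"$2"` so it is compared literally rather than as a glob pattern. relabel_files() starts before the third hunk.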
From: Gregory Thiemonge Date: Wed, 6 Jul 2022 11:56:27 +0200 Subject: [PATCH 170/192] Add new boolean os_haproxy_ping for Octavia amphora Add an os_haproxy_ping boolean that allows calling the ping command using haproxy external-check (it fixes PING health-monitor in Octavia). This patch applies to both RHEL8 and Centos 9 Stream. These exceptions are added based on the audit.log files. They also includes additional exceptions (read and write for rawip_socket and icmp_socket) that didn't appear in the logs, but "Permission denied" error was observed with strace. Audit logs from rhel 8: type=AVC msg=audit(1655139472.450:1125): avc: denied { execute } for pid=7167 comm=haproxy name=bash dev=vda1 ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1655139472.452:1126): avc: denied { execute } for pid=7168 comm=ping-wrapper.sh name=ping dev=vda1 ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1655139472.452:1126): avc: denied { read open } for pid=7168 comm=ping-wrapper.sh path=/usr/bin/ping dev=vda1 ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1655139472.452:1126): avc: denied { execute_no_trans } for pid=7168 comm=ping-wrapper.sh path=/usr/bin/ping dev=vda1 ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1655139472.457:1127): avc: denied { setcap } for pid=7168 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 type=AVC msg=audit(1655139472.457:1128): avc: denied { create } for pid=7168 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1 type=AVC msg=audit(1655139472.457:1129): 
avc: denied { create } for pid=7168 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1 type=AVC msg=audit(1655139472.457:1130): avc: denied { setopt } for pid=7168 comm=ping lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1 type=AVC msg=audit(1655139472.457:1131): avc: denied { getopt } for pid=7168 comm=ping lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1 type=AVC msg=audit(1655139496.100:1133): avc: denied { execmem } for pid=7217 comm=haproxy scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 From centos 9 stream: type=AVC msg=audit(1657006743.881:191): avc: denied { execute } for pid=1012 comm=haproxy name=bash dev=vda1 ino=21130 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1657006743.885:192): avc: denied { execute } for pid=1013 comm=ping-wrapper.sh name=ping dev=vda1 ino=21697 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1657006743.885:192): avc: denied { read open } for pid=1013 comm=ping-wrapper.sh path=/usr/bin/ping dev=vda1 ino=21697 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1657006743.885:192): avc: denied { execute_no_trans } for pid=1013 comm=ping-wrapper.sh path=/usr/bin/ping dev=vda1 ino=21697 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1657006743.890:193): avc: denied { setcap } for pid=1013 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 type=AVC msg=audit(1657006743.891:194): avc: denied 
{ create } for pid=1013 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1 type=AVC msg=audit(1657006743.891:195): avc: denied { setopt } for pid=1013 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1 type=AVC msg=audit(1657006743.891:196): avc: denied { getopt } for pid=1013 comm=ping scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1 Resolves: rhbz#2096387 --- os-octavia.te | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/os-octavia.te b/os-octavia.te index 7d841e4..3a699e2 100644 --- a/os-octavia.te +++ b/os-octavia.te @@ -21,6 +21,8 @@ gen_require(` type NetworkManager_t; type tmpfs_t; type nsfs_t; + type shell_exec_t; + type ping_exec_t; class sock_file { create link rename setattr unlink write }; class capability { sys_ptrace sys_admin }; class file { create entrypoint execute execute_no_trans getattr ioctl open read write }; @@ -91,6 +93,14 @@ gen_tunable(os_haproxy_enable_nsfs, false) tunable_policy(`os_haproxy_enable_nsfs', ` allow haproxy_t nsfs_t:file { open read }; ') +gen_tunable(os_haproxy_ping, false) +tunable_policy(`os_haproxy_ping', ` + allow haproxy_t ping_exec_t:file { execute execute_no_trans open read }; + allow haproxy_t self:rawip_socket { create getopt setopt write read }; + allow haproxy_t self:icmp_socket { create getopt setopt write read }; + allow haproxy_t self:process setcap; + allow haproxy_t shell_exec_t:file execute; +') kernel_read_fs_sysctls(ifconfig_t) From 0903db99e41baca4dd5ff960db13dc2d63a7cf11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 2 Aug 2022 11:05:15 +0200 Subject: [PATCH 171/192] Correct typos Also re-indent correctly. --- local_settings.sh.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
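Review bot: The RHEL 8 log quoted in the commit message ends with a `{ execmem }` denial for `haproxy_t` on `process` that the new `os_haproxy_ping` block does not allow; if it is unrelated to the ping check it should be dropped from the message, and if it is related the omission should be stated explicitly, since execmem permits writable-and-executable mappings and is worth keeping out of a network-facing service domain. This file does not tie the tunable to its bug the way os-podman.te does with `# Bugzilla 2020210`; add `# Bugzilla 2096387` above `gen_tunable(os_haproxy_ping, false)`. Keeping `shell_exec_t:file execute`, the raw/ICMP socket permissions and `setcap` behind a boolean that defaults to off is the right shape, as these widen haproxy_t considerably.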
diff --git a/local_settings.sh.in b/local_settings.sh.in index 0e9a370..78a9693 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -117,8 +117,8 @@ relabel_files() { opts="-v" fi current_version=$(/usr/bin/secon --version| grep -oE '[0-9]+(\.[0-9]+)+') # ensure we match 3.3, 3.3.1, 3.3-rc3 and so on - vercomp $current_version $SELINUX_THREAD_VERSION - if [ $? -le 2 ];; then + vercomp $current_version $SELINUX_THREAD_VERSION + if [ $? -le 1 ]; then # we want '>=' # "-T 0" will use all available cores. opts="${opts} -T 0" fi From 76d742a51ee0d66f848c01436b2874a55c0f6102 Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Thu, 4 Aug 2022 11:50:49 +0100 Subject: [PATCH 172/192] Add contributing, dev, and troubleshooting documentation --- README | 10 +++------ doc/CONTRIBUTING.md | 51 ++++++++++++++++++++++++++++++++++++++++++ doc/TROUBLESHOOTING.md | 45 +++++++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+), 7 deletions(-) create mode 100644 doc/CONTRIBUTING.md create mode 100644 doc/TROUBLESHOOTING.md diff --git a/README b/README index 87b14d0..3b01980 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -This repository contains OpenStack policy workarounds +This repository contains OpenStack policy workarounds for EL6 and EL7 and derivatives. Each release has its own corresponsing branch. @@ -16,9 +16,5 @@ https://bugzilla.redhat.com/ Running the tests ----------------- -1. Install the selinux-policy-devel package -2. Ensure the path /usr/share/openstack-selinux/master exists -3. From your local openstack-selinux repository, run the following - command as root: - - $ make clean all install check +See the doc/ directory for more information on reporting and fixing +bugs as well as troubleshooting tips. diff --git a/doc/CONTRIBUTING.md b/doc/CONTRIBUTING.md new file mode 100644 index 0000000..51b55b4 --- /dev/null +++ b/doc/CONTRIBUTING.md 
@@ -0,0 +1,51 @@ +How to report a bug +------------------- + +1. Set the system to Permissive and reproduce the issue (*) +2. When reporting the issue, include the permissive audit logs as well +3. The `audit2allow` output can be helpful to include in the report + when it's limited to the denials relevant to the issue, but it is + not enough on its own. It's essential to also include the actual AVC + denials (and ideally, the full permissive audit logs around the time + the issue is triggered.) + +If a bug doesn't already exist on Launchpad or Bugzilla, create a [RDO +bug](https://bugzilla.redhat.com/enter_bug.cgi?product=RDO) with the +`openstack-selinux` component. Having a bug number is necessary to add +unit tests. + +(*) In Enforcing mode, SELinux stops at the first denial which can hide + more of them. Permissive mode enables us to see the full list of + AVC denials, so that they can be resolved all at once rather than + one at a time. + +How to run the tests +-------------------- + +1. Install the `selinux-policy-devel` package +2. Ensure the path `/usr/share/openstack-selinux/master` exists +3. From your local openstack-selinux repository, run the following + command as root: + + $ make clean all install check + +It is recommended to use a VM for this. + +Fixing an issue +---------------- + +If you are certain a new SELinux rule is necessary, consider a patch +with the minimum amount of new rules. If some of the rules are too +wide, the original code may need to change to allow more restricted +policy changes. If that's really not possible, the new rules may need +to be hidden behind a new boolean that stays turned off by default, +except in specific deployment scenarios. + +When preparing the patch, include the denials fixed by the new rule in +a test file under tests/ to confirm the fix and avoid future +regressions. + +Note: a test file won't help in the case of booleans turned off by +default. 
In that case, include the denials in the commit message +instead to help reviewers with understanding the issue being resolved +and keeping a record. diff --git a/doc/TROUBLESHOOTING.md b/doc/TROUBLESHOOTING.md new file mode 100644 index 0000000..7ccbe44 --- /dev/null +++ b/doc/TROUBLESHOOTING.md 
@@ -0,0 +1,45 @@ +Here is a list of common issues and tips on how to debug them. + +How to resolve 'SELinux boolean os_enable_vtpm does not exist.'? +---------------------------------------------------------------- +How to resolve 'Missing os-ovs! [...] Found XX missing modules' errors? +----------------------------------------------------------------------- + +Either of these errors means that the `openstack-selinux` package could +not be installed properly, which can happen for a number of +reasons. Usually, it indicates a missing dependency or that a symbol +required by a policy is not defined on the system. + +A few tips that may help to debug: + +* Try to reinstall the package and look carefully at the output. There + should be some kind of warning. If you need to open a bug, make sure + to include this output in the report as this is the real error. + + # dnf reinstall openstack-selinux + +* Confirm that `container-selinux` is present and also installed + correctly.` openstack-selinux` depends on the symbols defined in it + and will also fail if the package isn't properly installed on the + system. You can check that by running the following command (this may + require installing `setools-console`): + + $ seinfo --type | grep container + + This should return at least a dozen types. If seinfo only returns + three container symbols or less, `container-selinux` is missing or + not installed properly. You can try to reinstall the rpm to look for + a trace with more information. + +Switching to Permissive mode resolves my problem but there are no denials in the audit logs +------------------------------------------------------------------------------------------- + +You may be hitting an issue with `dontaudit` rules. You can temporarily +allow SELinux to log these with the following command: + + # semodule -DB + +This will rebuild the policy. Once you have reproduced the issue and +are able to check the logs, you can revert back with: + + # semodule -B 
From f297520e89bc2ec2fb6ba1e7591a94d23d548b5f Mon Sep 17 00:00:00 2001 From: Lon Hohberger Date: Tue, 16 Aug 2022 11:24:22 -0400 Subject: [PATCH 173/192] docs: Add container note Modifying SELinux policies on a running system requires access to kernel. This is usually disabled within containers, so add a note since we have had questions in the past concerning containers while debugging SELinux policies. --- doc/CONTRIBUTING.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/CONTRIBUTING.md b/doc/CONTRIBUTING.md index 51b55b4..46641d7 100644 --- a/doc/CONTRIBUTING.md +++ b/doc/CONTRIBUTING.md @@ -29,7 +29,9 @@ How to run the tests $ make clean all install check -It is recommended to use a VM for this. +It is recommended to use a VM for this. Note that it is not usually +possible nor recommended to develop or test SELinux policies from within +a container. Fixing an issue ---------------- From 949e35df135bc09aa1ae20c8c33fb1b71b73f65b Mon Sep 17 00:00:00 2001 From: Julie Pichon Date: Tue, 23 Aug 2022 14:52:47 +0100 Subject: [PATCH 174/192] Allow svirt_t to read and write openvswitch anon inodes Fixes the following AVC on EL9: type=AVC msg=audit(1661252189.728:38998): avc: denied { read write } for pid=328264 comm="qemu-kvm" path="anon_inode:[userfaultfd]" dev="anon_inodefs" ino=11082987 scontext=system_u:system_r:svirt_t:s0:c277,c570 tcontext=system_u:object_r:openvswitch_t:s0 tclass=anon_inode permissive=1 Resolves: rhbz#2118908 Signed-off-by: Lon Hohberger --- os-ovs-el9.te | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 os-ovs-el9.te diff --git a/os-ovs-el9.te b/os-ovs-el9.te new file mode 100644 index 0000000..06d85ae --- /dev/null +++ b/os-ovs-el9.te 
@@ -0,0 +1,14 @@
+#
+# openstack-selinux extra OVS policy for RHEL9
+#
+# Allow openvswitch to write to files in /tmp
+#
+policy_module(os-ovs-el9,0.1)
+
+gen_require(`
+ type openvswitch_t;
+ type svirt_t;
+')
+
+# bugzilla 2118908
+allow svirt_t openvswitch_t:anon_inode { read write };
From bdc9a401148dccec3c7cef54ec35c1850b492d96 Mon Sep 17 00:00:00 2001
From: Lon Hohberger
Date: Wed, 24 Aug 2022 12:22:43 -0400
Subject: [PATCH 175/192] Enable OS version-specific modules RHEL9 selinux-policy is not entirely backwards compatible with RHEL8. In order to allow building on both releases without having to do extra maintenance, we can add version specific modules (by example, os-ovs-el9)
---
 Makefile | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 42c6ab4..e1d664c 100644
--- a/Makefile
+++ b/Makefile
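Review bot: The header comment `# Allow openvswitch to write to files in /tmp` does not describe this module; its only rule lets `svirt_t` (the qemu guest domain) read and write `anon_inode` objects labelled `openvswitch_t`, which per the commit's AVC is a `userfaultfd` descriptor. Replace it with `# Allow svirt_t (qemu) to read/write anon inodes (e.g. userfaultfd) labelled openvswitch_t` so the next reader does not go looking for a /tmp rule. The rule is unconditional but limited to the `anon_inode` class, so it does not extend svirt_t's access to openvswitch files, sockets or directories.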
@@ -1,4 +1,19 @@
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster
+include /etc/os-release
+
+# De-quote, if quoted.
+OS_ID=$(shell echo $(ID))
+OS_VER=$(shell echo $(VERSION_ID))
+OS_MAJ=$(shell OS_VER=$(OS_VER) && echo $${OS_VER/.*/})
+
+# RHEL & rebuilds: if we match one of these, we do a version comparison.
+ifneq (,$(findstring $(OS_ID),rhel centos rocky almalinux))
+# If version 9 or greater, add extra targets
+ifeq ($(OS_MAJ),9)
+EXTRA_TARGETS?=os-ovs-el9
+endif # version 9
+endif # RHEL clones
+
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS)
 MODULES?=${TARGETS:=.pp.bz2}
 DATADIR?=/usr/share
 LOCALDIR?=/usr/share/openstack-selinux/master
From 7d571767edd026a34d04797dca2d1304217a8e9a Mon Sep 17 00:00:00 2001
From: Lon Hohberger
Date: Fri, 26 Aug 2022 08:49:09 -0400
Subject: [PATCH 176/192] local_settings.sh: Don't check modules when not root Running 'semodule -l' can only be done as root, but package verification (e.g. rpm -V) can be done as any user. Don't break package verification if running as non-root.
---
 local_settings.sh.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/local_settings.sh.in b/local_settings.sh.in
index 78a9693..b25216a 100644
--- a/local_settings.sh.in
+++ b/local_settings.sh.in
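Review bot: `ifeq ($(OS_MAJ),9)` matches a major version of exactly 9, while the comment on the line above says "If version 9 or greater", so a future release 10 would silently lose `os-ovs-el9`; either make the comment match the code (`# Version 9 only: add extra targets`) or test numerically, e.g. `ifeq ($(shell test "$(OS_MAJ)" -ge 9 2>/dev/null && echo yes),yes)`. `$(findstring $(OS_ID),rhel centos rocky almalinux)` is a substring search, so a partial ID would also match; `$(filter $(OS_ID),rhel centos rocky almalinux)` matches whole words and reads as intended. A hard `include /etc/os-release` aborts the build on any host without that file, whereas `-include` keeps the previous behaviour (no extra targets). `$${OS_VER/.*/}` is a bash substitution that relies on make's SHELL being bash, presumably fine on the targeted distributions but worth a comment.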
@@ -343,7 +343,11 @@ verify_policies() {
 exit 0
 fi
 if [ $(getenforce) != "Enforcing" ]; then
- echo "SELinux is permissive";
+ echo "SELinux is permissive"
+ exit 0
+ fi
+ if [ "$(id -u)" != "0" ]; then
+ echo "Note: UID is not 0; cannot check SELinux module status"
 exit 0
 fi
From b753cef89ff70cc0bef68f1703fc36a76f99048f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Thu, 15 Sep 2022 13:41:04 +0200
Subject: [PATCH 177/192] Allow init_t to create and mange socket in container_file_t This is needed for some cases, for instance collectd container running podman-remote to get container healthchecks status. Related: rhbz#2091076
---
 os-podman.te | 3 +++
 tests/bz2091076 | 2 ++
 2 files changed, 5 insertions(+)
 create mode 100644 tests/bz2091076
diff --git a/os-podman.te b/os-podman.te
index 94f2fb2..87c6c55 100644
--- a/os-podman.te
+++ b/os-podman.te
@@ -55,3 +55,6 @@ allow container_t fixed_disk_device_t:blk_file getattr;
 # Bugzilla 2020210
 manage_files_pattern(container_t, container_log_t, container_log_t);
 manage_dirs_pattern(container_t, container_log_t, container_log_t);
+
+# Bugzilla 2091076
+manage_sock_files_pattern(init_t, container_file_t, container_file_t);
diff --git a/tests/bz2091076 b/tests/bz2091076
new file mode 100644
index 0000000..dcc8990
--- /dev/null
+++ b/tests/bz2091076
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1663231589.213:223510): avc: denied { create } for pid=1 comm="systemd" name="podman.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
+type=AVC msg=audit(1663231589.213:223511): avc: denied { write } for pid=1 comm="systemd" name="podman.sock" dev="vda4" ino=143041949 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1
From 2b13d247c3e429774c8ab04773e24785c930a174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Wed, 30 Nov 2022 14:35:33 +0100 Subject: [PATCH 178/192] Run the verification even on permissive system That way, it will prevent issues in the current upstream CI, while ensuring we can safely switch back to enforcing later. --- local_settings.sh.in | 4 ---- 1 file changed, 4 deletions(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index b25216a..0addebc 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -342,10 +342,6 @@ verify_policies() { echo "SELinux is disabled" exit 0 fi - if [ $(getenforce) != "Enforcing" ]; then - echo "SELinux is permissive" - exit 0 - fi if [ "$(id -u)" != "0" ]; then echo "Note: UID is not 0; cannot check SELinux module status" exit 0 From c3fcc153c61e9cbb21a19b4ea3ff61a74cbc2e21 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 14 Oct 2023 00:00:54 +0900 Subject: [PATCH 179/192] Drop MongoDB MongoDB was removed from dependencies repo in RDO during the Queens cycle[1]. [1] https://github.com/redhat-openstack/rdoinfo/commit/2df70be02cfdbbb97827dd6361cef20fc8f6adbb --- Makefile | 2 +- local_settings.sh.in | 1 - os-mongodb.te | 1 - tests/bz1192049 | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 os-mongodb.te delete mode 100644 tests/bz1192049 diff --git a/Makefile b/Makefile index e1d664c..e49c55a 100644 --- a/Makefile +++ b/Makefile 
@@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9 endif # version 9 endif # RHEL clones -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS) +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS) MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master diff --git a/local_settings.sh.in b/local_settings.sh.in index 0addebc..869a5dd 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in @@ -24,7 +24,6 @@ declare -A custom_fcontext=( ["$SHAREDSTATEDIR/designate/bind9(/.*)?"]='named_zone_t' ["$SHAREDSTATEDIR/vhost_sockets(/.*)?"]='virt_cache_t' ["$SHAREDSTATEDIR/openstack-dashboard"]='httpd_var_lib_t' -["$SHAREDSTATEDIR/mongodb(/.*)?"]='mongod_var_lib_t' ["$LOCALSTATEDIR/log/gnocchi/app.log"]='httpd_log_t' ["$LOCALSTATEDIR/log/aodh/app.log"]='httpd_log_t' ["$LOCALSTATEDIR/log/ceilometer/app.log"]='httpd_log_t' diff --git a/os-mongodb.te b/os-mongodb.te deleted file mode 100644 index 5ef388e..0000000 --- a/os-mongodb.te +++ /dev/null @@ -1 +0,0 @@ -policy_module(os-mongodb,0.1) diff --git a/tests/bz1192049 b/tests/bz1192049 deleted file mode 100644 index 1a233a4..0000000 --- a/tests/bz1192049 +++ /dev/null @@ -1 +0,0 @@ -type=AVC msg=audit(1424715492.561:319885): avc: denied { execmem } for pid=30884 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process From 36a47dde624e9204bf3be79f157833327e481b2e Mon Sep 17 00:00:00 2001 
From: Takashi Kajinami Date: Sat, 14 Oct 2023 00:15:49 +0900 Subject: [PATCH 180/192] Revert "Add boolean to optionally enable PBIS support for nova_t/neutron_t" This reverts commit 1b65945ea05a34e3de3aa92d994b9f6221fe3e0b. Reason for revert: The original issue was fixed in the PBIS package by [1]. [1] https://github.com/BeyondTrust/pbis-open/commit/b1ffc871065cb13fcdde0f60c522a80a658c607a Conflicts: Makefile --- Makefile | 4 ++-- os-pbis.if | 25 ------------------------- os-pbis.te | 13 ------------- 3 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 os-pbis.if delete mode 100644 os-pbis.te diff --git a/Makefile b/Makefile index e49c55a..a145d11 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9 endif # version 9 endif # RHEL clones -TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS) +TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS) MODULES?=${TARGETS:=.pp.bz2} DATADIR?=/usr/share LOCALDIR?=/usr/share/openstack-selinux/master @@ -34,7 +34,7 @@ local_settings.sh: local_settings.sh.in chmod 0755 $@ clean: - rm -f *~ *.tc *.pp *.pp.bz2 local_settings.sh + rm -f *~ *.if *.tc *.pp *.pp.bz2 local_settings.sh rm -rf tmp *.tar.gz tarball: .git/config diff --git a/os-pbis.if b/os-pbis.if deleted file mode 100644 index ecf4c8b..0000000 --- a/os-pbis.if +++ /dev/null 
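Review bot: Re-adding `*.if` to the `clean` recipe removes any interface source in the tree, not only build output; with os-pbis.if deleted there is none today, but the Makefile still carries an `# Install interfaces` step (visible as context in a later hunk of this series), so a future tracked `.if` file would be wiped by `make clean`. If the goal is only to restore the pre-PBIS recipe, consider leaving `*.if` out of `clean` rather than restoring it verbatim, or note next to it that no `.if` sources are expected to be tracked.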
@@ -1,25 +0,0 @@ -# -# This comes from pbis-open's pbis.if -# https://github.com/BeyondTrust/pbis-open/blob/master/config/linux/redhat/rhel/7.0/pbis.if (GPL v2) -# -######################################## -## -## Connect to pbis services. -## -## -## -## Domain allowed access. -## -## -# - -interface(`os_pbis_client',` - gen_require(` - class unix_stream_socket connectto; - class sock_file { write create unlink getattr }; - type var_lib_t, unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; - allow $1 var_lib_t:sock_file write; -') diff --git a/os-pbis.te b/os-pbis.te deleted file mode 100644 index cbec695..0000000 --- a/os-pbis.te +++ /dev/null @@ -1,13 +0,0 @@ -policy_module(os-pbis,0.1) - -gen_require(` - type neutron_t; - type nova_t; -') - -# Bug 1658815 - Temporary workaround until PBIS is updated -gen_tunable(openstack_pbis_support, false) -tunable_policy(`openstack_pbis_support',` - os_pbis_client(neutron_t) - os_pbis_client(nova_t) -') From 1adf65212ff42d647e807ff63a16fdd8b8f13866 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 26 Oct 2023 21:45:14 +0900 Subject: [PATCH 181/192] Remove leftover of ceilometer-api The ceilometer-api service was removed during queens cycle[1]. This removes the remaining definition for ceilometer-api run by httpd and mod_wsgi. [1] https://github.com/openstack/ceilometer/commit/d881dd52289d453b9f9d94c7c32c0672a70a8064 --- local_settings.sh.in | 1 - 1 file changed, 1 deletion(-) diff --git a/local_settings.sh.in b/local_settings.sh.in index 869a5dd..769526d 100644 --- a/local_settings.sh.in +++ b/local_settings.sh.in 
@@ -26,7 +26,6 @@ declare -A custom_fcontext=(
 ["$SHAREDSTATEDIR/openstack-dashboard"]='httpd_var_lib_t'
 ["$LOCALSTATEDIR/log/gnocchi/app.log"]='httpd_log_t'
 ["$LOCALSTATEDIR/log/aodh/app.log"]='httpd_log_t'
-["$LOCALSTATEDIR/log/ceilometer/app.log"]='httpd_log_t'
 ["$LOCALSTATEDIR/log/panko/app.log"]='httpd_log_t'
 ["$LOCALSTATEDIR/log/zaqar/zaqar.log"]='httpd_log_t'
 ["$LOCALSTATEDIR/lib/config-data(/.*)?"]='container_file_t'
From 1c7259258cbcc026d64018580794cede87be622d Mon Sep 17 00:00:00 2001
From: Sean Mooney
Date: Thu, 23 Nov 2023 08:02:25 +0000
Subject: [PATCH 182/192] [os-virt] allow virtlogd to access /var/lib/nova
As part of https://issues.redhat.com//browse/OSPRH-960 libvirt will be installed on the host not in a container. libvirt will be used to execute qemu instances with console files located in /var/lib/nova. As nova is executed in a contaienr /var/lib/nova is labled with container_file_t To enable this we need to allow virtlogd to create, delete and update files in /var/lib/nova
Related: OSPRH-960
---
Makefile | 2 +-
doc/CONTRIBUTING.md | 2 +-
os-virt.te | 6 +++++-
tests/check_all | 2 +-
tests/osprh960 | 9 +++++++++
5 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 tests/osprh960
diff --git a/Makefile b/Makefile
index e49c55a..d9a5dda 100644
--- a/Makefile
+++ b/Makefile
@@ -85,7 +85,7 @@ install:
 # Install tests
 ${INSTALL} -d ${LOCALDIR}/tests
- ${INSTALL} -m 0644 tests/bz* tests/lp* ${LOCALDIR}/tests
+ ${INSTALL} -m 0644 tests/bz* tests/lp* tests/osprh* ${LOCALDIR}/tests
 ${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests
 # Install interfaces
diff --git a/doc/CONTRIBUTING.md b/doc/CONTRIBUTING.md
index 46641d7..d3f9175 100644
--- a/doc/CONTRIBUTING.md
+++ b/doc/CONTRIBUTING.md
@@ -9,7 +9,7 @@ How to report a bug
 denials (and ideally, the full permissive audit logs around the time the issue is triggered.)
-If a bug doesn't already exist on Launchpad or Bugzilla, create a [RDO
+If a bug doesn't already exist on Launchpad, Bugzilla or Jira, create a [RDO
 bug](https://bugzilla.redhat.com/enter_bug.cgi?product=RDO) with the `openstack-selinux` component. Having a bug number is necessary to add unit tests.
diff --git a/os-virt.te b/os-virt.te
index 1a9af9c..902c817 100644
--- a/os-virt.te
+++ b/os-virt.te
@@ -5,6 +5,7 @@ gen_require(`
 type systemd_logind_t;
 type systemd_logind_inhibit_var_run_t;
 type virtlogd_t;
+ type virt_var_run_t;
 type svirt_t;
 type spc_t;
 type unlabeled_t;
@@ -19,7 +20,10 @@ gen_require(`
 allow virtlogd_t systemd_logind_t:dbus send_msg;
 allow systemd_logind_t virtlogd_t:dbus send_msg;
 allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file write;
-
+# allow access to /var/lib/nova directories which are labeled with container_file_t
+# This is required for https://issues.redhat.com//browse/OSPRH-960
+manage_files_pattern(virtlogd_t, container_file_t, container_file_t)
+allow virtlogd_t self:capability dac_override;
 # #1566973
 # Tunable to allow virtlogd to write to NFS
 gen_tunable(os_virtlogd_use_nfs, false)
diff --git a/tests/check_all b/tests/check_all
index f6e4297..333217b 100755
--- a/tests/check_all
+++ b/tests/check_all
@@ -17,7 +17,7 @@ mkdir -p $TMP
 PWD=$(pwd)
 cd "$(dirname $0)"
-TEST_FILES=$(/bin/ls -1 bz* lp*)
+TEST_FILES=$(/bin/ls -1 bz* lp* osprh*)
 TEST_INPUT=$TMP/input
 TEST_OUTPUT=$TMP/output
 TEST_FAIL=$TMP/failed_tests
diff --git a/tests/osprh960 b/tests/osprh960
new file mode 100644
index 0000000..b65bc57
--- /dev/null
+++ b/tests/osprh960
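Review bot: `allow virtlogd_t self:capability dac_override;` in the os-virt.te hunk is added without justification: neither the commit message nor tests/osprh960 (whose denials are all dir/file permissions against container_file_t) shows a capability denial, and dac_override lets the domain bypass every discretionary permission check on the host. It should either be dropped or backed by the AVC that triggered it, with a one-line comment naming the operation that needs it. `manage_files_pattern(virtlogd_t, container_file_t, container_file_t)` is also wider than the /var/lib/nova path the comment describes, since container_file_t is the label of every container volume on the host, so virtlogd_t can now create and delete files in any of them. This file already gates optional access behind a boolean (`gen_tunable(os_virtlogd_use_nfs, false)` is visible in the same hunk), and the same pattern would let operators enable this only on hosts that run libvirt outside the nova container. `type virt_var_run_t;` is added to gen_require but nothing in either hunk references it; if the rest of the file (outside the hunk) does not use it, the require is dead.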
@@ -0,0 +1,9 @@
+type=AVC msg=audit(11/21/2023 18:43:16.798:56328) : avc: denied { getattr } for pid=194510 comm=virtlogd path=/run/libvirt dev="tmpfs" ino=2396 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
+type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { remove_name } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
+type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
+type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { unlink } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file
+type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { write } for pid=194763 comm=virtlogd name=b450ad46-233c-41a1-838a-2168ae0a131d dev="vda1" ino=25170710 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
+type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { add_name } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
+type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { create } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file
+type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { open } for pid=194763 comm=virtlogd path=/var/lib/nova/instances/b450ad46-233c-41a1-838a-2168ae0a131d/console.log dev="vda1" ino=25791090 
scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file
+type=AVC msg=audit(11/22/2023 14:02:47.411:58105) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir
From bc5b629142d9ee62dd50cea95a0d8a6d16a0b294 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 18 Dec 2023 00:29:26 +0900
Subject: [PATCH 183/192] Allow neutron_t to manage files and links in tmpfs
The neutron-server service requires to create files and links in tmpfs when ml2 ovn is used. This adds the missing rule to allow these file/ link management.
Resolves: rhbz#2254886
---
os-neutron.te | 3 +++
tests/bz2254886 | 5 +++++
2 files changed, 8 insertions(+)
create mode 100644 tests/bz2254886
diff --git a/os-neutron.te b/os-neutron.te
index b4b40ed..1879022 100644
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -133,3 +133,6 @@ corenet_udp_bind_dhcpc_port(neutron_t)
 # Bugzilla 1676954
 auth_use_pam(neutron_t)
 init_rw_utmp(neutron_t)
+
+# Bugzilla 2254886
+fs_manage_tmpfs_files(neutron_t)
diff --git a/tests/bz2254886 b/tests/bz2254886
new file mode 100644
index 0000000..abf4db6
--- /dev/null
+++ b/tests/bz2254886
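Review bot: `fs_manage_tmpfs_files(neutron_t)` grants create/read/write/link/unlink on every generic `tmpfs_t` file, not only the `sem.*` POSIX semaphores under /dev/shm that tests/bz2254886 shows neutron-server creating, so neutron_t can now also touch any other service's unlabeled tmpfs objects. If the base policy provides a private tmpfs type for neutron (I cannot tell from this hunk), a type transition onto that type would scope the rule to neutron's own objects. Otherwise the wide grant should at least be explained for the next reader, e.g. `# Bugzilla 2254886 - neutron-server (ml2/ovn) creates POSIX semaphores in /dev/shm`.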
@@ -0,0 +1,5 @@
+type=AVC msg=audit(1702821160.556:5348): avc: denied { create } for pid=71109 comm="neutron-server" name="sem.ooVkM5" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1702821160.556:5348): avc: denied { read write open } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1702821160.556:5349): avc: denied { link } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1702821160.556:5350): avc: denied { getattr } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1702821160.556:5351): avc: denied { unlink } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
From 99cb2d2d6c58e32c754d63ab4d20681332d98614 Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Wed, 7 Feb 2024 11:58:32 +0000
Subject: [PATCH 184/192] Allow ceilometer_polling_t to run as a container and poll necessary data
Resolves OSPRH-3373
---
Makefile | 2 +-
os-ceilometer.te | 23 +++++++++++++++++++++++
tests/osprh3373 | 3 +++
3 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 os-ceilometer.te
create mode 100644 tests/osprh3373
diff --git a/Makefile b/Makefile
index 3e4a87c..2834400 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9
 endif # version 9
 endif # RHEL clones
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS)
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer $(EXTRA_TARGETS)
 MODULES?=${TARGETS:=.pp.bz2}
 DATADIR?=/usr/share
 LOCALDIR?=/usr/share/openstack-selinux/master
diff --git a/os-ceilometer.te b/os-ceilometer.te
new file mode 100644
index 0000000..4fe7030
--- /dev/null
+++ b/os-ceilometer.te
@@ -0,0 +1,23 @@
+policy_module(os-ceilometer, 1.0.0)
+
+gen_require(`
+ attribute container_net_domain;
+ type ceilometer_polling_t;
+ type container_file_t;
+ type proc_t;
+ type virt_var_run_t;
+ type virtd_t;
+')
+
+# Get ceilometer_polling_t to work as a container
+container_domain_template(ceilometer_polling, container)
+container_runtime_domtrans(ceilometer_polling_t)
+typeattribute ceilometer_polling_t container_net_domain;
+
+logging_send_audit_msgs(ceilometer_polling_t)
+logging_send_syslog_msg(ceilometer_polling_t)
+
+# OSPRH-3373
+allow ceilometer_polling_t proc_t:filesystem associate;
+allow ceilometer_polling_t virt_var_run_t:sock_file write;
+allow ceilometer_polling_t virtd_t:unix_stream_socket connectto;
diff --git a/tests/osprh3373 b/tests/osprh3373
new file mode 100644
index 0000000..324eef4
--- /dev/null
+++ b/tests/osprh3373
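Review bot: `allow ceilometer_polling_t virtd_t:unix_stream_socket connectto;` together with the `virt_var_run_t:sock_file write` rule permits connecting to any libvirt socket under /run/libvirt, while tests/osprh3373 shows only the read-only `virtqemud-sock-ro` being used; SELinux cannot distinguish the two sockets with these types, so the read-only property rests on the socket files' own permissions and a comment should say so, e.g. `# OSPRH-3373: ceilometer-polling reads guest stats via virtqemud-sock-ro; this also covers the rw socket, which only socket file permissions keep closed`. `type container_file_t;` in gen_require is not referenced anywhere in this new file and can be dropped. `container_domain_template(ceilometer_polling, container)` plus the `container_net_domain` attribute give the domain the full container-domain privilege set, which is presumably intended for a containerised service; the `proc_t:filesystem associate` rule, however, responds to a denial whose scontext is `object_r:ceilometer_polling_t` (a proc entry carrying the process type as a file label), so it is worth confirming that this is expected rather than a labeling problem being papered over.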
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1707395260.099:18787): avc: denied { associate } for pid=74475 comm="ceilometer-poll" name="1" scontext=system_u:object_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
+type=AVC msg=audit(1707395260.231:18790): avc: denied { write } for pid=74485 comm="ceilometer-poll" name="virtqemud-sock-ro" dev="tmpfs" ino=1703 scontext=system_u:system_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
+type=AVC msg=audit(1707478033.374:19852): avc: denied { connectto } for pid=86771 comm="ceilometer-poll" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:ceilometer_polling_t:s0:c322,c751 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
From ed74cff4261476b0f1efe539a9373014def95bac Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 30 Jul 2024 00:39:07 +0900
Subject: [PATCH 185/192] Allow httpd to access glance data
When glance-api is run by httpd + mod_wsgi, httpd needs access to the glance data directory.
Resolves: RDO-310
---
Makefile | 2 +-
os-glance.te | 5 +++
tests/check_all | 2 +-
tests/rdo310 | 90 +++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 97 insertions(+), 2 deletions(-)
create mode 100644 tests/rdo310
diff --git a/Makefile b/Makefile
index 2834400..98096b9 100644
--- a/Makefile
+++ b/Makefile
@@ -85,7 +85,7 @@ install:
 # Install tests
 ${INSTALL} -d ${LOCALDIR}/tests
- ${INSTALL} -m 0644 tests/bz* tests/lp* tests/osprh* ${LOCALDIR}/tests
+ ${INSTALL} -m 0644 tests/bz* tests/lp* tests/osprh* tests/rdo* ${LOCALDIR}/tests
 ${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests
 # Install interfaces
diff --git a/os-glance.te b/os-glance.te
index ccbf190..8472813 100644
--- a/os-glance.te
+++ b/os-glance.te
@@ -10,6 +10,7 @@ gen_require(`
 type sysfs_t;
 type var_lib_t;
 type nfs_t;
+ type httpd_t;
 class dir { write getattr remove_name create add_name };
 class file { write getattr unlink open create read};
 class lnk_file read;
@@ -95,3 +96,7 @@ tunable_policy(`os_glance_use_nfs',`
 # Bugzilla 1789710
 allow glance_api_t glance_var_lib_t:filesystem getattr;
+
+# RDO-310 Allow httpd to handle files in statedir
+manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
+manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
diff --git a/tests/check_all b/tests/check_all
index 333217b..f270985 100755
--- a/tests/check_all
+++ b/tests/check_all
@@ -17,7 +17,7 @@ mkdir -p $TMP
 PWD=$(pwd)
 cd "$(dirname $0)"
-TEST_FILES=$(/bin/ls -1 bz* lp* osprh*)
+TEST_FILES=$(/bin/ls -1 bz* lp* osprh* rdo*)
 TEST_INPUT=$TMP/input
 TEST_OUTPUT=$TMP/output
 TEST_FAIL=$TMP/failed_tests
diff --git a/tests/rdo310 b/tests/rdo310
new file mode 100644
index 0000000..24575b5
--- /dev/null
+++ b/tests/rdo310
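Review bot: `manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t)` and `manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t)` in the second os-glance.te hunk give httpd_t unconditional create/write/delete over the whole glance state directory, and httpd_t is shared by every web application on the host, not just a glance-api deployed under mod_wsgi; on a host that runs glance-api standalone this is new write access that nothing uses. This file already gates optional access behind a boolean (`tunable_policy(`os_glance_use_nfs',` is the hunk's context line), so the same pattern with a new boolean, default off, keeps the shipped policy unchanged and lets mod_wsgi deployments opt in; the boolean name below is a suggestion. The trailing `;` after the two pattern macro calls is also inconsistent with the other interface calls in this file, which carry none, and should be dropped. The existing tunable_policy body referenced by the hunk header is outside the hunk.
```selinux
# … unchanged: Bugzilla 1789710 filesystem getattr rule …

# RDO-310 Allow httpd to handle files in statedir when glance-api is run
# under httpd + mod_wsgi. Default off so httpd_t gets no write access to
# glance data on hosts that run glance-api standalone.
gen_tunable(os_glance_use_httpd, false)
tunable_policy(`os_glance_use_httpd',`
	manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t)
	manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t)
')
```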
@@ -0,0 +1,90 @@ +type=AVC msg=audit(1721753290.030:6163): avc: denied { write } for pid=72846 comm="httpd" name="python-entrypoints" dev="xvda1" ino=7874172 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { add_name } for pid=72846 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { create } for pid=72846 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.030:6163): avc: denied { write open } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.032:6164): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.032:6165): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/.cache/python-entrypoints/5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { write } for pid=72846 comm="httpd" name="glance" dev="xvda1" ino=7463345 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { add_name } for pid=72846 comm="httpd" name="os_glance_staging_store" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753290.846:6167): avc: denied { create } for pid=72846 comm="httpd" name="os_glance_staging_store" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753291.255:6168): avc: denied { read } for pid=72846 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753293.061:6170): avc: denied { read } for pid=72845 comm="httpd" name="5cef0780e4541cdc8fdde031924d524d2fd27b68b07d2a5d38a7240bd855ebde" dev="xvda1" ino=7875290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753293.831:6173): avc: denied { write } for pid=72845 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753294.223:6174): avc: denied { read } for pid=72845 comm="httpd" name="os_glance_staging_store" dev="xvda1" ino=7875358 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { write } for pid=72846 comm="httpd" name="glance" dev="xvda1" ino=7463345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { add_name } for pid=72846 comm="httpd" name="tmp" 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6262): avc: denied { create } for pid=72846 comm="httpd" name="tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753311.557:6263): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_volume" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6263): avc: denied { append open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6264): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6265): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753311.557:6266): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6301): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6301): avc: denied { open 
} for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6302): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6303): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753315.678:6304): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6400): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6400): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6401): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6402): avc: denied { ioctl } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.523:6403): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { write } for pid=72846 comm="httpd" name="tmp" dev="xvda1" ino=7875364 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { add_name } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-83574b8c-e719-4371-b037-4640f833817d" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721753335.524:6404): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-83574b8c-e719-4371-b037-4640f833817d" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753336.677:6417): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6442): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6442): avc: denied { open } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6443): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753339.608:6444): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7345): avc: denied { append } for pid=72845 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7345): avc: denied { open } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7346): avc: denied { getattr } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7347): avc: denied { ioctl } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.221:7348): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" 
dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753948.339:7362): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7386): avc: denied { append } for pid=72845 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7386): avc: denied { open } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7387): avc: denied { getattr } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.338:7388): avc: denied { ioctl } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753952.339:7389): avc: denied { lock } for pid=72845 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7563): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" 
dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7563): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7564): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7565): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753967.935:7566): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753968.057:7579): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7620): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7620): avc: denied { open } for pid=72846 comm="httpd" 
path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7621): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7622): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721753971.772:7623): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.809:8295): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.809:8295): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.809:8296): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.809:8297): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" 
ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.809:8298): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754217.810:8299): avc: denied { write } for pid=72846 comm="httpd" name="tmp" dev="xvda1" ino=7875364 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721754217.810:8299): avc: denied { add_name } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(1721754217.810:8299): avc: denied { create } for pid=72846 comm="httpd" name="os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.368:8420): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.368:8420): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.368:8421): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.368:8422): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.368:8423): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754232.494:8437): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-3dd46f7d-8161-4280-85bb-60a59cbbc8bc" dev="xvda1" ino=7875375 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754235.051:8461): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754235.051:8461): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754235.051:8462): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754235.052:8463): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" 
dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.027:8841): avc: denied { append } for pid=72846 comm="httpd" name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.027:8841): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.027:8842): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.027:8843): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.027:8844): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754361.180:8857): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_to_iscsi_portal-[::1]:3260-iqn.2010-10.org.openstack:volume-1fd802af-84b7-4250-a1e1-710de88986d4" dev="xvda1" ino=7875366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1721754365.266:8882): avc: denied { append } for pid=72846 comm="httpd" 
name="os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8882): avc: denied { open } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8883): avc: denied { getattr } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8884): avc: denied { ioctl } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1721754365.266:8885): avc: denied { lock } for pid=72846 comm="httpd" path="/var/lib/glance/tmp/os-brick-connect_volume" dev="xvda1" ino=7875365 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file permissive=1
From 58756a6d116b42b7750120cd6424b40f319bb29e Mon Sep 17 00:00:00 2001
From: eshulman2
Date: Tue, 20 May 2025 11:31:49 +0300
Subject: [PATCH 186/192] Allow NetworkManager access to OVS DB socket

Network configuration using `os-net-config` can now utilize NetworkManager. To enable NetworkManager to configure OVS-related settings, write access to the OVS database socket is required. This policy has been added to allow the necessary access.
---
 os-net-config.te | 16 ++++++++++++++++
 tests/osprh16672 | 1 +
 2 files changed, 17 insertions(+)
 create mode 100644 os-net-config.te
 create mode 100644 tests/osprh16672
diff --git a/os-net-config.te b/os-net-config.te
new file mode 100644
index 0000000..8fdacaa
--- /dev/null
+++ b/os-net-config.te
@@ -0,0 +1,16 @@
+#
+# openstack-selinux policy for os-net-config network manager
+#
+# Allow NetworkManager to access ovs db.sock
+#
+# Author: Ella Shulman
+#
+
+gen_require(`
+ type NetworkManager_t;
+ type container_file_t;
+ class sock_file write;
+')
+
+# Jira OSPRH-16672
+rw_sock_files_pattern(NetworkManager_t, container_file_t, container_file_t)
diff --git a/tests/osprh16672 b/tests/osprh16672
new file mode 100644
index 0000000..d832059
--- /dev/null
+++ b/tests/osprh16672
@@ -0,0 +1 @@
+type=AVC msg=audit(1747193869.722:197759): avc: denied { write } for pid=321799 comm="NetworkManager" name="db.sock" dev="tmpfs" ino=2393 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=0
From 87bb80d44e084e9e08b92a6746551869ec40c079 Mon Sep 17 00:00:00 2001
From: eshulman2
Date: Wed, 21 May 2025 12:10:05 +0300
Subject: [PATCH 187/192] Fix os-net-config missing polixy module

Add missing policy module statement in os-net-config module. seems like this was missed in review
---
 os-net-config.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/os-net-config.te b/os-net-config.te
index 8fdacaa..0f74c14 100644
--- a/os-net-config.te
+++ b/os-net-config.te
@@ -6,6 +6,8 @@
 # Author: Ella Shulman
 #
 
+policy_module(os-net-config,0.1)
+
 gen_require(`
 type NetworkManager_t;
 type container_file_t;
From 4ba0bde4a9611e72f86f444de4484499b642438e Mon Sep 17 00:00:00 2001
From: eshulman2
Date: Mon, 26 May 2025 11:24:47 +0300
Subject: [PATCH 188/192] update make file to build os-net-config

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 98096b9..4447f6a 100644
--- a/Makefile
+++ b/Makefile
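Review bot: `rw_sock_files_pattern(NetworkManager_t, container_file_t, container_file_t)` is far wider than the db.sock access the commit message describes: container_file_t is the generic label for container-owned content, so this grants NetworkManager_t read/write on every sock_file carrying that label (and search on container_file_t directories), not only the OVS database socket. If the socket's path can be given a dedicated label (an OVS-specific run type via a file context), the rule could be scoped to that type; if not, the breadth should at least be recorded next to the rule, e.g. `# Jira OSPRH-16672 - NOTE: grants NetworkManager r/w on ANY container_file_t sock_file, not only ovs db.sock`. The `class sock_file write;` in gen_require is also narrower than what the pattern macro appears to emit (it presumably also needs getattr/open/read), so the class require is either unnecessary or misleading as documentation of the grant. The tests/osprh16672 hunk only records the single write denial that motivated the change.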
@@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9
 endif # version 9
 endif # RHEL clones
 
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer $(EXTRA_TARGETS)
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config $(EXTRA_TARGETS)
 MODULES?=${TARGETS:=.pp.bz2}
 DATADIR?=/usr/share
 LOCALDIR?=/usr/share/openstack-selinux/master
@@ -96,7 +96,7 @@ install:
 ${INSTALL} -d ${DATADIR}/selinux/packages
 ${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DATADIR}/selinux/packages
 
-# Note: You can't run this in a build system unless the build
+# Note: You can't run this in a build system unless the build
 # system has access to change the kernel SELinux policies
 check:
 cd ${LOCALDIR} && ./local_settings.sh ;\
From d6332f74467ec30b1f17e0420a9f015ecb987c07 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 21 Mar 2024 19:11:55 +0900
Subject: [PATCH 189/192] Fix sudo by glance-api

The glance-api service requires sudo when cinder backend is used but this has been denied by selinux. ~~~ type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 ~~~ This fixes the denial and ensures sudo is actually allowed. Resolves: rhbz#2255412
---
 os-glance.te | 2 ++
 tests/bz2255412 | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 tests/bz2255412
diff --git a/os-glance.te b/os-glance.te
index 8472813..5674f53 100644
--- a/os-glance.te
+++ b/os-glance.te
@@ -68,6 +68,8 @@ optional_policy(`
 gen_tunable(os_glance_use_sudo, false)
 tunable_policy(`os_glance_use_sudo',`
 sudo_exec(glance_api_t)
+ auth_use_pam(glance_api_t)
+ init_rw_utmp(glance_api_t)
 logging_send_audit_msgs(glance_api_t)
 iscsid_domtrans(glance_api_t)
 fstools_domtrans(glance_api_t)
diff --git a/tests/bz2255412 b/tests/bz2255412
new file mode 100644
index 0000000..a175c8d
--- /dev/null
+++ b/tests/bz2255412
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
From cea6b6508cad53b166c433add523d02aa36e220a Mon Sep 17 00:00:00 2001
From: Lon Hohberger
Date: Tue, 27 May 2025 12:16:39 -0400
Subject: [PATCH 190/192] Fix up compiler errors

---
 os-glance.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/os-glance.te b/os-glance.te
index 5674f53..8d7b225 100644
--- a/os-glance.te
+++ b/os-glance.te
@@ -68,8 +68,6 @@ optional_policy(`
 gen_tunable(os_glance_use_sudo, false)
 tunable_policy(`os_glance_use_sudo',`
 sudo_exec(glance_api_t)
- auth_use_pam(glance_api_t)
- init_rw_utmp(glance_api_t)
 logging_send_audit_msgs(glance_api_t)
 iscsid_domtrans(glance_api_t)
 fstools_domtrans(glance_api_t)
@@ -99,6 +97,10 @@ tunable_policy(`os_glance_use_nfs',`
 # Bugzilla 1789710
 allow glance_api_t glance_var_lib_t:filesystem getattr;
 
+# Bugzilla 2255412
+auth_use_pam(glance_api_t)
+init_rw_utmp(glance_api_t)
+
 # RDO-310 Allow httpd to handle files in statedir
 manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
 manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
From 85c221003fa8d1d3aa88b5b97c619be937f7980c Mon Sep 17 00:00:00 2001
From: Luca Miccini
Date: Tue, 23 Dec 2025 12:23:48 +0100
Subject: [PATCH 191/192] Add policy for frr (set proper type for /var/run/frr)

---
 Makefile | 2 +-
 os-frr.fc | 1 +
 os-frr.te | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 os-frr.fc
 create mode 100644 os-frr.te
diff --git a/Makefile b/Makefile
index 4447f6a..93efd92 100644
--- a/Makefile
+++ b/Makefile
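Review bot: Moving `auth_use_pam(glance_api_t)` and `init_rw_utmp(glance_api_t)` out of the os_glance_use_sudo tunable_policy block (second hunk) makes them unconditional, while the sudo_exec() they exist to support stays gated by the boolean, which defaults to false; every glance_api_t deployment now gets PAM authentication access (including the transition to the password checker that the tests/bz2255412 denials are about) and utmp write access whether or not sudo is enabled. The commit message only says "compiler errors"; presumably these interfaces expand to rules that tunable_policy() cannot contain, and that reason belongs next to the rules so nobody moves them back, e.g. `# Bugzilla 2255412 - deliberately unconditional: these interfaces cannot live inside the os_glance_use_sudo tunable_policy() block`. If the wider default grant is not acceptable, the remaining option is to keep them in a separate module that local_settings.sh loads only when the boolean is on. The tunable_policy block and the surrounding os_glance_use_nfs block start outside the hunks.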
@@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9
 endif # version 9
 endif # RHEL clones
 
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config $(EXTRA_TARGETS)
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config os-frr $(EXTRA_TARGETS)
 MODULES?=${TARGETS:=.pp.bz2}
 DATADIR?=/usr/share
 LOCALDIR?=/usr/share/openstack-selinux/master
diff --git a/os-frr.fc b/os-frr.fc
new file mode 100644
index 0000000..4cdedea
--- /dev/null
+++ b/os-frr.fc
@@ -0,0 +1 @@
+/var/run/frr gen_context(system_u:object_r:container_var_run_t,s0)
diff --git a/os-frr.te b/os-frr.te
new file mode 100644
index 0000000..c54a34a
--- /dev/null
+++ b/os-frr.te
@@ -0,0 +1 @@
+policy_module(os-frr,0.1)
From 32ffd04e08d292a06fce7430cfa8342800f407fa Mon Sep 17 00:00:00 2001
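Review bot: The file context `/var/run/frr gen_context(system_u:object_r:container_var_run_t,s0)` is an anchored regex that matches only the directory itself, so restorecon/fixfiles will relabel /var/run/frr but leave anything already inside it untouched; if the whole tree is meant to be container_var_run_t, as the subject suggests, the spec should read `/var/run/frr(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)`. os-frr.te carries only `policy_module(os-frr,0.1)` with no header, and since container_var_run_t is presumably writable by container domains, a one-line comment naming the tracker and the FRR-in-container layout that justifies giving a host run directory a container-writable type would help the next reader, e.g. `# os-frr: /var/run/frr is shared with the containerised FRR daemons, hence container_var_run_t`.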
From: rabi
Date: Mon, 11 May 2026 10:56:26 +0530
Subject: [PATCH 192/192] Fix EL10 compatibility for SELinux policy modules

RHEL 10 moved collectd, puppet, and linuxptp SELinux modules from selinux-policy-targeted to selinux-policy-epel-targeted [1]. This breaks openstack-selinux on EL10 because: - puppet_etc_t (os-certmonger, os-podman), collectd_t (os-collectd), ptp4l_t (os-timemaster) are no longer in the base policy - collectd_tcp_network_connect boolean is undefined - The single semanage import transaction in local_settings.sh rolls back all module loads when any boolean/type is missing Wrap missing type references in optional_policy() and conditionally set collectd_tcp_network_connect only when available. Fold the os-ovs-el9 anon_inode rule into os-ovs.te using optional_policy to avoid version-specific modules. All changes are backward-compatible with EL9. [1] https://access.redhat.com/articles/7133759
Change-Id: I5f2c2097cf7f26ffc8a702036b906823a91d6709
Signed-off-by: rabi
---
 Makefile | 4 ----
 local_settings.sh.in | 6 +++++-
 os-certmonger.te | 13 +++++++++----
 os-collectd.te | 30 ++++++++++++++++--------------
 os-ovs.te | 8 ++++++++
 os-podman.te | 17 +++++++++++------
 os-timemaster.te | 14 ++++++++------
 7 files changed, 57 insertions(+), 35 deletions(-)
diff --git a/Makefile b/Makefile
index 93efd92..2c9f9f9 100644
--- a/Makefile
+++ b/Makefile
@@ -7,10 +7,6 @@ OS_MAJ=$(shell OS_VER=$(OS_VER) && echo $${OS_VER/.*/})
 
 # RHEL & rebuilds: if we match one of these, we do a version comparison.
 ifneq (,$(findstring $(OS_ID),rhel centos rocky almalinux))
-# If version 9 or greater, add extra targets
-ifeq ($(OS_MAJ),9)
-EXTRA_TARGETS?=os-ovs-el9
-endif # version 9
 endif # RHEL clones
 
 TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config os-frr $(EXTRA_TARGETS)
diff --git a/local_settings.sh.in b/local_settings.sh.in
index 769526d..6265e0e 100644
--- a/local_settings.sh.in
+++ b/local_settings.sh.in
@@ -255,9 +255,13 @@ install_policies() {
 boolean -N -m --on httpd_can_network_connect
 boolean -N -m --on swift_can_network
 boolean -N -m --on httpd_use_openstack
-boolean -N -m --on collectd_tcp_network_connect
 boolean -N -m --on domain_can_mmap_files"
+ # collectd_tcp_network_connect is not available on EL10+
+ if $SBINDIR/semanage boolean -l -n 2>/dev/null | grep -qw collectd_tcp_network_connect; then
+ INPUT="${INPUT}${CR}boolean -N -m --on collectd_tcp_network_connect"
+ fi
+
 
 #
 # Append modules to our semanage script
 #
diff --git a/os-certmonger.te b/os-certmonger.te
index 6f6e3be..277b19e 100644
--- a/os-certmonger.te
+++ b/os-certmonger.te
@@ -3,12 +3,17 @@ policy_module(os-certmonger,0.1)
 gen_require(`
 type certmonger_t;
 type iptables_t;
- type puppet_etc_t;
 class dir {search};
 ')
-# rhbz#1777263
-allow certmonger_t puppet_etc_t:dir search;
-read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t)
+
+optional_policy(`
+ gen_require(`
+ type puppet_etc_t;
+ ')
+ # rhbz#1777263
+ allow certmonger_t puppet_etc_t:dir search;
+ read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t)
+')
 
 # rhbz#1777368
 container_runtime_domtrans(certmonger_t)
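Review bot: In the local_settings.sh.in hunk, `$SBINDIR/semanage boolean -l -n 2>/dev/null | grep -qw collectd_tcp_network_connect` enumerates the whole policy store on every install run, and because semanage's own failure is discarded by `2>/dev/null`, any unrelated semanage error silently turns into "boolean not present" and the collectd boolean is never set, with nothing logged. `getsebool collectd_tcp_network_connect >/dev/null 2>&1` answers the same question from the loaded policy without opening the store, if that utility is available at the same location on the target. The added `INPUT="${INPUT}${CR}boolean ..."` line also depends on `${CR}` being the same record separator the quoted INPUT block above uses; that definition is outside the hunk, so a comment at the `if` such as `# ${CR} must match the separator used between the boolean lines above` would save the next reader a search. install_policies() starts before this hunk and continues after it.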
diff --git a/os-collectd.te b/os-collectd.te
index 2a4015c..693669a 100644
--- a/os-collectd.te
+++ b/os-collectd.te
@@ -1,18 +1,20 @@
 policy_module(os-collectd,0.1)
 
-gen_require(`
- type collectd_t;
- type var_lock_t;
- type cpu_device_t;
- class capability sys_rawio;
-')
+optional_policy(`
+ gen_require(`
+ type collectd_t;
+ type var_lock_t;
+ type cpu_device_t;
+ class capability sys_rawio;
+ ')
 
-# Bugzilla #1558465
-allow collectd_t cpu_device_t:chr_file rw_file_perms;
+ # Bugzilla #1558465
+ allow collectd_t cpu_device_t:chr_file rw_file_perms;
 
-# FIXME: Upstream policy probably needs collectd_var_lock_t
-# and a file transition rule in collectd.te.
-allow collectd_t var_lock_t:dir add_entry_dir_perms;
-allow collectd_t var_lock_t:file manage_file_perms;
-allow collectd_t var_lock_t:lnk_file read_lnk_file_perms;
-allow collectd_t self:capability sys_rawio;
+ # FIXME: Upstream policy probably needs collectd_var_lock_t
+ # and a file transition rule in collectd.te.
+ allow collectd_t var_lock_t:dir add_entry_dir_perms;
+ allow collectd_t var_lock_t:file manage_file_perms;
+ allow collectd_t var_lock_t:lnk_file read_lnk_file_perms;
+ allow collectd_t self:capability sys_rawio;
+')
diff --git a/os-ovs.te b/os-ovs.te
index 96d7da2..2164b5f 100644
--- a/os-ovs.te
+++ b/os-ovs.te
@@ -129,3 +129,11 @@ allow openvswitch_t svirt_t:unix_stream_socket { read write };
 
 # bugzilla #1707840
 allow openvswitch_t spc_t:unix_stream_socket { read write };
+
+# bugzilla 2118908 - anon_inode class available on EL9+
+optional_policy(`
+ gen_require(`
+ class anon_inode { read write };
+ ')
+ allow svirt_t openvswitch_t:anon_inode { read write };
+')
diff --git a/os-podman.te b/os-podman.te
index 87c6c55..0374659 100644
--- a/os-podman.te
+++ b/os-podman.te
@@ -6,7 +6,6 @@ gen_require(`
 type container_file_t;
 type container_log_t;
 type openvswitch_t;
- type puppet_etc_t;
 type cluster_var_log_t;
 type init_t;
 type swift_data_t;
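Review bot: In the os-ovs.te hunk, the optional_policy() block is now the only guard for the anon_inode rule, and it only helps at load time: if the selinux devel headers on a build host do not declare the `anon_inode` class, the module build should fail outright rather than drop the block, which is the gate the removed OS_MAJ check in the Makefile used to provide, so if anything older than EL9 is still built the headers there need checking. At load time the other direction is the concern: a disabled optional block leaves no trace that svirt_t lost its OVS anon_inode access, or that collectd_t, ptp4l_t and the puppet_etc_t rules in os-collectd.te, os-timemaster.te, os-certmonger.te and os-podman.te were dropped, so an operator debugging a denial on EL10 has nothing to point them at this commit. Worth stating at each block, e.g. for this one `# bugzilla 2118908 - anon_inode class available on EL9+; this block is silently dropped where the class is missing, so check semodule -l output before chasing a denial`.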
@@ -17,11 +16,17 @@ gen_require(`
 #============= container_t ==============
 miscfiles_read_generic_certs(container_t)
 openvswitch_stream_connect(container_t)
-# for posterity: read_files_pattern includes dir accesses
-read_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
-read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
-# but read_files_pattern does not allow "read" on tclass=dir
-allow container_t puppet_etc_t:dir { read };
+
+optional_policy(`
+ gen_require(`
+ type puppet_etc_t;
+ ')
+ # for posterity: read_files_pattern includes dir accesses
+ read_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
+ read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
+ # but read_files_pattern does not allow "read" on tclass=dir
+ allow container_t puppet_etc_t:dir { read };
+')
 
 # bugzilla #1772025
 allow openvswitch_t container_file_t:dir create;
diff --git a/os-timemaster.te b/os-timemaster.te
index 542cd6e..6d75713 100644
--- a/os-timemaster.te
+++ b/os-timemaster.te
@@ -1,9 +1,11 @@
 policy_module(os-timemaster,0.1)
 
-gen_require(`
- type ptp4l_t;
-')
+optional_policy(`
+ gen_require(`
+ type ptp4l_t;
+ ')
 
-# Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too.
-allow ptp4l_t self:capability sys_admin;
-allow ptp4l_t self:packet_socket create_socket_perms;
+ # Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too.
+ allow ptp4l_t self:capability sys_admin;
+ allow ptp4l_t self:packet_socket create_socket_perms;
+')