Actions
Bug #40683
closedselinux allow ceph_t to call sudo
Added by Torben Hørup almost 5 years ago. Updated over 4 years ago.
% Done:
0%
Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
Since device management relies on being able to run smartctl via sudo, ceph-selinux should allow the call to sudo
Updated by Boris Ranto almost 5 years ago
Can you be more specific, here? What is getting denied? SELinux monitors the syscalls for binaries, not the binaries themselves. Can you attach the audit.log if you are hitting some denials?
Updated by Torben Hørup almost 5 years ago
This might be to broad in scope of permissions, but it works (created on a Centos7 host):
module ceph_sudo 1.0;
require {
type ceph_t;
type udev_var_run_t;
type chkpwd_exec_t;
type systemd_logind_t;
type pam_var_run_t;
type system_dbusd_t;
type cgroup_t;
type sudo_db_t;
type shadow_t;
type initrc_var_run_t;
type sudo_exec_t;
class process { setrlimit setsched };
class unix_stream_socket connectto;
class dbus send_msg;
class capability { audit_write sys_resource };
class file { create execute execute_no_trans getattr lock open read write };
class netlink_audit_socket { create nlmsg_relay };
class dir { add_name getattr search write };
}
#============= ceph_t ==============
allow ceph_t cgroup_t:dir search;
allow ceph_t cgroup_t:file { getattr open read };
#!!!! This avc is allowed in the current policy
allow ceph_t chkpwd_exec_t:file { execute execute_no_trans open read };
#!!!! This avc is allowed in the current policy
allow ceph_t initrc_var_run_t:file { lock open read };
#!!!! This avc is allowed in the current policy
allow ceph_t pam_var_run_t:dir { add_name write };
#!!!! This avc is allowed in the current policy
allow ceph_t pam_var_run_t:file { create getattr lock open read write };
#!!!! This avc is allowed in the current policy
allow ceph_t self:capability { audit_write sys_resource };
#!!!! This avc is allowed in the current policy
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
#!!!! This avc is allowed in the current policy
allow ceph_t self:process { setrlimit setsched };
allow ceph_t shadow_t:file { getattr open read };
#!!!! This avc is allowed in the current policy
allow ceph_t sudo_db_t:dir { getattr search };
#!!!! This avc is allowed in the current policy
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
allow ceph_t system_dbusd_t:dbus send_msg;
#!!!! This avc is allowed in the current policy
allow ceph_t system_dbusd_t:unix_stream_socket connectto;
allow ceph_t systemd_logind_t:dbus send_msg;
allow ceph_t udev_var_run_t:file { getattr open read };
#============= systemd_logind_t ==============
allow systemd_logind_t ceph_t:dbus send_msg;
Updated by Sage Weil over 4 years ago
- Status changed from New to 12
- Priority changed from Normal to Urgent
The ceph user has this sudoers.d file:
## allow ceph-osd (which runs as user ceph) to collect device health metrics ceph ALL=NOPASSWD: /usr/sbin/smartctl -a --json=o /dev/* ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
Its actually the osd and the mon that use this to scrape smart health metrics from devices.
Updated by Boris Ranto over 4 years ago
We should probably define transition rules when running these commands. It should help at least for the smartctl case. Its context is fsadm_exec_t so we should transition to the fsadm_t when running the command. The nvme binary seems to have the default context (bin_t) so the transition rules likely wouldn't help (if it actually needs any special access/generates any denials).
Updated by Sage Weil over 4 years ago
- Status changed from New to Can't reproduce
I'm not able to reproduce this (from a cephadm mon container on rhel 8 or centos 7.6), and we're not seeing this denial from teuthology runs either.
Updated by Oliver Freyermuth over 4 years ago
I still observe this on CentOS 7.7 with 14.2.6.
# ceph --version
ceph version 14.2.6
# lsb_release -r
Release: 7.7.1908
# grep denied /var/log/audit/audit.log | grep ceph_t
type=AVC msg=audit(1580258235.870:553827): avc: denied { read } for pid=2501681 comm="sudo" name="utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.870:553827): avc: denied { open } for pid=2501681 comm="sudo" path="/run/utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.870:553828): avc: denied { lock } for pid=2501681 comm="sudo" path="/run/utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553832): avc: denied { read } for pid=163761 comm="tp_osd_cmd" name="b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553832): avc: denied { open } for pid=163761 comm="tp_osd_cmd" path="/run/udev/data/b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553833): avc: denied { getattr } for pid=163761 comm="tp_osd_cmd" path="/run/udev/data/b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.470:553834): avc: denied { sys_resource } for pid=2501718 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1580258236.470:553834): avc: denied { setrlimit } for pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=AVC msg=audit(1580258236.472:553835): avc: denied { read write } for pid=2501718 comm="sudo" name="ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.472:553835): avc: denied { open } for pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.472:553836): avc: denied { getattr } for pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.473:553837): avc: denied { lock } for pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.473:553838): avc: denied { getattr } for pid=2501718 comm="sudo" path="/var/db/sudo/lectured" dev="sdn1" ino=1311177 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1580258236.856:553839): avc: denied { create } for pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1580258236.856:553840): avc: denied { nlmsg_relay } for pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1580258236.856:553840): avc: denied { audit_write } for pid=2501718 comm="sudo" capability=29 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1580258240.987:553847): avc: denied { setsched } for pid=2501726 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=AVC msg=audit(1580258240.987:553848): avc: denied { connectto } for pid=2501726 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1580258241.001:553849): pid=1732 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.155338 spid=1773 tpid=2501726 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1580258270.276:553859): pid=1732 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.155339 spid=1773 tpid=2501767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
These denials show up periodically.
Ideas how to provide more info to help reproducing this?
Also @Torben Hørup, do you still see it?
Updated by Brad Hubbard about 4 years ago
- Related to Bug #44940: type=AVC msg=audit(1585577327.298:6404): avc: denied { sys_resource } for pid=27385 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1 added
Updated by Brad Hubbard about 4 years ago
- Related to Bug #44942: type=AVC msg=audit(1585577327.422:6424): avc: denied { nlmsg_relay } for pid=27385 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1 added
Updated by Brad Hubbard about 4 years ago
- Related to Bug #44944: type=AVC msg=audit(1585577327.422:6421): avc: denied { open } for pid=27385 comm="sudo" path="/run/utmp" dev="tmpfs" ino=1191 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1 added
Actions