Bug #40683

selinux allow ceph_t to call sudo

Added by Torben Hørup over 1 year ago. Updated 10 months ago.

Status:
Can't reproduce
Priority:
Urgent
Assignee:
-
Category:
-
Target version:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Since device management relies on being able to run smartctl via sudo, ceph-selinux should allow the call to sudo


Related issues

Related to Ceph - Bug #44940: type=AVC msg=audit(1585577327.298:6404): avc: denied { sys_resource } for pid=27385 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1 New
Related to Ceph - Bug #44942: type=AVC msg=audit(1585577327.422:6424): avc: denied { nlmsg_relay } for pid=27385 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1 New
Related to Ceph - Bug #44944: type=AVC msg=audit(1585577327.422:6421): avc: denied { open } for pid=27385 comm="sudo" path="/run/utmp" dev="tmpfs" ino=1191 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1 New

History

#1 Updated by Boris Ranto over 1 year ago

Can you be more specific, here? What is getting denied? SELinux monitors the syscalls for binaries, not the binaries themselves. Can you attach the audit.log if you are hitting some denials?

#2 Updated by Torben Hørup over 1 year ago

This might be too broad in scope of permissions, but it works (created on a CentOS 7 host):

module ceph_sudo 1.0;

require {
    type ceph_t;
    type udev_var_run_t;
    type chkpwd_exec_t;
    type systemd_logind_t;
    type pam_var_run_t;
    type system_dbusd_t;
    type cgroup_t;
    type sudo_db_t;
    type shadow_t;
    type initrc_var_run_t;
    type sudo_exec_t;
    class process { setrlimit setsched };
    class unix_stream_socket connectto;
    class dbus send_msg;
    class capability { audit_write sys_resource };
    class file { create execute execute_no_trans getattr lock open read write };
    class netlink_audit_socket { create nlmsg_relay };
    class dir { add_name getattr search write };
}

#============= ceph_t ==============
allow ceph_t cgroup_t:dir search;
allow ceph_t cgroup_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow ceph_t chkpwd_exec_t:file { execute execute_no_trans open read };

#!!!! This avc is allowed in the current policy
allow ceph_t initrc_var_run_t:file { lock open read };

#!!!! This avc is allowed in the current policy
allow ceph_t pam_var_run_t:dir { add_name write };

#!!!! This avc is allowed in the current policy
allow ceph_t pam_var_run_t:file { create getattr lock open read write };

#!!!! This avc is allowed in the current policy
allow ceph_t self:capability { audit_write sys_resource };

#!!!! This avc is allowed in the current policy
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };

#!!!! This avc is allowed in the current policy
allow ceph_t self:process { setrlimit setsched };
allow ceph_t shadow_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow ceph_t sudo_db_t:dir { getattr search };

#!!!! This avc is allowed in the current policy
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
allow ceph_t system_dbusd_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow ceph_t system_dbusd_t:unix_stream_socket connectto;
allow ceph_t systemd_logind_t:dbus send_msg;
allow ceph_t udev_var_run_t:file { getattr open read };

#============= systemd_logind_t ==============
allow systemd_logind_t ceph_t:dbus send_msg;

#3 Updated by Sage Weil about 1 year ago

  • Status changed from New to 12
  • Priority changed from Normal to Urgent

The ceph user has this sudoers.d file:

## allow ceph-osd (which runs as user ceph) to collect device health metrics

ceph ALL=NOPASSWD: /usr/sbin/smartctl -a --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*

It's actually the osd and the mon that use this to scrape smart health metrics from devices.

#4 Updated by Boris Ranto about 1 year ago

We should probably define transition rules when running these commands. It should help at least for the smartctl case. Its context is fsadm_exec_t so we should transition to the fsadm_t when running the command. The nvme binary seems to have the default context (bin_t) so the transition rules likely wouldn't help (if it actually needs any special access/generates any denials).

#5 Updated by Patrick Donnelly 12 months ago

  • Status changed from 12 to New

#6 Updated by Sage Weil 10 months ago

  • Target version set to v15.0.0

#7 Updated by Sage Weil 10 months ago

  • Status changed from New to Can't reproduce

I'm not able to reproduce this (from a cephadm mon container on rhel 8 or centos 7.6), and we're not seeing this denial from teuthology runs either.

#8 Updated by Oliver Freyermuth 10 months ago

I still observe this on CentOS 7.7 with 14.2.6.

# ceph --version
ceph version 14.2.6
# lsb_release -r
Release:        7.7.1908
# grep denied /var/log/audit/audit.log | grep ceph_t
type=AVC msg=audit(1580258235.870:553827): avc:  denied  { read } for  pid=2501681 comm="sudo" name="utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.870:553827): avc:  denied  { open } for  pid=2501681 comm="sudo" path="/run/utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.870:553828): avc:  denied  { lock } for  pid=2501681 comm="sudo" path="/run/utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553832): avc:  denied  { read } for  pid=163761 comm="tp_osd_cmd" name="b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553832): avc:  denied  { open } for  pid=163761 comm="tp_osd_cmd" path="/run/udev/data/b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.891:553833): avc:  denied  { getattr } for  pid=163761 comm="tp_osd_cmd" path="/run/udev/data/b8:144" dev="tmpfs" ino=27831 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.470:553834): avc:  denied  { sys_resource } for  pid=2501718 comm="sudo" capability=24  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1580258236.470:553834): avc:  denied  { setrlimit } for  pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=AVC msg=audit(1580258236.472:553835): avc:  denied  { read write } for  pid=2501718 comm="sudo" name="ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.472:553835): avc:  denied  { open } for  pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.472:553836): avc:  denied  { getattr } for  pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.473:553837): avc:  denied  { lock } for  pid=2501718 comm="sudo" path="/run/sudo/ts/ceph" dev="tmpfs" ino=327162 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.473:553838): avc:  denied  { getattr } for  pid=2501718 comm="sudo" path="/var/db/sudo/lectured" dev="sdn1" ino=1311177 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1580258236.856:553839): avc:  denied  { create } for  pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1580258236.856:553840): avc:  denied  { nlmsg_relay } for  pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1580258236.856:553840): avc:  denied  { audit_write } for  pid=2501718 comm="sudo" capability=29  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1580258240.987:553847): avc:  denied  { setsched } for  pid=2501726 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=AVC msg=audit(1580258240.987:553848): avc:  denied  { connectto } for  pid=2501726 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1580258241.001:553849): pid=1732 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.155338 spid=1773 tpid=2501726 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1580258270.276:553859): pid=1732 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.155339 spid=1773 tpid=2501767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

These denials show up periodically.

Any ideas how to provide more info to help reproduce this?
Also @Torben Hørup, do you still see it?
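The module in comment #2 is what audit2allow produces when it is pointed at denials like the ones in comment #8: every AVC line is grouped by (source type, target type, class) and the permissions are unioned into one allow rule. The following script is an added example, not part of this tracker issue or of the ceph-selinux package; it reproduces that grouping over a handful of the audit lines copied from comment #8 so the two can be compared, counts how many of the denials were logged in permissive mode (all of them here, which is why the scrape still worked), and annotates the groups a reviewer should question before loading the module. The review annotations are this example's own heuristics, not conclusions stated in the issue.

```python
"""Triage helper for SELinux AVC denials (added example, not Ceph project code).

Parses audit.log lines, groups them the way audit2allow does, and marks the
allow rules that widen a domain well beyond "run sudo".  The sample input is
copied from comment #8 of this issue; the review notes are assumptions of this
example about what deserves a second look, not statements from the issue.
"""
import re
from collections import defaultdict

# Sample input: four AVC lines and one USER_AVC (dbus) line from comment #8.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1580258235.870:553827): avc:  denied  { read } for  pid=2501681 comm="sudo" name="utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258235.870:553827): avc:  denied  { open } for  pid=2501681 comm="sudo" path="/run/utmp" dev="tmpfs" ino=32040 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580258236.470:553834): avc:  denied  { sys_resource } for  pid=2501718 comm="sudo" capability=24  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1580258236.856:553840): avc:  denied  { nlmsg_relay } for  pid=2501718 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1
type=USER_AVC msg=audit(1580258241.001:553849): pid=1732 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.155338 spid=1773 tpid=2501726 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Works for both kernel AVC records and USER_AVC records (dbus), since the
# "avc: denied { perms } ... scontext= tcontext= tclass=" core is the same.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')
PERMISSIVE_RE = re.compile(r"permissive=(?P<p>[01])")


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:ceph_t:s0 -> ceph_t."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    perm = PERMISSIVE_RE.search(line)
    return {
        "perms": frozenset(m["perms"].split()),
        "source": type_of(m["scontext"]),
        "target": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "comm": comm["comm"] if comm else None,
        # USER_AVC lines carry no permissive= field, hence None rather than False.
        "permissive": (perm["p"] == "1") if perm else None,
    }


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def allow_rules(denials):
    """Group denials into allow rules exactly as audit2allow prints them."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        tgt_txt = "self" if src == tgt else tgt
        perm_txt = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt_txt}:{cls} {perm_txt};")
    return rules


def review_notes(denial):
    """Assumed review heuristics: rules that grant far more than the sudo call needs."""
    notes = []
    if denial["tclass"] == "capability":
        notes.append("capability rule applies to every process in the domain, not only sudo")
    if denial["tclass"] == "netlink_audit_socket":
        notes.append("domain gains write access to the kernel audit subsystem")
    if denial["target"] == "shadow_t":
        notes.append("domain gains read access to password hashes")
    return notes


def summarize(text):
    denials = parse_log(text)
    return {
        "denials": len(denials),
        "permissive": sum(1 for d in denials if d["permissive"]),
        "comms": {d["comm"] for d in denials if d["comm"]},
        "rules": allow_rules(denials),
        "flags": sorted({note for d in denials for note in review_notes(d)}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_AUDIT_LOG)
    print(f"{report['denials']} denials, {report['permissive']} logged in permissive mode, from {sorted(report['comms'])}")
    print("\n".join(report["rules"]))
    for flag in report["flags"]:
        print("REVIEW:", flag)
```

Run against a real audit.log with `grep ceph_t /var/log/audit/audit.log | python3 triage.py` after replacing SAMPLE_AUDIT_LOG with stdin; the grouped rules come out identical to the corresponding lines of the comment #2 module. The flagged rules are the reason comment #4's approach (a domain transition so smartctl runs as fsadm_t) is the better fix than allowing the capability and audit-socket accesses to ceph_t itself.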

#9 Updated by Brad Hubbard 8 months ago

  • Related to Bug #44940: type=AVC msg=audit(1585577327.298:6404): avc: denied { sys_resource } for pid=27385 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1 added

#10 Updated by Brad Hubbard 8 months ago

  • Related to Bug #44942: type=AVC msg=audit(1585577327.422:6424): avc: denied { nlmsg_relay } for pid=27385 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=netlink_audit_socket permissive=1 added

#11 Updated by Brad Hubbard 8 months ago

  • Related to Bug #44944: type=AVC msg=audit(1585577327.422:6421): avc: denied { open } for pid=27385 comm="sudo" path="/run/utmp" dev="tmpfs" ino=1191 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1 added
