Bug #41994

stop requiring that CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks be overridden

Added by Jeff Layton over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Category: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

The ceph-client/testing tree has been carrying this patch for a couple of years:

commit c75b60474d20c6e4b2ce27ef5bd9b1c9f50007c1
Author: Ilya Dryomov <idryomov@gmail.com>
Date:   Wed Jun 14 19:26:08 2017 +0200

    [DO NOT MERGE] Revert "fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks" 

    This reverts commit 2a4c22426955d4fc04069811997b7390c0fb858e.

    Until teuthology/task/selinux.py is taught to ignore dac_read_search.

Fix teuthology so that we can drop this patch in our test environment.

History

#1 Updated by Ilya Dryomov over 4 years ago

Links to those runs:

http://pulpito.ceph.com/teuthology-2017-06-14_04:15:01-krbd-jewel-testing-basic-smithi/
http://pulpito.ceph.com/teuthology-2017-06-14_04:20:03-kcephfs-jewel-testing-basic-smithi/

This was observed only with -k testing. If that commit got backported to RHEL/CentOS kernels, selinux-policy and others are probably caught up by now.

#2 Updated by Jeff Layton over 4 years ago

I'm pretty sure RHEL7 didn't get 2a4c22426955d, but RHEL8 would almost certainly have it. I'll see about building a kernel w/o that patch, do a similar test run and see what fails.

#3 Updated by Jeff Layton over 4 years ago

I ran a small set of kcephfs:cephfs tests on a kernel that I built today without c75b60474. I think this test corresponds to the first failure in the kcephfs run from 2017:

http://qa-proxy.ceph.com/teuthology/jlayton-2019-09-23_16:55:51-kcephfs:cephfs-wip-jlayton-41892-wip-41994-basic-mira/4330056/teuthology.log

If the others don't seem to fail due to SELinux then I'm going to suggest we try dropping that patch from the testing branch and see what happens. If we see failures we can always reinstate it while we work on correcting them.

#4 Updated by Ilya Dryomov over 4 years ago

It ran on bionic, so no selinux:

os_type: ubuntu
os_version: '18.04'

Since the testing kernel is also run against older branches, I'd like to see a centos7 run. It may be fixed in rhel8, but it was centos7 that prompted this revert.

#5 Updated by Jeff Layton over 4 years ago

Got this on one of my runs on a kernel without that commit:

SELinux denials found on ubuntu@mira085.front.sepia.ceph.com: ['type=USER_AVC msg=audit(1569270749.378:7981): pid=4153 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg=\'avc: denied { send_msg } for msgtype=method_return dest=:1.801 spid=16148 tpid=16146 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?\''] 

I suspect that this is probably unrelated to cephfs though. I have to wonder if maybe the selinux-policy in the rhel7 userland bits may have some gaps when used with newer kernels?

#6 Updated by Ilya Dryomov over 4 years ago

This one seems different. It is coming from userspace -- dbus is doing its own enforcing. The revert was for kernel denials looking like:

SELinux denials found on ubuntu@smithi023.front.sepia.ceph.com: ['type=AVC msg=audit(1497430221.520:219): avc: denied { dac_read_search } for pid=13022
comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability
permissive=1', 'type=AVC msg=audit(1497430548.720:3412): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2
scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC
msg=audit(1497431569.557:4096): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2 scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1497431023.036:4081): avc: denied { dac_read_search } for
pid=31220 comm="systemd-tmpfile" capability=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0
tclass=capability permissive=1', 'type=AVC msg=audit(1497430448.727:3265): avc: denied { dac_read_search } for pid=25069 comm="unix_chkpwd" capability=2
scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1', 'type=AVC
msg=audit(1497430608.781:3638): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2 scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1497430501.342:3398): avc: denied { dac_read_search } for
pid=637 comm="systemd-logind" capability=2 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability
permissive=1', 'type=AVC msg=audit(1497430356.835:2464): avc: denied { dac_read_search } for pid=12901 comm=72733A6D61696E20513A526567 capability=2
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1497430368.536:2623): avc:
denied { dac_read_search } for pid=1822 comm="master" capability=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0
tclass=capability permissive=1', 'type=AVC msg=audit(1497430681.517:4059): avc: denied { dac_read_search } for pid=637 comm="systemd-logind" capability=2
scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1', 'type=AVC
msg=audit(1497430488.659:3384): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2 scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1497430501.038:3388): avc: denied { dac_read_search } for
pid=25552 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tclass=capability permissive=1', 'type=AVC msg=audit(1497430428.597:3031): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2
scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC
msg=audit(1497430728.903:4060): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2 scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1497430681.355:4051): avc: denied { dac_read_search } for
pid=29244 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tclass=capability permissive=1', 'type=AVC msg=audit(1497430248.508:581): avc: denied { dac_read_search } for pid=1822 comm="master" capability=2
scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1', 'type=AVC
msg=audit(1497430801.522:4061): avc: denied { dac_read_search } for pid=30073 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1']
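The ticket's proposed fix is to teach teuthology's SELinux check to ignore exactly this class of record. The filter below is an added example, not teuthology's own code: it parses audit records in the format quoted above and drops only kernel capability denials whose sole permission is dac_read_search (the noise the reverted commit produces when the kernel tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE), while keeping everything else, including the userspace dbus USER_AVC from comment #5. The sample records are constructed, modelled on the lines in this ticket.

```python
import re
from typing import Dict, List

# Constructed sample records, modelled on the denials quoted in this ticket
# (not copied from a real run). One expected dac_read_search denial, one
# genuine capability denial, one userspace (dbus) USER_AVC denial.
SAMPLE_DENIALS = [
    "type=AVC msg=audit(1497430221.520:219): avc: denied { dac_read_search } for pid=13022 "
    'comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 '
    "tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=1",
    "type=AVC msg=audit(1497430548.720:3412): avc: denied { dac_override } for pid=1822 "
    'comm="master" capability=1 scontext=system_u:system_r:postfix_master_t:s0 '
    "tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1",
    "type=USER_AVC msg=audit(1569270749.378:7981): pid=4153 uid=81 msg='avc: denied { send_msg } "
    "for msgtype=method_return scontext=system_u:system_r:systemd_hostnamed_t:s0 "
    "tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=dbus'",
]

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_avc(line: str) -> Dict[str, object]:
    """Extract key=value fields plus the denied permission set from one audit record."""
    rec: Dict[str, object] = {k: v.strip("'\"") for k, v in _FIELD.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec


def is_expected_dac_read_search(rec: Dict[str, object]) -> bool:
    """Kernel capability denial whose only permission is dac_read_search.

    After commit 2a4c22426955 the kernel asks for CAP_DAC_READ_SEARCH first and
    only then falls back to CAP_DAC_OVERRIDE, so a domain allowed dac_override
    but not dac_read_search logs this AVC even though the access goes through.
    A record that also names another permission (e.g. dac_override) is kept,
    because then the fallback was refused as well.
    """
    return (
        rec.get("type") == "AVC"
        and rec.get("tclass") == "capability"
        and rec["perms"] == ["dac_read_search"]
    )


def real_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Records a test run should still fail on after the known noise is removed."""
    return [r for r in map(parse_avc, lines) if not is_expected_dac_read_search(r)]
```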

#7 Updated by Jeff Layton over 4 years ago

Yes, I think the problem that prompted that patch may already be corrected. I think the next step is to just drop that patch from the testing branch and see what breaks.

#8 Updated by Ilya Dryomov over 4 years ago

Yeah, that must have been on CentOS 7.4 if not 7.3. Makes sense, given that you didn't see any dac_read_search denials in your test.

#9 Updated by Jeff Layton over 4 years ago

Patrick kicked off a kcephfs run yesterday. None of the test failures seem to be related to SELinux:

http://pulpito.ceph.com/pdonnell-2019-09-24_18:47:10-kcephfs-wip-pdonnell-testing-20190924.140036-distro-basic-smithi/

I'll go ahead and close this as Resolved. We can reopen if we have a need to reintroduce the patch.

#10 Updated by Jeff Layton over 4 years ago

  • Status changed from New to Resolved
