Bug #54304

closed

qa/suites/orch/cephadm: SELinux denials on centos 8.stream tests

Added by Adam King about 2 years ago. Updated about 2 years ago.

Status: Rejected
Priority: High
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):


Related issues: 1 (1 open, 0 closed)

Has duplicate: Infrastructure - Bug #54337: Selinux denials seen on fs/rados teuthology runs (Fix Under Review, David Galloway)

#1

Updated by Brad Hubbard about 2 years ago

  • Status changed from New to Rejected

The 'dhclient/chrony' issues seem to be a system issue similar to https://bugzilla.redhat.com/show_bug.cgi?id=1897388 (fedora)

SELinux is preventing /usr/bin/bash from getattr access on the file /var/lib/sss/mc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_t:s0
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        11-dhclient
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.20-3.el8.x86_64
Target RPM Packages           sssd-common-2.6.1-2.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-91.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-91.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi190
Platform                      Linux smithi190 4.18.0-365.el8.x86_64 #1 SMP Thu
                              Feb 10 16:11:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-02-22 00:00:00 UTC
Last Seen                     2022-02-22 00:00:00 UTC
Local ID                      00a65883-67b5-4aea-9c3e-02a1076ef1d4

SELinux is preventing /usr/bin/bash from execute access on the file chrony.sh.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed execute access on the chrony.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                chrony.sh [ file ]
Source                        11-dhclient
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.20-3.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-91.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-91.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi190
Platform                      Linux smithi190 4.18.0-365.el8.x86_64 #1 SMP Thu
                              Feb 10 16:11:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-02-22 00:00:00 UTC
Last Seen                     2022-02-22 00:00:00 UTC
Local ID                      64fdeff5-fa9f-4406-86f0-901da47af39f

Looking at the original messages, they pretty much all seem to be related to 'chrony/dhcp'.

SELinux denials found on ubuntu@smithi085.front.sepia.ceph.com:

type=AVC msg=audit(1645015431.335:3623): avc: denied { map } for pid=55982 comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.339:3631): avc: denied { map } for pid=55986 comm="rm" path="/usr/bin/rm" dev="sda1" ino=10810 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.336:3627): avc: denied { write } for pid=55982 comm="11-dhclient" name="nss" dev="sda1" ino=2052 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { write } for pid=55994 comm="chronyc" name="chrony" dev="tmpfs" ino=23201 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.337:3629): avc: denied { getattr } for pid=55982 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3644): avc: denied { write } for pid=55994 comm="chronyc" name="chronyd.sock" dev="tmpfs" ino=98937 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.342:3635): avc: denied { write } for pid=55988 comm="chrony-helper" name="lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { read open } for pid=55988 comm="20-chrony-dhcp" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3628): avc: denied { read } for pid=55982 comm="11-dhclient" name="passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3643): avc: denied { setattr } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.345:3637): avc: denied { read } for pid=55991 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=26794 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.336:3625): avc: denied { getattr } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute } for pid=55982 comm="nm-dispatcher" name="11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { execute_no_trans } for pid=55988 comm="20-chrony-dhcp" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3644): avc: denied { sendto } for pid=55994 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1645015431.336:3624): avc: denied { open } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute_no_trans } for pid=55982 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3628): avc: denied { open } for pid=55982 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.345:3638): avc: denied { read } for pid=55991 comm="chrony-helper" name="dhclient" dev="sda1" ino=1965 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.343:3636): avc: denied { lock } for pid=55990 comm="flock" path="/run/chrony-helper/lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3630): avc: denied { execute } for pid=55982 comm="11-dhclient" name="chrony.sh" dev="sda1" ino=662 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3640): avc: denied { create } for pid=55994 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1645015431.349:3646): avc: denied { unlink } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.341:3633): avc: denied { getattr } for pid=55988 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.336:3624): avc: denied { read } for pid=55982 comm="11-dhclient" name="passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.342:3635): avc: denied { open } for pid=55988 comm="chrony-helper" path="/run/chrony-helper/lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.341:3634): avc: denied { ioctl } for pid=55988 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 ioctlcmd=0x5401 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3645): avc: denied { sendto } for pid=16759 comm="chronyd" path="/run/chrony/chronyc.55994.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1645015431.339:3631): avc: denied { execute_no_trans } for pid=55986 comm="20-chrony-dhcp" path="/usr/bin/rm" dev="sda1" ino=10810 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute } for pid=55982 comm="nm-dispatcher" name="bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { read open } for pid=55994 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { map } for pid=55994 comm="chronyc" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { dac_override } for pid=55994 comm="chronyc" capability=1 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { execute } for pid=55988 comm="20-chrony-dhcp" name="chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3641): avc: denied { dac_read_search } for pid=55994 comm="chronyc" capability=2 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { create } for pid=55994 comm="chronyc" name="chronyc.55994.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.349:3646): avc: denied { remove_name } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.336:3627): avc: denied { connectto } for pid=55982 comm="11-dhclient" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1645015431.336:3626): avc: denied { map } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { execute } for pid=55994 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { execute_no_trans } for pid=55994 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { add_name } for pid=55994 comm="chronyc" name="chronyc.55994.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1

Not sure this is something the ceph project should be fixing?
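The triage done by eye in the comment above (every denial comes from the NetworkManager_dispatcher_t domain running the dhclient/chrony hooks, none from a domain ceph's own policy owns, and every record carries permissive=1) can be done mechanically over the teuthology output. This is an added example, not code from the ceph tree or from teuthology; the sample records are constructed, two copied from the denials quoted above and one invented ceph_t denial with permissive=0 to show what a finding that would warrant a ceph fix looks like.

```python
import re
from collections import Counter

# Constructed sample in the shape teuthology reports AVC records. The first two
# are copied from the report above; the third is invented for illustration.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1645015431.335:3623): avc: denied { map } for pid=55982 '
    'comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1645015431.348:3644): avc: denied { sendto } for pid=55994 '
    'comm="chronyc" path="/run/chrony/chronyd.sock" '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1',
    # Invented (not from the report): an enforced denial against a ceph domain.
    'type=AVC msg=audit(1645015500.000:4000): avc: denied { write } for pid=60000 '
    'comm="ceph-osd" name="osd.0" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it does not parse."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()                 # "{ read open }" -> ["read", "open"]
    rec["domain"] = rec["scontext"].split(":")[2]       # e.g. NetworkManager_dispatcher_t
    rec["permissive"] = rec["permissive"] == "1"        # True: logged only, not blocked
    return rec


def triage(lines, our_domains=("ceph_t",)):
    """Group denials by source domain and pick out the ones a ceph test should act on."""
    parsed = [r for r in map(parse_avc, lines) if r]
    by_domain = Counter(r["domain"] for r in parsed)
    enforced = [r for r in parsed if not r["permissive"]]
    ours = [r for r in parsed if r["domain"] in our_domains]
    return {"by_domain": dict(by_domain), "enforced": len(enforced), "ours": ours}
```

Run against the full list in the report, by_domain collapses to NetworkManager_dispatcher_t plus the one chronyd_t reply, and enforced is 0, which is the same conclusion the comment reaches.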

#2

Updated by Venky Shankar about 2 years ago

  • Has duplicate Bug #54337: Selinux denials seen on fs/rados teuthology runs added