├── os-cinder.fc ├── os-monitoring-plugins.te ├── tests ├── bz1153656 ├── bz1167073 ├── bz1180373 ├── bz1351336 ├── bz1469823 ├── bz1547197 ├── bz1751300 ├── bz1962802 ├── bz1116755 ├── bz1144199 ├── bz1284436 ├── bz1581729 ├── bz1642102 ├── bz1109087 ├── bz1174977 ├── bz1195215 ├── bz1310383 ├── bz1357961 ├── bz1372453 ├── bz1554964 ├── bz1134617 ├── bz1327609 ├── bz1334732 ├── bz1395240 ├── bz1452418 ├── bz1466444 ├── bz1083566 ├── bz1119151 ├── bz1149975 ├── bz1176830 ├── bz1294420 ├── bz1313617 ├── bz1715492 ├── bz1772025 ├── bz1170367 ├── bz1280083 ├── bz1306525 ├── bz1362609 ├── bz1926765 ├── bz1179040 ├── bz1302312 ├── bz1377272 ├── bz1671514 ├── bz1145802 ├── bz1437684 ├── bz1687321 ├── bz1142938 ├── bz1181677 ├── bz1211628 ├── lp1864501 ├── bz1278430 ├── bz1108187 ├── bz1789710 ├── bz1566973 ├── bz1652297 ├── bz1777738 ├── bz2020210 ├── osprh16672 ├── bz1572510 ├── bz1707840 ├── bz2013194 ├── lp1944539 ├── bz1115724 ├── bz1542107 ├── bz1893132 ├── bz1119400 ├── bz1130212 ├── bz1185444 ├── bz1628679 ├── bz1108937 ├── bz1119845 ├── bz1180230 ├── bz1112631 ├── bz2091076 ├── bz1284672 ├── bz1778793 ├── bz1464114 ├── bz2255412 ├── bz1206148 ├── bz2053852 ├── bz1478176 ├── lp1853652 ├── bz1727937 ├── bz1847037 ├── bz1232892 ├── bz1127910 ├── bz1114581 ├── bz1180881 ├── bz1223006 ├── bz1105344 ├── bz1162761 ├── bz1107873 ├── bz1110263 ├── bz1259419 ├── bz1168526 ├── bz1448887 ├── bz1283674 ├── bz1650046 ├── bz1777263 ├── bz1176842 ├── osprh3373 ├── bz1315457 ├── bz1969325 ├── bz1325623 ├── bz1230900 ├── bz1243039 ├── bz1231868 ├── bz1872651 ├── bz1430402 ├── bz1419418 ├── bz1561711 ├── bz2053849 ├── bz2254886 ├── bz1210271 ├── bz1568993 ├── bz1375766 ├── bz1765910 ├── bz1249685 ├── bz1081544 ├── bz1789068 ├── bz1170839 ├── bz1498797 ├── bz1820504 ├── bz1169859 ├── bz1732578 ├── bz1219406 ├── check_all ├── bz1640528 ├── bz1111990 ├── bz1558465 ├── bz1397537 ├── bz1941412 ├── bz1431556 ├── osprh960 ├── bz1684885 ├── bz1413775 ├── bz1095869 ├── bz1135510 ├── 
bz1114254 ├── bz1135637 ├── bz1494907 ├── bz1692325 ├── bz1180679 ├── bz1118859 ├── bz1245846 └── bz1434826 ├── os-ipxe.te ├── os-monitoring-plugins.fc ├── os-timemaster.te ├── os-logrotate.te ├── os-ovs-el9.te ├── os-rsyslog.te ├── os-redis.te ├── os-gnocchi.te ├── os-net-config.te ├── os-dnsmasq.te ├── os-haproxy.te ├── os-certmonger.te ├── os-rsync.te ├── os-collectd.te ├── os-barbican.te ├── os-swift.te ├── utils ├── avc_recorded ├── sortavcs └── testpolicy ├── README ├── os-ceilometer.te ├── os-mysql.te ├── os-keystone.te ├── os-rabbitmq.te ├── os-cinder.te ├── os-virt.te ├── os-httpd.te ├── doc ├── TROUBLESHOOTING.md └── CONTRIBUTING.md ├── os-podman.te ├── os-keepalived.te ├── os-glance.te ├── Makefile ├── os-ovs.te ├── os-neutron.te ├── os-octavia.te └── os-nova.te /os-cinder.fc: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /os-monitoring-plugins.te: -------------------------------------------------------------------------------- 1 | policy_module(os-monitoring-plugins,0.1) 2 | -------------------------------------------------------------------------------- /tests/bz1153656: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1413422314.326:70130): avc: denied { sigkill } for pid=11884 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process 2 | -------------------------------------------------------------------------------- /tests/bz1167073: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1414504423.908:14689): avc: denied { signal } for pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process -------------------------------------------------------------------------------- /tests/bz1180373: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1418387899.539:2885): avc: denied { write } for pid=28017 ino=249301 scontext=unconfined_u:system_r:nova_network_t:s0 tcontext=unconfined_u:system_r:nova_network_t:s0 tclass=key 2 | -------------------------------------------------------------------------------- /tests/bz1351336: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1467223302.024:526): avc: denied { signull } for pid=21579 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process 2 | -------------------------------------------------------------------------------- /tests/bz1469823: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1499805908.280:4362): avc: denied { setpgid } for pid=16339 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process 2 | -------------------------------------------------------------------------------- /tests/bz1547197: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1519144859.347:11041): avc: denied { setpgid } for pid=844370 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process 2 | -------------------------------------------------------------------------------- /tests/bz1751300: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1568239901.789:19443): avc: denied { create } for pid=186828 comm="runc:[2:INIT]" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=0 2 | -------------------------------------------------------------------------------- /tests/bz1962802: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1621521322.324:1212399): avc: denied { signal } for pid=1442393 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz1116755: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1404722961.440:8305): avc: denied { connectto } for pid=1407 comm="neutron-lbaas-a" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=unix_stream_socket 2 | -------------------------------------------------------------------------------- /tests/bz1144199: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1411134377.778:4436): avc: denied { name_bind } for pid=7139 comm="neutron-ns-meta" src=80 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1284436: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1448063445.338:2728): avc: denied { name_connect } for pid=30202 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1581729: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1527075675.414:18010): avc: denied { name_bind } for pid=4521 comm="dhcp_release6" src=546 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1642102: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } for pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket 2 | -------------------------------------------------------------------------------- /tests/bz1109087: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1402292494.533:664): avc: denied { name_connect } for pid=2593 comm="swift-container" dest=6002 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1174977: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1418765466.759:72017): avc: denied { name_connect } for pid=31996 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1195215: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1424683801.648:4935): avc: denied { getattr } for pid=6376 comm="haproxy" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem 2 | -------------------------------------------------------------------------------- /tests/bz1310383: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1456022999.334:8375): avc: denied { name_connect } for pid=5673 comm="ovs-vswitchd" dest=55 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- 
/tests/bz1357961: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1468946225.187:10125): avc: denied { name_bind } for pid=18325 comm="neutron-openvsw" src=6633 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:openflow_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1372453: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1472750796.213:4956): avc: denied { name_connect } for pid=17529 comm="ovs-vswitchd" dest=5938 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1554964: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1520957807.128:122131): avc: denied { name_bind } for pid=2715 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1134617: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1409330049.520:333): avc: denied { getattr } for pid=25567 comm="nova-api" name="/" dev="tmpfs" ino=7282 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem 2 | -------------------------------------------------------------------------------- /tests/bz1327609: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1460720246.797:113659): avc: denied { name_connect } for pid=14974 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket 2 | 
-------------------------------------------------------------------------------- /tests/bz1334732: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1462877708.253:7143): avc: denied { name_connect } for pid=5765 comm="ovs-vswitchd" dest=6653 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1395240: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1479212822.497:463): avc: denied { create } for pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file 2 | -------------------------------------------------------------------------------- /tests/bz1452418: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1495149503.842:3417): avc: denied { name_connect } for pid=24486 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1466444: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1498672139.870:5641): avc: denied { associate } for pid=365129 comm="httpd" name="gnocchiUvHVPC" scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=filesystem 2 | -------------------------------------------------------------------------------- /os-ipxe.te: -------------------------------------------------------------------------------- 1 | policy_module(os-ipxe,0.1) 2 | 3 | gen_require(` 4 | type httpd_t; 5 | type tftpdir_t; 6 | class file { read getattr open }; 7 | ') 8 | 9 | # Bugzilla 1232892 10 | allow httpd_t 
tftpdir_t:file { read getattr open }; 11 | -------------------------------------------------------------------------------- /tests/bz1083566: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1398155507.427:1096): avc: denied { read } for pid=6960 comm="sudo" name="utmp" dev="tmpfs" ino=18497 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1119151: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1405289981.574:22191): avc: denied { name_connect } for pid=20464 comm="glance-api" dest=6800 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1149975: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1412368083.631:63869): avc: denied { search } for pid=1332 comm="nova-scheduler" name="pki" dev="vda1" ino=16818314 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir -------------------------------------------------------------------------------- /tests/bz1176830: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1419326478.236:14309): avc: denied { getattr } for pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem 2 | -------------------------------------------------------------------------------- /tests/bz1294420: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1451203693.469:240652): avc: denied { create } for pid=6620 comm="su" 
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket 2 | -------------------------------------------------------------------------------- /tests/bz1313617: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1456857432.481:34143): avc: denied { getattr } for pid=91939 comm="glance-api" name="/" dev="tmpfs" ino=1236 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem 2 | -------------------------------------------------------------------------------- /tests/bz1715492: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1559218642.208:72): avc: denied { dac_override } for pid=6702 comm="haproxy" capability=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=1 2 | 3 | -------------------------------------------------------------------------------- /tests/bz1772025: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1573651690.514:4640): avc: denied { create } for pid=34421 comm="ovs-vswitchd" name="dpdk" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz1170367: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1417638763.636:183): avc: denied { read } for pid=19681 comm="mysqld_safe" name="cores" dev="dm-0" ino=51125914 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir 2 | -------------------------------------------------------------------------------- /tests/bz1280083: -------------------------------------------------------------------------------- 1 | type=AVC 
msg=audit(1447193408.754:426): avc: denied { search } for pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 2 | -------------------------------------------------------------------------------- /tests/bz1306525: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1455113474.656:285): avc: denied { name_connect } for pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1362609: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1469800130.190:99833): avc: denied { name_connect } for pid=17120 comm="glance-registry" dest=11211 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1926765: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1612971631.581:8655): avc: denied { sigchld } for pid=236718 comm="conmon" scontext=system_u:system_r:container_t:s0:c409,c785 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=process permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz1179040: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1420498849.286:269): avc: denied { read } for pid=6298 comm="sh" name="rabbitmq" dev="sda1" ino=2652593 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=unconfined_u:object_r:rabbitmq_var_lib_t:s0 tclass=lnk_file 2 | -------------------------------------------------------------------------------- 
/tests/bz1302312: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1453889488.386:89570): avc: denied { execute } for pid=8553 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1377272: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1474294984.518:10089): avc: denied { dac_override } for pid=13229 comm="virtlogd" capability=1 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability 2 | -------------------------------------------------------------------------------- /tests/bz1671514: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1548880833.900:153941): avc: denied { name_connect } for pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | -------------------------------------------------------------------------------- /tests/bz1145802: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1411046175.546:2138): avc: denied { getattr } for pid=4848 comm="glance-api" path="/var/lib/glance/images" dev="0:36" ino=111738944 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 2 | -------------------------------------------------------------------------------- /tests/bz1437684: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1490770503.768:2446): avc: denied { open } for pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1687321: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1552241787.746:60): avc: denied { entrypoint } for pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz1142938: -------------------------------------------------------------------------------- 1 | 2014-09-17 13:49:34 type=AVC msg=audit(1410961037.591:47785): avc: denied { read } for pid=30253 comm="haproxy" name="filesystems" dev="proc" ino=4026532019 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1181677: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1421156344.593:1045): avc: denied { search } for pid=19179 comm="keystone-all" name="keystone" dev="sda1" ino=68483145 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:keystone_cgi_script_exec_t:s0 tclass=dir 2 | -------------------------------------------------------------------------------- /tests/bz1211628: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1416249751.708:868196): avc: denied { write } for pid=17881 comm="qemu-kvm" name="console.log" dev="0:36" ino=203187846 scontext=system_u:system_r:svirt_tcg_t:s0:c155,c326 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/lp1864501: -------------------------------------------------------------------------------- 1 | type=AVC 
msg=audit(1582559167.088:1893): avc: denied { read } for pid=39502 comm="ls" name="puppet" dev="sda1" ino=113293470 scontext=system_u:system_r:container_t:s0:c390,c595 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 2 | -------------------------------------------------------------------------------- /tests/bz1278430: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1446728340.533:70764): avc: denied { getattr } for pid=14829 comm="sh" path="/usr/bin/systemctl" dev="sda1" ino=662168 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1108187: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1402493890.821:585): avc: denied { write } for pid=31594 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-1adclaf" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /tests/bz1789710: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1578626829.434:88494): avc: denied { getattr } for pid=981968 comm="glance-api" name="/" dev="0:46" ino=289429476 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=filesystem permissive=0 2 | -------------------------------------------------------------------------------- /os-monitoring-plugins.fc: -------------------------------------------------------------------------------- 1 | /usr/lib/monitoring/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 2 | /usr/lib64/monitoring/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 3 | 
-------------------------------------------------------------------------------- /tests/bz1566973: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1524017564.805:204): avc: denied { write } for pid=12021 comm="virtlogd" name="bec321f0-2651-4948-ac85-1845a91271a0" dev="0:39" ino=4197515 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 2 | -------------------------------------------------------------------------------- /tests/bz1652297: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1542830504.754:4792): avc: denied { read } for pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file 2 | -------------------------------------------------------------------------------- /tests/bz1777738: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(11/29/2019 14:32:51.557:32236) : avc: denied { write } for pid=205548 comm=iptables path=pipe:[1864791] dev="pipefs" ino=1864791 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz2020210: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1635988536.870:9187): avc: denied { append } for pid=128557 comm="redis-server" name="redis.log" dev="vda2" ino=67368647 scontext=system_u:system_r:container_t:s0:c67,c288 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0 2 | -------------------------------------------------------------------------------- /tests/osprh16672: -------------------------------------------------------------------------------- 1 | type=AVC 
msg=audit(1747193869.722:197759): avc: denied { write } for pid=321799 comm="NetworkManager" name="db.sock" dev="tmpfs" ino=2393 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=0 2 | -------------------------------------------------------------------------------- /tests/bz1572510: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1525078074.900:1198999): avc: denied { read write } for pid=11438 comm="ovs-vswitchd" path="socket:[38710370]" dev="sockfs" ino=38710370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket 2 | -------------------------------------------------------------------------------- /tests/bz1707840: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1557322725.873:12375): avc: denied { read write } for pid=8786 comm="vhost-events" path="socket:[16378370]" dev="sockfs" ino=16378370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=1 2 | -------------------------------------------------------------------------------- /tests/bz2013194: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1633990096.040:24220): avc: denied { read write } for pid=5337 comm="swift-container" name="container.recon" dev="vda2" ino=46373631 scontext=system_u:system_r:container_t:s0:c50,c57 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0 2 | -------------------------------------------------------------------------------- /tests/lp1944539: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(09/22/2021 10:46:27.412:11298) : avc: denied { getattr } for pid=338462 comm=lsof path=/dev/sda2 dev="devtmpfs" ino=24765 
scontext=system_u:system_r:container_t:s0:c216,c474 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 2 | -------------------------------------------------------------------------------- /os-timemaster.te: -------------------------------------------------------------------------------- 1 | policy_module(os-timemaster,0.1) 2 | 3 | gen_require(` 4 | type ptp4l_t; 5 | ') 6 | 7 | # Bugzilla 1872651 referencing RHEL bug 1759214. We need this for 8.2 too. 8 | allow ptp4l_t self:capability sys_admin; 9 | allow ptp4l_t self:packet_socket create_socket_perms; 10 | -------------------------------------------------------------------------------- /tests/bz1115724: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1404298251.399:48714): avc: denied { connectto } for pid=20887 comm="neutron-lbaas-a" path="/var/lib/neutron/lbaas/90c7a7d7-336b-4de8-bc49-40c776ef9b72/sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=unix_stream_socket 2 | -------------------------------------------------------------------------------- /tests/bz1542107: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1517841541.153:650): avc: denied { read write } for pid=7168 comm="vhost_thread2" path=2F6D656D66643A76686F73742D6C6F67202864656C6574656429 dev="tmpfs" ino=324410 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file 2 | -------------------------------------------------------------------------------- /os-logrotate.te: -------------------------------------------------------------------------------- 1 | policy_module(os-logrotate,0.1) 2 | 3 | # Bugzilla 1727937 4 | gen_require(` 5 | type logrotate_t; 6 | type container_file_t; 7 | ') 8 | manage_files_pattern(logrotate_t, container_file_t, container_file_t) 9 | manage_dirs_pattern(logrotate_t, container_file_t, container_file_t) 10 
| -------------------------------------------------------------------------------- /os-ovs-el9.te: -------------------------------------------------------------------------------- 1 | # 2 | # openstack-selinux extra OVS policy for RHEL9 3 | # 4 | # Allow openvswitch to write to files in /tmp 5 | # 6 | policy_module(os-ovs-el9,0.1) 7 | 8 | gen_require(` 9 | type openvswitch_t; 10 | type svirt_t; 11 | ') 12 | 13 | # bugzilla 2118908 14 | allow svirt_t openvswitch_t:anon_inode { read write }; 15 | -------------------------------------------------------------------------------- /os-rsyslog.te: -------------------------------------------------------------------------------- 1 | policy_module(os-rsyslog,0.1) 2 | 3 | gen_require(` 4 | type container_file_t; 5 | type syslogd_t; 6 | ') 7 | 8 | # LP #1810422 9 | manage_files_pattern(syslogd_t, container_file_t, container_file_t) 10 | manage_dirs_pattern(syslogd_t, container_file_t, container_file_t) 11 | manage_lnk_files_pattern(syslogd_t, container_file_t, container_file_t) 12 | -------------------------------------------------------------------------------- /os-redis.te: -------------------------------------------------------------------------------- 1 | policy_module(os-redis,0.1) 2 | 3 | gen_require(` 4 | type redis_port_t; 5 | type redis_t; 6 | type cluster_var_log_t; 7 | type sshd_t; 8 | type useradd_t; 9 | class tcp_socket name_connect; 10 | class file { read write }; 11 | ') 12 | 13 | # Bugzilla 1283674 14 | allow sshd_t cluster_var_log_t:file { read write }; 15 | allow useradd_t cluster_var_log_t:file { read write }; 16 | -------------------------------------------------------------------------------- /tests/bz1893132: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1604010639.062:643445): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 2 | type=AVC 
msg=audit(1604010639.098:643446): avc: denied { unmount } for pid=753263 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 3 | -------------------------------------------------------------------------------- /tests/bz1119400: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1405130267.572:5587): avc: denied { execstack } for pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process 2 | type=AVC msg=audit(1405130267.572:5587): avc: denied { execmem } for pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process -------------------------------------------------------------------------------- /tests/bz1130212: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1407878178.972:27128): avc: denied { execstack } for pid=32444 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process 2 | type=AVC msg=audit(1407948306.356:36165): avc: denied { execmem } for pid=7085 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process 3 | -------------------------------------------------------------------------------- /tests/bz1185444: -------------------------------------------------------------------------------- 1 | type=USER_AVC msg=audit(1422033446.927:1930): pid=593 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.159 spid=591 tpid=3187 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 
2 | -------------------------------------------------------------------------------- /tests/bz1628679: -------------------------------------------------------------------------------- 1 | type=USER_AVC msg=audit(1538043682.101:8006): pid=2252 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.410 spid=2405 tpid=19100 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cinder_volume_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 2 | -------------------------------------------------------------------------------- /tests/bz1108937: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403718102.298:671): avc: denied { name_bind } for pid=13262 comm="haproxy" src=5672 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1403718102.299:672): avc: denied { name_connect } for pid=13263 comm="haproxy" dest=5672 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket 3 | -------------------------------------------------------------------------------- /tests/bz1119845: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1405141351.574:1913): avc: denied { execstack } for pid=22718 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process 2 | type=AVC msg=audit(1405141351.574:1913): avc: denied { execmem } for pid=22718 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process 3 | -------------------------------------------------------------------------------- /os-gnocchi.te: -------------------------------------------------------------------------------- 1 | 
policy_module(os-gnocchi,0.1) 2 | 3 | require { 4 | type httpd_var_lib_t; 5 | type var_lib_t; 6 | class filesystem associate; 7 | } 8 | 9 | 10 | # If using var_lib_t for NFS (I believe the default), gnocchi 11 | # needs to do a few things that require this. 12 | # bz#1466444 13 | gen_tunable(os_gnocchi_use_nfs, false) 14 | tunable_policy(`os_gnocchi_use_nfs',` 15 | allow httpd_var_lib_t var_lib_t:filesystem associate; 16 | ') 17 | -------------------------------------------------------------------------------- /tests/bz1180230: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1420693901.582:15510): avc: denied { name_bind } for pid=1147 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1420694028.935:15621): avc: denied { open } for pid=1363 comm="httpd" path="/var/log/keystone/keystone.log" dev="vda1" ino=25700381 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_log_t:s0 tclass=file 3 | -------------------------------------------------------------------------------- /tests/bz1112631: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403597997.050:4426): avc: denied { name_connect } for pid=9106 comm="glusterfs" dest=50023 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1403597997.056:4427): avc: denied { name_connect } for pid=9106 comm="glusterfs" dest=50011 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket 3 | -------------------------------------------------------------------------------- /os-net-config.te: -------------------------------------------------------------------------------- 1 | # 2 | # openstack-selinux policy for os-net-config network manager 3 | # 4 | 
# Allow NetworkManager to access ovs db.sock 5 | # 6 | # Author: Ella Shulman 7 | # 8 | 9 | policy_module(os-net-config,0.1) 10 | 11 | gen_require(` 12 | type NetworkManager_t; 13 | type container_file_t; 14 | class sock_file write; 15 | ') 16 | 17 | # Jira OSPRH-16672 18 | rw_sock_files_pattern(NetworkManager_t, container_file_t, container_file_t) 19 | -------------------------------------------------------------------------------- /tests/bz2091076: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1663231589.213:223510): avc: denied { create } for pid=1 comm="systemd" name="podman.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 2 | type=AVC msg=audit(1663231589.213:223511): avc: denied { write } for pid=1 comm="systemd" name="podman.sock" dev="vda4" ino=143041949 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1 3 | -------------------------------------------------------------------------------- /tests/bz1284672: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1448300619.049:156): avc: denied { write } for pid=30790 comm="mysqld_safe" path="/tmp/tmp.3eZRnSANSZ" dev="sda2" ino=26429760 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file 2 | type=AVC msg=audit(1448300621.547:157): avc: denied { read } for pid=31659 comm="mysqld_safe" name="cores" dev="sda2" ino=26693278 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=dir 3 | -------------------------------------------------------------------------------- /tests/bz1778793: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fsetid } for pid=3137 comm=install capability=fsetid 
scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 2 | type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fowner } for pid=3137 comm=install capability=fowner scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 3 | -------------------------------------------------------------------------------- /os-dnsmasq.te: -------------------------------------------------------------------------------- 1 | policy_module(os-dnsmasq,0.1) 2 | 3 | gen_require(` 4 | type var_lib_t; 5 | type dnsmasq_t; 6 | class file manage_file_perms; 7 | class capability dac_override; 8 | ') 9 | 10 | # bug 1568993 11 | # dnsmasq_t can already create/delete var_lib_t directories 12 | allow dnsmasq_t var_lib_t:file manage_file_perms; 13 | 14 | gen_tunable(os_dnsmasq_dac_override, false) 15 | tunable_policy(`os_dnsmasq_dac_override',` 16 | allow dnsmasq_t self:capability { dac_override }; 17 | ') 18 | -------------------------------------------------------------------------------- /tests/bz1464114: -------------------------------------------------------------------------------- 1 | bz1464114:1:type=AVC msg=audit(1498082689.658:317): avc: denied { open } for pid=24495 comm="touch" path="/tmp/tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file 2 | bz1464114:2:type=AVC msg=audit(1498082689.659:318): avc: denied { setattr } for pid=24496 comm="chown" name="tmp.cgvP0Qe4oc" dev="vda2" ino=910 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file 3 | -------------------------------------------------------------------------------- /tests/bz2255412: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" 
name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 2 | type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 3 | -------------------------------------------------------------------------------- /tests/bz1206148: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1427892592.798:1881233): avc: denied { getattr } for pid=13134 comm="keepalived" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem 2 | type=AVC msg=audit(1427892692.372:1881569): avc: denied { unlink } for pid=12578 comm="keepalived" name="476fee88-54c1-42eb-8f6e-0a7fdddbc628.pid" dev="vda1" ino=192943239 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 3 | -------------------------------------------------------------------------------- /tests/bz2053852: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1644681472.535:9235): avc: denied { getattr } for pid=78599 comm="privsep-helper" path="/run/netns/qdhcp-d6afbd95-bfef-44d7-84cc-559cda9a0686" dev="nsfs" ino=4026532244 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1644681474.970:9248): avc: denied { unmount } for pid=78610 comm="privsep-helper" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=filesystem permissive=1 3 | -------------------------------------------------------------------------------- /os-haproxy.te: -------------------------------------------------------------------------------- 1 | 
policy_module(os-haproxy,0.1) 2 | 3 | gen_require(` 4 | type haproxy_exec_t; 5 | type haproxy_t; 6 | type ifconfig_t; 7 | type ifconfig_exec_t; 8 | type sysfs_t; 9 | class filesystem getattr; 10 | class file entrypoint; 11 | ') 12 | 13 | # Bugzilla 1195215 14 | allow haproxy_t sysfs_t:filesystem getattr; 15 | 16 | domtrans_pattern(ifconfig_t, haproxy_exec_t, haproxy_t) 17 | 18 | # Bugzilla #1434826 19 | allow haproxy_t ifconfig_exec_t:file entrypoint; 20 | sysnet_domtrans_ifconfig(haproxy_t) 21 | -------------------------------------------------------------------------------- /os-certmonger.te: -------------------------------------------------------------------------------- 1 | policy_module(os-certmonger,0.1) 2 | 3 | gen_require(` 4 | type certmonger_t; 5 | type iptables_t; 6 | type puppet_etc_t; 7 | class dir {search}; 8 | ') 9 | # rhbz#1777263 10 | allow certmonger_t puppet_etc_t:dir search; 11 | read_files_pattern(certmonger_t, puppet_etc_t, puppet_etc_t) 12 | 13 | # rhbz#1777368 14 | container_runtime_domtrans(certmonger_t) 15 | container_runtime_entrypoint(certmonger_t) 16 | 17 | # rhbz#1777738 18 | write_fifo_files_pattern(iptables_t, certmonger_t, certmonger_t) 19 | -------------------------------------------------------------------------------- /tests/bz1478176: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file 2 | type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file 3 | -------------------------------------------------------------------------------- 
/tests/lp1853652: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1576568492.577:8193): avc: denied { execute } for pid=77376 comm="(sync)" name="sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1576568492.577:8193): avc: denied { execute_no_trans } for pid=77376 comm="(sync)" path="/var/lib/neutron/dhcp_dnsmasq/sync" dev="vda1" ino=236350363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 3 | 4 | -------------------------------------------------------------------------------- /os-rsync.te: -------------------------------------------------------------------------------- 1 | policy_module(os-rsync,0.1) 2 | 3 | gen_require(` 4 | type load_policy_t; 5 | type init_t; 6 | type cert_t; 7 | type etc_t; 8 | type etc_runtime_t; 9 | type rsync_t; 10 | class fifo_file write; 11 | class file { relabelfrom write relabelto }; 12 | class dir { relabelfrom relabelto }; 13 | ') 14 | 15 | # Bugzilla 1135637 16 | allow rsync_t etc_runtime_t:file relabelto; 17 | allow rsync_t etc_t:file relabelfrom; 18 | allow rsync_t cert_t:dir { relabelfrom relabelto }; 19 | allow load_policy_t init_t:fifo_file write; 20 | -------------------------------------------------------------------------------- /tests/bz1727937: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1567480861.728:31696): avc: denied { write } for pid=683284 comm="logrotate" name="openvswitch" dev="sda2" ino=2881762 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 2 | type=AVC msg=audit(1562513521.955:5768): avc: denied { read } for pid=54302 comm="logrotate" name="openvswitch" dev="vda2" ino=1012142 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0 3 | 4 | -------------------------------------------------------------------------------- /tests/bz1847037: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1592206154.561:5419): avc: denied { execute_no_trans } for pid=3827 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0 2 | type=AVC msg=audit(1592206157.680:5438): avc: denied { execute_no_trans } for pid=3860 comm="sudo" path="/usr/bin/neutron-rootwrap-daemon" dev="sda1" ino=9310801 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file permissive=0 3 | -------------------------------------------------------------------------------- /tests/bz1232892: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1418940256.937:191): avc: denied { read } for pid=3481 comm="fakeAVC" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1418940256.937:192): avc: denied { getattr } for pid=3481 comm="fakeAVC" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1418940256.937:192): avc: denied { open } for pid=3481 comm="fakeAVC" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1 4 | -------------------------------------------------------------------------------- /os-collectd.te: -------------------------------------------------------------------------------- 1 | policy_module(os-collectd,0.1) 2 | 3 | gen_require(` 4 | type collectd_t; 5 | type var_lock_t; 6 | type cpu_device_t; 7 | class capability sys_rawio; 8 | ') 9 | 10 | # Bugzilla #1558465 11 | allow collectd_t 
cpu_device_t:chr_file rw_file_perms; 12 | 13 | # FIXME: Upstream policy probably needs collectd_var_lock_t 14 | # and a file transition rule in collectd.te. 15 | allow collectd_t var_lock_t:dir add_entry_dir_perms; 16 | allow collectd_t var_lock_t:file manage_file_perms; 17 | allow collectd_t var_lock_t:lnk_file read_lnk_file_perms; 18 | allow collectd_t self:capability sys_rawio; 19 | -------------------------------------------------------------------------------- /tests/bz1127910: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1409615248.750:4447): avc: denied { name_connect } for pid=8695 comm="httpd" dest=7002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1409330405.309:350): avc: denied { name_connect } for pid=4076 comm="httpd" dest=5050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1409330362.290:337): avc: denied { name_connect } for pid=2873 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket 4 | -------------------------------------------------------------------------------- /tests/bz1114581: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1404048398.798:253): avc: denied { search } for pid=68331 comm="mysqld" name="/" dev="0:35" ino=7340033 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 2 | type=AVC msg=audit(1404050797.155:306): avc: denied { name_bind } for pid=76930 comm="haproxy" src=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1404050797.155:307): avc: denied { name_bind } for pid=76930 comm="haproxy" src=5672 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 
tclass=tcp_socket 4 | -------------------------------------------------------------------------------- /tests/bz1180881: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1421230145.638:4595): avc: denied { dac_override } for pid=6425 comm="keepalived" capability=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability 2 | type=AVC msg=audit(1421230145.641:4596): avc: denied { module_request } for pid=6426 comm="keepalived" kmod="net-pf-16-proto-16-family-IPVS" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system 3 | type=AVC msg=audit(1421165045.206:19477): avc: denied { sigkill } for pid=10254 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_t:s0 tclass=process 4 | -------------------------------------------------------------------------------- /tests/bz1223006: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1432714833.802:3193): avc: denied { write } for pid=27251 comm="httpd" name="keystone" dev="dm-1" ino=35731993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_log_t:s0 tclass=dir 2 | type=AVC msg=audit(1432714833.802:3193): avc: denied { add_name } for pid=27251 comm="httpd" name="keystone.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_log_t:s0 tclass=dir 3 | type=AVC msg=audit(1432714833.802:3193): avc: denied { create } for pid=27251 comm="httpd" name="keystone.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_log_t:s0 tclass=file 4 | -------------------------------------------------------------------------------- /os-barbican.te: -------------------------------------------------------------------------------- 1 | policy_module(os-barbican,0.1) 2 | 3 | gen_require(` 4 | type container_t; 5 | type initrc_t; 6 | type pki_common_t; 7 | ') 8 | 9 | 
# Bugzilla 1732578 10 | allow container_t pki_common_t:dir read; 11 | exec_files_pattern(container_t, pki_common_t, pki_common_t); 12 | 13 | gen_tunable(os_barbican_write_pki, false) 14 | tunable_policy(`os_barbican_write_pki',` 15 | allow container_t initrc_t:unix_stream_socket connectto; 16 | allow container_t pki_common_t:dir { add_name remove_name write }; 17 | allow container_t pki_common_t:file { append create lock rename write }; 18 | allow container_t pki_common_t:sock_file write; 19 | ') 20 | -------------------------------------------------------------------------------- /os-swift.te: -------------------------------------------------------------------------------- 1 | policy_module(os-swift,0.1) 2 | 3 | gen_require(` 4 | type swift_t; 5 | type swift_data_t; 6 | type amqp_port_t; 7 | type var_log_t; 8 | class tcp_socket name_connect; 9 | class file { open }; 10 | ') 11 | 12 | # Emergency tripleo fix 13 | allow swift_t var_log_t:file open; 14 | allow swift_t amqp_port_t:tcp_socket name_connect; 15 | 16 | # Bugzilla 1302312 17 | rsync_exec(swift_t) 18 | 19 | # Bugzilla 1249685 (execmem) 20 | gen_tunable(os_swift_use_execmem, false) 21 | tunable_policy(`os_swift_use_execmem',` 22 | allow swift_t self:process execmem; 23 | ') 24 | 25 | # Bugzilla 1652297 26 | allow swift_t swift_data_t:lnk_file { create read }; 27 | -------------------------------------------------------------------------------- /utils/avc_recorded: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | while read; do 4 | if [ "${REPLY/type=AVC/}" == "$REPLY" ] && \ 5 | [ "${REPLY/type=USER_AVC/}" == "$REPLY" ]; then 6 | continue 7 | fi 8 | 9 | operations=${REPLY/*\{ /} 10 | operations=${operations/ \}*/} 11 | src=${REPLY/*scontext=/} 12 | src=${src/ */} 13 | src=${src/:s0*/} 14 | tgt=${REPLY/*tcontext=/} 15 | tgt=${tgt/ */} 16 | tgt=${tgt/:s0*/} 17 | tclass=${REPLY/*tclass=/} 18 | tclass=${tclass/ */} 19 | 20 | for op in $operations; do 21 | 
s="$op.*scontext=$src.*tcontext=$tgt.*tclass=$tclass" 22 | [ -d tests ] && grep "$s" tests/bz* 23 | [ -d ../tests ] && grep "$s" ../tests/bz* 24 | done 25 | done 26 | -------------------------------------------------------------------------------- /tests/bz1105344: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403293198.799:61): avc: denied { search } for pid=14890 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=26196995 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir 2 | type=AVC msg=audit(1402517105.472:312): avc: denied { name_connect } for pid=14809 comm="swift-proxy-ser" dest=35357 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1402517105.469:311): avc: denied { name_connect } for pid=14809 comm="swift-proxy-ser" dest=11211 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket 4 | -------------------------------------------------------------------------------- /tests/bz1162761: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1415721028.879:10207): avc: denied { name_connect } for pid=53095 comm="nova-consoleaut" dest=11211 scontext=system_u:system_r:nova_console_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1415721032.117:10221): avc: denied { name_connect } for pid=53360 comm="nova-scheduler" dest=11211 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1415721039.382:10383): avc: denied { name_connect } for pid=53974 comm="nova-cert" dest=11211 scontext=system_u:system_r:nova_cert_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket -------------------------------------------------------------------------------- /tests/bz1107873: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1402423014.006:8312): avc: denied { name_connect } for pid=23876 comm="nova-cert" dest=15672 scontext=system_u:system_r:nova_cert_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1402423014.781:8313): avc: denied { name_connect } for pid=24440 comm="nova-scheduler" dest=15672 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1402423015.892:8314): avc: denied { name_connect } for pid=23976 comm="nova-consoleaut" dest=15672 scontext=system_u:system_r:nova_console_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 4 | -------------------------------------------------------------------------------- /tests/bz1110263: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403470895.273:3249): avc: denied { connectto } for pid=17966 comm="neutron-ns-meta" path="/var/lib/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=unix_stream_socket 2 | type=AVC msg=audit(1404139653.265:1447): avc: denied { name_connect } for pid=4151 comm="neutron-metadat" dest=9696 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1404139758.268:1579): avc: denied { name_connect } for pid=4151 comm="neutron-metadat" dest=8775 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 4 | -------------------------------------------------------------------------------- /tests/bz1259419: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1441204057.176:32748): avc: denied { name_connect } for pid=23947 comm="ovsdb-server" dest=6632 scontext=system_u:system_r:openvswitch_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1441204364.388:32861): avc: denied { getattr } for pid=23982 comm="system_stats4" path="/srv/node/swiftloopback" dev="loop0" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir 3 | type=AVC msg=audit(1441204354.383:32858): avc: denied { search } for pid=23982 comm="system_stats4" name="node" dev="sda1" ino=42410035 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir 4 | -------------------------------------------------------------------------------- /tests/bz1168526: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1417089038.047:151800): avc: denied { execute } for pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1419926040.12:174465): avc: denied { read open } for pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1419926040.12:174465): avc: denied { execute_no_trans } for pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file 4 | -------------------------------------------------------------------------------- /tests/bz1448887: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1494905982.458:2181): avc: denied { open } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file 2 | type=AVC msg=audit(1494905982.458:2182): avc: denied { getattr } for pid=7404 comm="ovs-vsctl" 
path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file 3 | type=AVC msg=audit(1494905982.458:2182): avc: denied { read } for pid=7404 comm="ovs-vsctl" path="/proc/7357/cmdline" dev="proc" ino=216884 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file 4 | -------------------------------------------------------------------------------- /tests/bz1283674: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1449393248.423:8265): avc: denied { read } for pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file 2 | type=AVC msg=audit(1449393248.424:8266): avc: denied { read write } for pid=3486 comm="sshd" name="lastlog" dev="sda2" ino=365978 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file 3 | type=AVC msg=audit(1449393989.852:9113): avc: denied { read write } for pid=26966 comm="useradd" name="lastlog" dev="sda2" ino=365978 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file 4 | -------------------------------------------------------------------------------- /tests/bz1650046: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1583112189.890:19129): avc: denied { read } for pid=13620 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1583136605.180:19713): avc: denied { setrlimit } for pid=20488 comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process permissive=1 3 | type=AVC 
msg=audit(1583136606.388:19715): avc: denied { read } for pid=20640 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 4 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | This repository contains OpenStack policy workarounds 2 | for EL6 and EL7 and derivatives. Each release has its 3 | own corresponding branch. 4 | 5 | Branch Operating System 6 | master Red Hat Enterprise Linux 7, CentOS 7, and related 7 | el6 Red Hat Enterprise Linux 6, CentOS 6, and related 8 | 9 | The policies here are not designed to replace - but augment - 10 | the selinux-policy package from your operating system. 11 | 12 | Bugs may be filed against the 'openstack-selinux' package 13 | in the 'RDO' or 'Red Hat OpenStack' products at 14 | https://bugzilla.redhat.com/ 15 | 16 | Running the tests 17 | ----------------- 18 | 19 | See the doc/ directory for more information on reporting and fixing 20 | bugs as well as troubleshooting tips. 
21 | -------------------------------------------------------------------------------- /tests/bz1777263: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1574861307.690:5254): avc: denied { getattr } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1574861307.690:5255): avc: denied { read } for pid=25373 comm="ruby" name="hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1574861307.690:5255): avc: denied { open } for pid=25373 comm="ruby" path="/etc/puppet/hiera.yaml" dev="sda1" ino=150996716 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1 4 | -------------------------------------------------------------------------------- /os-ceilometer.te: --------------------------------------------------------------------------------
# os-ceilometer: local policy additions for the ceilometer polling domain.
# This module augments the distribution selinux-policy; it does not replace it.
policy_module(os-ceilometer, 1.0.0)

# NOTE(review): container_file_t is required below but no rule in this file
# references it; confirm whether the require is still needed.
gen_require(`
	attribute container_net_domain;
	type ceilometer_polling_t;
	type container_file_t;
	type proc_t;
	type virt_var_run_t;
	type virtd_t;
')

# Get ceilometer_polling_t to work as a container
# The two interfaces come from the container policy; their exact expansion is
# outside this file. The typeattribute line adds the domain to
# container_net_domain.
container_domain_template(ceilometer_polling, container)
container_runtime_domtrans(ceilometer_polling_t)
typeattribute ceilometer_polling_t container_net_domain;

# Interfaces for sending audit and syslog messages from the polling domain.
logging_send_audit_msgs(ceilometer_polling_t)
logging_send_syslog_msg(ceilometer_polling_t)

# OSPRH-3373
# See tests/osprh3373: ceilometer-poll was denied `associate` on a proc_t
# filesystem, `write` on the virtqemud-sock-ro sock_file (virt_var_run_t) and
# `connectto` on a virtd_t unix_stream_socket at /run/libvirt/virtqemud-sock-ro.
# Only those three permissions are granted; no file or directory access on
# virt_var_run_t and no other virtd_t access is added here.
allow ceilometer_polling_t proc_t:filesystem associate;
allow ceilometer_polling_t virt_var_run_t:sock_file write;
allow ceilometer_polling_t virtd_t:unix_stream_socket connectto;
-------------------------------------------------------------------------------- /tests/bz1176842: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1419838568.567:1365): avc: denied { read } for pid=6573 comm="keystone-all" name="keystone-dist.conf" dev="sda5" ino=10753052 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:keystone_cgi_script_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1419838568.566:1364): avc: denied { getattr } for pid=6573 comm="keystone-all" path="/usr/share/keystone/keystone-dist.conf" dev="sda5" ino=10753052 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:keystone_cgi_script_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1419838568.567:1365): avc: denied { open } for pid=6573 comm="keystone-all" path="/usr/share/keystone/keystone-dist.conf" dev="sda5" ino=10753052 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:keystone_cgi_script_exec_t:s0 tclass=file 4 | -------------------------------------------------------------------------------- /tests/osprh3373: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1707395260.099:18787): avc: denied { associate } for pid=74475 comm="ceilometer-poll" name="1" scontext=system_u:object_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1 2 | type=AVC msg=audit(1707395260.231:18790): avc: denied { write } for pid=74485 comm="ceilometer-poll" name="virtqemud-sock-ro" dev="tmpfs" ino=1703 scontext=system_u:system_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1 3 | type=AVC msg=audit(1707478033.374:19852): avc: denied { connectto } for pid=86771 comm="ceilometer-poll" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:ceilometer_polling_t:s0:c322,c751 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
permissive=1 4 | -------------------------------------------------------------------------------- /tests/bz1315457: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1457378892.760:805): avc: denied { add_name } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir 2 | type=AVC msg=audit(1457378892.760:805): avc: denied { write } for pid=21776 comm="httpd" name="nova" dev="vda1" ino=310432274 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir 3 | type=AVC msg=audit(1457378892.760:805): avc: denied { create } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=file 4 | type=AVC msg=audit(1457450838.6:501): avc: denied { name_bind } for pid=23197 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket 5 | -------------------------------------------------------------------------------- /tests/bz1969325: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1622799389.155:390): avc: denied { setattr } for pid=4715 comm="keepalived" name="1171ec49-19e7-4b89-a97c-88d5e8732bf8.pid.keepalived" dev="dm-0" ino=237885 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1622799392.683:404): avc: denied { setattr } for pid=4808 comm="keepalived" name="0a74a7c4-8735-4aea-8b16-0e46780c9a39.pid.keepalived" dev="dm-0" ino=237887 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1622799420.386:566): avc: denied { setattr } for pid=5621 comm="keepalived" name="db8f00f6-b84f-4ec1-b96a-24b46200c26b.pid.keepalived" dev="dm-0" ino=232460 
scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=1 4 | -------------------------------------------------------------------------------- /os-mysql.te: --------------------------------------------------------------------------------
# os-mysql: local policy additions for mysqld / mysqld_safe (Galera SST over
# rsync and cluster-managed paths). Augments the distribution selinux-policy.
policy_module(os-mysql,0.1)

gen_require(`
	type tram_port_t;
	type rsync_exec_t;
	type mysqld_t;
	type nfs_t;
	type mysqld_safe_exec_t;
	type cluster_tmp_t;
	type cluster_var_lib_t;
	type mysqld_safe_t;
	class tcp_socket name_connect;
	class file { read getattr open execute execute_no_trans write };
	class dir read;
')

# Bugzilla 1081544
# tests/bz1081544: wsrep_sst_rsync, running as mysqld_t, was denied
# read/getattr/open/execute/execute_no_trans on /usr/bin/rsync (rsync_exec_t),
# and mysqld was denied name_connect to port 4567 (tram_port_t).
# execute_no_trans means rsync runs inside mysqld_t itself instead of
# transitioning to a separate domain, so while it runs it carries every
# permission mysqld_t has.
allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
corenet_tcp_connect_tram_port(mysqld_t)

# Bugzilla 1114581
# Deliberately left disabled. nfs_t appears to be listed in gen_require only
# for this commented-out rule.
# allow mysqld_t nfs_t:dir search;

# Bugzilla 1118859
allow mysqld_t mysqld_safe_exec_t:file getattr;

# Bugzilla 1284672
# Bugzilla 1439182
# Bugzilla 1464114
# mysqld_safe_t gets setattr plus the write_file_perms set on cluster_tmp_t
# files, and read on cluster_var_lib_t directories. The class file require
# above lists `write` explicitly; the remaining write_file_perms members are
# expected to come from the macro expansion.
allow mysqld_safe_t cluster_tmp_t:file { setattr write_file_perms };
allow mysqld_safe_t cluster_var_lib_t:dir read;
-------------------------------------------------------------------------------- /tests/bz1325623: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1460257814.82:8553): avc: denied { open } for pid=14325 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="vda1" ino=318834799 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cinder_log_t:s0 tclass=file 2 | type=AVC msg=audit(1460418646.779:3276): avc: denied { write } for pid=2209 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir 3 | type=AVC msg=audit(1460418573.405:3254): avc: denied { add_name } for pid=2191 comm="httpd" name="cinder" dev="vda1" ino=117531620 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir 4 | type=AVC msg=audit(1460489301.63:483): avc: denied { create } for pid=14118 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file 5 | -------------------------------------------------------------------------------- /os-keystone.te: --------------------------------------------------------------------------------
# os-keystone: local policy additions for keystone_t and for httpd_t acting on
# keystone's log directory. Augments the distribution selinux-policy.
policy_module(os-keystone,0.1)

# NOTE(review): `open` is required on class file here but only `create` is
# used directly below; keystone_manage_log may cover the rest.
gen_require(`
	type httpd_t;
	type keystone_log_t;
	type keystone_t;
	class file { create open };
')

# Bugzilla 1223006
# httpd_t may create keystone_log_t files; keystone_manage_log adds the
# remaining log-directory handling.
allow httpd_t keystone_log_t:file create;
keystone_manage_log(httpd_t)

# Bugzilla 1327609
corenet_tcp_connect_memcache_port(keystone_t)

# Bugzilla 1249685 (execmem)
# Off by default. tests/bz1249685 shows execmem denials for keystone-all.
# Enabling the boolean lets keystone_t map memory that is both writable and
# executable, which weakens W^X for that domain; keep it disabled unless the
# denial is actually observed on the deployment.
gen_tunable(os_keystone_use_execmem, false)
tunable_policy(`os_keystone_use_execmem',`
	allow keystone_t self:process execmem;
')

optional_policy(`
	# keystone_t is required again here; harmless duplicate of the require
	# at the top of the file.
	gen_require(`
		type keystone_cgi_script_exec_t;
		type keystone_t;
		class file { read getattr open };
		class dir search;
	')
	# Bugzilla 1176842
	# tests/bz1176842: keystone-all was denied read/getattr/open on
	# /usr/share/keystone/keystone-dist.conf, which carries the
	# keystone_cgi_script_exec_t label. Read-only access is granted; no
	# execute permission is added on that type.
	allow keystone_t keystone_cgi_script_exec_t:file { read getattr open };

	# Bugzilla 1181677
	allow keystone_t keystone_cgi_script_exec_t:dir search;
')
-------------------------------------------------------------------------------- /tests/bz1230900: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1434131323.679:7807): avc: denied { create } for pid=26750 comm="neutron-rootwra" name="rootwrap.sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_tmp_t:s0 tclass=sock_file 2 | type=AVC msg=audit(1434131323.679:7808): avc: denied { setattr } for pid=26750 comm="neutron-rootwra" name="rootwrap.sock" dev="dm-1" ino=71908034 scontext=system_u:system_r:neutron_t:s0 
tcontext=system_u:object_r:neutron_tmp_t:s0 tclass=sock_file 3 | type=AVC msg=audit(1434131323.679:7809): avc: denied { write } for pid=26673 comm="neutron-openvsw" name="rootwrap.sock" dev="dm-1" ino=71908034 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_tmp_t:s0 tclass=sock_file 4 | type=AVC msg=audit(1434131631.311:10861): avc: denied { write } for pid=26881 comm="neutron-l3-agen" name="rootwrap.sock" dev="dm-1" ino=68196389 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_tmp_t:s0 tclass=sock_file 5 | -------------------------------------------------------------------------------- /tests/bz1243039: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1436967882.028:56042): avc: denied { read } for pid=28305 comm="sh" name="systemctl" dev="dm-1" ino=134482906 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1436967882.028:56043): avc: denied { open } for pid=28305 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134482906 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1436967882.028:56041): avc: denied { execute } for pid=28305 comm="sh" name="systemctl" dev="dm-1" ino=134482906 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 4 | type=AVC msg=audit(1436967882.027:56040): avc: denied { getattr } for pid=28305 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134482906 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 5 | -------------------------------------------------------------------------------- /tests/bz1231868: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1418940256.937:192): avc: denied { getattr } for 
pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1418940256.937:191): avc: denied { read } for pid=3481 comm="handler5" name="netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1418940256.937:191): avc: denied { search } for pid=3481 comm="handler5" name="net" dev="proc" ino=9722 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1 4 | type=AVC msg=audit(1418940256.937:191): avc: denied { open } for pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 5 | -------------------------------------------------------------------------------- /tests/bz1872651: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1598898583.306:659): avc: denied { sys_admin } for pid=2595 comm="ptp4l" capability=21 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=capability permiss 2 | type=AVC msg=audit(1598898583.306:658): avc: denied { setopt } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 3 | type=AVC msg=audit(1598898583.298:657): avc: denied { bind } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 4 | type=AVC msg=audit(1598898583.298:656): avc: denied { ioctl } for pid=2595 comm="ptp4l" path="socket:[186527]" dev="sockfs" ino=186527 ioctlcmd=0x8933 scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:s 5 | type=AVC 
msg=audit(1598898583.298:655): avc: denied { create } for pid=2595 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 6 | -------------------------------------------------------------------------------- /os-rabbitmq.te: --------------------------------------------------------------------------------
# os-rabbitmq: local policy additions for rabbitmq, epmd and the logrotate
# job that acts on them. Augments the distribution selinux-policy.
policy_module(os-rabbitmq,0.1)

gen_require(`
	type epmd_port_t;
	type init_tmp_t;
	type logrotate_t;
	type proc_net_t;
	type rabbitmq_epmd_t;
	type rabbitmq_port_t;
	type rabbitmq_t;
	type rabbitmq_var_lib_t;
	type security_t;
	class dir { read write };
	class file { getattr open read write };
	class passwd passwd;
	class security compute_av;
	class tcp_socket { name_bind name_connect };
')

# Bugzilla 1135637
allow rabbitmq_epmd_t init_tmp_t:file write;

# Bugzilla 1413775
# logrotate_t is given rabbitmq-side access: bind and connect on the epmd
# port, connect to the rabbitmq port, read/write on rabbitmq_var_lib_t
# directories and read on its files, plus compute_av on security_t and
# self:passwd passwd.
# NOTE(review): this is a sizeable grant for a log-rotation domain. The
# tests/bz1413775 fixture is not in this chunk, so the motivating denials
# could not be cross-checked here; confirm name_bind on epmd_port_t is really
# needed rather than name_connect alone.
allow logrotate_t epmd_port_t:tcp_socket {name_connect name_bind};
allow logrotate_t rabbitmq_port_t:tcp_socket name_connect;
allow logrotate_t rabbitmq_var_lib_t:dir { read write };
allow logrotate_t rabbitmq_var_lib_t:file { getattr open read };
allow logrotate_t security_t:security compute_av;
allow logrotate_t self:passwd passwd;

# Bugzilla 1650046
# tests/bz1650046: inet_gethost running as rabbitmq_t and as logrotate_t was
# denied read on /proc/net/unix (proc_net_t), and runuser under logrotate_t
# was denied setrlimit on itself. Only read on proc_net_t files is granted.
allow logrotate_t proc_net_t:file read;
allow logrotate_t self:process setrlimit;
allow rabbitmq_t proc_net_t:file read;
-------------------------------------------------------------------------------- /tests/bz1430402: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1490708508.568:4786): avc: denied { search } for pid=428106 comm="nova-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir 2 | type=AVC msg=audit(1490708839.879:4915): avc: denied { search } for pid=470231 comm="nova-scheduler" 
name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir 3 | type=AVC msg=audit(1490708833.260:4883): avc: denied { search } for pid=470038 comm="nova-conductor" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir 4 | type=AVC msg=audit(1490709327.031:5296): avc: denied { search } for pid=430212 comm="glance-api" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir 5 | type=AVC msg=audit(1490708842.508:4919): avc: denied { search } for pid=470319 comm="nova-consoleaut" name="my.cnf.d" dev="vda2" ino=866 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir 6 | -------------------------------------------------------------------------------- /tests/bz1419418: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1486486741.798:28167791): avc: denied { create } for pid=17843 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1 2 | type=AVC msg=audit(1486486741.798:28167792): avc: denied { setopt } for pid=17843 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1 3 | type=AVC msg=audit(1486486741.799:28167794): avc: denied { connect } for pid=17843 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1 4 | type=AVC msg=audit(1486486741.799:28167795): avc: denied { getattr } for pid=17843 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1 5 | type=AVC 
msg=audit(1486486741.262:28159896): avc: denied { getopt } for pid=17843 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0 6 | -------------------------------------------------------------------------------- /tests/bz1561711: -------------------------------------------------------------------------------- 1 | type=USER_AVC msg=audit(1520195408.164:1668): pid=1393 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=3123 tpid=1390 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 2 | type=USER_AVC msg=audit(1527075220.353:14540): pid=581 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.866 spid=575 tpid=11664 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 
3 | type=AVC msg=audit(1527492439.572:13842): avc: denied { write } for pid=10949 comm="virtlogd" path="/run/systemd/inhibit/4.ref" dev="tmpfs" ino=251799 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 4 | -------------------------------------------------------------------------------- /tests/bz2053849: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1644681031.316:8213): avc: denied { ioctl } for pid=72966 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1644681041.232:8256): avc: denied { remove_name } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 3 | type=AVC msg=audit(1644681041.232:8256): avc: denied { unlink } for pid=72965 comm="httpd" name="cinder-attachment_update-3d70b60e-246f-48b1-a711-42ed47305219-centos-9-stream" dev="vda1" ino=6829831 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(1644681192.761:8641): avc: denied { read } for pid=72965 comm="httpd" name="cinder" dev="vda1" ino=6815392 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir permissive=1 5 | -------------------------------------------------------------------------------- /tests/bz2254886: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1702821160.556:5348): avc: denied { create } for pid=71109 comm="neutron-server" name="sem.ooVkM5" 
scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1702821160.556:5348): avc: denied { read write open } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1702821160.556:5349): avc: denied { link } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(1702821160.556:5350): avc: denied { getattr } for pid=71109 comm="neutron-server" path="/dev/shm/sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 5 | type=AVC msg=audit(1702821160.556:5351): avc: denied { unlink } for pid=71109 comm="neutron-server" name="sem.ooVkM5" dev="tmpfs" ino=6 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 6 | -------------------------------------------------------------------------------- /tests/bz1210271: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1428486597.985:9617409): avc: denied { read } for pid=23724 comm="glance-registry" name="glance" dev="dm-0" ino=134789393 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=lnk_file 2 | type=AVC msg=audit(1428759418.718:823087): avc: denied { read } for pid=73969 comm="qemu-kvm" name="nova" dev="dm-0" ino=135140337 scontext=system_u:system_r:svirt_t:s0:c96,c916 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=lnk_file 3 | type=AVC msg=audit(1430316923.059:242855): avc: denied { read } for pid=20626 comm="glance-api" name="glance" dev="dm-1" ino=135471215 scontext=system_u:system_r:glance_api_t:s0 
tcontext=unconfined_u:object_r:glance_var_lib_t:s0 tclass=lnk_file 4 | type=AVC msg=audit(1430311522.971:227905): avc: denied { read } for pid=20572 comm="glance-registry" name="glance" dev="dm-1" ino=135723583 scontext=system_u:system_r:glance_registry_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file 5 | type=AVC msg=audit(1430311522.890:227904): avc: denied { read } for pid=20627 comm="glance-api" name="glance" dev="dm-1" ino=135723583 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file 6 | -------------------------------------------------------------------------------- /os-cinder.te: --------------------------------------------------------------------------------
# os-cinder: local policy additions for the cinder domains and for httpd_t
# acting on cinder's log and state directories. Augments the distribution
# selinux-policy.
policy_module(os-cinder,0.1)

# NOTE(review): append/getattr/lock on class file and create on class dir are
# required here but not used by a direct allow rule below; the manage_*
# patterns presumably cover them.
gen_require(`
	type cinder_log_t;
	type cinder_backup_t;
	type systemd_logind_t;
	type cinder_volume_t;
	type cinder_var_lib_t;
	type httpd_t;
	class file { open create append getattr lock };
	class dir { add_name write create };
	class dbus { send_msg };
	attribute cinder_domain;
')

# Bugzilla 1325623
# tests/bz1325623: httpd_t was denied open/create on cinder-api.log and
# write/add_name on the cinder_log_t log directory.
allow httpd_t cinder_log_t:file { open create };
allow httpd_t cinder_log_t:dir { add_name write };

# Bugzilla 1820504 and 2053849
# tests/bz2053849: httpd_t was denied ioctl/unlink on a
# cinder-attachment_update-* file and remove_name/read on the
# cinder_var_lib_t directory.
# NOTE(review): manage_dirs_pattern and manage_files_pattern grant httpd_t
# full management (create, write, rename, delete) of everything labelled
# cinder_var_lib_t, not only the attachment_update files seen in the
# fixture. A dedicated type for the files httpd actually touches would limit
# what a compromised httpd_t could alter under /var/lib/cinder.
manage_dirs_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t);

# Allow httpd to handle files in statedir
manage_files_pattern(httpd_t, cinder_var_lib_t, cinder_var_lib_t);

# Bugzilla 1384472
# Presumably a domain transition for cinder_backup_t when executing iscsid;
# the interface body is outside this file.
iscsid_domtrans(cinder_backup_t);

# Bugzilla #1628679
allow systemd_logind_t cinder_volume_t:dbus { send_msg };

# Bugzilla 1653640
# Off by default. When enabled, every member of cinder_domain gets manage on
# NFS directories, files and symlinks and may execute NFS-hosted files;
# enable only on deployments whose cinder backend really uses NFS, since
# fs_exec_nfs_files lets content on the share run in the cinder domains.
gen_tunable(os_cinder_use_nfs, false)
tunable_policy(`os_cinder_use_nfs',`
	fs_manage_nfs_dirs(cinder_domain)
	fs_manage_nfs_files(cinder_domain)
	fs_manage_nfs_symlinks(cinder_domain)
	fs_exec_nfs_files(cinder_domain)
')
-------------------------------------------------------------------------------- /tests/bz1568993: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1523966763.994:1875): avc: denied { read } for pid=16973 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=113286649 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 2 | type=AVC msg=audit(1523990351.136:7706): avc: denied { getattr } for pid=31332 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:6b:18:f3" dev="vda1" ino=113286651 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 3 | type=AVC msg=audit(1523990351.136:7707): avc: denied { getattr } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 4 | type=AVC msg=audit(1523990351.136:7708): avc: denied { open } for pid=8168 comm="dnsmasq" path="/var/lib/ironic-inspector/dhcp-hostsdir/52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 5 | type=AVC msg=audit(1523990351.136:7709): avc: denied { read } for pid=8168 comm="dnsmasq" name="52:54:00:7c:b5:00" dev="vda1" ino=114077529 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 6 | -------------------------------------------------------------------------------- /tests/bz1375766: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1473797650.030:230): avc: denied { open } for pid=28146 comm="virtlogd" path="/var/lib/nova/instances/c6bea1b7-a9f0-401f-9153-212b4cf26a4f/console.log" dev="sda2" ino=1064491 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file 2 | type=AVC 
msg=audit(1473797470.584:152): avc: denied { search } for pid=28146 comm="virtlogd" name="nova" dev="sda2" ino=67147 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=dir 3 | type=AVC msg=audit(1473797650.030:231): avc: denied { getattr } for pid=28146 comm="virtlogd" path="/var/lib/nova/instances/c6bea1b7-a9f0-401f-9153-212b4cf26a4f/console.log" dev="sda2" ino=1064491 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file 4 | type=AVC msg=audit(1473797650.030:230): avc: denied { search } for pid=28146 comm="virtlogd" name="c6bea1b7-a9f0-401f-9153-212b4cf26a4f" dev="sda2" ino=1064483 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir 5 | type=AVC msg=audit(1473797650.030:230): avc: denied { append } for pid=28146 comm="virtlogd" name="console.log" dev="sda2" ino=1064491 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file 6 | -------------------------------------------------------------------------------- /tests/bz1765910: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1572103537.454:113): avc: denied { read } for pid=1752 comm="ip" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1572103537.454:113): avc: denied { open } for pid=1752 comm="ip" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1572356953.842:84): avc: denied { mounton } for pid=4491 comm="ip" path="/sys" dev="vda1" ino=509 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 4 | type=AVC msg=audit(1572445298.403:73): avc: 
denied { mounton } for pid=4371 comm="ip" path="/sys" dev="vda1" ino=2097505 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 5 | type=AVC msg=audit(1572445302.642:75): avc: denied { unmount } for pid=4376 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 6 | type=AVC msg=audit(1572445302.642:76): avc: denied { rmdir } for pid=4376 comm="keepalived" name="amphora-haproxy" dev="tmpfs" ino=30412 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 7 | -------------------------------------------------------------------------------- /tests/bz1249685: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1438557558.744:717): avc: denied { execmem } for pid=6120 comm="nova-api" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=process 2 | type=AVC msg=audit(1442850911.498:7799): avc: denied { execmem } for pid=14619 comm="nova-consoleaut" scontext=system_u:system_r:nova_console_t:s0 tcontext=system_u:system_r:nova_console_t:s0 tclass=process 3 | type=AVC msg=audit(1442850913.426:7801): avc: denied { execmem } for pid=14658 comm="nova-scheduler" scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:system_r:nova_scheduler_t:s0 tclass=process 4 | type=AVC msg=audit(1442850920.205:7861): avc: denied { execmem } for pid=14843 comm="nova-cert" scontext=system_u:system_r:nova_cert_t:s0 tcontext=system_u:system_r:nova_cert_t:s0 tclass=process 5 | type=AVC msg=audit(1442850976.792:8446): avc: denied { execmem } for pid=15791 comm="neutron-openvsw" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process 6 | type=AVC msg=audit(1442851152.972:10390): avc: denied { execmem } for pid=19455 comm="swift-account-r" scontext=system_u:system_r:swift_t:s0 
tcontext=system_u:system_r:swift_t:s0 tclass=process 7 | type=AVC msg=audit(1443559246.289:2232): avc: denied { execmem } for pid=13729 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process 8 | -------------------------------------------------------------------------------- /tests/bz1081544: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403799224.472:252): avc: denied { execute } for pid=8568 comm="wsrep_sst_rsync" name="rsync" dev="sda3" ino=135632946 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1403799224.472:253): avc: denied { read } for pid=8568 comm="wsrep_sst_rsync" name="rsync" dev="sda3" ino=135632946 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1403799224.472:254): avc: denied { execute_no_trans } for pid=8591 comm="wsrep_sst_rsync" path="/usr/bin/rsync" dev="sda3" ino=135632946 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file 4 | type=AVC msg=audit(1403799224.472:254): avc: denied { open } for pid=8591 comm="wsrep_sst_rsync" path="/usr/bin/rsync" dev="sda3" ino=135632946 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file 5 | type=AVC msg=audit(1403800357.209:312): avc: denied { name_connect } for pid=23434 comm="mysqld" dest=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket 6 | type=AVC msg=audit(1403800360.571:314): avc: denied { getattr } for pid=23507 comm="wsrep_sst_rsync" path="/usr/bin/rsync" dev="sda3" ino=135632946 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file 7 | -------------------------------------------------------------------------------- /tests/bz1789068: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1578500356.540:5530): avc: denied { getattr } for pid=86851 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1578500356.540:5531): avc: denied { execute } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1578500356.540:5532): avc: denied { read } for pid=86851 comm="ha_check_script" name="ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(1578500356.542:5533): avc: denied { open } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 5 | type=AVC msg=audit(1578500356.542:5533): avc: denied { execute_no_trans } for pid=86854 comm="ha_check_script" path="/usr/bin/ping" dev="dm-0" ino=100718607 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1 6 | type=AVC msg=audit(1578500356.546:5534): avc: denied { setcap } for pid=86854 comm="ping" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1 7 | -------------------------------------------------------------------------------- /tests/bz1170839: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1417690758.589:915): avc: denied { read open } for pid=8511 comm="nova-rootwrap" path="/usr/sbin/arping" dev="vda1" ino=17240309 scontext=system_u:system_r:nova_network_t:s0 
tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1417690758.590:916): avc: denied { create } for pid=8511 comm="arping" scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=packet_socket 3 | type=AVC msg=audit(1417690758.591:917): avc: denied { bind } for pid=8511 comm="arping" scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=packet_socket 4 | type=AVC msg=audit(1417690758.589:915): avc: denied { execute_no_trans } for pid=8511 comm="nova-rootwrap" path="/usr/sbin/arping" dev="vda1" ino=17240309 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file 5 | type=AVC msg=audit(1417690758.591:918): avc: denied { getattr } for pid=8511 comm="arping" scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=packet_socket 6 | type=AVC msg=audit(1417690351.147:8882): avc: denied { signal } for pid=9605 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process 7 | type=AVC msg=audit(1417690758.588:914): avc: denied { execute } for pid=8510 comm="nova-rootwrap" name="arping" dev="vda1" ino=17240309 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file 8 | -------------------------------------------------------------------------------- /tests/bz1498797: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1507882760.767:1386): avc: denied { write } for pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket 2 | type=AVC msg=audit(1507882834.017:1434): avc: denied { read } for pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket 3 | type=AVC 
msg=audit(1507882927.297:1507): avc: denied { dac_override } for pid=6744 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability 4 | type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 5 | type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 6 | type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 7 | type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 8 | -------------------------------------------------------------------------------- /tests/bz1820504: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1585843550.178:7813550): avc: denied { add_name } for pid=3306876 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir 2 | type=AVC msg=audit(1585843799.707:7814032): avc: denied { write } for pid=3306876 comm="httpd" name="cinder" dev="dm-0" ino=1230986 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir 3 | type=AVC msg=audit(1585843767.395:7814013): avc: denied { create } for pid=3306875 comm="httpd" name="groups" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=dir 4 | 5 | 6 | type=AVC 
msg=audit(1587719480.723:9252596): avc: denied { append open } for pid=3907385 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-b3b103ae-78a6-424f-b406-642d177c6c20-" dev="dm-0" ino=135032832 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file 7 | type=AVC msg=audit(1587719779.203:2939539): avc: denied { getattr } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file 8 | type=AVC msg=audit(1587720082.812:2942608): avc: denied { lock } for pid=2451695 comm="httpd" path="/var/lib/cinder/cinder-attachment_update-243361c4-189a-423c-963a-89beefac2135-" dev="dm-0" ino=134395353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_var_lib_t:s0 tclass=file 9 | -------------------------------------------------------------------------------- /os-virt.te: --------------------------------------------------------------------------------
policy_module(os-virt,0.1)

# Types and classes this module references but does not declare.
# NOTE(review): virt_var_run_t is required here but no rule below uses it;
# confirm whether it is still needed.
gen_require(`
    type container_file_t;
    type systemd_logind_t;
    type systemd_logind_inhibit_var_run_t;
    type virtlogd_t;
    type virt_var_run_t;
    type svirt_t;
    type spc_t;
    type unlabeled_t;
    class dbus send_msg;
    class fifo_file write;
    class tun_socket attach_queue;
')

# #1561711 - work around inability to send message
# over dbus. Will be superseded once #1547250 is
# fixed.
# Both directions of the virtlogd <-> logind bus exchange, plus the write
# to logind's inhibit fifo, are granted unconditionally (no tunable).
allow virtlogd_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t virtlogd_t:dbus send_msg;
allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file write;
# allow access to /var/lib/nova directories which are labeled with container_file_t
# This is required for https://issues.redhat.com//browse/OSPRH-960
# NOTE(review): the rule keys on the label, not the path -- manage_files_pattern
# gives virtlogd_t create/write/delete on every container_file_t file on the
# host, not only those under /var/lib/nova.
manage_files_pattern(virtlogd_t, container_file_t, container_file_t)
# dac_override lets the domain bypass file-mode (DAC) checks; it is a broad
# capability and is granted here without a tunable.
allow virtlogd_t self:capability dac_override;
# #1566973
# Tunable to allow virtlogd to write to NFS
# Off by default; only deployments that keep the log directory on NFS
# need it.
gen_tunable(os_virtlogd_use_nfs, false)
tunable_policy(`os_virtlogd_use_nfs',`
    fs_manage_nfs_dirs(virtlogd_t)
    fs_manage_nfs_files(virtlogd_t)
    fs_read_nfs_symlinks(virtlogd_t)
')

# Bugzilla 1642102
# Let a confined guest (svirt_t) attach a queue to a tun socket owned by
# the spc_t (super-privileged container) domain.
allow svirt_t spc_t:tun_socket attach_queue;

# Bugzilla 1751300
# Full key permissions on kernel keys that carry no label (unlabeled_t).
allow spc_t unlabeled_t:key manage_key_perms;

# Bugzilla 2007314
# Off by default; only vTPM setups need svirt_t to manage sockets labelled
# container_file_t.
gen_tunable(os_enable_vtpm, false)
tunable_policy(`os_enable_vtpm',`
    manage_sock_files_pattern(svirt_t, container_file_t, container_file_t)
')
-------------------------------------------------------------------------------- /tests/bz1169859: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1417622542.995:32990): avc: denied { getattr } for pid=27519 comm="keepalived" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_socket 2 | type=AVC msg=audit(1417622542.995:32989): avc: denied { bind } for pid=27519 comm="keepalived" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_socket 3 | type=AVC msg=audit(1417622542.995:32987): avc: denied { create } for pid=27519 comm="keepalived" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_socket 4 | type=AVC msg=audit(1417622542.997:32991): avc: denied { execute } for pid=27521 comm="sh" 
name="notify_backup.sh" dev="vda3" ino=65030 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 5 | type=AVC msg=audit(1417622542.958:32984): avc: denied { read open } for pid=27517 comm="ip" path="/usr/sbin/keepalived" dev="vda3" ino=138190 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file 6 | type=AVC msg=audit(1417622542.944:32983): avc: denied { execute } for pid=27516 comm="neutron-rootwra" name="keepalived" dev="vda3" ino=138190 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file 7 | type=AVC msg=audit(1417622542.997:32991): avc: denied { execute_no_trans } for pid=27521 comm="sh" path="/var/lib/neutron/ha_confs/90ecb37a-7050-4ca6-b4c8-29bf5950c42e/notify_backup.sh" dev="vda3" ino=65030 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 8 | -------------------------------------------------------------------------------- /tests/bz1732578: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1563895304.208:14480): avc: denied { read } for pid=81224 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0 2 | type=AVC msg=audit(1563895442.774:14719): avc: denied { read } for pid=94348 comm="httpd" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c111,c895 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0 3 | type=AVC msg=audit(1563899396.472:17769): avc: denied { read } for pid=382136 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(1563899396.472:17769): avc: 
denied { open } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 5 | type=AVC msg=audit(1563899396.472:17770): avc: denied { execute } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 6 | type=AVC msg=audit(1563907351.675:23726): avc: denied { read } for pid=960024 comm="ls" name="nfast" dev="vda2" ino=33555398 scontext=system_u:system_r:container_t:s0:c353,c747 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir permissive=0 7 | -------------------------------------------------------------------------------- /tests/bz1219406: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1432132985.901:7760): avc: denied { write open } for pid=28929 comm="glance-api" path="/var/lib/glance/images/deb1afcd-a3d0-4356-8431-5eb7d8548783" dev="0:35" ino=42167210 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file 2 | type=AVC msg=audit(1432805984.771:1287): avc: denied { remove_name } for pid=7213 comm="glance-api" name="39ff0be6-94d6-4323-8412-aa282e12da9c" dev="0:35" ino=42167210 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 3 | type=AVC msg=audit(1432805984.771:1287): avc: denied { write } for pid=7213 comm="glance-api" name="images" dev="0:35" ino=42167206 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 4 | type=AVC msg=audit(1432132570.541:6707): avc: denied { create } for pid=19280 comm="glance-api" name="images" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 5 | type=AVC 
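msg=audit(1432805984.770:1286): avc: denied { getattr } for pid=7213 comm="glance-api" path="/var/lib/glance/images/39ff0be6-94d6-4323-8412-aa282e12da9c" dev="0:35" ino=42167210 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file 6 | type=AVC msg=audit(1432805984.771:1287): avc: denied { unlink } for pid=7213 comm="glance-api" name="39ff0be6-94d6-4323-8412-aa282e12da9c" dev="0:35" ino=42167210 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file 7 | type=AVC msg=audit(1430905710.941:205752): avc: denied { search } for pid=5894 comm="glance-api" name="/" dev="0:37" ino=395 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 8 | type=AVC msg=audit(1432132422.280:6330): avc: denied { add_name } for pid=15888 comm="glance-api" name="images" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 9 | -------------------------------------------------------------------------------- /tests/check_all: --------------------------------------------------------------------------------
#!/bin/bash
#
# Regression check for the AVC samples in this directory.
#
# Every bz*/lp*/osprh*/rdo* file is assumed to be a list of type=AVC
# (or type=USER_AVC) audit messages.  They are concatenated, fed to
# audit2why, and every AVC that audit2why does not report as already
# allowed by the loaded policy is counted as a failure.
#
# Assumes the openstack-selinux policies are loaded on this host.
#
# Exit status: 0 when every AVC is covered, 1 otherwise.  On failure the
# temporary directory is kept so $TEST_FAIL_INFO can be inspected.
#

export LANG=C

# mktemp -d creates the directory atomically (mode 0700).  Creating a temp
# *file*, deleting it and then running mkdir -p on the same name leaves a
# window in which another local user could pre-create that path and have
# the test write into it.
TMP=$(mktemp -d /tmp/openstack-selinux-test.XXXXXX) || exit 1

# Remember where we started without clobbering the shell's own PWD variable.
ORIG_DIR=$(pwd)
cd "$(dirname "$0")" || exit 1

# nullglob: a prefix with no matching files (e.g. no rdo* samples) expands
# to nothing instead of the literal pattern.
shopt -s nullglob
TEST_FILES=(bz* lp* osprh* rdo*)
shopt -u nullglob

TEST_INPUT=$TMP/input
TEST_OUTPUT=$TMP/output
TEST_FAIL=$TMP/failed_tests
TEST_FAIL_INFO=$TMP/failed_info

failed=0

# Collect only the AVC records; anything else in a sample file is ignored.
: > "$TEST_INPUT"
for f in "${TEST_FILES[@]}"; do
    grep '^type=\(USER_\)\?AVC' "$f" >> "$TEST_INPUT"
done

totalAVC=$(wc -l < "$TEST_INPUT")
audit2why -i "$TEST_INPUT" > "$TEST_OUTPUT"

# audit2why echoes each AVC followed by its explanation.  An AVC whose
# explanation starts with "Unknown -" is already allowed by the loaded
# policy; every other AVC is printed as a failure.
cat > "$TMP/check.awk" << EOT
BEGIN {
    working = 0
    last_line = ""
}

/^type=AVC/ {
    if (working == 1) {
        print last_line
        last_line = ""
        working = 0
    }
    working = 1
    last_line=\$0
}

/Unknown -/ {
    working = 0
    last_line = ""
}

END {
    if (working == 1) {
        working = 0
        print last_line
    }
}
EOT

awk -f "$TMP/check.awk" "$TEST_OUTPUT" > "$TEST_FAIL"

# Report which sample file each failing AVC came from.  -F: the AVC text is
# a fixed string, not a regex (it contains '{', '.', '?', ...).
while read -r; do
    ((failed++))
    grep -nF -- "$REPLY" "${TEST_FILES[@]}"
done < "$TEST_FAIL"

if [ "$failed" -ne 0 ]; then
    audit2why -i "$TEST_FAIL" > "$TEST_FAIL_INFO"
fi

cd "$ORIG_DIR"

echo "Results: $totalAVC total, $failed failed"
echo -n "Overall result: "
if [ "$failed" -ne 0 ]; then
    echo FAIL
    echo "Check $TEST_FAIL_INFO for more information"
    exit 1
fi

rm -rf "$TMP"

echo PASS
exit 0
-------------------------------------------------------------------------------- /os-httpd.te: -------------------------------------------------------------------------------- 1 | policy_module(os-httpd,0.1) 2 | 3 | gen_require(` 4 | type httpd_t; 5 | type var_log_t; 6 | type nova_log_t; 7 | type cinder_log_t; 8 | type glance_log_t; 9 | type neutron_log_t; 10 | type 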
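keystone_log_t; 11 | type nova_api_t; 12 | type keystone_var_lib_t; 13 | type container_file_t; 14 | ') 15 | 16 | # 17 | # XXX 18 | # RH OpenStack Platform services are not all WSGI; some are 19 | # still using eventlet or another WSGI server. Furthermore, 20 | # not all daemons have log files which are covered in base 21 | # SELinux policy. For now, with this boolean, allow access 22 | # for httpd to use all known OpenStack log types and 23 | # var_log_t until these are all more correctly covered. 24 | # 25 | # Bugzilla #1437684 26 | # (... and many others ...) 27 | # 28 | gen_tunable(os_httpd_wsgi, false) 29 | tunable_policy(`os_httpd_wsgi',` 30 | # OpenStack services which have not gotten their own log type yet 31 | manage_files_pattern(httpd_t, var_log_t, var_log_t) 32 | 33 | # OpenStack services which have an assigned log type 34 | manage_files_pattern(httpd_t, nova_log_t, nova_log_t) 35 | manage_files_pattern(httpd_t, cinder_log_t, cinder_log_t) 36 | manage_files_pattern(httpd_t, glance_log_t, glance_log_t) 37 | manage_files_pattern(httpd_t, neutron_log_t, neutron_log_t) 38 | manage_files_pattern(httpd_t, keystone_log_t, keystone_log_t) 39 | 40 | # RHEL 7.4 keystone change 41 | # Bugzilla #1478176 42 | # Bugzilla #1478177 43 | allow httpd_t keystone_var_lib_t:file read_file_perms; 44 | 45 | # Strange issue where nis_enabled disappears 46 | # Bugzilla #1315457 47 | # Bugzilla #1489863 48 | corenet_tcp_bind_all_ports(httpd_t) 49 | 50 | # Allow read-only access to container_file_t 51 | # This is due to image-server, and images being pulled via mistral container 52 | # during an update/upgrade 53 | read_files_pattern(httpd_t, container_file_t, container_file_t) 54 | allow httpd_t container_file_t:dir read; 55 | ') 56 | -------------------------------------------------------------------------------- /utils/sortavcs: --------------------------------------------------------------------------------
#!/bin/bash
#
# Deduplicate the type=AVC records in an audit log and append the unique
# ones to ~/openstack-selinux/tests/<name>, so they can be kept as a
# regression sample for tests/check_all.
#
# Usage: ./sortavcs AUDIT_LOG TEST_NAME
#   AUDIT_LOG  file containing type=AVC lines (typically audit.log)
#   TEST_NAME  bare file name under ~/openstack-selinux/tests (no '/')
#
# Two AVCs count as duplicates when they agree on the permission set,
# comm, dest/path marker, scontext and tcontext; the first one seen wins
# and the output keeps first-seen order.
#

if [ -n "$1" ] && [ -n "$2" ]; then
    echo "Sorting" $1"!"
else
    echo "-------Sort AVCs-------"
    echo "Sort AVCs will remove duplicate AVCs from you audit.log so you can save them for the regression test in the /openstack-selinux/tests directory."
    echo "Use the following format:"
    echo "./sortavcs AUDIT_LOG TEST_NAME"
    exit 1
fi

testsdir=~/openstack-selinux/tests

# TEST_NAME becomes a path component: refuse anything that could escape
# the tests directory (path separators, '.' and '..').
case "$2" in
    */*|.|..)
        echo "ERROR: test name must be a plain file name, not a path:" "$2"
        exit 1
        ;;
esac

if [ ! -r "$1" ]; then
    echo "ERROR: cannot read" "$1"
    exit 1
fi

# Drop editor backup files left behind in the tests directory.
rm -f "$testsdir"/*~ "$testsdir"/*#

path=$testsdir/$2

if [ -e "$path" ]; then
    echo $path "already exists."
    echo "Appending new policy to" $2
else
    echo "Created" $2 "in" $path
    echo "----Removing duplicates----"
fi

declare -A avcs    # dedup key -> first AVC line seen with that key
declare -a order   # keys in first-seen order (assoc. array order is unspecified)

# -r: keep backslashes in the AVC text literally.
while read -r LINE; do
    # Optimization: if not type=AVC, we don't care
    [[ $LINE =~ ^type=AVC ]] || continue

    # Key on permission set, comm, dest/path marker, scontext and tcontext ...
    if [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*(dest=[0-9]+|path).*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]]; then
        HASH="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}.${BASH_REMATCH[4]}.${BASH_REMATCH[5]}"
    # ... and, when there is no dest/path, on the remaining four fields.
    # Branching on the match result itself avoids depending on whether
    # BASH_REMATCH is cleared after a failed match.
    elif [[ $LINE =~ [^\{]+\{\ (.*)\ \}.*comm=\"([^\"]*)\".*scontext=([^\ ]*)\ tcontext=([^\ ]*) ]]; then
        HASH="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}.${BASH_REMATCH[4]}."
    else
        continue
    fi

    if [ -z "${avcs[$HASH]}" ]; then
        avcs[$HASH]="$LINE"
        order+=("$HASH")
    fi
done < "$1"

# printf rather than unquoted echo: the AVC text must not be word-split or
# glob-expanded on its way into the sample file.
for x in "${order[@]}"; do
    printf '%s\n' "${avcs[$x]}" >> "$path"
done

echo "----SUCCESS----"
echo "AVCs are saved in ~/openstack-selinux/tests/"$2
-------------------------------------------------------------------------------- /tests/bz1640528: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(...): avc: denied { connectto } for pid=... comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 2 | type=AVC msg=audit(...): avc: denied { execute } for pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(...): avc: denied { execute_no_trans } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(...): avc: denied { getattr } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 5 | type=AVC msg=audit(...): avc: denied { open } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 6 | type=AVC msg=audit(...): avc: denied { read } for pid=... comm="unix_chkpwd" name="shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 7 | type=AVC msg=audit(...): avc: denied { read open } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... 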
scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1 8 | type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=... spid=... tpid=... scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' 9 | -------------------------------------------------------------------------------- /tests/bz1111990: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1403608505.781:201826): avc: denied { connectto } for pid=15088 comm="neutron-lbaas-a" path="/var/lib/neutron/lbaas/7c7fad91-66ab-442f-b515-106e7daf0a39/sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=unix_stream_socket 2 | type=AVC msg=audit(1403608527.748:201987): avc: denied { search } for pid=15823 comm="glance-api" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 3 | type=AVC msg=audit(1403608560.600:202198): avc: denied { name_connect } for pid=1786 comm="haproxy" dest=80 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket 4 | type=AVC msg=audit(1403610750.803:203470): avc: denied { getattr } for pid=15822 comm="glance-api" path="/var/lib/glance/images" dev="fuse" ino=11615908447317481990 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 5 | type=AVC msg=audit(1403610750.805:203471): avc: denied { write } for pid=15822 comm="glance-api" name="images" dev="fuse" ino=11615908447317481990 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 6 | type=AVC msg=audit(1403610750.806:203473): avc: denied { read } for pid=15822 comm="glance-api" 
name="2833208e-ec22-4cca-944b-e4b7195ff10b" dev="fuse" ino=12487031008510300865 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 7 | type=AVC msg=audit(1403610750.806:203473): avc: denied { open } for pid=15822 comm="glance-api" path="/var/lib/glance/images/2833208e-ec22-4cca-944b-e4b7195ff10b" dev="fuse" ino=12487031008510300865 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file 8 | type=AVC msg=audit(1403611599.573:203828): avc: denied { search } for pid=15806 comm="glance-registry" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir 9 | -------------------------------------------------------------------------------- /tests/bz1558465: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file 2 | type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 3 | type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 4 | type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file 5 | type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file 6 | type=AVC 
msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file 7 | type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file 8 | type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file 9 | type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability 10 | -------------------------------------------------------------------------------- /tests/bz1397537: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1479734070.102:28): avc: denied { read write } for pid=1232 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=34881 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file 2 | type=AVC msg=audit(1479734082.245:30): avc: denied { connectto } for pid=1302 comm="plymouth" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket 3 | type=AVC msg=audit(1479734839.323:28): avc: denied { open } for pid=1232 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" ino=26699 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file 4 | type=AVC msg=audit(1479735230.962:28): avc: denied { ioctl } for pid=1236 comm="ovs-vswitchd" path="/dev/vfio/vfio" dev="devtmpfs" 
ino=22693 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file 5 | type=AVC msg=audit(1479732749.941:1027): avc: denied { connectto } for pid=110503 comm="qemu-kvm" path="/run/openvswitch/vhue0c9b4b7-8d" scontext=system_u:system_r:svirt_t:s0:c528,c694 tcontext=system_u:system_r:openvswitch_t:s0 tclass=unix_stream_socket 6 | type=AVC msg=audit(1479916498.424:161): avc: denied { read write } for pid=1304 comm="vhost_thread2" path=2F6465762F6875676570616765732F6C6962766972742F71656D752F71656D755F6261636B5F6D656D2E5F6F626A656374735F72616D2D6E6F6465302E764962526D7A202864656C6574656429 dev="hugetlbfs" ino=20127 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file 7 | type=AVC msg=audit(1479916642.551:210): avc: denied { getattr } for pid=1304 comm="vhost_thread2" path=2F6465762F6875676570616765732F6C6962766972742F71656D752F71656D755F6261636B5F6D656D2E5F6F626A656374735F72616D2D6E6F6465302E424535517974202864656C6574656429 dev="hugetlbfs" ino=1916 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file 8 | -------------------------------------------------------------------------------- /tests/bz1941412: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1616384789.103:3183): avc: denied { read } for pid=39321 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 2 | type=AVC msg=audit(1616384823.339:3274): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 3 | type=AVC msg=audit(1616385089.159:3761): avc: denied { read } for pid=46803 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 
scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 4 | type=AVC msg=audit(1616385123.436:3840): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 5 | type=AVC msg=audit(1616385389.169:4321): avc: denied { read } for pid=54242 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 6 | type=AVC msg=audit(1616385423.480:4392): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 7 | type=AVC msg=audit(1616385689.197:4888): avc: denied { read } for pid=61777 comm="swift-object-up" name="d1" dev="dm-0" ino=67180559 scontext=system_u:system_r:container_t:s0:c158,c230 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 8 | type=AVC msg=audit(1616385723.573:4959): avc: denied { read } for pid=4456 comm="swift-container" name="containers" dev="dm-0" ino=140452138 scontext=system_u:system_r:container_t:s0:c288,c429 tcontext=system_u:object_r:swift_data_t:s0 tclass=dir permissive=0 9 | -------------------------------------------------------------------------------- /doc/TROUBLESHOOTING.md: -------------------------------------------------------------------------------- 1 | Here is a list of common issues and tips on how to debug them. 2 | 3 | How to resolve 'SELinux boolean os_enable_vtpm does not exist.'? 4 | ---------------------------------------------------------------- 5 | How to resolve 'Missing os-ovs! [...] Found XX missing modules' errors? 
6 | ----------------------------------------------------------------------- 7 | 8 | Either of these errors means that the `openstack-selinux` package could 9 | not be installed properly, which can happen for a number of 10 | reasons. Usually, it indicates a missing dependency or that a symbol 11 | required by a policy is not defined on the system. 12 | 13 | A few tips that may help to debug: 14 | 15 | * Try to reinstall the package and look carefully at the output. There 16 | should be some kind of warning. If you need to open a bug, make sure 17 | to include this output in the report as this is the real error. 18 | 19 | # dnf reinstall openstack-selinux 20 | 21 | * Confirm that `container-selinux` is present and also installed 22 | correctly.` openstack-selinux` depends on the symbols defined in it 23 | and will also fail if the package isn't properly installed on the 24 | system. You can check that by running the following command (this may 25 | require installing `setools-console`): 26 | 27 | $ seinfo --type | grep container 28 | 29 | This should return at least a dozen types. If seinfo only returns 30 | three container symbols or less, `container-selinux` is missing or 31 | not installed properly. You can try to reinstall the rpm to look for 32 | a trace with more information. 33 | 34 | Switching to Permissive mode resolves my problem but there are no denials in the audit logs 35 | ------------------------------------------------------------------------------------------- 36 | 37 | You may be hitting an issue with `dontaudit` rules. You can temporarily 38 | allow SELinux to log these with the following command: 39 | 40 | # semodule -DB 41 | 42 | This will rebuild the policy. 
Once you have reproduced the issue and 43 | are able to check the logs, you can revert with:
"TE") 64 | 65 | if audit2why -i $1 | grep -q "TE"; then 66 | echo $newAVC "avc's were found!" 67 | echo $totalAVC "existed on the previous module!" 68 | echo "audit2why loading..." 69 | sleep 3 70 | audit2why -i $1 | less 71 | else 72 | echo "----TEST COMPLETE----" 73 | echo "no avc's were found!" 74 | fi 75 | 76 | exit 0 77 | -------------------------------------------------------------------------------- /tests/bz1431556: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1491476260.819:468): avc: denied { net_raw } for pid=16208 comm="ovs-vswitchd" capability=13 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability 2 | type=AVC msg=audit(1491476260.819:469): avc: denied { setopt } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket 3 | type=AVC msg=audit(1491476260.819:470): avc: denied { bind } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket 4 | type=AVC msg=audit(1491476260.819:468): avc: denied { create } for pid=16208 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=packet_socket 5 | type=AVC msg=audit(1491471288.799:211): avc: denied { search } for pid=16454 comm="ovs-vsctl" name="16445" dev="proc" ino=122913 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir 6 | type=AVC msg=audit(1491737286.265:1005): avc: denied { search } for pid=21524 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13749162 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir 7 | type=AVC msg=audit(1491737286.491:1014): avc: denied { create } for pid=41979 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c196,c856 
tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file 8 | type=AVC msg=audit(1491737298.403:1054): avc: denied { create } for pid=42061 comm="qemu-kvm" name="vhuda2153ef-bb" scontext=system_u:system_r:svirt_t:s0:c485,c1012 tcontext=system_u:object_r:virt_cache_t:s0 tclass=sock_file 9 | type=AVC msg=audit(1492005897.842:867): avc: denied { search } for pid=32747 comm="ovs-vswitchd" name="vhost_sockets" dev="sda2" ino=13912914 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir 10 | type=AVC msg=audit(1492075576.802:2437): avc: denied { connectto } for pid=32747 comm="ovs-vswitchd" path="/var/lib/vhost_sockets/vhu7aad635e-67" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c103,c352 tclass=unix_stream_socket 11 | -------------------------------------------------------------------------------- /tests/osprh960: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(11/21/2023 18:43:16.798:56328) : avc: denied { getattr } for pid=194510 comm=virtlogd path=/run/libvirt dev="tmpfs" ino=2396 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 2 | type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { remove_name } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 3 | type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 4 | type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { unlink } for pid=194763 comm=virtlogd name=console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:container_file_t:s0 tclass=file 5 | type=AVC msg=audit(11/21/2023 18:44:45.880:56409) : avc: denied { write } for pid=194763 comm=virtlogd name=b450ad46-233c-41a1-838a-2168ae0a131d dev="vda1" ino=25170710 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 6 | type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { add_name } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 7 | type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { create } for pid=194763 comm=virtlogd name=console.log scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file 8 | type=AVC msg=audit(11/21/2023 18:44:45.880:56410) : avc: denied { open } for pid=194763 comm=virtlogd path=/var/lib/nova/instances/b450ad46-233c-41a1-838a-2168ae0a131d/console.log dev="vda1" ino=25791090 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file 9 | type=AVC msg=audit(11/22/2023 14:02:47.411:58105) : avc: denied { search } for pid=194763 comm=virtlogd name=nova dev="vda1" ino=9239640 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir 10 | -------------------------------------------------------------------------------- /doc/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | How to report a bug 2 | ------------------- 3 | 4 | 1. Set the system to Permissive and reproduce the issue (*) 5 | 2. When reporting the issue, include the permissive audit logs as well 6 | 3. The `audit2allow` output can be helpful to include in the report 7 | when it's limited to the denials relevant to the issue, but it is 8 | not enough on its own. 
It's essential to also include the actual AVC 9 | denials (and ideally, the full permissive audit logs around the time 10 | the issue is triggered.) 11 | 12 | If a bug doesn't already exist on Launchpad, Bugzilla or Jira, create a [RDO 13 | bug](https://bugzilla.redhat.com/enter_bug.cgi?product=RDO) with the 14 | `openstack-selinux` component. Having a bug number is necessary to add 15 | unit tests. 16 | 17 | (*) In Enforcing mode, SELinux stops at the first denial which can hide 18 | more of them. Permissive mode enables us to see the full list of 19 | AVC denials, so that they can be resolved all at once rather than 20 | one at a time. 21 | 22 | How to run the tests 23 | -------------------- 24 | 25 | 1. Install the `selinux-policy-devel` package 26 | 2. Ensure the path `/usr/share/openstack-selinux/master` exists 27 | 3. From your local openstack-selinux repository, run the following 28 | command as root: 29 | 30 | $ make clean all install check 31 | 32 | It is recommended to use a VM for this. Note that it is not usually 33 | possible nor recommended to develop or test SELinux policies from within 34 | a container. 35 | 36 | Fixing an issue 37 | ---------------- 38 | 39 | If you are certain a new SELinux rule is necessary, consider a patch 40 | with the minimum amount of new rules. If some of the rules are too 41 | wide, the original code may need to change to allow more restricted 42 | policy changes. If that's really not possible, the new rules may need 43 | to be hidden behind a new boolean that stays turned off by default, 44 | except in specific deployment scenarios. 45 | 46 | When preparing the patch, include the denials fixed by the new rule in 47 | a test file under tests/ to confirm the fix and avoid future 48 | regressions. 49 | 50 | Note: a test file won't help in the case of booleans turned off by 51 | default. 
In that case, include the denials in the commit message 52 | instead, so that reviewers can understand the issue being resolved 53 | and a record is kept.
See also container-selinux commit 448dfb 43 | allow container_domain container_runtime_domain:process sigchld; 44 | 45 | # Bugzilla 1941922 + 1941412 46 | manage_files_pattern(container_t, swift_data_t, swift_data_t); 47 | manage_dirs_pattern(container_t, swift_data_t, swift_data_t); 48 | # Bugzilla 2013194 49 | manage_files_pattern(container_t, swift_var_cache_t, swift_var_cache_t); 50 | manage_dirs_pattern(container_t, swift_var_cache_t, swift_var_cache_t); 51 | 52 | # LP 1944539 53 | allow container_t fixed_disk_device_t:blk_file getattr; 54 | 55 | # Bugzilla 2020210 56 | manage_files_pattern(container_t, container_log_t, container_log_t); 57 | manage_dirs_pattern(container_t, container_log_t, container_log_t); 58 | 59 | # Bugzilla 2091076 60 | manage_sock_files_pattern(init_t, container_file_t, container_file_t); 61 | -------------------------------------------------------------------------------- /os-keepalived.te: -------------------------------------------------------------------------------- 1 | policy_module(os-keepalived,0.1) 2 | 3 | gen_require(` 4 | type keepalived_t; 5 | type neutron_var_lib_t; 6 | type var_log_t; 7 | type cloud_var_lib_t; 8 | type var_lib_t; 9 | type init_var_lib_t; 10 | type neutron_t; 11 | type sysfs_t; 12 | type NetworkManager_t; 13 | type systemd_systemctl_exec_t; 14 | type ifconfig_exec_t; 15 | type ifconfig_t; 16 | class filesystem { setattr getattr }; 17 | class process { signull sigkill setpgid setcap }; 18 | class capability { net_admin net_raw kill dac_override sys_admin }; 19 | class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint }; 20 | ') 21 | 22 | # Bugzilla 1351336 23 | allow keepalived_t NetworkManager_t:process signull; 24 | 25 | # Some files are being created on the fly. 26 | # Therefore, we will have to allow these rules. 
27 | # Bugzilla 1180679 and Bugzilla 1180881 28 | neutron_manage_lib_dirs(keepalived_t) 29 | sysnet_exec_ifconfig(keepalived_t) 30 | # Bugzilla 1969325 for setattr below. 31 | allow keepalived_t neutron_var_lib_t:file { execute read create setattr getattr execute_no_trans write ioctl open }; 32 | allow keepalived_t cloud_var_lib_t:file { read getattr open }; 33 | allow keepalived_t init_var_lib_t:file { read getattr open }; 34 | allow keepalived_t var_lib_t:file { read getattr open }; 35 | allow keepalived_t var_log_t:file open; 36 | # bz1434826 - sys_admin 37 | allow keepalived_t self:capability { sys_admin }; 38 | allow keepalived_t neutron_t:process sigkill; 39 | 40 | gen_tunable(os_keepalived_dac_override, false) 41 | tunable_policy(`os_keepalived_dac_override',` 42 | allow keepalived_t self:capability dac_override; 43 | ') 44 | 45 | # Bugzilla 1206148 46 | allow keepalived_t sysfs_t:filesystem getattr; 47 | allow keepalived_t neutron_var_lib_t:file unlink; 48 | 49 | # Bugzilla 1278430 50 | allow keepalived_t systemd_systemctl_exec_t:file getattr; 51 | 52 | # Bugzilla 1243039 53 | # Allow keepalived to monitor haproxy via 'systemctl status haproxy.service' 54 | # by default 55 | optional_policy(` 56 | systemd_systemctl_domain(keepalived) 57 | unconfined_domain(keepalived_systemctl_t) 58 | ') 59 | 60 | # Bugzilla 1469823 61 | allow keepalived_t self:process setpgid; 62 | 63 | # Bugzilla #1434826 64 | allow keepalived_t ifconfig_exec_t:file entrypoint; 65 | sysnet_domtrans_ifconfig(keepalived_t) 66 | 67 | # Bugzilla 1789068 68 | netutils_exec_ping(keepalived_t) 69 | allow keepalived_t self:process setcap; 70 | -------------------------------------------------------------------------------- /tests/bz1684885: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1551866885.134:39): avc: denied { getattr } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 
scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 2 | type=AVC msg=audit(1551866885.136:40): avc: denied { write } for pid=1175 comm="sysctl" name="core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 3 | type=AVC msg=audit(1551866885.136:40): avc: denied { open } for pid=1175 comm="sysctl" path="/proc/sys/kernel/core_pattern" dev="proc" ino=10947 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 4 | type=AVC msg=audit(1551866885.485:42): avc: denied { execute_no_trans } for pid=1286 comm="ip" path="/usr/sbin/keepalived" dev="vda1" ino=537483 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file permissive=1 5 | type=AVC msg=audit(1551867084.102:44): avc: denied { read } for pid=1376 comm="ip" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1 6 | type=AVC msg=audit(1551867084.102:44): avc: denied { open } for pid=1376 comm="ip" path="/run/netns/amphora-haproxy" dev="nsfs" ino=4026532223 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1 7 | type=AVC msg=audit(1551867108.032:46): avc: denied { map } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 8 | type=AVC msg=audit(1551867108.032:46): avc: denied { execute } for pid=1431 comm="kill" path="/usr/bin/kill" dev="vda1" ino=538254 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 9 | type=AVC msg=audit(1551867168.534:47): avc: denied { create } for pid=1487 comm="keepalived" name="keepalived" 
scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 10 | type=AVC msg=audit(1551867168.535:48): avc: denied { mounton } for pid=1487 comm="keepalived" path="/run/keepalived" dev="tmpfs" ino=24185 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 11 | -------------------------------------------------------------------------------- /tests/bz1413775: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1520795762.042:230): avc: denied { name_connect } for pid=3149 comm="2_scheduler" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1520795761.442:226): avc: denied { name_bind } for pid=3161 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket 3 | type=AVC msg=audit(1520795942.068:312): avc: denied { name_connect } for pid=4264 comm="2_scheduler" dest=25672 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_port_t:s0 tclass=tcp_socket 4 | type=AVC msg=audit(1520795761.195:224): avc: denied { read } for pid=3137 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir 5 | type=AVC msg=audit(1520795821.201:252): avc: denied { write } for pid=3650 comm="async_1" name="rabbitmq" dev="vda1" ino=50372751 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=dir 6 | type=AVC msg=audit(1520795761.142:223): avc: denied { getattr } for pid=3111 comm="rabbitmqctl" path="/var/lib/rabbitmq/mnesia/rabbit@openstack.pid" dev="vda1" ino=33616151 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 
tclass=file 7 | type=AVC msg=audit(1520795761.514:227): avc: denied { read } for pid=3171 comm="async_8" name=".erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file 8 | type=AVC msg=audit(1520795761.514:228): avc: denied { open } for pid=3172 comm="async_9" path="/var/lib/rabbitmq/.erlang.cookie" dev="vda1" ino=50372733 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file 9 | type=AVC msg=audit(1520795941.140:300): avc: denied { compute_av } for pid=4172 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security 10 | type=USER_AVC msg=audit(1520795941.141:301): pid=4172 uid=0 auid=0 ses=19 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?' 
11 | -------------------------------------------------------------------------------- /tests/bz1095869: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1402611890.011:10009): avc: denied { getattr } for pid=11083 comm="sudo" path="/etc/passwd" dev="dm-0" ino=72760027 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 2 | type=AVC msg=audit(1402611890.888:10080): avc: denied { read } for pid=11138 comm="sysctl" name="ip_forward" dev="proc" ino=175996 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 3 | type=AVC msg=audit(1402611890.888:10079): avc: denied { getattr } for pid=11138 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=175996 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 4 | type=AVC msg=audit(1402611890.888:10080): avc: denied { open } for pid=11138 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=175996 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 5 | type=AVC msg=audit(1402611890.979:10088): avc: denied { getattr } for pid=29513 comm="nova-network" path="/dev/vhost-net" dev="devtmpfs" ino=12363 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file 6 | type=AVC msg=audit(1402611890.011:10008): avc: denied { open } for pid=11083 comm="sudo" path="/etc/passwd" dev="dm-0" ino=72760027 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 7 | type=AVC msg=audit(1402611892.747:10105): avc: denied { net_raw } for pid=11159 comm="dnsmasq" capability=13 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=capability 8 | type=AVC msg=audit(1402611936.578:10217): avc: denied { kill } for pid=11286 comm="kill" capability=5 
scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=capability 9 | type=AVC msg=audit(1402611936.576:10216): avc: denied { sys_ptrace } for pid=11285 comm="nova-rootwrap" capability=19 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:system_r:nova_network_t:s0 tclass=capability 10 | type=AVC msg=audit(1402611890.888:10079): avc: denied { search } for pid=11138 comm="sysctl" name="net" dev="proc" ino=1305 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 11 | type=AVC msg=audit(1402611890.011:10008): avc: denied { read } for pid=11083 comm="sudo" name="passwd" dev="dm-0" ino=72760027 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 12 | -------------------------------------------------------------------------------- /tests/bz1135510: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1410441955.552:18034): avc: denied { name_connect } for pid=8709 comm="neutron-metadat" dest=8775 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 2 | type=AVC msg=audit(1410436183.087:973): avc: denied { getattr } for pid=9288 comm="ipsec" path="/usr/sbin/ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1410441955.156:18033): avc: denied { name_connect } for pid=8709 comm="neutron-metadat" dest=9696 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket 4 | type=AVC msg=audit(1410436273.618:1855): avc: denied { execute } for pid=11176 comm="ip" name="ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 5 | type=AVC msg=audit(1410436183.085:971): avc: denied { read open } for pid=9288 comm="ip" 
path="/usr/sbin/ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 6 | type=AVC msg=audit(1410441954.965:18032): avc: denied { name_connect } for pid=8709 comm="neutron-metadat" dest=5000 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket 7 | type=AVC msg=audit(1410436183.080:970): avc: denied { execute } for pid=9285 comm="neutron-rootwra" name="ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 8 | type=AVC msg=audit(1410436022.299:484): avc: denied { write } for pid=7892 comm="sudo" name="nss" dev="dm-5" ino=16955592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 9 | type=AVC msg=audit(1410436178.295:806): avc: denied { name_connect } for pid=9079 comm="glance-api" dest=6800 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 10 | type=AVC msg=audit(1410436021.615:482): avc: denied { read } for pid=7768 comm="nova-scheduler" name="os_ca.crt" dev="dm-2" ino=2112188 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file 11 | type=AVC msg=audit(1410436183.085:971): avc: denied { execute_no_trans } for pid=9288 comm="ip" path="/usr/sbin/ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 12 | type=AVC msg=audit(1410436021.615:483): avc: denied { getattr } for pid=7768 comm="nova-scheduler" path="/etc/pki/tls/certs/os_ca.crt" dev="dm-2" ino=2112188 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file 13 | type=AVC msg=audit(1410436016.349:475): avc: denied { name_bind } for pid=7780 comm="httpd" src=8777 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 14 | type=AVC msg=audit(1410436021.615:482): avc: denied { open } for pid=7768 comm="nova-scheduler" path="/etc/pki/tls/certs/os_ca.crt" dev="dm-2" ino=2112188 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file 15 | type=AVC msg=audit(1410436183.087:972): avc: denied { ioctl } for pid=9288 comm="ipsec" path="/usr/sbin/ipsec" dev="dm-0" ino=36196395 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file 16 | -------------------------------------------------------------------------------- /tests/bz1114254: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1404032631.164:19931): avc: denied { execute } for pid=9872 comm="neutron-rootwra" name="haproxy" dev="sda5" ino=28186431 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1404032984.887:20099): avc: denied { read open } for pid=10369 comm="ip" path="/usr/sbin/haproxy" dev="sda5" ino=28186431 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1404032987.141:20102): avc: denied { connectto } for pid=10162 comm="neutron-lbaas-a" path="/var/lib/neutron/lbaas/d95fac6f-2988-41a2-9aff-0485c96eb285/sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=unix_stream_socket 4 | type=AVC msg=audit(1404250077.752:12084): avc: denied { read } for pid=2202 comm="haproxy" name="conf" dev="sda5" ino=20316186 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 5 | type=AVC msg=audit(1404250077.752:12084): avc: denied { open } for pid=2202 comm="haproxy" path="/var/lib/neutron/lbaas/98193a60-84d7-478e-90ee-cf34e48986bb/conf" dev="sda5" ino=20316186 scontext=system_u:system_r:haproxy_t:s0 
tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 6 | type=AVC msg=audit(1404250077.752:12085): avc: denied { getattr } for pid=2202 comm="haproxy" path="/var/lib/neutron/lbaas/98193a60-84d7-478e-90ee-cf34e48986bb/conf" dev="sda5" ino=20316186 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 7 | type=AVC msg=audit(1404250077.753:12086): avc: denied { write } for pid=2202 comm="haproxy" name="98193a60-84d7-478e-90ee-cf34e48986bb" dev="sda5" ino=20316185 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 8 | type=AVC msg=audit(1404250077.753:12086): avc: denied { add_name } for pid=2202 comm="haproxy" name="sock.2202.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 9 | type=AVC msg=audit(1404250077.753:12086): avc: denied { create } for pid=2202 comm="haproxy" name="sock.2202.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=sock_file 10 | type=AVC msg=audit(1404250077.753:12087): avc: denied { setattr } for pid=2202 comm="haproxy" name="sock.2202.tmp" dev="sda5" ino=20316187 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=sock_file 11 | type=AVC msg=audit(1404250077.753:12088): avc: denied { remove_name } for pid=2202 comm="haproxy" name="sock.2202.tmp" dev="sda5" ino=20316187 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 12 | type=AVC msg=audit(1404250077.753:12088): avc: denied { rename } for pid=2202 comm="haproxy" name="sock.2202.tmp" dev="sda5" ino=20316187 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=sock_file 13 | type=AVC msg=audit(1404250472.428:12260): avc: denied { link } for pid=2905 comm="haproxy" name="sock" dev="sda5" ino=20316187 scontext=system_u:system_r:haproxy_t:s0 
tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=sock_file 14 | type=AVC msg=audit(1404250472.428:12263): avc: denied { unlink } for pid=2905 comm="haproxy" name="sock" dev="sda5" ino=20316187 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=sock_file 15 | -------------------------------------------------------------------------------- /os-glance.te: -------------------------------------------------------------------------------- 1 | policy_module(os-glance,0.1) 2 | 3 | gen_require(` 4 | type glance_api_t; 5 | type glance_registry_t; 6 | type glance_var_lib_t; 7 | type glance_tmp_t; 8 | type fixed_disk_device_t; 9 | type init_t; 10 | type sysfs_t; 11 | type var_lib_t; 12 | type nfs_t; 13 | type httpd_t; 14 | class dir { write getattr remove_name create add_name }; 15 | class file { write getattr unlink open create read}; 16 | class lnk_file read; 17 | type sudo_exec_t; 18 | class file { execute }; 19 | attribute glance_domain; 20 | ') 21 | 22 | # Bugzilla 1362609 23 | corenet_tcp_connect_memcache_port(glance_registry_t) 24 | 25 | # Bugzilla 1219406 26 | allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name }; 27 | allow glance_api_t nfs_t:file { write getattr unlink open create read }; 28 | allow glance_registry_t nfs_t:dir search; 29 | 30 | # Bugzilla 1210271 31 | allow glance_registry_t glance_var_lib_t:lnk_file read; 32 | allow glance_api_t glance_var_lib_t:lnk_file read; 33 | allow glance_api_t var_lib_t:lnk_file read; 34 | allow glance_registry_t var_lib_t:lnk_file read; 35 | 36 | # Bugzilla 1145802 37 | allow glance_api_t nfs_t:dir getattr; 38 | 39 | # Bugzilla 1306525 40 | corenet_tcp_connect_commplex_main_port(glance_registry_t) 41 | 42 | # Bugzilla 1313617 43 | fs_getattr_tmpfs(glance_api_t) 44 | 45 | # Bugzilla 1395240 46 | manage_sock_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) 47 | allow glance_api_t sudo_exec_t:file { execute }; 48 | 49 | optional_policy(` 50 | 
gen_require(`
	type elasticsearch_port_t;
')
# bugzilla 1192644
# Listening (name_bind) on the elasticsearch port only; no connect rule
# is granted. The enclosing optional_policy keeps the module loadable
# where elasticsearch_port_t does not exist.
allow glance_api_t elasticsearch_port_t:tcp_socket name_bind;
')

# Bug 1430402
optional_policy(`
	mysql_read_config(glance_api_t)
')

#
# Bug 1475378
# Bug 1447779
# XXX
# Copied from the Nova base policy to work around broken sudo support in
# glance. Everything inside this tunable is broad: with it enabled,
# glance_api_t can run sudo, transition to the iscsid and fstools
# domains, read and write fixed-disk block devices directly, and hold
# sys_rawio, chown, setuid/setgid and sys_resource. Leave
# os_glance_use_sudo off unless the deployment needs it; with it on, a
# compromise of the API service is no longer contained by the labels on
# the filesystems that live on those disks.
#
gen_tunable(os_glance_use_sudo, false)
tunable_policy(`os_glance_use_sudo',`
	sudo_exec(glance_api_t)
	logging_send_audit_msgs(glance_api_t)
	iscsid_domtrans(glance_api_t)
	fstools_domtrans(glance_api_t)
	# Access to the block devices themselves, not to a labelled
	# filesystem mounted on top of them.
	allow glance_api_t fixed_disk_device_t:blk_file { getattr ioctl open read setattr write };
	allow glance_api_t init_t:file { getattr open read };
	# NOTE(review): this rule is a strict subset of the next one and
	# could be dropped without changing the resulting policy.
	allow glance_api_t self:capability { setuid setgid };
	allow glance_api_t self:capability { audit_write setuid setgid chown sys_rawio sys_resource };
	allow glance_api_t self:netlink_audit_socket { create nlmsg_relay };
	allow glance_api_t self:process { setcap setrlimit setsched };
	allow glance_api_t sysfs_t:file append;
')

# DAC bypass is opt-in: behind a boolean that defaults to off.
gen_tunable(os_glance_dac_override, false)
tunable_policy(`os_glance_dac_override',`
	allow glance_api_t self:capability dac_override;
')

# Bugzilla 1653640
# Granted to the glance_domain attribute (presumably every glance
# domain, not only glance_api_t). fs_exec_nfs_files additionally makes
# files on NFS executable from those domains while the boolean is on.
gen_tunable(os_glance_use_nfs, false)
tunable_policy(`os_glance_use_nfs',`
	fs_manage_nfs_dirs(glance_domain)
	fs_manage_nfs_files(glance_domain)
	fs_manage_nfs_symlinks(glance_domain)
	fs_exec_nfs_files(glance_domain)
')

# Bugzilla 1789710
allow glance_api_t glance_var_lib_t:filesystem getattr;

# Bugzilla 2255412
auth_use_pam(glance_api_t)
init_rw_utmp(glance_api_t)

# RDO-310 Allow httpd to handle files in statedir
# Unconditional (no tunable): httpd_t receives full manage access to
# glance's state directory. NOTE(review): the trailing semicolons are
# inconsistent with the other interface calls in this file.
manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
-------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | include /etc/os-release 2 | 3 | # De-quote, if quoted. 4 | OS_ID=$(shell echo $(ID)) 5 | OS_VER=$(shell echo $(VERSION_ID)) 6 | OS_MAJ=$(shell OS_VER=$(OS_VER) && echo $${OS_VER/.*/}) 7 | 8 | # RHEL & rebuilds: if we match one of these, we do a version comparison. 9 | ifneq (,$(findstring $(OS_ID),rhel centos rocky almalinux)) 10 | # If version 9 or greater, add extra targets 11 | ifeq ($(OS_MAJ),9) 12 | EXTRA_TARGETS?=os-ovs-el9 13 | endif # version 9 14 | endif # RHEL clones 15 | 16 | TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer os-net-config $(EXTRA_TARGETS) 17 | MODULES?=${TARGETS:=.pp.bz2} 18 | DATADIR?=/usr/share 19 | LOCALDIR?=/usr/share/openstack-selinux/master 20 | INSTALL?=install 21 | MODULE_TYPE?=services 22 | 23 | all: ${TARGETS:=.pp.bz2} local_settings.sh 24 | 25 | %.pp.bz2: %.pp 26 | @echo Compressing $^ -\> $@ 27 | bzip2 -9 $^ 28 | 29 | %.pp: %.te 30 | make -f ${DATADIR}/selinux/devel/Makefile $@ 31 | 32 | local_settings.sh: local_settings.sh.in 33 | sed -e 's/@MODULES@/${TARGETS}/' $^ > $@ 34 | chmod 0755 $@ 35 | 36 | clean: 37 | rm -f *~ *.if *.tc *.pp *.pp.bz2 local_settings.sh 38 | rm -rf tmp *.tar.gz 39 | 40 | tarball: .git/config 41 | # 42 | # Downloading tarball. Note: this only works if the 43 | # current HEAD matches a previously-pushed tag. 44 | # 45 | @RELEASE=$$(git tag --points-at=$$(git log -1 | awk '/^commit/ { print $$2 }')) ;\ 46 | if [ -z "$$RELEASE" ]; then \ 47 | echo "Failed. Try 'git tag' first." 
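;\
	else \
		rm -f openstack-selinux-$$RELEASE.tar.gz ;\
		wget -O openstack-selinux-$$RELEASE.tar.gz \
			https://github.com/redhat-openstack/openstack-selinux/archive/$$RELEASE.tar.gz ;\
	fi

local-tarball: .git/config
#
# Creating local tarball. Note: this only works if the
# current HEAD matches a tag.
#
# The staging directory is created with `mktemp -d`, so the path is
# owned by this process from the moment it exists. The earlier
# sequence (mktemp a file, rm it, mkdir -p the same name) left a
# window in world-writable /tmp in which another local user could
# pre-create that path, so the tree would be copied into, and tarred
# from, a location they control. The else branch now also removes the
# staging directory instead of leaking it when pushd fails, and
# $(MAKE) is used for the recursive clean so make flags propagate.
#
	@RELEASE=$$(git tag --points-at=$$(git log -1 | awk '/^commit/ { print $$2 }')) ;\
	if [ -z "$$RELEASE" ]; then \
		echo "Failed. Try 'git tag' first." ;\
	else \
		TMPDIR=$$(mktemp -d /tmp/os-XXXXXX) || exit 1 ;\
		rm -f openstack-selinux-$$RELEASE.tar.gz ;\
		$(MAKE) clean ;\
		mkdir -p $$TMPDIR/openstack-selinux-$$RELEASE ;\
		cp -a . $$TMPDIR/openstack-selinux-$$RELEASE ;\
		if pushd $$TMPDIR/openstack-selinux-$$RELEASE; then \
			rm -rf .git .git* ;\
			cd .. ;\
			tar -czvf openstack-selinux-$$RELEASE.tar.gz openstack-selinux-$$RELEASE ;\
			popd ;\
			cp $$TMPDIR/*.tar.gz . ;\
			rm -rf $$TMPDIR ;\
		else \
			rm -rf $$TMPDIR ;\
			false ;\
		fi ;\
	fi

install:
# Install the setup script
	${INSTALL} -d ${LOCALDIR}
	${INSTALL} -m 0755 local_settings.sh ${LOCALDIR}

# Install tests
# NOTE(review): the tree shown for this repository has no tests/rdo*
# files; when a glob matches nothing the literal pattern is passed to
# install and the target fails, so either add such files or drop the
# pattern if that is the case.
	${INSTALL} -d ${LOCALDIR}/tests
	${INSTALL} -m 0644 tests/bz* tests/lp* tests/osprh* tests/rdo* ${LOCALDIR}/tests
	${INSTALL} -m 0755 tests/check_all ${LOCALDIR}/tests

# Install interfaces
	${INSTALL} -d ${DATADIR}/selinux/devel/include/${MODULE_TYPE}
	${INSTALL} -m 0644 ${TARGETS:=.if} ${DATADIR}/selinux/devel/include/${MODULE_TYPE}

# Install policy modules
	${INSTALL} -d ${DATADIR}/selinux/packages
	${INSTALL} -m 0644 ${TARGETS:=.pp.bz2} ${DATADIR}/selinux/packages

# Note: You can't run this in a build system unless the build
# system has access to change the kernel SELinux policies.
# The recipe loads the local policy, runs the AVC checks, and (on the
# lines that follow) unloads it again before reporting the result.
check:
	cd ${LOCALDIR} && ./local_settings.sh ;\
	cd ${LOCALDIR}/tests && ./check_all ;\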
RET=$$? ;\ 105 | cd ${LOCALDIR} && ./local_settings.sh -x ;\ 106 | if [[ "$$RET" -ne 0 ]]; then \ 107 | /bin/false ;\ 108 | else \ 109 | /bin/true ;\ 110 | fi 111 | -------------------------------------------------------------------------------- /os-ovs.te: -------------------------------------------------------------------------------- 1 | # 2 | # openstack-selinux policy for RHEL7 3 | # 4 | # Allow openvswitch to write to files in /tmp 5 | # 6 | # Author: Lon Hohberger 7 | # 8 | policy_module(os-ovs,0.1) 9 | 10 | gen_require(` 11 | type openvswitch_t; 12 | type neutron_t; 13 | type openvswitch_tmp_t; 14 | type svirt_t; 15 | type sysctl_net_t; 16 | type unreserved_port_t; 17 | type init_tmp_t; 18 | type tun_tap_device_t; 19 | type svirt_t; 20 | type svirt_tmpfs_t; 21 | type virt_cache_t; 22 | type spc_t; 23 | class dir search; 24 | class file { write read getattr open }; 25 | class tcp_socket name_bind; 26 | class tun_socket create; 27 | class chr_file open; 28 | class netlink_generic_socket create_socket_perms; 29 | class netlink_audit_socket { create nlmsg_relay read write }; 30 | class capability audit_write; 31 | class packet_socket create_socket_perms; 32 | class unix_stream_socket { read write connectto }; 33 | ') 34 | 35 | # Bugzilla 1108187 36 | allow openvswitch_t init_tmp_t:file write; 37 | 38 | # Bugzilla 1259419 39 | swift_manage_data_files(openvswitch_t) 40 | 41 | # Bugzilla 1284268 42 | corenet_rw_inherited_tun_tap_dev(openvswitch_t) 43 | allow openvswitch_t self:tun_socket create; 44 | allow openvswitch_t tun_tap_device_t:chr_file open; 45 | 46 | # Bugzilla 1284268 47 | corenet_tcp_bind_ovsdb_port(openvswitch_t) 48 | 49 | # Bugzilla 1372453 50 | corenet_tcp_connect_vnc_port(openvswitch_t) 51 | 52 | # Bugzilla 1397537 53 | allow openvswitch_t self:netlink_socket create_socket_perms; 54 | allow svirt_t openvswitch_t:unix_stream_socket connectto; 55 | 56 | exec_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) 57 | 58 | 
kernel_stream_connect(openvswitch_t)

corenet_rw_tun_tap_dev(openvswitch_t)

# vfio device access plus hugetlbfs management: presumably for a
# userspace datapath (DPDK-style) — not stated in this file, confirm
# before tightening either rule.
dev_rw_vfio_dev(openvswitch_t)

fs_manage_hugetlbfs_files(openvswitch_t)
fs_manage_hugetlbfs_dirs(openvswitch_t)

sysnet_exec_ifconfig(openvswitch_t)

# bugzilla #1419418
allow openvswitch_t self:netlink_generic_socket create_socket_perms;

# bugzilla #1431556
# openvswitch_t and the svirt_t guest domains both get manage rights on
# socket files under virt_cache_t; openvswitch_t may also list the dir.
allow openvswitch_t virt_cache_t:dir list_dir_perms;
allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms;
allow svirt_t virt_cache_t:sock_file manage_sock_file_perms;

optional_policy(`
	hostname_exec(openvswitch_t)
')

# NOTE(review): virt_manage_images presumably gives openvswitch_t write
# access to VM disk images, which is much wider than the socket access
# above; if only the socket files are needed, the rules above already
# cover that.
optional_policy(`
	virt_manage_images(openvswitch_t)
	virt_stream_connect_svirt(openvswitch_t)
')

# bugzilla #1431556
# Raw packet sockets for openvswitch itself (requires net_raw).
allow openvswitch_t self:packet_socket create_socket_perms;
allow openvswitch_t self:capability net_raw;
optional_policy(`
	gen_require(`
		type neutron_t;
	')
	allow openvswitch_t neutron_t:dir search;
')

# bugzilla #1448887
#
# ovs-vsctl tries to read /proc/[ppid]/cmdline in order to
# Print debugging information.
Allowing OVS to read all of 100 | # neutron_t labeled files so the parent's cmdline can be 101 | # printed is not worth this information at this time 102 | # 103 | dontaudit openvswitch_t neutron_t:file { read open getattr }; 104 | 105 | # bugzilla #1489863 106 | # 107 | # Something unsets nis_enabled; this works around that by 108 | # enabling binding to reserved and unreserved ports (bugzillas 109 | # #1259419, #1310383) 110 | corenet_tcp_connect_all_ports(openvswitch_t) 111 | 112 | # #1498797 113 | allow openvswitch_t self:capability { audit_write }; 114 | allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; 115 | 116 | gen_tunable(os_openvswitch_dac_override, false) 117 | tunable_policy(`os_openvswitch_dac_override',` 118 | allow openvswitch_t self:capability dac_override; 119 | ') 120 | 121 | # #1542107 122 | allow openvswitch_t svirt_tmpfs_t:file { read write }; 123 | 124 | # #1554964 125 | corenet_tcp_bind_all_ports(openvswitch_t) 126 | 127 | # #1572510 128 | allow openvswitch_t svirt_t:unix_stream_socket { read write }; 129 | 130 | # bugzilla #1707840 131 | allow openvswitch_t spc_t:unix_stream_socket { read write }; 132 | -------------------------------------------------------------------------------- /os-neutron.te: -------------------------------------------------------------------------------- 1 | policy_module(os-neutron, 0.1) 2 | 3 | gen_require(` 4 | type neutron_t; 5 | type neutron_var_lib_t; 6 | type neutron_tmp_t; 7 | type neutron_exec_t; 8 | type haproxy_exec_t; 9 | type haproxy_t; 10 | type httpd_config_t; 11 | type ipsec_mgmt_exec_t; 12 | type http_port_t; 13 | type dnsmasq_t; 14 | type proc_t; 15 | type radvd_exec_t; 16 | type modules_object_t; 17 | type ipsec_key_file_t; 18 | type keepalived_t; 19 | type logrotate_t; 20 | type nsfs_t; 21 | type fs_t; 22 | class capability setpcap; 23 | class capability dac_override; 24 | class key_socket { write read create }; 25 | class netlink_xfrm_socket { bind create 
nlmsg_write };
	class process signal;
	class netlink_socket { bind create getattr };
	class file { read ioctl getattr execute open execute_no_trans };
	class tcp_socket name_bind;
	class unix_stream_socket connectto;
	class dir search;
	class netlink_selinux_socket create;
')

# Bugzilla 1357961
corenet_tcp_bind_openflow_port(neutron_t)

# Bugzilla 1180679
allow neutron_t keepalived_t:process signal;

# Bugzilla 1168526 & 1176830
# radvd is executed inside neutron_t (execute_no_trans), so it keeps
# the neutron domain's permissions rather than transitioning to radvd's
# own domain.
allow neutron_t radvd_exec_t:file { read open execute execute_no_trans };
fs_getattr_all_fs(neutron_t)

# Bugzilla 1180679
# keepalived may transition into neutron_t; together with
# keepalived_domtrans below, the transition is allowed in both
# directions.
neutron_domtrans(keepalived_t)

# Bugzilla 1169859 & 1171460 & 1171458
# can_exec on neutron_var_lib_t lets neutron run files out of its own
# writable state directory with no domain change. This is the rule that
# turns a file write under that type into code execution in neutron_t,
# so new executables appearing there are worth an audit/integrity watch.
can_exec(neutron_t,neutron_var_lib_t)
can_exec(neutron_t,neutron_exec_t)
keepalived_domtrans(neutron_t)
allow neutron_t self:netlink_socket { bind create getattr };

# Bugzilla 1153656
allow haproxy_t proc_t:file read;

# Bugzilla 1135510
allow neutron_t ipsec_mgmt_exec_t:file exec_file_perms;

# Bugzilla 1144199
allow neutron_t http_port_t:tcp_socket name_bind;

# Bugzilla 1230900
manage_sock_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)

# Bugzilla 1245846
# IPsec management from neutron_t (presumably VPN-as-a-service — not
# stated here): read/manage key files, drive the xfrm netlink
# interface, and run setfiles for relabelling.
allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
allow neutron_t modules_object_t:file getattr;
allow neutron_t self:capability { setpcap };
allow neutron_t self:key_socket { write read create };
allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
ipsec_exec_mgmt(neutron_t)
ipsec_manage_key_file(neutron_t)
ipsec_read_config(neutron_t)
seutil_exec_setfiles(neutron_t)

# Bugzilla 1850973
# DAC bypass is opt-in via a boolean that defaults to off.
gen_tunable(os_neutron_dac_override, false)
tunable_policy(`os_neutron_dac_override',`
	allow neutron_t self:capability { dac_override };
')

# Bugzilla 1280083
allow neutron_t httpd_config_t:dir
search; 85 | 86 | # Bugzilla 1284268 87 | corecmd_getattr_all_executables(neutron_t) 88 | 89 | # Bugzilla 1294420 90 | allow neutron_t radvd_exec_t:file getattr; 91 | 92 | 93 | optional_policy(` 94 | require { 95 | type neutron_t; 96 | type haproxy_t; 97 | type haproxy_exec_t; 98 | type proc_t; 99 | type neutron_var_lib_t; 100 | } 101 | 102 | domtrans_pattern(neutron_t, haproxy_exec_t, haproxy_t) 103 | 104 | # Bugzilla 1114254 105 | manage_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t) 106 | manage_sock_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t) 107 | # Bugzilla 1115724 and 1962802 108 | allow neutron_t haproxy_t:process { sigkill signal }; 109 | allow neutron_t proc_t:filesystem unmount; 110 | ') 111 | 112 | # Bugzilla 1249685 (execmem) 113 | gen_tunable(os_neutron_use_execmem, false) 114 | tunable_policy(`os_neutron_use_execmem',` 115 | allow neutron_t self:process execmem; 116 | ') 117 | 118 | # Bugzilla 1419418 and 2053852 119 | allow neutron_t nsfs_t:file { open read getattr }; 120 | 121 | # Bugzilla 1893132 122 | allow neutron_t fs_t:filesystem unmount; 123 | 124 | # Bugzilla 2053852 125 | allow neutron_t nsfs_t:filesystem unmount; 126 | 127 | # Bugzilla 1547197 128 | allow neutron_t self:process setpgid; 129 | 130 | # Bugzilla 1581729 131 | corenet_udp_bind_dhcpc_port(neutron_t) 132 | 133 | # Bugzilla 1676954 134 | auth_use_pam(neutron_t) 135 | init_rw_utmp(neutron_t) 136 | 137 | # Bugzilla 2254886 138 | fs_manage_tmpfs_files(neutron_t) 139 | -------------------------------------------------------------------------------- /os-octavia.te: -------------------------------------------------------------------------------- 1 | policy_module(os-octavia,0.1) 2 | 3 | gen_require(` 4 | type keepalived_t; 5 | type haproxy_t; 6 | type ifconfig_t; 7 | type user_tmp_t; 8 | type var_run_t; 9 | type ifconfig_exec_t; 10 | type sysfs_t; 11 | type var_lib_t; 12 | type bin_t; 13 | type root_t; 14 | type sysctl_fs_t; 15 | type proc_security_t; 
type sysctl_kernel_t;
type etc_t;
type usermodehelper_t;
type keepalived_exec_t;
type unconfined_service_t;
type NetworkManager_t;
type tmpfs_t;
type nsfs_t;
type shell_exec_t;
type ping_exec_t;
class sock_file { create link rename setattr unlink write };
class capability { sys_ptrace sys_admin };
class file { create entrypoint execute execute_no_trans getattr ioctl open read write write };
class dir { add_name mounton write };
class filesystem { mount unmount };
')

# bind mount capabilities
# ifconfig_t sets up the network namespace: it may bind-mount over
# directories labelled etc_t, user_tmp_t and var_run_t, ptrace, and
# manage (including write) the fs/kernel sysctl files. Write on
# usermodehelper_t (the kernel's user-mode-helper settings — confirm
# against the base policy) is effectively root-level control, so the
# set of entrypoints into ifconfig_t should stay tight.
allow ifconfig_t etc_t:dir mounton;
allow ifconfig_t user_tmp_t:dir mounton;
allow ifconfig_t var_run_t:dir mounton;
allow ifconfig_t self:capability sys_ptrace;
allow ifconfig_t proc_security_t:file manage_file_perms;
allow ifconfig_t sysctl_fs_t:file manage_file_perms;
allow ifconfig_t sysctl_kernel_t:file manage_file_perms;
allow ifconfig_t usermodehelper_t:file { getattr open write };

#
# XXX Future work: need to set /var/lib/octavia to something
# haproxy_t / keepalived_t can access, rather than giving
# these two contexts blanket access to var_lib_t. Need to
# work with upstream selinux-policy-contrib developers
# to sort this out. Until then, this set of rules is
# better than using unconfined_domain().
#
# Note that the var_lib_t file rules below combine create, write and
# execute on the same type, so either domain can write a file under any
# generic var_lib_t directory and run it without a transition.
#
# /var/lib/octavia/vrrp (directory)
allow keepalived_t var_lib_t:dir { add_name write remove_name };

# /var/lib/octavia/vrrp/octavia-keepalived.pid
# /var/lib/octavia/vrrp/check_script.sh
allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };

# /var/lib/octavia/[uuid].sock
allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write };

# These are needed during boot when setting up the netns
# (bind mounts over /, /etc, user tmp and /run, plus sysfs and tmpfs
# mount/unmount).
allow keepalived_t bin_t:file { entrypoint };
allow keepalived_t etc_t:dir mounton;
allow keepalived_t keepalived_exec_t:file execute_no_trans;
allow keepalived_t root_t:dir mounton;
allow keepalived_t sysfs_t:filesystem { mount unmount };
allow keepalived_t user_tmp_t:dir mounton;
allow keepalived_t var_run_t:dir { create mounton rmdir };
allow keepalived_t sysfs_t:dir mounton;
allow keepalived_t tmpfs_t:filesystem unmount;

# Same access for haproxy_t
allow haproxy_t bin_t:file { entrypoint execute };
allow haproxy_t unconfined_service_t:file { open read };
allow haproxy_t var_lib_t:dir { add_name write remove_name };
allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };
allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write };
# sys_admin is the broadest capability (mount and much more) and is
# granted unconditionally here, while dac_override just below is
# behind a boolean.
allow haproxy_t self:capability { sys_admin };

gen_tunable(os_haproxy_dac_override, false)
tunable_policy(`os_haproxy_dac_override',`
	allow haproxy_t self:capability dac_override;
')

# These are needed during boot when setting up the netns
allow haproxy_t etc_t:dir mounton;
allow haproxy_t root_t:dir mounton;
allow haproxy_t sysfs_t:filesystem { mount unmount };
allow haproxy_t user_tmp_t:dir mounton;
allow haproxy_t
NetworkManager_t:file { open read }; 91 | allow haproxy_t sysfs_t:dir mounton; 92 | gen_tunable(os_haproxy_enable_nsfs, false) 93 | tunable_policy(`os_haproxy_enable_nsfs', ` 94 | allow haproxy_t nsfs_t:file { open read }; 95 | ') 96 | gen_tunable(os_haproxy_ping, false) 97 | tunable_policy(`os_haproxy_ping', ` 98 | allow haproxy_t ping_exec_t:file { execute execute_no_trans open read }; 99 | allow haproxy_t self:rawip_socket { create getopt setopt write read }; 100 | allow haproxy_t self:icmp_socket { create getopt setopt write read }; 101 | allow haproxy_t self:process setcap; 102 | allow haproxy_t shell_exec_t:file execute; 103 | ') 104 | 105 | kernel_read_fs_sysctls(ifconfig_t) 106 | 107 | -------------------------------------------------------------------------------- /tests/bz1135637: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1409339636.061:670): avc: denied { write } for pid=7104 comm="rsync" path="/tmp/puppet20140829-3353-1v6cjus" dev="vda3" ino=202811960 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file 2 | type=AVC msg=audit(1409340064.256:752): avc: denied { relabelto } for pid=13973 comm="rsync" name=".01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file 3 | type=AVC msg=audit(1409340064.256:754): avc: denied { remove_name } for pid=13973 comm="rsync" name=".01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 4 | type=AVC msg=audit(1409339868.552:721): avc: denied { setattr } for pid=7604 comm="rsync" name="galera" dev="vda3" ino=202811960 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 5 | type=AVC msg=audit(1409339868.551:720): avc: denied { create } for pid=7604 comm="rsync" name="galera" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 
tclass=dir 6 | type=AVC msg=audit(1409340064.256:754): avc: denied { unlink } for pid=13973 comm="rsync" name="01.pem" dev="vda3" ino=68936250 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file 7 | type=AVC msg=audit(1409340064.256:750): avc: denied { write } for pid=13973 comm="rsync" path="/etc/keystone/ssl/certs/.01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 8 | type=AVC msg=audit(1409340064.256:750): avc: denied { create } for pid=13973 comm="rsync" name=".01.pem.lUDibG" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 9 | type=AVC msg=audit(1409340064.251:749): avc: denied { setattr } for pid=13969 comm="rsync" name="ssl" dev="vda3" ino=1005118 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 10 | type=AVC msg=audit(1409339634.200:668): avc: denied { write } for pid=7094 comm="load_policy" path="pipe:[46647]" dev="pipefs" ino=46647 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file 11 | type=AVC msg=audit(1409339868.553:722): avc: denied { relabelfrom } for pid=7609 comm="rsync" name="galera" dev="vda3" ino=202811960 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 12 | type=AVC msg=audit(1409339868.551:720): avc: denied { add_name } for pid=7604 comm="rsync" name="galera" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 13 | type=AVC msg=audit(1409339510.578:661): avc: denied { write } for pid=6369 comm="epmd" path="/tmp/puppet20140829-3353-yvhqdp" dev="vda3" ino=202811940 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file 14 | type=AVC msg=audit(1409340064.256:750): avc: denied { write } for pid=13973 comm="rsync" name="certs" dev="vda3" ino=68936238 scontext=system_u:system_r:rsync_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=dir 15 | type=AVC msg=audit(1409339868.553:726): avc: denied { remove_name } for pid=7609 comm="rsync" name=".galera.crt.FLi7uk" dev="vda3" ino=202811961 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 16 | type=AVC msg=audit(1409339868.553:723): avc: denied { write } for pid=7609 comm="rsync" path="/etc/pki/galera/.galera.crt.FLi7uk" dev="vda3" ino=202811961 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file 17 | type=AVC msg=audit(1409340064.256:754): avc: denied { rename } for pid=13973 comm="rsync" name=".01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file 18 | type=AVC msg=audit(1409339868.553:726): avc: denied { rename } for pid=7609 comm="rsync" name=".galera.crt.FLi7uk" dev="vda3" ino=202811961 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file 19 | type=AVC msg=audit(1409339868.553:722): avc: denied { relabelto } for pid=7609 comm="rsync" name="galera" dev="vda3" ino=202811960 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 20 | type=AVC msg=audit(1409340064.256:753): avc: denied { setattr } for pid=13973 comm="rsync" name=".01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file 21 | type=AVC msg=audit(1409340064.256:752): avc: denied { relabelfrom } for pid=13973 comm="rsync" name=".01.pem.lUDibG" dev="vda3" ino=68936252 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 22 | type=AVC msg=audit(1409339636.180:671): avc: denied { write } for pid=7104 comm="rsync" name="pki" dev="vda3" ino=67110160 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir 23 | type=AVC msg=audit(1409340064.256:750): avc: denied { add_name } for pid=13973 comm="rsync" 
name=".01.pem.lUDibG" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 24 | -------------------------------------------------------------------------------- /os-nova.te: -------------------------------------------------------------------------------- 1 | policy_module(os-nova,0.1) 2 | 3 | gen_require(` 4 | type nova_t; 5 | type nova_network_t; 6 | type nova_var_lib_t; 7 | type nova_api_t; 8 | type nova_scheduler_t; 9 | type nova_console_t; 10 | type nova_cert_t; 11 | type cert_t; 12 | type nova_log_t; 13 | type httpd_t; 14 | type netutils_exec_t; 15 | type virtd_t; 16 | type virt_image_t; 17 | type svirt_t; 18 | type svirt_image_t; 19 | type svirt_tcg_t; 20 | type virtlogd_t; 21 | type virt_log_t; 22 | type iptables_t; 23 | type modules_conf_t; 24 | type container_share_t; 25 | type container_runtime_t; 26 | attribute nova_domain; 27 | class key write; 28 | class packet_socket { bind create getattr }; 29 | class capability { dac_override net_raw sys_ptrace kill }; 30 | class capability2 block_suspend; 31 | class file { getattr read write open create execute execute_no_trans entrypoint }; 32 | class sock_file write; 33 | class dir { add_name write search read }; 34 | class lnk_file read; 35 | class process sigchld; 36 | ') 37 | # Bugzilla 1181428 38 | iscsid_domtrans(virtd_t); 39 | 40 | # Bugzilla 1170839 41 | allow nova_network_t netutils_exec_t:file { read execute open execute_no_trans }; 42 | allow nova_network_t self:packet_socket { bind create getattr }; 43 | netutils_domtrans(nova_network_t) 44 | 45 | # Bugzilla 1149975 46 | allow nova_scheduler_t cert_t:dir search; 47 | 48 | # from upstream - Bugzilla 1107861 49 | auth_read_passwd(nova_domain) 50 | init_read_utmp(nova_domain) 51 | 52 | # Bugzilla 1095869 53 | # Allow create/modify/delete virtual networks 54 | allow nova_network_t self:capability { net_raw sys_ptrace kill }; 55 | allow nova_network_t self:capability2 block_suspend; 56 | 57 | # Bugzilla 1210271 58 | allow 
svirt_t nova_var_lib_t:lnk_file read;

# Bugzilla 1211628
# Guest-side domains (svirt_t and the TCG variant) may write files
# labelled nova_var_lib_t. NOTE(review): svirt_t is normally
# category-confined per VM; whether the nova_var_lib_t files it can
# reach carry matching categories is not visible here — confirm, since
# otherwise this is a path writable from any guest.
allow svirt_t nova_var_lib_t:file write;
allow svirt_tcg_t nova_var_lib_t:file write;

# Bugzilla 1315457
# httpd_t may create and open nova log files (no read or unlink here).
allow httpd_t nova_log_t:dir { add_name write };
allow httpd_t nova_log_t:file { open create };

# Bugzilla 1375766
nova_manage_lib_files(virtlogd_t)

# Bugzilla 1377272
# DAC bypass for virtlogd is opt-in, default off.
gen_tunable(os_virtlog_dac_override, false)
tunable_policy(`os_virtlog_dac_override',`
	allow virtlogd_t self:capability dac_override;
')

# Bugzilla #1499800 (workaround)
# src: https://eucalyptus.atlassian.net/browse/EUCA-13447
# virtlogd keeps console.log (virt_log_t) inside the image directory
# (virt_image_t). The filetrans rule below labels the new file
# virt_log_t on creation, so virtlogd does not need write access to
# virt_image_t files generally.
create_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
delete_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
rename_files_pattern(virtlogd_t, virt_image_t, virt_log_t)

# Delete/rename only (no create) for svirt_image_t files in the same
# directory — presumably console logs left with the older label.
delete_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)
rename_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)

filetrans_pattern(virtlogd_t, virt_image_t, virt_log_t, file, "console.log")

# Bugzilla 1249685
# execmem allows writable+executable anonymous memory (weakens W^X).
# Opt-in, default off, for the four listed domains.
gen_tunable(os_nova_use_execmem, false)
tunable_policy(`os_nova_use_execmem',`
	allow nova_api_t self:process execmem;
	allow nova_cert_t self:process execmem;
	allow nova_console_t self:process execmem;
	allow nova_scheduler_t self:process execmem;
')

kernel_rw_net_sysctls(nova_network_t)
dev_rw_vhost(nova_network_t)

optional_policy(`
	gen_require(`
		type nova_t;
		type httpd_config_t;
		class dir search;
		class process execmem;
	')
	# bugzilla 1281547
	allow nova_t httpd_config_t:dir search;
	# bugzilla 1280101
	# NOTE(review): unlike the four domains above, nova_t gets execmem
	# unconditionally rather than behind os_nova_use_execmem.
	allow nova_t self:process execmem;
')

# Bug 1430402
optional_policy(`
	mysql_read_config(nova_t)
')

# Bug 1494907 and related
allow iptables_t modules_conf_t:file read_file_perms;
optional_policy(`
gen_require(` 122 | type systemd_machined_t; 123 | type container_runtime_t; 124 | type container_share_t; 125 | type container_unit_file_t; 126 | type svirt_sandbox_file_t; 127 | type spc_t; 128 | ') 129 | 130 | # presumably this is "init_start|stop|status" 131 | allow systemd_machined_t container_unit_file_t:service { start stop status }; 132 | 133 | # Already present in 2.26 134 | virt_transition_svirt(spc_t, system_r) 135 | virt_sandbox_entrypoint(svirt_sandbox_file_t) 136 | 137 | # Needs fixed in >2.26 138 | allow svirt_t container_runtime_t:process sigchld; 139 | 140 | container_read_share_files(svirt_t) 141 | allow svirt_t container_share_t:file { entrypoint execute }; 142 | 143 | allow svirt_t spc_t:dir search; 144 | allow svirt_t spc_t:fifo_file write_file_perms; 145 | allow svirt_t spc_t:file read_file_perms; 146 | ') 147 | 148 | # Requested for podman container engine 149 | allow svirt_tcg_t container_runtime_t:process sigchld; 150 | allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open }; 151 | allow svirt_tcg_t container_share_t:lnk_file read; 152 | allow svirt_tcg_t container_share_t:dir read; 153 | 154 | # Bug 1640528 155 | auth_use_pam(nova_t) 156 | init_rw_utmp(nova_t) 157 | -------------------------------------------------------------------------------- /tests/bz1494907: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1506381584.797:150): avc: denied { read } for pid=20335 comm="grep" name="kvm.conf" dev="sda2" ino=12583138 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 2 | type=AVC msg=audit(1506522147.108:6883): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file 3 | type=AVC msg=audit(1506522177.143:6891): avc: denied { read } for pid=225281 comm="qemu-kvm" 
name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file 4 | type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c391,c860 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process 5 | type=AVC msg=audit(1506522064.398:6871): avc: denied { entrypoint } for pid=224688 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file 6 | type=AVC msg=audit(1506522177.143:6892): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file 7 | type=AVC msg=audit(1506522389.519:6958): avc: denied { entrypoint } for pid=226377 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c549,c593 tcontext=system_u:object_r:container_share_t:s0 tclass=file 8 | type=AVC msg=audit(1506522064.400:6875): avc: denied { execute } for pid=224688 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file 9 | type=AVC msg=audit(1506522177.141:6890): avc: denied { write } for pid=225281 comm="qemu-kvm" path="pipe:[2814876]" dev="pipefs" ino=2814876 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file 10 | type=AVC msg=audit(1506522064.400:6872): avc: denied { read } for pid=224688 comm="qemu-kvm" name="ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file 11 | type=AVC msg=audit(1506522147.136:6884): avc: denied { sigchld } for pid=34139 
comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process 12 | type=AVC msg=audit(1506522064.398:6871): avc: denied { write } for pid=224688 comm="qemu-kvm" path="pipe:[2816199]" dev="pipefs" ino=2816199 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=fifo_file 13 | type=AVC msg=audit(1506522147.107:6882): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file 14 | type=AVC msg=audit(1506522147.107:6882): avc: denied { read } for pid=224688 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=file 15 | type=AVC msg=audit(1506522224.531:6901): avc: denied { read } for pid=225281 comm="qemu-kvm" name="cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file 16 | type=AVC msg=audit(1506522147.107:6882): avc: denied { search } for pid=224688 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:system_r:spc_t:s0 tclass=dir 17 | type=AVC msg=audit(1506522224.558:6904): avc: denied { sigchld } for pid=34139 comm="docker-containe" scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process 18 | type=AVC msg=audit(1506522177.143:6891): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file 19 | type=AVC msg=audit(1506522224.531:6901): avc: denied { open } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 
tcontext=system_u:system_r:spc_t:s0 tclass=file 20 | type=AVC msg=audit(1506522064.400:6873): avc: denied { getattr } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=196770 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file 21 | type=AVC msg=audit(1506522224.531:6901): avc: denied { search } for pid=225281 comm="qemu-kvm" name="34155" dev="proc" ino=195743 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=dir 22 | type=AVC msg=audit(1506522177.141:6890): avc: denied { entrypoint } for pid=225281 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=5819701 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file 23 | type=AVC msg=audit(1506522064.400:6872): avc: denied { open } for pid=224688 comm="qemu-kvm" path="/etc/ld.so.cache" dev="vda2" ino=21009912 scontext=system_u:system_r:svirt_t:s0:c899,c918 tcontext=system_u:object_r:container_share_t:s0 tclass=file 24 | type=AVC msg=audit(1506522177.143:6894): avc: denied { execute } for pid=225281 comm="qemu-kvm" path="/usr/lib64/libz.so.1.2.7" dev="vda2" ino=62914801 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:object_r:container_share_t:s0 tclass=file 25 | type=AVC msg=audit(1506522224.533:6902): avc: denied { getattr } for pid=225281 comm="qemu-kvm" path="/proc/34155/cmdline" dev="proc" ino=195421 scontext=system_u:system_r:svirt_t:s0:c395,c947 tcontext=system_u:system_r:spc_t:s0 tclass=file 26 | -------------------------------------------------------------------------------- /tests/bz1692325: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1553504112.730:7560): avc: denied { write } for pid=41771 comm="mkdir" name="galera-bundle-0" dev="vda2" ino=8512171 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 
tclass=dir permissive=1 2 | type=AVC msg=audit(1553504112.730:7560): avc: denied { add_name } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 3 | type=AVC msg=audit(1553504112.730:7560): avc: denied { create } for pid=41771 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 4 | type=AVC msg=audit(1553504112.730:7561): avc: denied { read } for pid=41771 comm="mkdir" name="kolla" dev="vda2" ino=65194464 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 5 | type=AVC msg=audit(1553504118.347:7565): avc: denied { create } for pid=42078 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 6 | type=AVC msg=audit(1553504118.347:7565): avc: denied { read write open } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 7 | type=AVC msg=audit(1553504118.347:7566): avc: denied { lock } for pid=42078 comm="su" path="/var/log/lastlog" dev="vda2" ino=8512175 scontext=system_u:system_r:container_t:s0:c296,c382 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 8 | type=AVC msg=audit(1553504226.542:7628): avc: denied { write } for pid=46749 comm="python" name="rabbitmq-bundle-0" dev="vda2" ino=67376550 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 9 | type=AVC msg=audit(1553504226.542:7628): avc: denied { add_name } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir 
permissive=1 10 | type=AVC msg=audit(1553504226.542:7628): avc: denied { create } for pid=46749 comm="python" name="btmp" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 11 | type=AVC msg=audit(1553504226.542:7628): avc: denied { write open } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 12 | type=AVC msg=audit(1553504226.542:7629): avc: denied { ioctl } for pid=46749 comm="python" path="/var/log/btmp" dev="vda2" ino=67376554 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 13 | type=AVC msg=audit(1553504226.542:7630): avc: denied { setattr } for pid=46749 comm="python" name="btmp" dev="vda2" ino=67376554 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 14 | type=AVC msg=audit(1553504226.564:7633): avc: denied { create } for pid=46774 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 15 | type=AVC msg=audit(1553504226.564:7634): avc: denied { read } for pid=46774 comm="mkdir" name="kolla" dev="vda2" ino=35865839 scontext=system_u:system_r:container_t:s0:c527,c559 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 16 | type=AVC msg=audit(1553504307.112:7757): avc: denied { write } for pid=52665 comm="mkdir" name="redis-bundle-0" dev="vda2" ino=73669291 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 17 | type=AVC msg=audit(1553504307.112:7757): avc: denied { add_name } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 
tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 18 | type=AVC msg=audit(1553504307.112:7757): avc: denied { create } for pid=52665 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 19 | type=AVC msg=audit(1553504307.112:7758): avc: denied { read } for pid=52665 comm="mkdir" name="kolla" dev="vda2" ino=31565583 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 20 | type=AVC msg=audit(1553504312.069:7762): avc: denied { create } for pid=52961 comm="su" name="lastlog" scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 21 | type=AVC msg=audit(1553504312.069:7762): avc: denied { read write open } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 22 | type=AVC msg=audit(1553504312.069:7763): avc: denied { lock } for pid=52961 comm="su" path="/var/log/lastlog" dev="vda2" ino=73669296 scontext=system_u:system_r:container_t:s0:c383,c514 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file permissive=1 23 | type=AVC msg=audit(1553504532.565:8213): avc: denied { write } for pid=73801 comm="mkdir" name="ovn-dbs-bundle-0" dev="vda2" ino=86202322 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 24 | type=AVC msg=audit(1553504532.565:8213): avc: denied { add_name } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 25 | type=AVC msg=audit(1553504532.565:8213): avc: denied { create } for pid=73801 comm="mkdir" name="kolla" scontext=system_u:system_r:container_t:s0:c670,c1013 
tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 26 | type=AVC msg=audit(1553504532.565:8214): avc: denied { read } for pid=73801 comm="mkdir" name="kolla" dev="vda2" ino=38118009 scontext=system_u:system_r:container_t:s0:c670,c1013 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=dir permissive=1 27 | -------------------------------------------------------------------------------- /tests/bz1180679: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1420828502.323:1254): avc: denied { open } for pid=9180 comm="keepalived" path="/run/neutron/ha_confs/70486958-f838-4f4d-adcc-ea20a93dc3b4/keepalived.conf" dev="tmpfs" ino=83903 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 2 | type=AVC msg=audit(1420828263.958:217): avc: denied { getattr } for pid=4421 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda1" ino=4547471 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file 3 | type=AVC msg=audit(1420828499.282:995): avc: denied { search } for pid=9178 comm="keepalived" name="neutron" dev="tmpfs" ino=20357 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 4 | type=AVC msg=audit(1420828263.921:215): avc: denied { getattr } for pid=4424 comm="os-apply-config" path="/var/lib/cloud/data/cfn-init-data" dev="sda1" ino=4194783 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file 5 | type=AVC msg=audit(1420828499.283:996): avc: denied { write open } for pid=9179 comm="keepalived" path="/run/neutron/ha_confs/70486958-f838-4f4d-adcc-ea20a93dc3b4.pid" dev="tmpfs" ino=81216 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 6 | type=AVC msg=audit(1420828263.921:216): avc: denied { read } for pid=4424 comm="os-apply-config" name="cfn-init-data" 
dev="sda1" ino=4194783 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file 7 | type=AVC msg=audit(1420828263.920:214): avc: denied { open } for pid=4424 comm="os-apply-config" path="/var/lib/heat-cfntools/cfn-init-data" dev="sda1" ino=12627872 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 8 | type=AVC msg=audit(1420828263.919:210): avc: denied { open } for pid=4424 comm="os-apply-config" path="/var/log/os-apply-config.log" dev="sda1" ino=8732425 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file 9 | type=AVC msg=audit(1420828499.283:996): avc: denied { add_name } for pid=9179 comm="keepalived" name="70486958-f838-4f4d-adcc-ea20a93dc3b4.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 10 | type=AVC msg=audit(1420828499.283:996): avc: denied { create } for pid=9179 comm="keepalived" name="70486958-f838-4f4d-adcc-ea20a93dc3b4.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 11 | type=AVC msg=audit(1420828263.958:220): avc: denied { execute_no_trans } for pid=4433 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda1" ino=4547471 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file 12 | type=AVC msg=audit(1420828263.958:219): avc: denied { read } for pid=4421 comm="keepalived_vip_" name="ip" dev="sda1" ino=4547471 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file 13 | type=AVC msg=audit(1420828499.290:1001): avc: denied { execute_no_trans } for pid=9182 comm="sh" path="/run/neutron/ha_confs/70486958-f838-4f4d-adcc-ea20a93dc3b4/notify_backup.sh" dev="tmpfs" ino=81133 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 14 | type=AVC 
msg=audit(1420828263.920:212): avc: denied { open } for pid=4424 comm="os-apply-config" path="/var/lib/os-collect-config/os_config_files.json" dev="sda1" ino=12627907 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file 15 | type=AVC msg=audit(1420828263.921:216): avc: denied { open } for pid=4424 comm="os-apply-config" path="/var/lib/cloud/data/cfn-init-data" dev="sda1" ino=4194783 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:cloud_var_lib_t:s0 tclass=file 16 | type=AVC msg=audit(1420828263.958:220): avc: denied { open } for pid=4433 comm="keepalived_vip_" path="/usr/sbin/ip" dev="sda1" ino=4547471 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file 17 | type=AVC msg=audit(1420828263.958:218): avc: denied { execute } for pid=4421 comm="keepalived_vip_" name="ip" dev="sda1" ino=4547471 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:ifconfig_exec_t:s0 tclass=file 18 | type=AVC msg=audit(1420828263.920:214): avc: denied { read } for pid=4424 comm="os-apply-config" name="cfn-init-data" dev="sda1" ino=12627872 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 19 | type=AVC msg=audit(1420828263.920:212): avc: denied { read } for pid=4424 comm="os-apply-config" name="os_config_files.json" dev="sda1" ino=12627907 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file 20 | type=AVC msg=audit(1420828502.329:1257): avc: denied { write } for pid=9450 comm="bash" name="state" dev="tmpfs" ino=81272 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 21 | type=AVC msg=audit(1420828499.283:997): avc: denied { getattr } for pid=9179 comm="keepalived" path="/run/neutron/ha_confs/70486958-f838-4f4d-adcc-ea20a93dc3b4.pid" dev="tmpfs" ino=81216 scontext=system_u:system_r:keepalived_t:s0 
tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 22 | type=AVC msg=audit(1420828263.920:213): avc: denied { getattr } for pid=4424 comm="os-apply-config" path="/var/lib/heat-cfntools/cfn-init-data" dev="sda1" ino=12627872 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 23 | type=AVC msg=audit(1420828499.292:1002): avc: denied { ioctl } for pid=9182 comm="bash" path="/run/neutron/ha_confs/70486958-f838-4f4d-adcc-ea20a93dc3b4/notify_backup.sh" dev="tmpfs" ino=81133 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 24 | type=AVC msg=audit(1420828499.283:996): avc: denied { write } for pid=9179 comm="keepalived" name="ha_confs" dev="tmpfs" ino=75523 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=dir 25 | type=AVC msg=audit(1420828502.311:1250): avc: denied { signal } for pid=9448 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process 26 | type=AVC msg=audit(1420828499.290:1001): avc: denied { execute } for pid=9182 comm="sh" name="notify_backup.sh" dev="tmpfs" ino=81133 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 27 | type=AVC msg=audit(1420828499.286:998): avc: denied { read } for pid=9180 comm="keepalived" name="keepalived.conf" dev="tmpfs" ino=79863 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file 28 | type=AVC msg=audit(1420828263.920:211): avc: denied { getattr } for pid=4424 comm="os-apply-config" path="/var/lib/os-collect-config/os_config_files.json" dev="sda1" ino=12627907 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file 29 | -------------------------------------------------------------------------------- /tests/bz1118859: 
-------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1405371699.582:201): avc: denied { getattr } for pid=14592 comm="lsof" path="/usr/bin/mysqld_safe" dev="dm-0" ino=17369661 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1405100993.988:293594): avc: denied { getattr } for pid=9114 comm="lsof" path="/run/rpcbind.sock" dev="tmpfs" ino=47850 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file 3 | type=AVC msg=audit(1405100993.988:293589): avc: denied { getattr } for pid=9114 comm="lsof" path="/run/systemd/private" dev="tmpfs" ino=10503 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file 4 | type=AVC msg=audit(1405100994.947:293685): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/11889" dev="proc" ino=45466 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir 5 | type=AVC msg=audit(1405100993.987:293580): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/26487" dev="proc" ino=135626 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir 6 | type=AVC msg=audit(1405100994.946:293680): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1804" dev="proc" ino=30382 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=dir 7 | type=AVC msg=audit(1405100993.987:293587): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/31673" dev="proc" ino=276639 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir 8 | type=AVC msg=audit(1405100993.987:293582): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/26891" dev="proc" ino=141445 scontext=system_u:system_r:mysqld_t:s0 
tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dir 9 | type=AVC msg=audit(1405100993.987:293588): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/31701" dev="proc" ino=276728 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=dir 10 | type=AVC msg=audit(1405100994.947:293690): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/12523" dev="proc" ino=47859 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=dir 11 | type=AVC msg=audit(1405100994.946:293677): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1787" dev="proc" ino=18074 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir 12 | type=AVC msg=audit(1405100994.198:293657): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/441" dev="proc" ino=11668 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir 13 | type=AVC msg=audit(1405100993.020:293575): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/13177" dev="proc" ino=51282 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dir 14 | type=AVC msg=audit(1405100994.947:293686): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/11969" dev="proc" ino=45758 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir 15 | type=AVC msg=audit(1405100994.946:293668): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/549" dev="proc" ino=14357 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir 16 | type=AVC msg=audit(1405100994.946:293674): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/704" dev="proc" ino=15585 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dir 17 | type=AVC msg=audit(1405100994.946:293673): avc: denied { getattr } for pid=9125 comm="lsof" 
path="/proc/654" dev="proc" ino=15370 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dir 18 | type=AVC msg=audit(1405100994.198:293655): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/422" dev="proc" ino=11188 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir 19 | type=AVC msg=audit(1405100994.946:293679): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1803" dev="proc" ino=30381 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=dir 20 | type=AVC msg=audit(1405100994.946:293669): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/565" dev="proc" ino=14594 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=dir 21 | type=AVC msg=audit(1405100993.988:293592): avc: denied { getattr } for pid=9114 comm="lsof" path="/run/udev/control" dev="tmpfs" ino=10581 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file 22 | type=AVC msg=audit(1405100994.946:293670): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/574" dev="proc" ino=14967 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=dir 23 | type=AVC msg=audit(1405100994.946:293676): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1533" dev="proc" ino=17227 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir 24 | type=AVC msg=audit(1405100993.987:293577): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/13844" dev="proc" ino=53907 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=dir 25 | type=AVC msg=audit(1405100994.946:293678): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1798" dev="proc" ino=18255 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=dir 26 | 
type=AVC msg=audit(1405100994.198:293656): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/428" dev="proc" ino=11357 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=dir 27 | type=AVC msg=audit(1405100994.946:293675): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/1032" dev="proc" ino=16604 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=dir 28 | type=AVC msg=audit(1405100994.198:293667): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/546" dev="proc" ino=13957 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dir 29 | type=AVC msg=audit(1405100994.198:293665): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/543" dev="proc" ino=13904 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=dir 30 | type=AVC msg=audit(1405100994.198:293666): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/545" dev="proc" ino=13955 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dir 31 | type=AVC msg=audit(1405100994.947:293687): avc: denied { getattr } for pid=9125 comm="lsof" path="/proc/12260" dev="proc" ino=46922 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=dir 32 | type=AVC msg=audit(1405100993.987:293579): avc: denied { getattr } for pid=9114 comm="lsof" path="/proc/26053" dev="proc" ino=238294 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir 33 | -------------------------------------------------------------------------------- /tests/bz1245846: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(07/20/2015 14:23:28.857:957) : avc: denied { read } for pid=8935 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 2 | type=AVC msg=audit(07/20/2015 14:29:06.309:1060) : avc: denied { read } for pid=9770 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 3 | type=AVC msg=audit(07/20/2015 14:33:49.323:1161) : avc: denied { read } for pid=10405 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 4 | type=AVC msg=audit(07/20/2015 14:39:38.152:1276) : avc: denied { read } for pid=11201 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 5 | type=AVC msg=audit(07/20/2015 14:41:48.746:1337) : avc: denied { read } for pid=11543 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 6 | type=AVC msg=audit(07/21/2015 19:42:10.339:32387) : avc: denied { read } for pid=11771 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 7 | type=AVC msg=audit(07/21/2015 19:43:56.403:32430) : avc: denied { read } for pid=12017 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 8 | type=AVC msg=audit(07/21/2015 19:45:22.446:32474) : avc: denied { open } for pid=12270 comm=addconn path=/etc/ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 9 | type=AVC msg=audit(07/21/2015 19:45:22.446:32474) : avc: denied { read } for pid=12270 comm=addconn name=ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 
tclass=file 10 | type=AVC msg=audit(07/21/2015 19:45:22.446:32475) : avc: denied { ioctl } for pid=12270 comm=addconn path=/etc/ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 11 | type=AVC msg=audit(07/21/2015 19:45:22.446:32476) : avc: denied { getattr } for pid=12270 comm=addconn path=/etc/ipsec.conf dev="sda5" ino=4064066 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file 12 | type=AVC msg=audit(07/21/2015 19:45:22.446:32477) : avc: denied { open } for pid=12270 comm=addconn path=/etc/ipsec.d dev="sda5" ino=4197937 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir 13 | type=AVC msg=audit(07/21/2015 19:45:22.446:32477) : avc: denied { read } for pid=12270 comm=addconn name=ipsec.d dev="sda5" ino=4197937 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir 14 | type=AVC msg=audit(07/21/2015 19:45:22.447:32478) : avc: denied { open } for pid=12270 comm=addconn path=/etc/ipsec.d/v6neighbor-hole.conf dev="sda5" ino=4197946 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file 15 | type=AVC msg=audit(07/21/2015 19:45:22.447:32478) : avc: denied { read } for pid=12270 comm=addconn name=v6neighbor-hole.conf dev="sda5" ino=4197946 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file 16 | type=AVC msg=audit(07/21/2015 19:45:22.447:32479) : avc: denied { ioctl } for pid=12270 comm=addconn path=/etc/ipsec.d/v6neighbor-hole.conf dev="sda5" ino=4197946 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file 17 | type=AVC msg=audit(07/21/2015 19:45:22.447:32480) : avc: denied { getattr } for pid=12270 comm=addconn path=/etc/ipsec.d/v6neighbor-hole.conf dev="sda5" ino=4197946 scontext=system_u:system_r:neutron_t:s0 
tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file 18 | type=AVC msg=audit(07/21/2015 19:45:22.534:32481) : avc: denied { getattr } for pid=12287 comm=ls path=/usr/lib/modules/3.10.0-229.7.2.el7.x86_64/kernel/arch/x86/crypto/ablk_helper.ko dev="sda5" ino=3803379 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file 19 | type=AVC msg=audit(07/21/2015 19:45:23.159:32482) : avc: denied { execute } for pid=12515 comm=ipsec name=setfiles dev="sda5" ino=2886252 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file 20 | type=AVC msg=audit(07/21/2015 19:45:23.159:32483) : avc: denied { getattr } for pid=12515 comm=ipsec path=/usr/sbin/setfiles dev="sda5" ino=2886252 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file 21 | type=AVC msg=audit(07/21/2015 19:45:23.159:32484) : avc: denied { read } for pid=12515 comm=ipsec name=setfiles dev="sda5" ino=2886252 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file 22 | type=AVC msg=audit(07/21/2015 19:45:23.160:32485) : avc: denied { execute_no_trans } for pid=12521 comm=ipsec path=/usr/sbin/setfiles dev="sda5" ino=2886252 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file 23 | type=AVC msg=audit(07/21/2015 19:45:23.160:32485) : avc: denied { open } for pid=12521 comm=ipsec path=/usr/sbin/setfiles dev="sda5" ino=2886252 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file 24 | type=AVC msg=audit(07/21/2015 19:45:23.219:32486) : avc: denied { execute } for pid=12523 comm=ipsec name=pluto dev="sda5" ino=4723870 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file 25 | type=AVC msg=audit(07/21/2015 19:45:23.220:32487) : avc: denied { execute_no_trans } for pid=12523 comm=ipsec path=/usr/libexec/ipsec/pluto dev="sda5" 
ino=4723870 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file 26 | type=AVC msg=audit(07/21/2015 19:45:23.220:32487) : avc: denied { read open } for pid=12523 comm=ipsec path=/usr/libexec/ipsec/pluto dev="sda5" ino=4723870 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file 27 | type=AVC msg=audit(07/21/2015 19:45:23.299:32488) : avc: denied { setpcap } for pid=12524 comm=pluto capability=setpcap scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability 28 | type=AVC msg=audit(07/21/2015 19:45:23.449:32489) : avc: denied { getattr } for pid=12527 comm=fipscheck path=/usr/libexec/ipsec/pluto dev="sda5" ino=4723870 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ipsec_exec_t:s0 tclass=file 29 | type=AVC msg=audit(07/21/2015 19:45:23.599:32490) : avc: denied { create } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_xfrm_socket 30 | type=AVC msg=audit(07/21/2015 19:45:23.599:32491) : avc: denied { bind } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_xfrm_socket 31 | type=AVC msg=audit(07/21/2015 19:45:23.599:32492) : avc: denied { create } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket 32 | type=AVC msg=audit(07/21/2015 19:45:23.600:32493) : avc: denied { write } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket 33 | type=AVC msg=audit(07/21/2015 19:45:23.684:32494) : avc: denied { read } for pid=12524 comm=pluto path=socket:[7796583] dev="sockfs" ino=7796583 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=key_socket 34 | type=AVC 
msg=audit(07/21/2015 19:45:24.721:32500) : avc: denied { nlmsg_write } for pid=12524 comm=pluto scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_xfrm_socket 35 | -------------------------------------------------------------------------------- /tests/bz1434826: -------------------------------------------------------------------------------- 1 | type=AVC msg=audit(1521755700.743:68): avc: denied { entrypoint } for pid=1528 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file 2 | type=AVC msg=audit(1521755700.847:73): avc: denied { write } for pid=1529 comm="keepalived" name="vrrp" dev="vda1" ino=535343 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 3 | type=AVC msg=audit(1521755700.847:73): avc: denied { add_name } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 4 | type=AVC msg=audit(1521755700.847:73): avc: denied { create } for pid=1529 comm="keepalived" name="octavia-keepalived.pid" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 5 | type=AVC msg=audit(1521755700.913:75): avc: denied { execute } for pid=1534 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 6 | type=AVC msg=audit(1521755700.913:75): avc: denied { execute_no_trans } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 7 | type=AVC msg=audit(1521755700.914:76): avc: denied { ioctl } for pid=1534 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=file 8 | type=AVC msg=audit(1521756001.706:137): avc: denied { mounton } for pid=1765 comm="ip" path="/run/netns" dev="tmpfs" ino=18861 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir 9 | type=AVC msg=audit(1521756001.760:138): avc: denied { mounton } for pid=1766 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir 10 | type=AVC msg=audit(1521756001.762:139): avc: denied { mounton } for pid=1766 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 11 | type=AVC msg=audit(1521756001.794:140): avc: denied { write } for pid=1766 comm="sysctl" name="ptrace_scope" dev="proc" ino=8640 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file 12 | type=AVC msg=audit(1521756001.794:141): avc: denied { sys_ptrace } for pid=1766 comm="sysctl" capability=19 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability 13 | type=AVC msg=audit(1521756001.797:142): avc: denied { getattr } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file 14 | type=AVC msg=audit(1521756001.797:143): avc: denied { write } for pid=1766 comm="sysctl" name="protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file 15 | type=AVC msg=audit(1521756001.797:143): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=8670 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file 16 | type=AVC msg=audit(1521756001.799:144): avc: denied { getattr } for pid=1766 
comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file 17 | type=AVC msg=audit(1521756001.800:145): avc: denied { write } for pid=1766 comm="sysctl" name="file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file 18 | type=AVC msg=audit(1521756001.800:145): avc: denied { open } for pid=1766 comm="sysctl" path="/proc/sys/fs/file-max" dev="proc" ino=11686 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file 19 | type=AVC msg=audit(1521756002.536:147): avc: denied { read } for pid=1859 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 20 | type=AVC msg=audit(1521756002.536:147): avc: denied { open } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 21 | type=AVC msg=audit(1521756002.536:148): avc: denied { getattr } for pid=1859 comm="haproxy" path="/var/lib/octavia/90723fd2-3dc8-4488-8078-899be972eec3/haproxy.cfg" dev="vda1" ino=537368 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 22 | type=AVC msg=audit(1521756002.573:150): avc: denied { entrypoint } for pid=1860 comm="(ip)" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file 23 | type=AVC msg=audit(1521756002.580:151): avc: denied { read } for pid=1860 comm="ip" path="/usr/sbin/ip" dev="vda1" ino=36286 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file 24 | type=AVC msg=audit(1521756002.596:152): avc: denied { mounton } for pid=1860 comm="ip" path="/" dev="vda1" ino=2 
scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir 25 | type=AVC msg=audit(1521756002.596:154): avc: denied { mounton } for pid=1860 comm="ip" path="/sys" dev="vda1" ino=2881 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir 26 | type=AVC msg=audit(1521756002.597:155): avc: denied { mounton } for pid=1860 comm="ip" path="/etc/sysconfig" dev="vda1" ino=446 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 27 | type=AVC msg=audit(1521756002.621:156): avc: denied { create } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 28 | type=AVC msg=audit(1521756002.626:157): avc: denied { setattr } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 29 | type=AVC msg=audit(1521756002.626:158): avc: denied { rename } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock.1862.tmp" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 30 | type=AVC msg=audit(1521756002.651:159): avc: denied { write } for pid=1862 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 31 | type=AVC msg=audit(1521756005.967:160): avc: denied { execute } for pid=1867 comm="sh" name="check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 32 | type=AVC msg=audit(1521756005.967:160): avc: denied { execute_no_trans } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 
scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 33 | type=AVC msg=audit(1521756005.968:161): avc: denied { ioctl } for pid=1867 comm="sh" path="/var/lib/octavia/vrrp/check_script.sh" dev="vda1" ino=537359 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 34 | type=AVC msg=audit(1521756006.438:162): avc: denied { write } for pid=1869 comm="haproxy-vrrp-ch" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 35 | type=AVC msg=audit(1521756015.580:163): avc: denied { entrypoint } for pid=1899 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=20196 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file 36 | type=AVC msg=audit(1521756015.616:164): avc: denied { link } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 37 | type=AVC msg=audit(1521756015.626:165): avc: denied { unlink } for pid=1900 comm="haproxy" name="90723fd2-3dc8-4488-8078-899be972eec3.sock" dev="vda1" ino=537381 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file 38 | --------------------------------------------------------------------------------