Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3890

** Bug watch added: github.com/canonical/cloud-init/issues #3890
   https://github.com/canonical/cloud-init/issues/3890

** Changed in: cloud-init
       Status: Triaged => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1936229

Title:
  selinux cloud-init-hotplugd.socket not having permissions to fifo
  sockets

Status in cloud-init:
  Expired
Status in CentOS:
  Invalid

Bug description:
  Initial cloud-init-hotplugd.socket has some undesirable interactions
  with an enforcing SELinux system when trying to listen on a FIFO
  socket.

  Deploying on Rocky Linux 8.4 we can see SELinux errors preventing the cloud-init-hotplugd.socket from starting.

  From journalctl -b 0:

   systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
   systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
   systemd[1]: Failed to listen on cloud-init hotplug hook socket.

  ...

   setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd. For complete SELinux messages run: sealert -l 8969a264-6637-489a-a329-0aafc0b8ee3a
   setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd.

  *****  Plugin catchall (100. confidence) suggests   **************************

  If you believe that systemd should be allowed add_name access on the hook-hotplug-cmd directory by default.
  Then you should report this as a bug.
  You can generate a local policy module to allow this access.
  Do
  allow this access for now by executing:
  # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
  # semodule -X 300 -i my-systemd.pp

  [rocky@ip-172-31-3-239 ~]$ sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33


  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: failed (Result: resources)
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)

  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: Failed to listen on cloud-init hotplug hook socket.

  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.service
  ● cloud-init-hotplugd.service - cloud-init hotplug hook daemon
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.service; static; vendor preset: disabled)
     Active: inactive (dead)


  When setting SELinux to permissive, we can see no errors from the systemd services:

  [rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
  [rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot

  [rocky@ip-172-31-3-239 ~]$ sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   permissive
  Mode from config file:          permissive
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33
  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: active (listening) since Wed 2021-07-14 03:53:19 UTC; 1min 16s ago
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
      Tasks: 0 (limit: 4797)
     Memory: 0B
     CGroup: /system.slice/cloud-init-hotplugd.socket

  Jul 14 03:53:19 ip-172-31-3-239.us-east-2.compute.internal systemd[1]:
  Listening on cloud-init hotplug hook socket.


  Attempting to generate an SELinux policy for this systemd.socket I get the following:

  [rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -m cloud-init-hotplug

  module cloud-init-hotplug 1.0;

  require {
        type init_t;
        type net_conf_t;
        class dir add_name;
        class fifo_file { create open read write };
  }

  #============= init_t ==============
  allow init_t net_conf_t:dir add_name;
  allow init_t net_conf_t:fifo_file { create open read write };

  [rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -M cloud-init-hotplug
  [rocky@ip-172-31-3-239 ~]$ sudo semodule -i cloud-init-hotplug.pp
  [rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

  [rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot

  [rocky@ip-172-31-3-239 ~]$ sudo sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33
  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: active (listening) since Wed 2021-07-14 03:59:55 UTC; 1min 51s ago
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
      Tasks: 0 (limit: 4797)
     Memory: 0B
     CGroup: /system.slice/cloud-init-hotplugd.socket
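The `ausearch ... | audit2allow` step above turns every AVC denial recorded for `comm="systemd"` into allow rules, and the resulting `allow init_t net_conf_t:fifo_file { ... }` line applies to every `net_conf_t`-labelled FIFO that init_t touches, not only `/run/cloud-init/hook-hotplug-cmd`. The script below is an added example (not cloud-init, setroubleshoot or audit2allow code) that shows what audit2allow does with raw AVC records and adds the scoping step a reviewer would want before `semodule -i`: it parses the records, keeps only denials against a chosen target type, and renders the same `.te` layout the report shows. The AVC lines are constructed to match the types and classes in the report's generated module (init_t, net_conf_t, dir add_name, fifo_file create/open/read/write) plus one unrelated constructed record to show the filter working; the audit timestamps, PIDs and the `tmp_t` record are assumptions, not taken from the bug.

```python
"""Mini audit2allow with a scoping step: raw AVC records -> reviewed .te module.

Added example, not cloud-init/audit2allow code. Sample records are constructed.
"""
import re
from collections import defaultdict

# Constructed AVC records modelled on the denial the bug report describes
# (init_t on a net_conf_t dir/fifo_file). The last AVC line is an unrelated,
# constructed denial that `ausearch -c 'systemd'` would also sweep up.
SAMPLE_AVC_RECORDS = """\
type=AVC msg=audit(1626235189.100:201): avc:  denied  { add_name } for  pid=1 comm="systemd" name="hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626235189.101:202): avc:  denied  { create } for  pid=1 comm="systemd" name="hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1626236000.010:310): avc:  denied  { open read write } for  pid=1 comm="systemd" path="/run/cloud-init/hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=1
type=SYSCALL msg=audit(1626236000.010:310): arch=c000003e syscall=257 success=no exit=-13 comm="systemd"
type=AVC msg=audit(1626236100.500:320): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/tmp/example" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record. Context strings are user:role:type:level; we keep the type.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):[^ ]+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):[^ ]+\s+'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(raw):
    """Return {(source_type, target_type, class): set(permissions)}."""
    denials = defaultdict(set)
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records carry no rule information
        denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)


def select_denials(denials, target_types):
    """Keep only denials against the target types this module is meant to cover."""
    return {k: v for k, v in denials.items() if k[1] in target_types}


def _fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, version, denials):
    """Render the require block and allow rules in the layout audit2allow -m uses."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_fmt(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    for stype in sorted({key[0] for key in denials}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(denials.items()):
            if s == stype:
                lines.append(f"allow {s} {t}:{c} {_fmt(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    all_denials = parse_denials(SAMPLE_AVC_RECORDS)
    scoped = select_denials(all_denials, {"net_conf_t"})
    print(render_te_module("cloud-init-hotplug", "1.0", scoped))
```

Run stand-alone it prints a module with only the two `net_conf_t` rules; the constructed `tmp_t` denial is dropped by `select_denials`, which is the review step that `ausearch -c 'systemd' --raw | audit2allow -M` on its own does not perform. Even the scoped rule still grants init_t the listed permissions on every `net_conf_t` FIFO, so a file-context rule that gives the hotplug FIFO its own label would be the tighter long-term fix than the catchall module.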
