← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1936229] Re: selinux cloud-init-hotplugd.socket not having permissions to fifo sockets

 

** Also affects: centos
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1936229

Title:
  selinux cloud-init-hotplugd.socket not having permissions to fifo
  sockets

Status in cloud-init:
  New
Status in CentOS:
  New

Bug description:
  Initial cloud-init-hotplugd.socket has some undesirable interactions
  with an enforcing SElinux system when trying to listen on a FIFO
  socket.

  
  Deploying on rocky linux 8.4 we can see SELinux errors preventing the cloud-init-hotplugd.socket from starting

  
  from journalctl -b 0:
     

   systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
   systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
   systemd[1]: Failed to listen on cloud-init hotplug hook socket.

  ...

   setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd. For complete SELinux messages run: sealert -l 8969a264-6637-489a-a329-0aafc0b8ee3a
   setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd.
                                                                                  
                                                                                  *****  Plugin catchall (100. confidence) suggests   **************************
                                                                                  
                                                                                  If you believe that systemd should be allowed add_name access on the hook-hotplug-cmd directory by default.
                                                                                  Then you should report this as a bug.
                                                                                  You can generate a local policy module to allow this access.
                                                                                  Do
                                                                                  allow this access for now by executing:
                                                                                  # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
                                                                                  # semodule -X 300 -i my-systemd.pp

  [rocky@ip-172-31-3-239 ~]$ sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33


  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: failed (Result: resources)
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)

  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
  Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: Failed to listen on cloud-init hotplug hook socket.

  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.service
  ● cloud-init-hotplugd.service - cloud-init hotplug hook daemon
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.service; static; vendor preset: disabled)
     Active: inactive (dead)


  
  When setting selinux to permissive, we can see no errors from the systemd services

  [rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
  [rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot

  [rocky@ip-172-31-3-239 ~]$ sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   permissive
  Mode from config file:          permissive
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33
  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: active (listening) since Wed 2021-07-14 03:53:19 UTC; 1min 16s ago
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
      Tasks: 0 (limit: 4797)
     Memory: 0B
     CGroup: /system.slice/cloud-init-hotplugd.socket

  Jul 14 03:53:19 ip-172-31-3-239.us-east-2.compute.internal systemd[1]:
  Listening on cloud-init hotplug hook socket.

  
  Attempting to generate a selinux policy for this systemd.socket I get the following:
  [rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -m cloud-init-hotplug

  module cloud-init-hotplug 1.0;

  require {
  	type init_t;
  	type net_conf_t;
  	class dir add_name;
  	class fifo_file { create open read write };
  }

  #============= init_t ==============
  allow init_t net_conf_t:dir add_name;
  allow init_t net_conf_t:fifo_file { create open read write };

  [rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -M cloud-init-hotplug
  [rocky@ip-172-31-3-239 ~]$ sudo semodule -i cloud-init-hotplug.pp
  [rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

  [rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot

  [rocky@ip-172-31-3-239 ~]$ sudo sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33
  [rocky@ip-172-31-3-239 ~]$ 
  [rocky@ip-172-31-3-239 ~]$ 
  [rocky@ip-172-31-3-239 ~]$ 
  [rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
  ● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
     Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
     Active: active (listening) since Wed 2021-07-14 03:59:55 UTC; 1min 51s ago
     Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
      Tasks: 0 (limit: 4797)
     Memory: 0B
     CGroup: /system.slice/cloud-init-hotplugd.socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1936229/+subscriptions



References