yahoo-eng-team team mailing list archive
Message #92265
[Bug 1936229] Re: selinux cloud-init-hotplugd.socket not having permissions to fifo sockets
Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3890
** Bug watch added: github.com/canonical/cloud-init/issues #3890
https://github.com/canonical/cloud-init/issues/3890
** Changed in: cloud-init
Status: Triaged => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1936229
Title:
selinux cloud-init-hotplugd.socket not having permissions to fifo sockets
Status in cloud-init:
Expired
Status in CentOS:
Invalid
Bug description:
Initial cloud-init-hotplugd.socket has some undesirable interactions with an enforcing SELinux system when trying to listen on a FIFO socket.
Deploying on Rocky Linux 8.4 we can see SELinux errors preventing the cloud-init-hotplugd.socket from starting, from journalctl -b 0:
systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
systemd[1]: Failed to listen on cloud-init hotplug hook socket.
...
setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd. For complete SELinux messages run: sealert -l 8969a264-6637-489a-a329-0aafc0b8ee3a
setroubleshoot[772]: SELinux is preventing systemd from add_name access on the directory hook-hotplug-cmd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed add_name access on the hook-hotplug-cmd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
[rocky@ip-172-31-3-239 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
Active: failed (Result: resources)
Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed to listen on sockets: Permission denied
Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: cloud-init-hotplugd.socket: Failed with result 'resources'.
Jul 14 03:39:49 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: Failed to listen on cloud-init hotplug hook socket.
[rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.service
● cloud-init-hotplugd.service - cloud-init hotplug hook daemon
Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.service; static; vendor preset: disabled)
Active: inactive (dead)
When setting SELinux to permissive, we can see no errors from the systemd services.
[rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
[rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot
[rocky@ip-172-31-3-239 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
Active: active (listening) since Wed 2021-07-14 03:53:19 UTC; 1min 16s ago
Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
Tasks: 0 (limit: 4797)
Memory: 0B
CGroup: /system.slice/cloud-init-hotplugd.socket
Jul 14 03:53:19 ip-172-31-3-239.us-east-2.compute.internal systemd[1]: Listening on cloud-init hotplug hook socket.
Attempting to generate an SELinux policy for this systemd.socket I get the following:
[rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -m cloud-init-hotplug
module cloud-init-hotplug 1.0;
require {
type init_t;
type net_conf_t;
class dir add_name;
class fifo_file { create open read write };
}
#============= init_t ==============
allow init_t net_conf_t:dir add_name;
allow init_t net_conf_t:fifo_file { create open read write };
[rocky@ip-172-31-3-239 ~]$ sudo ausearch -c 'systemd' --raw | audit2allow -M cloud-init-hotplug
[rocky@ip-172-31-3-239 ~]$ sudo semodule -i cloud-init-hotplug.pp
[rocky@ip-172-31-3-239 ~]$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
[rocky@ip-172-31-3-239 ~]$ sudo cloud-init clean --logs --reboot
[rocky@ip-172-31-3-239 ~]$ sudo sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@ip-172-31-3-239 ~]$
[rocky@ip-172-31-3-239 ~]$
[rocky@ip-172-31-3-239 ~]$
[rocky@ip-172-31-3-239 ~]$ systemctl status cloud-init-hotplugd.socket
● cloud-init-hotplugd.socket - cloud-init hotplug hook socket
Loaded: loaded (/usr/lib/systemd/system/cloud-init-hotplugd.socket; enabled; vendor preset: disabled)
Active: active (listening) since Wed 2021-07-14 03:59:55 UTC; 1min 51s ago
Listen: /run/cloud-init/hook-hotplug-cmd (FIFO)
Tasks: 0 (limit: 4797)
Memory: 0B
CGroup: /system.slice/cloud-init-hotplugd.socket
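The module above was generated by `audit2allow` straight from the denials, and the report installs it unreviewed with `semodule -i`. Each `allow` line grants the source domain the listed permissions on every object of the target type, so `init_t` (systemd, PID 1) would gain create/write on every `fifo_file` and `add_name` on every `dir` labelled `net_conf_t`, not only `/run/cloud-init`. The following script is an added example, not part of the bug report or of cloud-init: it parses the TE module text quoted in the report (embedded inline so it runs offline) into structured rules and flags those that hand write-like permissions to a sensitive domain, so that a reviewer can decide whether a blanket allow is acceptable or whether the object should rather be relabelled to a narrower type. The `WRITE_LIKE` and `SENSITIVE_SOURCES` sets are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# TE module text exactly as `audit2allow -m cloud-init-hotplug` printed it in
# the bug report, embedded here so the review runs offline.
TE_MODULE = """\
module cloud-init-hotplug 1.0;

require {
    type init_t;
    type net_conf_t;
    class dir add_name;
    class fifo_file { create open read write };
}

#============= init_t ==============
allow init_t net_conf_t:dir add_name;
allow init_t net_conf_t:fifo_file { create open read write };
"""

# Permissions that let the source domain alter the target object or the
# directory that holds it; these are the grants a policy reviewer reads first.
# (Assumption of this example, not a list taken from the page.)
WRITE_LIKE = frozenset({"write", "append", "create", "unlink", "rename",
                        "setattr", "add_name", "remove_name",
                        "relabelfrom", "relabelto"})

# Domains whose new grants deserve extra scrutiny. init_t is systemd (PID 1)
# in the targeted policy; the list itself is an assumption of this example.
SENSITIVE_SOURCES = frozenset({"init_t"})


@dataclass(frozen=True)
class AllowRule:
    source: str     # subject domain, e.g. init_t
    target: str     # object type, e.g. net_conf_t
    tclass: str     # object class, e.g. dir or fifo_file
    perms: frozenset


MODULE_RE = re.compile(r"^\s*module\s+(\S+)\s+([\d.]+)\s*;", re.M)
# Matches both `allow a b:c perm;` and `allow a b:c { p1 p2 };`.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|([^\s;]+))\s*;", re.M)


def parse_module(te_text):
    """Return (module_name, version, [AllowRule]) for an audit2allow TE module."""
    header = MODULE_RE.search(te_text)
    if header is None:
        raise ValueError("no 'module NAME VERSION;' header found")
    rules = []
    for src, tgt, cls, perm_set, perm_one in ALLOW_RE.findall(te_text):
        perms = frozenset((perm_set if perm_set else perm_one).split())
        rules.append(AllowRule(src, tgt, cls, perms))
    return header.group(1), header.group(2), rules


def review_rules(rules):
    """Return (rule, reason) for every rule that gives a sensitive domain a
    write-like permission.

    audit2allow emits exactly what the AVC denials asked for, so a flagged rule
    is not necessarily wrong; it means a human should check whether the target
    type is specific enough, or whether the object (here /run/cloud-init) should
    carry a narrower label instead of widening what init_t may do to net_conf_t.
    """
    findings = []
    for r in rules:
        write_perms = sorted(r.perms & WRITE_LIKE)
        if write_perms and r.source in SENSITIVE_SOURCES:
            reason = (f"{r.source} would get {','.join(write_perms)} on every "
                      f"{r.tclass} object labelled {r.target}")
            findings.append((r, reason))
    return findings


if __name__ == "__main__":
    name, version, rules = parse_module(TE_MODULE)
    print(f"module {name} {version}: {len(rules)} allow rule(s)")
    for _rule, reason in review_rules(rules):
        print(f"REVIEW: {reason}")
```

Run it against the saved output of `audit2allow -m` (or paste a different module into `TE_MODULE`) before running `semodule -i`; both rules from the report are flagged, because each widens what PID 1 may do to the general-purpose `net_conf_t` type rather than to a type specific to the cloud-init hotplug FIFO.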
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1936229/+subscriptions