Add SELinux policies for bare metal agents

The recent move to bare metal neutron agents brought the processes
spawned by each agent under the watch of SELinux policies. This
patch ensures that neutron can still start important daemons, such
as dnsmasq or haproxy, without causing SELinux AVCs.

Closes-Bug: 1742552
Change-Id: Id1ae9d2b43cd0fb4c38460501da24733b29566e2
This commit is contained in:
Major Hayden 2018-01-11 08:01:06 -06:00
parent 767e9ceccf
commit 261a789342
4 changed files with 127 additions and 0 deletions

View File

@ -0,0 +1,57 @@
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module osa-neutron 1.0;
require {
type unconfined_t;
type ifconfig_t;
type neutron_var_lib_t;
type haproxy_exec_t;
type var_run_t;
type iptables_t;
type dnsmasq_t;
type var_log_t;
type http_port_t;
class process setrlimit;
class capability { dac_override net_bind_service setgid setuid };
class tcp_socket { listen name_bind };
class file { create execute execute_no_trans getattr open read relabelto setattr unlink write };
class lnk_file read;
class dir { add_name remove_name write };
}
# NOTE(mhayden): This allows dnsmasq, when run under neutron, to write logs
# within /var/log. This policy no longer exists in CentOS 7 since dnsmasq only
# writes to the systemd journal.
#============= dnsmasq_t ==============
allow dnsmasq_t var_log_t:file { open setattr };
allow dnsmasq_t var_log_t:lnk_file read;
# NOTE(mhayden): Neutron starts haproxy within a network namespace, so the
# process transitions to the ifconfig_t context after it starts. Normally,
# haproxy should switch to the ifconfig_t context. This should be fixed in
# the future.
#============= ifconfig_t ==============
allow ifconfig_t haproxy_exec_t:file { execute execute_no_trans open read };
allow ifconfig_t http_port_t:tcp_socket name_bind;
allow ifconfig_t neutron_var_lib_t:dir { add_name remove_name write };
allow ifconfig_t neutron_var_lib_t:file { create getattr open read unlink write };
allow ifconfig_t self:capability { dac_override net_bind_service setgid setuid };
allow ifconfig_t self:process setrlimit;
allow ifconfig_t self:tcp_socket listen;
# NOTE(mhayden): This allows neutron to use /usr/sbin/xtables-multi to quickly
# manage iptables/ip6tables rules.
#============= iptables_t ==============
allow iptables_t var_run_t:file read;

View File

@ -0,0 +1,6 @@
---
fixes:
- |
SELinux policy for neutron on CentOS 7 is now provided to fix SELinux
AVCs that occur when neutron's agents attempt to start daemons such as
haproxy and dnsmasq.

View File

@ -173,3 +173,9 @@
section: neutron
option: venv_tag
value: "{{ neutron_venv_tag }}"
- include: neutron_selinux.yml
when:
- ansible_pkg_mgr in ['dnf', 'yum']
- ansible_selinux.status is defined
- ansible_selinux.status == "enabled"

58
tasks/neutron_selinux.yml Normal file
View File

@ -0,0 +1,58 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure SELinux packages are installed
package:
name: "{{ item }}"
state: present
with_items:
- libselinux
- libselinux-devel
- checkpolicy
- policycoreutils-python
- name: Create directory for compiling SELinux role
file:
path: "/tmp/osa-neutron-selinux"
state: directory
mode: '0755'
- name: Deploy SELinux policy source file
copy:
src: "osa-neutron-selinux.te"
dest: "/tmp/osa-neutron-selinux/"
owner: root
group: root
mode: "0755"
# NOTE(mhayden): Linting checks are skipped here because there isn't a
# reliable way to determine if this SELinux module is newer than the one that
# is currently in use on the system. The linter expects there to be a
# "creates" argument below.
- name: Compile and load SELinux module
command: "{{ item }}"
args:
chdir: "/tmp/osa-neutron-selinux/"
with_items:
- checkmodule -M -m -o osa-neutron-selinux.mod osa-neutron-selinux.te
- semodule_package -o osa-neutron-selinux.pp -m osa-neutron-selinux.mod
- semodule -i osa-neutron-selinux.pp
tags:
- skip_ansible_lint
- name: Remove temporary directory
file:
path: "/tmp/osa-neutron-selinux/"
state: absent