Fix sudo by glance-api #109
base: master
The glance-api service requires sudo when cinder backend is used but this has been denied by SELinux.

~~~
type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
~~~

This fixes the denial and ensures sudo is actually allowed.

Resolves: rhbz#2255412
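As an added triage example (not part of the PR or the openstack-selinux project), the script below parses AVC records of the shape quoted above, groups the denied (source type, target type, class, permission) tuples, and renders each enforced denial as the raw `allow` rule that `audit2allow` would propose. The two sample records are the ones from the description, embedded inline so the script runs offline; the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two AVC records quoted in the PR description,
# embedded so the script runs offline (on a real host they would come from
# `ausearch -m AVC` or /var/log/audit/audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
"""

# "avc: denied { execute } for pid=... comm=..." -> decision, permission set, key=value tail
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="sudo") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, object class, permission)
RuleKey = Tuple[str, str, str, str]


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": sorted(m.group("perms").split()),
        "source": context_type(fields.get("scontext", "")),
        "target": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        # permissive=0 means the kernel actually blocked the access
        "enforced": fields.get("permissive") == "0",
    }


def summarize(log: str) -> Counter:
    """Count denied (source, target, class, perm) tuples across an audit log."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts


def blocked_rules(log: str) -> List[str]:
    """Render each enforced denial as the raw allow rule audit2allow would propose."""
    by_rule: Dict[Tuple[str, str, str], set] = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or not rec["enforced"]:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        by_rule.setdefault(key, set()).update(rec["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(by_rule.items())
    ]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x denied: {key[0]} -> {key[1]}:{key[2]} {key[3]}")
    for rule in blocked_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The raw rule this produces (`allow glance_api_t chkpwd_exec_t:file { execute };`) is only the first blocked step: because both records were captured in enforcing mode, the domain transition into the unix_chkpwd domain and the PAM and utmp accesses behind it never got far enough to be logged. That is why a policy fix reaches for the reference-policy interfaces (`sudo_exec`, `auth_use_pam`) rather than pasting `audit2allow` output, and why denials should be re-collected with the domain permissive before the rule set is considered complete.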
Hi, apologies for the delay and thank you for the patch! Can you confirm that this resolves the issue in your environment as is? In general, I don't have an objection because we've followed a similar pattern in both os-neutron.te and os-nova.te. However, this doesn't seem to build for me (with the `make test` command) either on RHEL8 or 9; I get the following error:

~~~
os-glance.te:68:ERROR 'syntax error' at token 'typeattribute' on line 4124:
typeattribute glance_api_t nsswitch_domain;
~~~

This seems to go away if I move the statement at the top-level in the file, although I don't quite understand why it would be a problem in its current place within the boolean definition. I will dig a bit more and would like to confirm what environment you ran this in? Thank you!
@@ -67,6 +67,8 @@ optional_policy(` | |||
gen_tunable(os_glance_use_sudo, false) | |||
tunable_policy(`os_glance_use_sudo',` | |||
sudo_exec(glance_api_t) | |||
auth_use_pam(glance_api_t) | |||
init_rw_utmp(glance_api_t) |
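Review bot: `auth_use_pam(glance_api_t)` cannot sit inside the `tunable_policy` block. In the Fedora/RHEL reference policy that interface calls `auth_use_nsswitch`, which expands to `typeattribute glance_api_t nsswitch_domain;`, and `typeattribute` statements are not permitted inside conditional (boolean) blocks because attribute membership is fixed at policy compile time; only access-vector and type-transition rules may be conditional. That is exactly the `syntax error at token 'typeattribute'` reported against os-glance.te:68 and why moving the statement to the top level makes the build pass. Suggest keeping `sudo_exec(glance_api_t)` and `init_rw_utmp(glance_api_t)` under the tunable and calling `auth_use_pam(glance_api_t)` unconditionally above it, with a comment noting that the PAM/nsswitch access is then granted regardless of `os_glance_use_sudo`. Also, the hunk header advertises two added lines but no closing `')` for the `tunable_policy` block is visible here, so confirm the diff was not truncated.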
(Nit, minor) It may be good to reference the bugzilla in a comment near these.
@@ -0,0 +1,2 @@ | |||
type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 | |||
type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0 |
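Review bot: both records carry `permissive=0`, so this fixture documents only the first blocked step (glance_api_t executing `unix_chkpwd`, labelled chkpwd_exec_t) and not the accesses that `auth_use_pam` and `init_rw_utmp` are being added for. Re-collect with the domain permissive (`semanage permissive -a glance_api_t`, then `ausearch -m AVC -c sudo`) so the file evidences every rule in the tunable, and consider dropping the environment-specific `dev="vda1" ino=4700890` fields if the file is meant to serve as a reusable test input.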
(question, non-blocking) Is this the only denial or are there more when running in permissive mode?