After the previous two days of debugging, Simo Sorce suggested that I need to tell the OS to show all AVCs, since some are hidden by default.
The problem is that not all AVCs are reported: dontaudit rules in the policy suppress some of them. We can disable that suppression.
First I needed to install setools:
sudo yum install setools-console
With that I could confirm that there were hidden AVCs:
sudo seinfo --stats | grep audit
Audit allow: 157
Dontaudit: 8036
I disabled the hiding of the AVCs:
sudo semodule --disable_dontaudit --build
And a bunch more AVCs now show up when I deploy a VM. But after a couple of iterations, it's obvious that the same errors keep showing up. Here's a sample:
type=AVC msg=audit(1504306852.970:3169): avc: denied { search } for pid=27918 comm="cat" name="27821" dev="proc" ino=275493 scontext=system_u:system_r:svirt_tcg_t:s0:c130,c773 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=dir
type=AVC msg=audit(1504306852.984:3173): avc: denied { search } for pid=27929 comm="nsenter" name="27821" dev="proc" ino=275493 scontext=system_u:system_r:svirt_tcg_t:s0:c130,c773 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=dir
type=AVC msg=audit(1504306852.994:3174): avc: denied { search } for pid=27930 comm="pkill" name="498" dev="proc" ino=12227 scontext=system_u:system_r:svirt_tcg_t:s0:c130,c773 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
Looking at the policy generated by audit2allow:
#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != { netlabel_peer_t openshift_t openshift_app_t sandbox_min_t sandbox_x_t sandbox_web_t sandbox_net_t svirt_t svirt_tcg_t svirt_lxc_net_t svirt_qemu_net_t svirt_kvm_net_t } -Fail-) ); Constraint DENIED
The line is commented out, which tells me I should not just blindly enable it. At the bottom of the policy file I see the comment:
# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
# Possible cause is the source role (system_r) and target role (unconfined_r) are different.
# Possible cause is the source level (s0:c130,c773) and target level (s0-s0:c0.c1023) are different.
Curious.
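To see why audit2allow reports a constraint violation rather than a missing allow rule, here is an added Python example (not part of the original post, and not audit2allow's own code) that parses the AVC records above and evaluates the quoted mlsconstrain by hand: does the source high level dominate the target high level, and is the source type in the constrained set? It also reports the user/role/level mismatches that audit2allow lists as possible causes. The constrained-type set is copied from the rule quoted above; the sample records are the first and third AVCs from the post.

```python
import re

# Types named in the mlsconstrain rule quoted above (copied from the audit2allow output).
CONSTRAINED_TYPES = {
    "netlabel_peer_t", "openshift_t", "openshift_app_t", "sandbox_min_t", "sandbox_x_t",
    "sandbox_web_t", "sandbox_net_t", "svirt_t", "svirt_tcg_t", "svirt_lxc_net_t",
    "svirt_qemu_net_t", "svirt_kvm_net_t"}

SAMPLE_AVCS = [  # the first and third AVC records from the post, used as sample input
    'type=AVC msg=audit(1504306852.970:3169): avc: denied { search } for pid=27918 comm="cat" name="27821" dev="proc" '
    'ino=275493 scontext=system_u:system_r:svirt_tcg_t:s0:c130,c773 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=dir',
    'type=AVC msg=audit(1504306852.994:3174): avc: denied { search } for pid=27930 comm="pkill" name="498" dev="proc" '
    'ino=12227 scontext=system_u:system_r:svirt_tcg_t:s0:c130,c773 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir']

def parse_avc(line):
    """Pull key=value fields and the denied permission set out of one AVC record."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def parse_level(level):
    """'s0:c130,c773' -> (0, {130, 773}); 'c0.c1023' is a range; bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    categories = set()
    for piece in filter(None, cats.split(",")):
        lo, _, hi = piece.partition(".")
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), categories

def parse_context(ctx):
    """Split user:role:type:low[-high]; a single level means low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": typ, "low": parse_level(low), "high": parse_level(high or low)}

def dominates(h1, h2):  # MLS dominance: sensitivity >= and category set is a superset
    return h1[0] >= h2[0] and h1[1] >= h2[1]

def evaluate_constraint(avc_line):
    """Apply the quoted rule (pass iff h1 dom h2, or source type not constrained) and report the mismatches."""
    avc = parse_avc(avc_line)
    src, tgt = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
    h1_dom_h2 = dominates(src["high"], tgt["high"])
    type_exempt = src["type"] not in CONSTRAINED_TYPES
    return {"comm": avc.get("comm"), "perms": avc["perms"], "h1_dom_h2": h1_dom_h2,
            "type_exempt": type_exempt, "constraint_allows": h1_dom_h2 or type_exempt,
            "user_differs": src["user"] != tgt["user"],
            "role_differs": src["role"] != tgt["role"],
            "level_differs": (src["low"], src["high"]) != (tgt["low"], tgt["high"])}
```

For both records the source categories (c130,c773) are not a superset of the target's, so h1 dom h2 fails, and svirt_tcg_t is in the constrained set, so the second branch fails too: the constraint denies regardless of any allow rule, which is why simply uncommenting the generated rule would not help.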