[Bug 1190918] New: [Staging:A.270.1] openQA test fails in journal_check (audit hardening)
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918

            Bug ID: 1190918
           Summary: [Staging:A.270.1] openQA test fails in journal_check (audit hardening)
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.4
          Hardware: Other
               URL: https://openqa.opensuse.org/tests/1937572/modules/journal_check/steps/22
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: screening-team-bugs@suse.de
          Reporter: dimstar@opensuse.org
        QA Contact: qa-bugs@suse.de
          Found By: openQA
           Blocker: Yes

## Observation

openQA test in scenario microos-Staging:A-Staging-DVD-x86_64-container-host-microos@64bit-2G-HD40G fails in
[journal_check](https://openqa.opensuse.org/tests/1937572/modules/journal_check/steps/22)

Sep 25 18:42:45.201774 localhost systemd[610]: Failed to mount /run/systemd/unit-root/etc/audit to /run/systemd/unit-root/etc/audit: Permission denied

## Test suite description

## Reproducible

Fails since (at least) Build [A.270.1](https://openqa.opensuse.org/tests/1936261)

## Expected result

Last good: [A.267.2](https://openqa.opensuse.org/tests/1936009) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=Staging-DVD&machine=64bit-2G-HD40G&test=container-host-microos&version=Staging%3AA)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Basesystem                  |Basesystem
            Version|Leap 15.4                   |Current
           Assignee|screening-team-bugs@suse.de |ematsumiya@suse.com
           Product|openSUSE Distribution       |openSUSE Tumbleweed
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c1

Enzo Matsumiya <ematsumiya@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dimstar@opensuse.org
              Flags|                            |needinfo?(dimstar@opensuse.org)

--- Comment #1 from Enzo Matsumiya <ematsumiya@suse.com> ---

Hi Dominique,

(In reply to Dominique Leuenberger from comment #0)
> Sep 25 18:42:45.201774 localhost systemd[610]: Failed to mount /run/systemd/unit-root/etc/audit to /run/systemd/unit-root/etc/audit: Permission denied

I can see those error messages ok, and I already have an idea on what's failing (probably some systemd unit hardening directives from bsc#1181400, but I would like to reproduce to confirm before taking action).

> Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=Staging-DVD&machine=64bit-2G-HD40G&test=container-host-microos&version=Staging%3AA)

That interface is very confusing to me, could you help me gather/confirm some information please?

- this is triggered by "systemctl start auditd.service", yes or no?
- what's the host setup like? I don't have experience with microOS and container technologies whatsoever, so if you could give me a step-by-step guide on how to get a similar environment I'd appreciate it

Thanks in advance.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c3

--- Comment #3 from Enzo Matsumiya <ematsumiya@suse.com> ---

(In reply to Dominique Leuenberger from comment #2)
> In what way confusing? i.e. https://openqa.opensuse.org/tests/1937572
> It runs multiple 'test modules' - mainly taking the MicroOS medium (can be downloaded from the test under Logs&Assets) and install it (as role MicroOS container Host) using mostly defaults.

Thanks. I couldn't really see what's being run/logged before audit errors.

> > - this is triggered by "systemctl start auditd.service", yes or no?
> Triggered right after bootup (audit is a default-enabled service). According to the journal, boot happened (in the linked test) at Sep 25 18:42:10, the log from audit appeared at 18:42:45 (regular bootup delay with selinux relabeling and first boot)

Ack.

> > - what's the host setup like? I don't have experience with microOS and container technologies whatsoever, so if you could give me a step-by-step guide how to get a similar environment I'd appreciate it
> Nothing special there: default install of MicroOS from DVD (online repo disabled, role MicroOS Container Host); the VM used is kvm/qemu, 40GB HDD and 2GB RAM)

Ok, I'll try to reproduce it.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c4

--- Comment #4 from Enzo Matsumiya <ematsumiya@suse.com> ---

This failure is related to my latest addition to auditd.service:

ReadWritePaths=/etc/audit

This is required to have the other systemd service hardening in place (cf. https://bugzilla.suse.com/show_bug.cgi?id=1181400#c17).

However, this bug only happens when selinux is in enforcing mode. This is because the selinux auditd_etc_t type doesn't have mounton permission (for namespace mounting).

I've spent the day trying to make this work (systemd and selinux are way out of my league), but I think I've managed to fix it. I'll update here tomorrow at the latest.
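The failure mode described in comment #4 (systemd setting up a unit's private mount namespace for ReadWritePaths= and SELinux refusing the bind mount because the target directory's type lacks `mounton`) is easy to misread from the journal alone, since systemd only reports "Permission denied". The following is an added example, not code from the bug report or from the auditd or selinux-policy packages: a small Python parser over AVC audit records that picks out exactly this class of denial and prints the policy rule shape that `audit2allow` would propose. The AVC log lines, pids, inodes and timestamps are constructed for the example; only the systemd line is quoted from the report. `ReadWritePaths=` is only meaningful alongside `ProtectSystem=strict` or `ReadOnlyPaths=`, which is why it was needed for the rest of the hardening to apply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log text for this example (not taken from the bug report,
# apart from the systemd line quoted in the report itself). The AVC lines mimic
# what SELinux records when systemd's pre-exec child, still running as init_t,
# is refused a bind mount onto /etc/audit; pids, inodes and timestamps are
# assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1632595365.201:118): avc:  denied  { mounton } for  pid=610 comm="(auditd)" path="/etc/audit" dev="vda2" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1632595365.210:119): avc:  denied  { read } for  pid=701 comm="sshd" name="hosts" dev="vda2" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
Sep 25 18:42:45.201774 localhost systemd[610]: Failed to mount /run/systemd/unit-root/etc/audit to /run/systemd/unit-root/etc/audit: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple            # permissions SELinux refused, e.g. ("mounton",)
    source_type: str        # type of the acting process (from scontext)
    target_type: str        # type of the object acted on (from tcontext)
    tclass: str             # object class, e.g. "dir"
    path: Optional[str]     # path or name of the object, if logged
    enforcing: bool         # permissive=0 means the action was really blocked


def _type_of(context: str) -> str:
    # SELinux contexts are user:role:type:level; the type is the third field.
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC audit record; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=perms,
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        path=fields.get("path") or fields.get("name"),
        enforcing=fields.get("permissive") == "0",
    )


def namespace_mount_denials(log_text: str) -> List[Denial]:
    """Denials that break a unit's private mount namespace: systemd (init_t,
    which the forked child still carries before execve) needs `mounton` on the
    directory type of every ReadWritePaths=/ReadOnlyPaths= target."""
    found = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None and "mounton" in d.perms and d.source_type == "init_t":
            found.append(d)
    return found


def allow_rule(d: Denial) -> str:
    """The policy rule shape audit2allow would propose for one denial. The
    proper fix is a change in the distribution's selinux-policy package, as
    was done for this bug, rather than a local module loaded on each host."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


if __name__ == "__main__":
    for d in namespace_mount_denials(SAMPLE_LOG):
        mode = "enforcing" if d.enforcing else "permissive"
        print(f"{d.path}: {d.target_type} lacks {d.perms} for {d.source_type} ({mode})")
        print("   policy rule:", allow_rule(d))
```

On a real host the input would come from `ausearch -m AVC` rather than the embedded sample; the filter on `init_t` plus `mounton` is what separates a namespace-setup denial caused by a hardening directive from ordinary denials against the service's own domain, and `permissive=0` confirms the mount really failed rather than merely being logged.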
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fbui@suse.com, jsegitz@suse.com
              Flags|                            |needinfo?(jsegitz@suse.com), needinfo?(fbui@suse.com)
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c5

--- Comment #5 from Dominique Leuenberger <dimstar@opensuse.org> ---

Let's ask fbui (systemd) and jsegitz (sec team, selinux) for help then
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c6

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jsegitz@suse.com) |

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---

Seems like Enzo already found the problem. How did you fix it Enzo? Seems to me like this needs changes to the policy
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c7

--- Comment #7 from Enzo Matsumiya <ematsumiya@suse.com> ---

(In reply to Johannes Segitz from comment #6)
> Seems like Enzo already found the problem. How did you fix it Enzo? Seems to me like this needs changes to the policy

That's right. Here's the patch I'm testing: https://build.opensuse.org/package/view_file/home:ematsumiya:branches:securi...

Works fine on TW, but I'll test on microOS to make sure I didn't miss anything else.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c8

Enzo Matsumiya <ematsumiya@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED
              Flags|needinfo?(fbui@suse.com)    |needinfo?(jsegitz@suse.com)

--- Comment #8 from Enzo Matsumiya <ematsumiya@suse.com> ---

(In reply to Enzo Matsumiya from comment #7)
> Works fine on TW, but I'll test on microOS to make sure I didn't miss anything else.

Everything is working again on the auditd side, and it doesn't seem to have any side-effects on other selinux policies. I could manage/edit audit.rules and auditd.conf, restart auditd.service, and see my changes applied, in both TW and MicroOS.

@Johannes should I push my selinux-policy patch or will you do so?
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c12

Enzo Matsumiya <ematsumiya@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(dimstar@opensuse.org)

--- Comment #12 from Enzo Matsumiya <ematsumiya@suse.com> ---

@Dominique What are the next steps here? Do I need to resubmit auditd? (https://build.opensuse.org/request/show/920362) Or will you resume QA for that request once selinux-policy is updated?
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918
http://bugzilla.opensuse.org/show_bug.cgi?id=1190918#c13

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |FIXED

--- Comment #13 from Dominique Leuenberger <dimstar@opensuse.org> ---

Actually, all done: https://build.opensuse.org/request/show/920362 has been accepted 4 days ago together with the selinux-policy fix and has been published as part of snapshot 1001.