Bug 1049895

Summary: [RDO][OpenStack-SELinux]: AVCs left in messages after deployment of neutron-controller / neutron-compute using foreman.

Field | Value
---|---
Product | [Community] RDO
Reporter | Omri Hochman <ohochman>
Component | openstack-foreman-installer
Assignee | Jason Guiditta <jguiditt>
Status | CLOSED CURRENTRELEASE
QA Contact | yeylon <yeylon>
Severity | medium
Priority | high
Version | unspecified
CC | jguiditt, lars, lhh, morazi, ohochman, srevivo, twilson, yeylon
Keywords | Triaged
Hardware | x86_64
OS | Linux
Doc Type | Bug Fix
Type | Bug
Bug Blocks | 1053623
Description

Omri Hochman, 2014-01-08 12:57:09 UTC

Created attachment 847114: messages.log

I'm adding /var/log/messages.

Note: there is no openstack-selinux package installed on the machine (might be a puppet-modules issue?). (It's RHEL 6.5.)

Adding info regarding the *foreman-server* packages:

```
foreman-server$ rpm -qa | grep foreman
----------------------------------------
ruby193-rubygem-foreman_simplify-0.0.5-1.el6.noarch
foreman-proxy-1.3.0-1.el6.noarch
foreman-1.3.2-1.el6.noarch
foreman-mysql-1.3.2-1.el6.noarch
openstack-foreman-installer-1.0.1-2.el6.noarch
foreman-selinux-1.3.0-1.el6.noarch
foreman-mysql2-1.3.2-1.el6.noarch
rubygem-foreman_api-0.1.9-1.el6.noarch
foreman-installer-1.3.1-1.el6.noarch
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
puppet-server-3.4.2-1.el6.noarch
puppet-3.4.2-1.el6.noarch
packstack-modules-puppet-2013.2.1-0.27.dev936.el6.noarch
```

Note: I've encountered the same AVCs on the neutron-compute machine after deployment by Foreman, in /var/log/messages:

```
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.782:4): avc: denied { read } for pid=25666 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.784:5): avc: denied { read } for pid=25667 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.791:6): avc: denied { read } for pid=25668 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.793:7): avc: denied { read } for pid=25669 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:37 puma02 puppet-agent[25501]: Finished catalog run in 0.10
```

The thing is: Foreman does not deploy openstack-selinux-0.1.3-2.el6ost.noarch on the neutron-controller / neutron-compute machines, as opposed to Packstack. I checked a neutron machine deployed with Packstack and it has openstack-selinux installed and no AVCs in /var/log/messages.

And one thing to note is that Fedora doesn't have an openstack-selinux package and also gets these errors. Terry, is there a reason for this not being in the fedora/rdo repo? And this implies that packstack would get AVCs on fedora as well, correct? If yes to both, we may be able to at least partially solve this with a rebuild of the peel package for fedora. Note however that openstack-foreman doesn't run on Fedora currently anyway, due to a combination of no testing, and that foreman doesn't use SCLs for fedora (which we currently depend on in the installer, though that can be fixed as time allows).

Jason, I'm not sure why openstack-selinux doesn't exist in Fedora. And yes, packstack gets these errors as well.

Lon, do you know why fedora doesn't have an openstack-selinux package?

openstack-selinux only provides patches and bridges gaps on EL6 distributions, which are updated far less frequently. On Fedora, the selinux-policy package is very close to what is in the upstream selinux-policy git repository, so fixes belong there.

Ok, so this needs to simply have openstack-selinux installed.

Package openstack-selinux is installed by Packstack on RHEL. So either we need to fix openstack-selinux or Foreman should install the package in its manifests. Nothing can be done on the o-p-m side in this case.

Unable to reproduce - it seems that openstack-foreman-installer-2.0.8-1.el6ost.noarch is installing openstack-selinux-0.5.2-2.el7ost.noarch on the hosts, which solves this issue.
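As an added example (not part of the bug report or of any of the projects it mentions), a small Python parser for AVC denial lines like the ones quoted in this report: it groups denials by source type, target type, object class and permission the way audit2allow summarises them, and resolves a `/proc/<pid>/...` target path to the program that logged under that pid, which for these lines is the puppet-agent run that spawned `ip`. The sample input is adapted from the report's own log lines; the trailing word of the puppet-agent line is assumed.

```python
import re
from collections import Counter

# Sample input adapted from the log lines quoted in this bug report (two of the four
# AVC denials and the puppet-agent line, which doubles as a non-AVC line to skip).
SAMPLE_MESSAGES = """\
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.782:4): avc: denied { read } for pid=25666 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:31 puma02 kernel: type=1400 audit(1389186691.784:5): avc: denied { read } for pid=25667 comm="ip" path="/proc/25501/status" dev=proc ino=41702 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
Jan 8 15:11:37 puma02 puppet-agent[25501]: Finished catalog run in 0.10 seconds
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_PID_RE = re.compile(r'^/proc/(\d+)/')
SYSLOG_PROG_RE = re.compile(r'^\S+\s+\d+\s+\S+\s+\S+\s+([\w.-]+)\[(\d+)\]:')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'perms': m.group('perms').split()}
    for key in ('pid', 'comm', 'path', 'scontext', 'tcontext', 'tclass'):
        rec[key] = fields.get(key)
    # A policy rule is written against the type, the third field of the label.
    rec['stype'] = rec['scontext'].split(':')[2] if rec['scontext'] else None
    rec['ttype'] = rec['tcontext'].split(':')[2] if rec['tcontext'] else None
    return rec

def summarize(text):
    """Count denials by (source type, target type, class, permission), audit2allow-style."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

def proc_targets(text):
    """Map each /proc/<pid>/ denial target to the program syslog tagged with that pid."""
    pid_to_prog = {m.group(2): m.group(1) for m in map(SYSLOG_PROG_RE.match, text.splitlines()) if m}
    out = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        m = PROC_PID_RE.match(rec['path']) if rec and rec['path'] else None
        if m:
            out[m.group(1)] = pid_to_prog.get(m.group(1))
    return out
```

The summary key for this report is `('ifconfig_t', 'initrc_t', 'file', 'read')`, which is the gap the openstack-selinux package closes on EL6 as the thread concludes.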