Bug 1135617
| Field | Value |
|---|---|
| Summary | AVC denied messages when creating new gears |
| Product | OpenShift Container Platform |
| Component | Containers |
| Version | 2.1.0 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Type | Bug |
| Reporter | Simon Sekidde <ssekidde> |
| Assignee | Brenton Leanhardt <bleanhar> |
| QA Contact | libra bugs <libra-bugs> |
| CC | adellape, anli, dswegen, erich, gpei, jokerman, lvrabec, mgrepl, mmccomas, pruan, rhallise |
| Fixed In Version | openshift-origin-node-util-1.22.20.3-1 |
| Doc Type | Bug Fix |
| Last Closed | 2014-10-02 13:59:48 UTC |

Doc Text:

When using the apache-vhost front-end server plug-in, the systemu Ruby library attempted to create temporary files that were blocked by SELinux. This resulted in an AVC denial in the /var/log/audit/audit.log file, though no functionality was actually affected. Because the systemu library is redundant, this bug fix updates nodes to use the OpenShift library that provides the same utility in the rest of the node runtime. As a result, the AVC denials no longer occur.
Description
Simon Sekidde
2014-08-29 19:32:10 UTC
The /tmp/systemu* files are likely being created by that library. There are two tools that use systemu in OpenShift Enterprise. One is MCollective and the other is called oo-httpd-singular. I'm guessing somehow the latter is involved since we see exe="/usr/sbin/httpd" in the AVC mentioned above.

What version of the following packages are you running?

- openshift-origin-node-util
- ruby193-rubygem-systemu

Can you verify that no other ruby193 systemu gems are installed? One way to do this is:

```
scl enable ruby193 "gem list systemu"
rpm -qV ruby193-rubygem-systemu
```

I was able to figure out how to reproduce this. It happens whenever rubygem-openshift-origin-frontend-apache-vhost is in use. The rubygem-openshift-origin-frontend-apache-mod-rewrite plugin is the default and is probably what most people who were trying to reproduce this bug were using.

So people are in the loop, here's the chain of events that leads to this:

1) Broker submits an application create message to the Node
2) Node (mcollective) is running one of the apache frontend plugins
3) The frontend plugin calls /usr/sbin/oo-httpd-singular to gracefully restart apache
4) Apache restarts

Step 3 only happens when the vhost plugin is in use. For the rewrite plugin it's not needed on application create.

One workaround is to replace the use of systemu in that script with another library. We already have openshift-origin-node/utils/shell_exec so I will propose we switch to that. If you would like to try out a modified version in a non-production environment I will attach it to this bug.

Created attachment 934631 [details]
/usr/sbin/oo-httpd-singular
For non-production use only. You can overwrite the default contents of /usr/sbin/oo-httpd-singular with this file.
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/06a5cdb5fa50188a014cf4b672ef776bb0d97a5e
Bug 1135617 - AVC denied messages when creating new gears

Recreated on ose-2.1 puddle-2-1-2014-09-04, and verified on puddle-2-1-2014-09-09.

Recreate steps:

1) setenforce 0
2) rhc app-create supportcase jbosseap-6
3) grep -i denied audit.log

```
[root@node1 audit]# grep -i denied audit.log
type=AVC msg=audit(1410329916.366:9711): avc: denied { read } for pid=18524 comm="httpd" path="/tmp/systemu_node1.ose21z-manual.com.cn_1121_18506_0.42876805572889265_1/stdin" dev=dm-0 ino=145617 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1410329916.415:9712): avc: denied { write } for pid=18525 comm="httpd" path="/tmp/systemu_node1.ose21z-manual.com.cn_1121_18506_0.42876805572889265_1/stdout" dev=dm-0 ino=145618 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
```

Verified steps:

1) setenforce 0
2) rhc app-create supportcase jbosseap-6
3) grep -i denied audit.log
   No denied message can be found.
4) rhc app restart supportcase and check audit.log
   No denied message can be found.

*** Bug 1134842 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1353.html
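The recreate/verify procedure above boils down to "grep -i denied audit.log" and reading the AVC records by eye. The following is an added example, not part of this bug report or of the origin-server code base: a small Ruby triage helper that parses type=AVC records, groups the denials by source domain, target type and object class, and exposes a clean? check that can be run against the audit log before and after the fix. The two AVC lines in BEFORE_FIX are the ones pasted in the verification comment above; the lines in AFTER_FIX are constructed stand-ins for a log with no denials. All function names (parse_avc, denials, summarize, clean?) are this example's own.

```ruby
# Added example: SELinux AVC triage for the denial pattern seen in this bug.
# Not from the bug or from openshift/origin-server; function names are ours.

# type=AVC msg=audit(<ts>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = /\Atype=AVC\s+msg=audit\((?<ts>\d+\.\d+):(?<serial>\d+)\):\s+avc:\s+denied\s+\{\s*(?<perms>[^}]+?)\s*\}\s+for\s+(?<rest>.*)\z/

# Turn the key=value tail of an AVC record into a hash (values may be quoted).
def parse_fields(tail)
  tail.scan(/(\w+)=("[^"]*"|\S+)/).each_with_object({}) do |(k, v), h|
    h[k] = v.delete('"')
  end
end

Denial = Struct.new(:ts, :serial, :perms, :pid, :comm, :path,
                    :scontext, :tcontext, :tclass) do
  # Third field of a context string is the type, e.g. httpd_t.
  def sdomain; scontext.split(':')[2]; end
  def ttype;   tcontext.split(':')[2]; end
  def key;     [sdomain, ttype, tclass]; end
end

# Parse one audit.log line; returns nil for anything that is not an AVC denial.
def parse_avc(line)
  m = AVC_RE.match(line.strip)
  return nil unless m
  f = parse_fields(m[:rest])
  Denial.new(m[:ts], m[:serial], m[:perms].split, f['pid'].to_i, f['comm'],
             f['path'], f['scontext'], f['tcontext'], f['tclass'])
end

# All denials in a log, optionally restricted to one comm (e.g. "httpd").
def denials(log, comm: nil)
  log.each_line.map { |l| parse_avc(l) }.compact
     .select { |d| comm.nil? || d.comm == comm }
end

# (source domain, target type, class) => sorted list of denied permissions.
# This is the shape a policy reviewer looks at; for this bug the right fix is
# to stop creating the temp files, not to allow httpd_t access to them.
def summarize(log)
  denials(log).group_by(&:key)
              .transform_values { |ds| ds.flat_map(&:perms).uniq.sort }
end

# The check behind "grep -i denied audit.log" in the verify steps.
def clean?(log, comm: nil)
  denials(log, comm: comm).empty?
end

# Quoted from the verification comment in this bug (pre-fix log).
BEFORE_FIX = <<~'LOG'
  type=AVC msg=audit(1410329916.366:9711): avc: denied { read } for pid=18524 comm="httpd" path="/tmp/systemu_node1.ose21z-manual.com.cn_1121_18506_0.42876805572889265_1/stdin" dev=dm-0 ino=145617 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
  type=AVC msg=audit(1410329916.415:9712): avc: denied { write } for pid=18525 comm="httpd" path="/tmp/systemu_node1.ose21z-manual.com.cn_1121_18506_0.42876805572889265_1/stdout" dev=dm-0 ino=145618 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openshift_initrc_tmp_t:s0 tclass=file
LOG

# Constructed stand-in for a post-fix log: only non-AVC records.
AFTER_FIX = <<~'LOG'
  type=USER_START msg=audit(1410330000.000:9800): pid=18600 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
  type=SERVICE_START msg=audit(1410330001.000:9801): pid=1 uid=0 msg='unit=httpd comm="systemd" res=success'
LOG

if $PROGRAM_NAME == __FILE__
  summarize(BEFORE_FIX).each do |(src, tgt, cls), perms|
    puts "#{src} -> #{tgt} (#{cls}): #{perms.join(' ')}"
  end
  puts "after fix clean: #{clean?(AFTER_FIX, comm: 'httpd')}"
end
```

The summary line for the pre-fix log reads httpd_t -> openshift_initrc_tmp_t (file): read write, which is exactly the mismatch the doc text describes: files created under /tmp by the initrc-side caller and then handed to a process running as httpd_t.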