Bug 1136991

| Field | Value |
|---|---|
| Summary | SELinux denial on RHEL 7 while creating an OpenStack compute resource |
| Product | Red Hat Satellite |
| Reporter | Og Maciel <omaciel> |
| Component | SELinux |
| Assignee | Lukas Zapletal <lzap> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Tazim Kolhar <tkolhar> |
| Severity | high |
| Docs Contact | David O'Brien <daobrien> |
| Priority | unspecified |
| Version | 6.0.4 |
| CC | aperotti, bbuckingham, bkearney, cwelton, daobrien, dcleal, greartes, jhutar, jmontleo, jraju, lzap, mmccune, omaciel, stbenjam, sthirugn, tkolhar, xdmoon |
| Target Milestone | Unspecified |
| Keywords | Triaged |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | http://projects.theforeman.org/issues/10443 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-08-12 16:04:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Og Maciel
2014-09-03 19:07:57 UTC
*** Bug 1136992 has been marked as a duplicate of this bug. ***

Hey,

OpenStack runs on nonstandard HTTP(S) port 5000, therefore access to that resource is denied. I think we should allow this by default.

WORKAROUND is simple:

semanage boolean --on passenger_can_connect_all

Fix pending review upstream: https://github.com/theforeman/foreman-selinux/pull/31

Og,

Can you provide logs for the other compute resources? The fix above will only address OpenStack and the team is requesting additional details.

Thanks!

Brad FYI: The workaround will work with any other Compute Resource or anything in Satellite 6 trying to connect to a port that is not in our policy. The boolean will essentially open access to all remote TCP ports.

*** Bug 1144737 has been marked as a duplicate of this bug. ***

Moving to POST since upstream bug http://projects.theforeman.org/issues/7346 has been closed.

-------------
Anonymous
Applied in changeset commit:24a501be208460fdfd3bc59d47a4fd2b631df622.

FAILEDQA:

*** This bug is verified in upstream. This fix should eventually land in future downstream builds ***

# rpm -qa | grep foreman
foreman-1.6.0.47-1.el7sat.noarch
foreman-compute-1.6.0.47-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.5-2.el7sat.noarch
foreman-gce-1.6.0.47-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-1.3.0-2.el7sat.noarch
foreman-libvirt-1.6.0.47-1.el7sat.noarch
foreman-proxy-1.6.0.30-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.0.4-2.el7sat.noarch
foreman-vmware-1.6.0.47-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
foreman-selinux-1.6.0.15-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.9-1.1.el7sat.noarch
foreman-ovirt-1.6.0.47-1.el7sat.noarch
foreman-postgresql-1.6.0.47-1.el7sat.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-1.0-1.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-client-1.0-1.noarch
rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-2.0.6-1.1.el7sat.noarch

Steps to reproduce:
1. Set up Satellite 6 GA Snap 7 Compose 3
2. Attempt to add an OpenStack CR
3. Test connection

Screenshot attached

Tazim,

I don't believe this belongs to this BZ. I see some error message, perhaps it has something to do with X.509 certificates. To verify this bug, make sure you have no denials in the log and OpenStack works fine. Show me the output of the following please:

# getenforce
# ausearch -m AVC

Created attachment 952469
/var/log/audit/audit.log

Hi,
# getenforce
Enforcing
# ausearch -m AVC
<no matches>
Thanks

This bug is VERIFIED then, I don't know what is wrong with your setup. Must be a different or new bug. Be sure to attach foreman-debug or sosreport when reporting.

Created attachment 953625
Create Openstack Compute Resource success

VERIFIED

# rpm -qa | grep foreman
foreman-1.6.0.47-1.el7sat.noarch
foreman-compute-1.6.0.47-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.5-2.el7sat.noarch
foreman-gce-1.6.0.47-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-1.3.0-2.el7sat.noarch
foreman-libvirt-1.6.0.47-1.el7sat.noarch
foreman-proxy-1.6.0.30-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.0.4-2.el7sat.noarch
foreman-vmware-1.6.0.47-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
foreman-selinux-1.6.0.15-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.9-1.1.el7sat.noarch
foreman-ovirt-1.6.0.47-1.el7sat.noarch
foreman-postgresql-1.6.0.47-1.el7sat.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-1.0-1.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-client-1.0-1.noarch
rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-2.0.6-1.1.el7sat.noarch

Added attachment

Re-opening the issue. This gets you past *adding* the OpenStack resource, but there are additional ports that are needed for communication for OpenStack to fully work. For example, for Foreman to upload the SSH key, it needs port 8774 for Nova, which is denied:

type=AVC msg=audit(1415279429.071:43145): avc: denied { name_connect } for pid=13857 comm="ruby" dest=8774 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket

There may be additional ports. 5000 is just Keystone, and Keystone is just the broker to other services, so if Fog has any requirement to talk to Nova Network, or any other OpenStack service, you'll need those ports too.

Hey,

http://docs.openstack.org/trunk/config-reference/content/firewalls-default-ports.html

Some of the ports are marked as "endpoints", some of them are marked as "publicurl". Do you have any idea which of these should be allowed by our SELinux policy?

Today, we only need 8774 and 5000. I ran through adding an OS resource, assigning an image, creating a VM, and deleting the VM while running tcpdump, and only those 2 ports were contacted.

This is a little bit delayed because there is a design decision issue. We need to add a port that is missing in RHEL 6 and it's not yet clear how to do that to prevent an upgrade error when the core policy introduces it as well. Discussions on lists. WIP.

Can I get some help putting together the rel note for this? There seems to be quite a lot to consider. Thanks

Verified so no release note required.

Tazim, Jan reproduced this recently. Can you check with him? https://bugzilla.redhat.com/show_bug.cgi?id=1249788

This bug was fixed in Satellite 6.1.1 which was delivered on 12 August, 2015.
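The thread settles on two denials that matter for this compute resource: `passenger_t` needs `name_connect` to Keystone on 5000 and to Nova on 8774, and the `passenger_can_connect_all` boolean is the blunt workaround because it opens every remote TCP port. The script below is an added example, not code from this bug or from foreman-selinux: it reproduces offline the part of the audit2allow workflow a practitioner would run on the Satellite host, turning AVC records into a minimal local Type Enforcement module that allows only the labelled ports actually seen. The 8774 record is the one quoted in the thread; the 5000 record (with `commplex_main_port_t` assumed as the label of 5000/tcp, to be verified with `semanage port -l`), the file-read record, the non-AVC record and the module name `foreman_openstack_local` are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style generator for the AVC records
# discussed in this bug. Not part of foreman-selinux or of the bug thread.

# Constructed sample input. Record 1 is the Nova denial quoted in the thread.
# Record 2 is the Keystone denial on 5000; commplex_main_port_t is an ASSUMED
# label for 5000/tcp, check it with `semanage port -l | grep 5000`.
# Record 3 is a non-network denial, included to show per-class merging.
# Record 4 is a SYSCALL record, included to show it is ignored.
AVC_SAMPLE='type=AVC msg=audit(1415279429.071:43145): avc:  denied  { name_connect } for  pid=13857 comm="ruby" dest=8774 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1415279430.204:43146): avc:  denied  { name_connect } for  pid=13857 comm="ruby" dest=5000 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1415279431.515:43147): avc:  denied  { read } for  pid=13857 comm="ruby" name="openstack.yml" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1415279431.515:43147): arch=c000003e syscall=2 success=no exit=-13 comm="ruby" exe="/usr/bin/ruby"'

# usage: avc_to_te MODULE_NAME < audit-records
# Collapses `avc: denied { perm } ... scontext=... tcontext=... tclass=...`
# records into one `allow SRC TGT:CLASS { perms };` per triple, with the
# permissions merged, and emits the `require` block checkmodule needs.
# Anything that is not an AVC denial is skipped. Only the type field of
# each context is used, so MLS ranges are ignored.
avc_to_te() {
    awk -v mod="$1" '
    # Append each word of p to arr[k] unless it is already there.
    function addperm(arr, k, p,    j, n, w) {
        n = split(p, w, " ")
        for (j = 1; j <= n; j++)
            if (index(" " arr[k] " ", " " w[j] " ") == 0)
                arr[k] = (arr[k] == "") ? w[j] : arr[k] " " w[j]
    }
    /avc: +denied/ {
        perm = ""
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in rule)) rules[++nr] = key
        addperm(rule, key, perm)
        if (!(src in seen_t)) { seen_t[src] = 1; types[++nt] = src }
        if (!(tgt in seen_t)) { seen_t[tgt] = 1; types[++nt] = tgt }
        if (!(cls in cperm)) classes[++nc] = cls
        addperm(cperm, cls, perm)
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cperm[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s { %s };\n", rules[i], rule[rules[i]]
    }'
}

# Print the module for the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te foreman_openstack_local
```

On a real host the input would be `ausearch -m AVC -c ruby` and the output would go through `checkmodule -M -m -o foreman_openstack_local.mod foreman_openstack_local.te`, `semodule_package -o foreman_openstack_local.pp -m foreman_openstack_local.mod` and `semodule -i foreman_openstack_local.pp`. Two caveats follow directly from the thread: a `name_connect` rule is only as narrow as the port label, so what gets allowed is whatever `semanage port -l` maps to 5000 and 8774 on that host; and if a port type in the `require` block does not exist in the base policy (the RHEL 6 situation the assignee describes for the missing port type), `checkmodule` refuses the module, which is the upgrade-ordering problem that delayed the proper fix.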