Bug 1158394

Summary: keystone-all proccess raised avc denied
Product: [Community] RDO Reporter: Nir Magnezi <nmagnezi>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED EOL QA Contact: Mike Abrams <mabrams>
Severity: high Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: oblaut, srevivo, tfreger
Target Milestone: ---   
Target Release: Juno   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1167073 (view as bug list) Environment:
Last Closed: 2016-05-19 16:05:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1167073    

Description Nir Magnezi 2014-10-29 10:01:10 UTC 
Description of problem:
=======================
Tested with RHEL7.
Used packstack to deploy RDO. Since I run with Permissive mode, I cant tell what functionality breaks.

Version-Release number of selected component (if applicable):
=============================================================
RDO-Juno: openstack-selinux-0.5.19-2.el7ost.noarch

How reproducible:
=================
1/1

Steps to Reproduce:
===================
1. Use packstack to deploy RDO (Used RHEL7)
2. Check /var/log/audit/audit.log

Actual results:
===============
type=AVC msg=audit(1414504423.908:14689): avc:  denied  { signal } for  pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process

Expected results:
=================
no such avc should be expected.

Additional info:
================

SELinux is preventing /usr/bin/python2.7 from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed signal access on processes labeled keystone_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep keystone-all /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:keystone_t:s0
Target Context                system_u:system_r:keystone_t:s0
Target Objects                 [ process ]
Source                        keystone-all
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     nmagnezi-os-cont1
Platform                      Linux nmagnezi-os-cont1
                              3.10.0-123.8.1.el7.x86_64 #1 SMP Mon Aug 11
                              13:37:49 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-28 15:53:43 IST
Last Seen                     2014-10-28 15:53:43 IST
Local ID                      9a8a8cc1-0e37-48d7-bc99-90e7311aac92

Raw Audit Messages
type=AVC msg=audit(1414504423.908:14689): avc:  denied  { signal } for  pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process


type=SYSCALL msg=audit(1414504423.908:14689): arch=x86_64 syscall=kill success=yes exit=0 a0=dac8 a1=f a2=0 a3=7fffcfd28a20 items=0 ppid=1 pid=55983 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm=keystone-all exe=/usr/bin/python2.7 subj=system_u:system_r:keystone_t:s0 key=(null)

Hash: keystone-all,keystone_t,keystone_t,process,signal
Comment 1 Mike Abrams 2014-10-30 07:16:16 UTC 
Upon running this scenario, the only AVC that exists is here:

[root@lynx01 ~]# grep AVC /var/log/audit/audit.log
type=USER_AVC msg=audit(1414649381.064:23845): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=31)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1414649384.338:23884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=32)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[root@lynx01 ~]#

...no 'avc denied' exists.
Comment 2 Nir Magnezi 2014-11-12 12:30:52 UTC 
I just reproduced it again with openstack-selinux-0.5.19-2.el7ost.noarch
Comment 3 Chandan Kumar 2016-05-19 16:05:40 UTC 
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.