Bug 1185444

| Field | Value |
|---|---|
| Summary | selinux policy updates required for rabbitmq pacemaker resource-agent |
| Product | Red Hat OpenStack |
| Reporter | David Vossel <dvossel> |
| Component | openstack-selinux |
| Assignee | Ryan Hallisey <rhallise> |
| Status | CLOSED ERRATA |
| QA Contact | Leonid Natapov <lnatapov> |
| Severity | high |
| Priority | high |
| Version | 5.0 (RHEL 7) |
| CC | aberezin, agk, cluster-maint, cluster-qe, cwolfe, fdinitto, jeckersb, jguiditt, jherrman, lars, lhh, mburns, mgrepl, morazi, nyechiel, ohochman, rhos-maint, sasha, sclewis, srevivo, yeylon |
| Target Milestone | z1 |
| Keywords | TestOnly, ZStream |
| Target Release | 6.0 (Juno) |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | openstack-selinux-0.6.18-1.el7ost |
| Doc Type | Enhancement |
| Doc Text | This update introduces the rabbitmq-cluster resource agent for managing clustered RabbitMQ instances with the Pacemaker cluster manager. |
| Clone Of | 1184280 |
| Clones | 1185907 |
| Last Closed | 2015-03-05 18:22:38 UTC |
| Type | Bug |
| Bug Blocks | 1168755, 1177026, 1184280, 1185907, 1185909 |
```
allow systemd_logind_t cluster_t:dbus send_msg;
```

This rule really belongs in base policy.

```
type=USER_AVC msg=audit(1422033446.927:1930): pid=593 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.159 spid=591 tpid=3187 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

I've confirmed that this user_AVC is causing things to break. This looks like a base policy issue. What do you think, Mirek?

I filed bugs so that it gets fixed in selinux-policy, but in the meantime I'll build into openstack-selinux. Everything is all set to build in openstack-selinux, just need pm-ack.

(In reply to Ryan Hallisey from comment #10)
> I filed bugs so that it gets fixed in selinux-policy, but in the meantime
> I'll build into openstack-selinux.
> Everything is all set to build in openstack-selinux just need pm-ack.

I tested the scratch build. I can confirm it fixes the issue I encountered while trying to manage rabbitmq with the new pacemaker rabbitmq-cluster resource-agent.

-- David

Tested with openstack-selinux-0.6.21-1.el7ost.noarch. Created HA Neutron deployment with 3 controllers and 2 computes. No rabbitmq errors during the deployment. rabbitmq resource agent is running.
We just hit this error with openstack-selinux-0.6.21-1.el7ost.noarch on RHEL 7.0, with rabbitmq-server-3.3.5-3.el7ost.noarch and resource-agents-3.9.5-26.el7_0.7.x86_64:

```
# audit2allow -a
allow systemd_logind_t cluster_t:dbus send_msg;

# grep 'AVC.*cluster_t' /var/log/audit/audit.log
type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2415 spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

(In reply to Lars Kellogg-Stedman from comment #17)
> We just hit this error with openstack-selinux-0.6.21-1.el7ost.noarch on RHEL
> 7.0, with rabbitmq-server-3.3.5-3.el7ost.noarch and
> resource-agents-3.9.5-26.el7_0.7.x86_64:
>
> # audit2allow -a
> allow systemd_logind_t cluster_t:dbus send_msg;
>
> # grep 'AVC.*cluster_t' /var/log/audit/audit.log
> type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2415
> spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0
> tcontext=system_u:system_r:cluster_t:s0 tclass=dbus
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I don't see those errors. I am working with resource-agents-3.9.5-40.el7.1.x86_64. You are welcome to move this bug to assign again if you think the problem still exists.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0640.html
Created attachment 983497: audit-logs

Here's the problem. Pacemaker can't manage the rabbitmq-server instance using the new resource-agent created in rhbz#1184280. We need the selinux policy updated to allow the cluster to have permission to manage rabbitmq. I've updated the audit logs during a time period where the pacemaker managed the agent while selinux was set in permissive mode.

-- David
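The comments above turn on two USER_AVC records and the single allow rule that audit2allow derives from them. The following is an added example, not code from the bug report, from openstack-selinux or from audit2allow itself: it parses AVC/USER_AVC denial records the way audit2allow summarises them, merges them into allow statements, and then checks whether a candidate policy fragment covers every recorded denial, which is the check to run over an audit log captured in permissive mode before a module is shipped. The sample log is constructed (the two USER_AVC lines are the ones quoted in the comments, the SYSCALL line is invented filler to be skipped), and all function names are my own.

```python
"""Parse SELinux AVC / USER_AVC denial records and derive the allow rules
that would cover them, in the style of audit2allow output.

Added example; not code from the bug report, openstack-selinux or audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample input: the two USER_AVC lines are copied from the bug
# comments; the SYSCALL line is invented filler that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1422033446.927:1930): pid=593 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.159 spid=591 tpid=3187 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1424358149.668:9593): arch=c000003e syscall=59 success=yes exit=0 comm="rabbitmqctl"
type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2415 spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# One denial: permissions in braces, then source/target contexts and class.
# In a USER_AVC record the subj= field is dbus-daemon, which reports the
# denial on behalf of the real source; the rule must use scontext= instead.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# An allow statement as audit2allow prints it: one perm or a braced list.
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?))\s*;"
)


def context_type(ctx):
    """user:role:type[:range] -> type; index 2 survives MLS ranges like s0-s0:c0.c1023."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Return one dict per AVC/USER_AVC denial record found in audit_text."""
    denials = []
    for line in audit_text.splitlines():
        if not (line.startswith("type=AVC ") or line.startswith("type=USER_AVC ")):
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue  # e.g. 'avc: granted' records carry no denial
        denials.append({
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def parse_allow_rules(policy_text):
    """Collect the permissions granted by the allow statements in a .te fragment."""
    allowed = defaultdict(set)
    for src, tgt, cls, multi, single in RULE_RE.findall(policy_text):
        allowed[(src, tgt, cls)].update(multi.split() if multi else [single])
    return allowed


def uncovered_denials(denials, policy_text):
    """Denials that the given policy fragment does not fully allow.

    An empty list means every denial recorded in permissive mode is covered
    by the candidate module, so enforcing mode should not reintroduce them.
    """
    allowed = parse_allow_rules(policy_text)
    return [
        d for d in denials
        if not d["perms"] <= allowed[(d["source_type"], d["target_type"], d["tclass"])]
    ]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(found)} denial record(s)")
    for rule in allow_rules(found):
        print(rule)
    candidate = "allow systemd_logind_t cluster_t:dbus send_msg;"
    print("uncovered by candidate:", uncovered_denials(found, candidate))
```

Run against the sample log the script reproduces the rule in the comments, `allow systemd_logind_t cluster_t:dbus send_msg;`, and reports no uncovered denials for it. Pointing `parse_denials` at the real `/var/log/audit/audit.log` and `uncovered_denials` at the `.te` of a candidate module gives the same verification that the QA comment describes, without having to deploy and watch for rabbitmq errors first.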