Bug 1233063

Summary: rhel-osp-director: overcloud runs with selinux in permissive mode
Product: Red Hat OpenStack
Reporter: Ofer Blaut <oblaut>
Component: python-rdomanager-oscplugin
Assignee: James Slagle <jslagle>
Status: CLOSED ERRATA
QA Contact: Ofer Blaut <oblaut>
Severity: high
Priority: high
Version: Director
CC: calfonso, jslagle, kbasil, mburns, oblaut, ohochman, rhel-osp-director-maint
Target Milestone: ga
Keywords: Triaged
Target Release: Director
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-rdomanager-oscplugin-0.0.8-14.el7ost instack-undercloud-2.1.2-7.el7ost
Doc Type: Bug Fix
Last Closed: 2015-08-05 13:54:35 UTC
Type: Bug

Description Ofer Blaut 2015-06-18 07:25:31 UTC
Description of problem:

SELinux is running in permissive mode in the overcloud.

[stack@puma33 ~]$ nova list
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| ID                                   | Name                   | Status | Task State | Power State | Networks            |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| c938355a-bace-47b8-ab65-45d930ca7501 | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.15 |
| 9767ba09-739b-41a2-95a0-9248d0d77ced | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.17 |
| fd51d043-6c6c-4c1f-a089-037025ec7cfa | overcloud-controller-1 | ACTIVE | -          | Running     | ctlplane=192.0.2.16 |
| db7a5c5a-9990-4f9a-a472-919a3a284e31 | overcloud-controller-2 | ACTIVE | -          | Running     | ctlplane=192.0.2.18 |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
[stack@puma33 ~]$ ssh heat-admin@192.0.2.15
Last login: Thu Jun 18 02:26:29 2015 from 192.0.2.1
[heat-admin@overcloud-compute-0 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-compute-0 ~]$ exit
logout
Connection to 192.0.2.15 closed.
[stack@puma33 ~]$ ssh heat-admin@192.0.2.16
Last login: Thu Jun 18 02:58:37 2015 from 192.0.2.1
[heat-admin@overcloud-controller-1 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-controller-1 ~]$ 




Version-Release number of selected component (if applicable):

instack-undercloud-2.1.2-1.el7ost.noarch


How reproducible:


Steps to Reproduce:
1. Log in to the overcloud hosts (controllers and computes)
2. Check the SELinux status

Actual results:


Expected results:


Additional info:

Comment 2 Mike Burns 2015-06-18 09:38:40 UTC
Changing summary -- it's not dependent on HA vs non-HA

Comment 3 James Slagle 2015-06-19 17:12:19 UTC
Fix in both instack-build-images and unified CLI

Comment 4 James Slagle 2015-06-24 21:16:53 UTC
I've manually tested with the images from http://rhos-release.virt.bos.redhat.com/mburns/2015-06-24.1/images/

I edited overcloud-full.qcow2 and set selinux=enforcing and was able to deploy an Overcloud.

python-rdomanager-oscplugin patch: https://review.gerrithub.io/237539
instack-undercloud patch: https://review.gerrithub.io/237540

Comment 6 Omri Hochman 2015-07-02 21:29:14 UTC
Verified:
python-rdomanager-oscplugin-0.0.8-18.el7ost.noarch,
instack-undercloud-2.1.2-11.el7ost.noarch

Comment 8 errata-xmlrpc 2015-08-05 13:54:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
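
The manual check from the description (running `sudo sestatus` on each overcloud node), written as a reusable verdict function. This is an added example, not part of the original bug report or of the director tooling; the function names `selinux_verdict` and `check_node`, the verdict words, and the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `sestatus` output.
# Reads sestatus text on stdin and prints one verdict word:
#   enforcing  - running and configured as enforcing
#   permissive - running and configured as permissive (the state in this bug)
#   drift      - runtime mode and config file disagree; a reboot changes the mode
#   disabled   - SELinux is off
#   unknown    - the expected fields were not found
selinux_verdict() {
    awk -F': *' '
        function trim(s) { sub(/[ \t\r]+$/, "", s); return s }
        /^SELinux status:/        { status  = trim($2) }
        /^Current mode:/          { current = trim($2) }
        /^Mode from config file:/ { config  = trim($2) }
        END {
            if (status == "disabled")               print "disabled"
            else if (current == "" || config == "") print "unknown"
            else if (current != config)             print "drift"
            else if (current == "enforcing")        print "enforcing"
            else if (current == "permissive")       print "permissive"
            else                                    print "unknown"
        }'
}

# Print "<label>: <verdict>" and return non-zero unless the verdict is enforcing.
check_node() {
    label=$1
    verdict=$(selinux_verdict)
    printf '%s: %s\n' "$label" "$verdict"
    [ "$verdict" = "enforcing" ]
}

# Sample input: the relevant fields as reported for overcloud-compute-0.
SAMPLE_REPORTED='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          permissive'

# Constructed sample: runtime switched to enforcing, config file still permissive.
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive'

# Demo run over the embedded samples (|| true keeps the script exit status 0).
printf '%s\n' "$SAMPLE_REPORTED" | check_node overcloud-compute-0 || true
printf '%s\n' "$SAMPLE_DRIFT" | check_node constructed-node || true
```

On a live deployment the same function can be fed from the command used in the description, for example `ssh heat-admin@192.0.2.15 sudo sestatus | check_node overcloud-compute-0`.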