Bug 1243039

Summary: Undercloud deployment with SSL fails over SELinux enforcing (over: keepalived)
Product: Red Hat OpenStack Reporter: Omri Hochman <ohochman>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Alexander Chuzhoy <sasha>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: bperkins, calfonso, dwalsh, jschluet, jslagle, kbasil, lhh, mburns, mgrepl, rhel-osp-director-maint, sasha, sclewis, yeylon
Target Milestone: ga   
Target Release: 7.0 (Kilo)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.37-1.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1242660 Environment:
Last Closed: 2015-08-05 13:29:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log from permissive run
none
Patch
none
Patch w/ unit test none

Description Omri Hochman 2015-07-14 15:27:58 UTC 
According to comment #3 we have openstack-selinux issue :
---------------------------------------------------------
It looks as though keepalived should transition to systemctl.  However, I'd prefer if keepalived is calling a specific script prior to systemctl that it do that (and then that transition to systemctl) instead.


+++ This bug was initially created as a clone of Bug #1242660 +++

Undercloud deployment with SSL fails over SELinux enforcing ( ssl cert needs to be readable by haproxy.) 


Environment:
-------------
instack-undercloud-2.1.2-19.el7ost.noarch
instack-0.0.7-1.el7ost.noarch
selinux-policy-3.13.1-23.el7_1.7.noarch
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
libselinux-python-2.2.2-6.el7.x86_64
openstack-selinux-0.6.35-3.el7ost.noarch



Description:
-------------
When attempting to deploy undercloud with SSL and SELinux is enforcing - the unmdercloud deployment fails - it happens becuase ssl cert needs to be readable by haproxy - we should add explicit/specific role for that and not ask the user to switch SELinux to permissive. 

Steps: 
-------
Attempt to deploy udnercloud with SSL (with SELinux in enforcing) 


Results  ( undercloud deployment fails ) :
----------
2015-07-13 17:24:00 - requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 192.168.0.1
2015-07-13 17:24:00 - requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 192.168.0.1
The following cert files already exist, use --rebuild to remove the existing files before regenerating:
                                                                                                       /etc/keystone/ssl/certs/ca.pem already exists
                                                                                                                                                    /etc/keystone/ssl/private/signing_key.pem already exists
                                              /etc/keystone/ssl/certs/signing_cert.pem already exists
                                                                                                     Connection to 192.168.0.1 closed.
PKI initialization in init-keystone is deprecated and will be removed.
+ openstack role show ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://192.168.0.1:13000/v2.0/tokens
+ openstack role create ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://192.168.0.1:13000/v2.0/tokens
[2015-07-13 17:24:03,732] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]

[2015-07-13 17:24:03,733] (os-refresh-config) [ERROR] Aborting...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command
    raise RuntimeError('%s failed. See log for details.', name)
RuntimeError: ('%s failed. See log for details.', 'os-refresh-config')
ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1
[stack@rhos-compute-node-18 ~]$ sudo cd  /var/log/audit/
 


Audit.log
----------
type=AVC msg=audit(1436822812.309:2362): avc:  denied  { getattr } for  pid=12084 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system
_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822812.309:2362): arch=c000003e syscall=4 success=no exit=-13 a0=d82ae0 a1=7fffb7123a10 a2=7fffb7123a10 a3=8 items=0 ppid=12083 pid
=12084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:
keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822814.310:2363): avc:  denied  { getattr } for  pid=12087 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system
_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822814.310:2363): arch=c000003e syscall=4 success=no exit=-13 a0=17d8ae0 a1=7fff988dca80 a2=7fff988dca80 a3=8 items=0 ppid=12086 pi
d=12087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r
:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822816.311:2364): avc:  denied  { getattr } for  pid=12093 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system
_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822816.311:2364): arch=c000003e syscall=4 success=no exit=-13 a0=abdae0 a1=7fffc9833b60 a2=7fffc9833b60 a3=8 items=0 ppid=12092 pid
=12093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:
keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822818.312:2365): avc:  denied  { getattr } for  pid=12096 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system
_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822818.312:2365): arch=c000003e syscall=4 success=no exit=-13 a0=215eae0 a1=7fff133a97f0 a2=7fff133a97f0 a3=8 items=0 ppid=12095 pi
d=12096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r
:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822820.313:2366): avc:  denied  { getattr } for  pid=12104 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822820.313:2366): arch=c000003e syscall=4 success=no exit=-13 a0=1830ae0 a1=7fff90eb2f10 a2=7fff90eb2f10 a3=8 items=0 ppid=12103 pid=12104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)

--- Additional comment from Omri Hochman on 2015-07-13 17:45:13 EDT ---



--- Additional comment from Lon Hohberger on 2015-07-14 09:08:56 EDT ---

Hi,

We need to understand how keepalived is calling systemctl.  Is this intentional?

--- Additional comment from Lon Hohberger on 2015-07-14 09:15:40 EDT ---

It looks as though keepalived should transition to systemctl.  However, I'd prefer if keepalived is calling a specific script prior to systemctl that it do that (and then that transition to systemctl) instead.
Comment 4 Lon Hohberger 2015-07-15 16:07:59 UTC 
Created attachment 1052381 [details]
audit.log from permissive run
Comment 5 Lon Hohberger 2015-07-15 16:08:18 UTC 
#============= keepalived_t ==============
allow keepalived_t cgroup_t:dir { read search open };
allow keepalived_t cgroup_t:file { read getattr open };
allow keepalived_t init_t:unix_stream_socket connectto;
allow keepalived_t syslogd_var_run_t:dir read;
allow keepalived_t syslogd_var_run_t:file { read getattr open };
allow keepalived_t systemd_systemctl_exec_t:file { read getattr open execute execute_no_trans };
allow keepalived_t tmpfs_t:filesystem getattr;
Comment 7 Daniel Walsh 2015-07-16 17:39:28 UTC 
What Services is keepalived trying to restart?  Any reason that systemd does not do this itself?
Comment 8 Lon Hohberger 2015-07-16 17:50:31 UTC 
Created attachment 1052789 [details]
Patch
Comment 9 Lon Hohberger 2015-07-16 17:53:35 UTC 
Created attachment 1052792 [details]
Patch w/ unit test
Comment 11 Alexander Chuzhoy 2015-07-16 20:40:35 UTC 
Verified: FailedQA

Environment:
openstack-selinux-0.6.36-1.el7ost.noarch


The following is shown in the audit.log when running "openstack undercloud install" with selinux is enforced:
type=USER_AVC msg=audit(1437078679.793:1574): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'                          
type=USER_AVC msg=audit(1437078681.794:1580): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Comment 12 Lon Hohberger 2015-07-16 20:58:48 UTC 
Patch should be simply allowing this for keepalived:

  systemd_status_all_unit_files
Comment 13 Lon Hohberger 2015-07-16 22:15:34 UTC 
Respinned with a simpler policy that transitions to a keepalived-specific, unconfined domain when executing systemctl from keepalived.  This prevents (presumably) systemd from throwing a USER_AVC when keepalived_t requests status for a service, and is not haproxy-specific.
Comment 14 Lon Hohberger 2015-07-16 22:18:56 UTC 
Dan, the configuration is effectively a 1-node load balancer that uses keepalived to monitor haproxy.  When haproxy is active, keepalived starts to VIPs that then are used by haproxy so haproxy can perform HTTPS termination or plain-hane HTTP forwarding to local openstack services.

I'm not sure why this configuration was chosen over a simpler configuration where systemd monitors/restarts haproxy itself and have the system start the VIPs on startup (obviating the need for keepalived).
Comment 16 Alexander Chuzhoy 2015-07-21 18:18:48 UTC 
Verified:
Environment: instack-undercloud-2.1.2-21.el7ost.noarch

1. Enabled SSL on the undercloud
2. Copied the cert file test.pem to /etc/haproxy dir
3. Edited the undercloud.conf file with "undercloud_service_certificate = /etc/haproxy/test.pem"
4. Ran "openstack undercloud install"


The undercloud deployment completed with no errors.
Comment 18 errata-xmlrpc 2015-08-05 13:29:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548