Bug 1284672
Summary: | /usr/bin/clustercheck returned 1 instead of one of 0 | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Derek Higgins <derekh>
Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise>
Status: | CLOSED WORKSFORME | QA Contact: | yeylon <yeylon>
Severity: | high | Docs Contact: |
Priority: | unspecified | |
Version: | 7.0 (Kilo) | CC: | lhh, mburns, mgrepl, rhel-osp-director-maint, srevivo, yeylon
Target Milestone: | z3 | Keywords: | ZStream
Target Release: | 7.0 (Kilo) | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-12-10 15:06:45 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Derek Higgins
2015-11-23 21:01:42 UTC
These are all fixed with the 'haproxy_connect_any' bool which is already turned on. Verify that with `getsebool haproxy_connect_any`.

```
allow haproxy_t geneve_port_t:tcp_socket name_bind;
allow haproxy_t glance_port_t:tcp_socket name_bind;
allow haproxy_t glance_registry_port_t:tcp_socket name_bind;
allow haproxy_t mysqld_port_t:tcp_socket name_bind;
allow haproxy_t neutron_port_t:tcp_socket name_bind;
allow haproxy_t osapi_compute_port_t:tcp_socket name_bind;
allow haproxy_t redis_port_t:tcp_socket name_bind;
allow haproxy_t soundd_port_t:tcp_socket name_bind;
allow haproxy_t unreserved_port_t:tcp_socket name_bind;
```

These don't look related.

```
allow NetworkManager_t var_run_t:file read;
allow dhcpc_t var_run_t:file { read write };
```

These are likely the culprit:

```
allow mysqld_safe_t cluster_tmp_t:file write;
allow mysqld_safe_t cluster_var_lib_t:dir read;
```

```
type=AVC msg=audit(1448300619.049:156): avc: denied { write } for pid=30790 comm="mysqld_safe" path="/tmp/tmp.3eZRnSANSZ" dev="sda2" ino=26429760 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
	Was caused by:
	Unknown - would be allowed by active policy
	Possible mismatch between this policy and the one under which the audit message was generated.
	Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1448300621.547:157): avc: denied { read } for pid=31659 comm="mysqld_safe" name="cores" dev="sda2" ino=26693278 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=dir
	Was caused by:
	Unknown - would be allowed by active policy
	Possible mismatch between this policy and the one under which the audit message was generated.
	Possible mismatch between current in-memory boolean settings vs. permanent ones.
```

These AVCs are allowed by this boolean, and 0.6.47 does not change anything behavior-wise:

```
daemons_enable_cluster_mode --> on
```

These are set to on when openstack-selinux is installed. All of those AVCs except the first handful (which do not appear relevant) are handled by 0.6.46. It's almost as if openstack-selinux wasn't installed, or was installed after the AVCs were generated.

Ignore 0.6.47. I was testing incorrectly. I don't know what the issue here is, though.

```
type=AVC msg=audit(1448357287.289:77): avc: denied { read } for pid=574 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1448357287.289:77): avc: denied { open } for pid=574 comm="NetworkManager" path="/run/dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1448357287.290:78): avc: denied { getattr } for pid=574 comm="NetworkManager" path="/run/dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1448357287.290:79): avc: denied { signal } for pid=574 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(1448357287.291:80): avc: denied { signull } for pid=574 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(1448357287.295:81): avc: denied { unlink } for pid=574 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
```

Few others reported by derekh. Something's setting up NetworkManager and/or files incorrectly here. I do think the AVCs Derek noted are valid - just they would not happen with openstack-selinux properly installed. I have to wonder if the image has a broken setup or something?

It was an image I generated myself; if others aren't seeing a problem I'm happy to close this based on the assumption my image may have had problems.
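The discussion above moves between raw `type=AVC` records, the `allow` rules they collapse into, and the booleans that already permit them. The following script is an added example, not code from this report or from openstack-selinux: it parses AVC records the way audit2allow groups them, merges the permissions per (source type, target type, class) into one `allow` rule, and tags each rule with the boolean the comments above say covers it (that mapping is transcribed from the comments, not from the policy sources). `SAMPLE_AVCS` holds the records quoted in the report plus one constructed haproxy `name_bind` denial to exercise the `haproxy_connect_any` case.

```python
"""Aggregate SELinux AVC denials into allow rules and flag the ones a
boolean already covers.

Added example, not code from the bug report or openstack-selinux.
"""
import re
from collections import defaultdict

# The permission set is the braced list after "denied"; everything else in
# an audit record is a space-separated key=value pair (values may be quoted).
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC record,
    or None when the line is not an AVC denial."""
    m = _DENIED.search(line)
    if m is None:
        return None
    perms = frozenset(m.group(1).split())
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def merge_denials(lines):
    """Group records by (source, target, class), unioning their permissions."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def format_rule(stype, ttype, tclass, perms):
    """Render one rule in the audit2allow style used in the report."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def allow_rules(lines):
    return [format_rule(*key, perms)
            for key, perms in sorted(merge_denials(lines).items())]


def suspected_boolean(stype, ttype, tclass, perms):
    """Name the boolean that, according to the comments in this report,
    already permits the denial, or None. Transcribed from the discussion,
    not from the policy sources; confirm on the host with `getsebool`."""
    if stype == "haproxy_t" and tclass == "tcp_socket" and perms == {"name_bind"}:
        return "haproxy_connect_any"
    if stype == "mysqld_safe_t" and ttype.startswith("cluster_"):
        return "daemons_enable_cluster_mode"
    return None


def triage(lines):
    """Pair each merged rule with its suspected boolean so that the rules
    with no known boolean (None) stand out as genuinely unexplained."""
    return [(format_rule(*key, perms), suspected_boolean(*key, perms))
            for key, perms in sorted(merge_denials(lines).items())]


# Records 156, 157 and 77-81 are quoted from the report; the haproxy record
# at the end is constructed for this example.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1448300619.049:156): avc: denied { write } for pid=30790 comm="mysqld_safe" path="/tmp/tmp.3eZRnSANSZ" dev="sda2" ino=26429760 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1448300621.547:157): avc: denied { read } for pid=31659 comm="mysqld_safe" name="cores" dev="sda2" ino=26693278 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1448357287.289:77): avc: denied { read } for pid=574 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1448357287.289:77): avc: denied { open } for pid=574 comm="NetworkManager" path="/run/dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1448357287.290:78): avc: denied { getattr } for pid=574 comm="NetworkManager" path="/run/dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1448357287.290:79): avc: denied { signal } for pid=574 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process',
    'type=AVC msg=audit(1448357287.291:80): avc: denied { signull } for pid=574 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process',
    'type=AVC msg=audit(1448357287.295:81): avc: denied { unlink } for pid=574 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=30502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    # constructed, not from the report
    'type=AVC msg=audit(0000000000.000:1): avc: denied { name_bind } for pid=1 comm="haproxy" src=3306 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for rule, boolean in triage(SAMPLE_AVCS):
        print(f"{rule:<75} {boolean or 'no known boolean'}")
```

Run on the report's records, the script reproduces the two `mysqld_safe_t` rules and the two merged `NetworkManager_t` rules quoted above; the NetworkManager rules come back with no boolean, which is the same conclusion the thread reaches by hand. It is a triage aid only: a rule tagged with a boolean still needs `getsebool` on the affected host, since the thread's own diagnosis is a mismatch between the policy and the boolean state under which the denials were logged.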