Bug 1349194

Summary: SELinux on Ceph OSD nodes should be in enforcing mode
Product: Red Hat OpenStack
Reporter: Karl Hastings <kazen>
Component: openstack-tripleo-heat-templates
Assignee: Giulio Fidente <gfidente>
Status: CLOSED CURRENTRELEASE
QA Contact: Yogev Rabl <yrabl>
Severity: medium
Priority: high
Version: 9.0 (Mitaka)
CC: arkady_kanevsky, branto, cdevine, christopher_dearborn, david_paterson, gfidente, icolle, jdurgin, joherr, John_walsh, jomurphy, kbader, kdreyer, kschinck, kurt_hey, lhh, mburns, morazi, nlevine, randy_perryman, rhel-osp-director-maint, rsussman, scohen, seb, smerrow, sreichar, srevivo, sumedh_sathaye, tvignaud, wusui
Target Milestone: async   
Target Release: 9.0 (Mitaka)   
Hardware: All   
OS: Linux   
Clone Of: 1346401
Clones: 1379751
Last Closed: 2017-02-15 15:56:53 UTC
Type: Bug
Bug Depends On: 1379751, 1379797
Bug Blocks: 1305654
Attachments: audit.log for ceph selinux (attachment 1184400)

Comment 1 Sean Cohen 2016-07-13 19:18:22 UTC
*** Bug 1346401 has been marked as a duplicate of this bug. ***

Comment 2 Karl Hastings 2016-07-22 15:23:52 UTC
SELinux has been supported on MON and OSD nodes since ceph 1.3.2 according to BZ#1159756 and RHBA-2016:0313.

One important thing to note: you must install the ceph-selinux rpm. That rpm contains the policy modules SELinux needs.

ceph-selinux is available from the rhel-7-server-rhceph-1.3-osd-rpms repo on the CDN.

Comment 3 Ken Dreyer (Red Hat) 2016-07-25 15:11:59 UTC
That's correct, SELinux is now supported in enforcing mode in the latest versions of RH Ceph Storage.

Comment 4 seb 2016-07-26 12:40:57 UTC
Karl, does installing this ceph-selinux package solve all of your issues?

Comment 5 Karl Hastings 2016-07-26 17:27:42 UTC
Kurt,

Can you verify that with the ceph-selinux package installed and the proper "ceph_osd_selinux_permissive: false" setting in the Heat template everything is working as expected?

i.e. SELinux is enabled in enforcing mode and there are no ceph related AVC messages in the audit log.

Comment 6 Kurt Hey 2016-07-26 22:57:49 UTC
It appears to work with the following 2 changes:

1) Added the installation of the ceph-selinux package to the custom overcloud image we create

2) Added ceph_osd_selinux_permissive: false in the dell-environment.yaml file under:

parameter_defaults:
    CephStorageExtraConfig:


After the overcloud was deployed, sestatus now shows:

[root@r7-13g-cephstorage-2 audit]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Don't know what I am looking for in the audit.log so I have added it as an attachment. I see some AVC denied messages but will let someone at RH take a look.

Comment 7 Kurt Hey 2016-07-26 22:59:25 UTC
Created attachment 1184400 [details]
audit.log for ceph selinux

The audit.log from one of my storage nodes with selinux set to enforcing.

Comment 8 Karl Hastings 2016-07-27 01:32:12 UTC
$ grep AVC audit.log | cut -f13- -d' ' | sort | uniq
comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="sdy2" ino=51383 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="sdy2" ino=51383 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file


So restorecon runs and tries and fails to update the context on the file /var/lib/ceph/tmp/ceph-disk.activate.lock

I don't think that will cause any problems, but it would be nice to have confirmation by an SELinux or Ceph person.

I'd be curious to see the output of:
ls -laZ /var/lib/ceph/tmp/
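The `grep AVC | cut -f13- | sort | uniq` pipeline above is a quick way to collapse an audit.log into its distinct denials. As an added example (not code from this bug, from Red Hat or from the Ceph project), the Python below does the same thing with a real parser of AVC records: it extracts the fields, counts distinct denials, and separates denials raised by a Ceph daemon domain from the restorecon/setfiles_t ones seen here. The sample audit lines are constructed for the example, modelled on the two quoted in this comment; the permission names, pids, timestamps and the extra ceph-osd line are made up, and `ceph_t` is assumed to be the daemon domain shipped by ceph-selinux.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the attachment). The first
# three AVC lines mirror the restorecon denials quoted in comment 8, with
# the two scontext variants that made `sort | uniq` print two lines; the
# last one is an invented denial from the OSD daemon domain itself.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1469573001.123:4567): avc:  denied  { relabelto } for  pid=1234 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="sdy2" ino=51383 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1469573001.123:4567): arch=c000003e syscall=188 success=no exit=-13 comm="restorecon"
type=AVC msg=audit(1469573002.456:4570): avc:  denied  { relabelto } for  pid=1240 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="sdy2" ino=51383 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1469573003.789:4580): avc:  denied  { relabelto } for  pid=1255 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="sdy2" ino=51383 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1469573010.000:4600): avc:  denied  { read } for  pid=2000 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/whoami" dev="sdb1" ino=12 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Header of a kernel AVC record: type, audit(timestamp:serial), decision,
# the permission set in braces, then the key=value tail after "for".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path, dev) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed: the process domain ceph-selinux confines the daemons in.
CEPH_DOMAINS = {"ceph_t"}


def parse_avc(line):
    """Return a dict of fields for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(context):
    """system_u:system_r:setfiles_t:s0-s0:c0.c1023 -> setfiles_t (drops user, role, MLS range)."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Count distinct denials, keyed by (comm, perms, path, source type, target type, tclass).

    Unlike `cut | sort | uniq`, this groups on the SELinux *type* only, so the
    s0 and s0-s0:c0.c1023 variants of the same denial fall into one bucket."""
    counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (
            rec.get("comm"),
            " ".join(rec["perms"]),
            rec.get("path", rec.get("name", "?")),
            context_type(rec["scontext"]),
            context_type(rec["tcontext"]),
            rec["tclass"],
        )
        counter[key] += 1
    return counter


def ceph_daemon_denials(log_text):
    """Denials whose *source* domain is a Ceph daemon: the kind comment 5 says must be absent."""
    return [k for k in summarize_denials(log_text) if k[3] in CEPH_DOMAINS]


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        comm, perms, path, stype, ttype, tclass = key
        print(f"{n:4d}  {comm:<12} {{ {perms} }} {stype} -> {ttype}:{tclass}  {path}")
    print("ceph daemon denials:", ceph_daemon_denials(SAMPLE_AUDIT_LOG))
```

Run it against a real file with `summarize_denials(open("/var/log/audit/audit.log").read())`. Two things in the output are worth reading off: a denial whose source type is `setfiles_t` is the relabel tooling, not Ceph itself, whereas anything sourced from the daemon domain means the OSD was actually blocked; and a target type of `var_lib_t` on a path under /var/lib/ceph means the file never received the `ceph_var_lib_t` label that comment 11 shows on a correctly labelled host.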

Comment 9 Ken Dreyer (Red Hat) 2016-07-27 01:52:09 UTC
(In reply to Karl Hastings from comment #8)
> I don't think that will cause any problems, but it would be nice to have
> confirmation by an SELinux or Ceph person.

Boris, is this something new to fix in RHCS 1.3 / 2?

Comment 11 seb 2016-07-27 09:48:48 UTC
@Karl on another system here's the output you asked for:

[root@ceph-osd-01 ~]# ls -laZ /var/lib/ceph/tmp/
drwxr-x---. ceph ceph system_u:object_r:ceph_var_lib_t:s0 .
drwxr-x---. ceph ceph system_u:object_r:ceph_var_lib_t:s0 ..
-rw-r--r--. root root system_u:object_r:ceph_var_lib_t:s0 ceph-disk.activate.lock
-rw-r--r--. root root unconfined_u:object_r:ceph_var_lib_t:s0 ceph-disk.prepare.lock

On this system (CentOS 7.2) ceph-selinux is installed, OSDs are running.
I looked at the audit.log and cannot see the error on /var/lib/ceph/tmp/ceph-disk.activate.lock

Hope that helps.

Comment 13 Kurt Hey 2016-07-29 16:26:32 UTC
Worked with Steve Reichard to determine if the AVC messages we are seeing are ok. He had me run a few commands to see what labels were being placed on particular files.

semanage fcontext -l | grep ceph -> This shows no output. Should there be?


[root@r7-13g-cephstorage-0 tmp]# ls -la -Z
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   ceph-disk.activate.lock
-rw-r--r--. root root system_u:object_r:var_lib_t:s0   ceph-disk.prepare.lock
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 kurt

Version of ceph-selinux on a storage node:

[root@r7-13g-cephstorage-0 tmp]# rpm -qa | grep ceph-selinux
ceph-selinux-0.94.5-14.el7cp.x86_64

Comment 14 Boris Ranto 2016-08-01 12:35:58 UTC
What is the underlying system? Does this fail by any chance on RHEL 7.3? Our re-labelling scripts don't work properly with 7.3 (the SELinux user-space was rebased in 7.3) and this could be related to that. There is bz1360444 for that.

Comment 15 Kurt Hey 2016-08-01 13:41:55 UTC
It is running RHEL 7.2

Comment 23 Giulio Fidente 2016-09-20 20:00:47 UTC
ceph 1.3.x packages do not pull ceph-selinux as a dependency, while the ceph 2.x packages do

we need to include ceph-selinux explicitly in the list of packages to be installed in the overcloud image for ospd9 (though not in the ospd10 image)

I will move the BZ back into ON_DEV and link the additional submission

Comment 24 Giulio Fidente 2016-09-21 18:12:11 UTC
Karl, we *can* install ceph-selinux explicitly via Director but, should we add ceph-selinux as a dependency also to the 1.3.x Ceph RPMs, as it happens already for the 2.0 RPMs?

Comment 25 Karl Hastings 2016-09-21 18:22:14 UTC
Personally, I hate to muck with rpm dependencies mid release.  My vote would be to add it to the image only.  But I'd defer to someone else if they felt strongly about it.

Comment 26 Ken Dreyer (Red Hat) 2016-09-21 19:01:03 UTC
IIRC this was an explicit decision to not set the hard dependency until RHCS 2.

Comment 30 Thierry Vignaud 2016-09-26 13:31:07 UTC
Yes, that would be better.
It can be a cloned bug.