Bug 1384472
| Field | Value |
|---|---|
| Summary | /var/lock/iscsi some cases has wrong selinux label |
| Product | Red Hat OpenStack |
| Component | openstack-selinux |
| Version | 10.0 (Newton) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Attila Fazekas <afazekas> |
| Assignee | Lon Hohberger <lhh> |
| QA Contact | lkuchlan <lkuchlan> |
| CC | agrover, jschluet, lhh, mgrepl, sclewis, srevivo |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | urgent |
| Keywords | AutomationBlocker, Triaged |
| Target Milestone | rc |
| Target Release | 10.0 (Newton) |
| Fixed In Version | openstack-selinux-0.7.12-1.el7ost |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2016-12-14 16:18:41 UTC |
Description
Attila Fazekas
2016-10-13 10:58:49 UTC
If the 'Expected results' is not doable (install the /var/lock/iscsi), please reassign this to openstack-selinux.

/var/lock/iscsi/ is on a tmpfs; the package cannot fix this, moving to openstack-selinux.

/var/lock/iscsi is a %ghost file, owned by the package but not installed, because /var/lock is tmpfs, introduced in i-i-utils in bug 656605. The file should still be created with the correct selinux context, let's move to openstack-selinux to investigate further.

The issue does not happen in a tripleo deployed system (at least not seen so far), it happens with a packstack deployed one. The two configs may differ for ex. in rootwrap settings. Can a restorecon be run after that package is installed with packstack?

The file does not exist just after installation, restorecon has nothing to change.

```
[cloud-user@n471jnaio-1 ~]$ sudo restorecon -R -v /var/lock
restorecon: Warning no default label for /run/lock/subsys
restorecon: Warning no default label for /run/lock/subsys/rhnsd
restorecon: Warning no default label for /run/lock/subsys/network
[cloud-user@n471jnaio-1 ~]$ ls -lZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_lock_t:s0 /var/lock -> ../run/lock
[cloud-user@n471jnaio-1 ~]$ ls -lZ /var/lock/
-rw-r--r--. root root system_u:object_r:kdump_lock_t:s0 kdump
drwxrwxr-x. root lock system_u:object_r:lockdev_lock_t:s0 lockdev
drwx------. root root system_u:object_r:lvm_lock_t:s0 lvm
drwxr-xr-x. root root system_u:object_r:pppd_lock_t:s0 ppp
drwxr-xr-x. root root system_u:object_r:var_lock_t:s0 subsys
```

I have two CI jobs, both expected to do the same setup; one runs fewer tempest tests -> no selinux issue. The other runs more, and we have the selinux issue. So far I failed to connect the issue to a particular test case.

`sudo systemd-tmpfiles --create` also works as expected.

What else can touch these files? What else can be in the background? I'll try to use some tracer to find out what is happening..
```
$ sudo rm -Rf /var/lock/iscsi/
$ ostestr -r tempest.api.volume.admin.test_volumes_backup.VolumesBackupsAdminV1Test # passes
$ sudo ls -lZ /var/lock/iscsi/
-rw-------. root root system_u:object_r:var_lock_t:s0 lock # WRONG
```

After the above test the `ostestr -r minimum` fails, lock access rejected by selinux. If the `ostestr -r minimum` ran first, the label would be correct, and even the tempest.api.volume.admin.test_volumes_backup.VolumesBackupsAdminV1Test does not make it wrong.

IMHO even if the lock file is ghost and on tmpfs, the package could have created it at install time (post script), instead of waiting for the next reboot/systemd-tmpfiles to do so.

In the tripleo setups we have the nova-compute and the cinder-backup on different nodes so they cannot cause harm to each other, also the iscsi-initiator-utils-iscsiuio is part of the base image, so the lock file will be there at boot time.

It is very likely the cinder-backup service initiated the wrong lock file creation. You can have a wrongly labeled lock file by:

```
$ sudo rm -Rf /var/lock/iscsi/ ; cinder backup-create `cinder create 1 |awk '/ id /{print $4}'` ; sleep 15; sudo ls -lZ /var/lock/iscsi/
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | c067f661-cb4c-44a0-9b5d-9f69768ecfe7 |
| name      | None                                 |
| volume_id | 4cf6980d-75bd-4a1d-831f-e8312e70d784 |
+-----------+--------------------------------------+
-rw-------. root root system_u:object_r:var_lock_t:s0 lock
```

"/var/lock/iscsi" is created by a command like

```
sudo /sbin/iscsiadm iscsiadm -m node -T iqn.2010-10.org.openstack:volume-40837a86-4521-4399-b28d-359e2329f7a9 -p 192.168.1.13:3260
```

executed by the

```
/usr/bin/python /bin/privsep-helper --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf --privsep_context os_brick.privileged.default --privsep_sock_path /tmp/tmp9D1mmy/privsep.sock
```

which has the system_u:system_r:cinder_backup_t:s0 context. (The privsep-helper and cinder-backup use a socket for communication.)

If I execute the same command myself (cloud-user logged in via ssh), it creates the right lock file.

```
$ sudo rm -Rf /var/lock/iscsi/
$ sudo /sbin/iscsiadm iscsiadm -m node -T iqn.2010-10.org.openstack:volume-40837a86-4521-4399-b28d-359e2329f7a9 -p 192.168.1.13:3260
iscsiadm: No records found
$ sudo ls -lZ /var/lock/iscsi/
-rw-------. root root unconfined_u:object_r:iscsi_lock_t:s0 lock
$
```

Looks like the lock file is only wrong when it is created by an iscsiadm command which is executed by the privsep-helper which is under the cinder_backup_t.

Created attachment 1216245 [details]: Strace output during command (Gzipped)
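An added label-audit check, not from the bug report or the openstack-selinux package: it parses RHEL 7 style `ls -lZ` output and flags entries under /var/lock whose SELinux type is not the one expected, which is how the mislabelled `iscsi/lock` above shows up. The sample listing is constructed from the listings in this report, and the expected-type table is an assumption drawn from the correctly labelled listings.

```python
import re
import subprocess

# Constructed sample: the /var/lock listing from this report plus the
# mislabelled iscsi/lock entry it reproduces (var_lock_t instead of iscsi_lock_t).
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:kdump_lock_t:s0 kdump
drwxrwxr-x. root lock system_u:object_r:lockdev_lock_t:s0 lockdev
drwx------. root root system_u:object_r:lvm_lock_t:s0 lvm
drwxr-xr-x. root root system_u:object_r:pppd_lock_t:s0 ppp
drwxr-xr-x. root root system_u:object_r:var_lock_t:s0 subsys
-rw-------. root root system_u:object_r:var_lock_t:s0 iscsi/lock
"""

# Assumed expected types, taken from the correctly labelled listings in the
# report; iscsi/lock must be iscsi_lock_t for the iscsi domain to use it.
EXPECTED_TYPES = {
    "kdump": "kdump_lock_t", "lockdev": "lockdev_lock_t", "lvm": "lvm_lock_t",
    "ppp": "pppd_lock_t", "subsys": "var_lock_t", "iscsi/lock": "iscsi_lock_t",
}

# RHEL 7 `ls -lZ` layout as shown on this page: mode owner group user:role:type:level name
LS_Z_LINE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+(?P<name>.+)$"
)

def parse_ls_z(output):
    """Return (name, selinux_type) per parseable line; warnings and totals are skipped."""
    entries = []
    for line in output.splitlines():
        m = LS_Z_LINE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("type")))
    return entries

def find_mislabelled(output, expected):
    """Return (name, actual_type, expected_type) for entries carrying the wrong type."""
    return [(name, typ, expected[name]) for name, typ in parse_ls_z(output)
            if name in expected and typ != expected[name]]

def audit_live(path="/var/lock"):
    """Audit a real host's listing (RHEL 7 `ls -lZ` column layout assumed)."""
    out = subprocess.check_output(["ls", "-lZ", path]).decode()
    return find_mislabelled(out, EXPECTED_TYPES)

if __name__ == "__main__":
    for name, actual, wanted in find_mislabelled(SAMPLE_LS_Z, EXPECTED_TYPES):
        print("{0}: {1}, expected {2}; restorecon -v /var/lock/{0}".format(name, actual, wanted))
```

Run on the sample it reports only `iscsi/lock`; `restorecon` can reset the label only where a file-context rule exists for the path, which is why an empty /var/lock/iscsi gave it nothing to change above.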
It's possible writing a domain transition from cinder_backup_t to iscsi_exec_t will resolve this.
Writing a domain transition resolves this.

```
[cloud-user@9sdolxaio-1 ~(keystone_admin)]$ sudo rm -Rf /var/lock/iscsi/ ; cinder backup-create `cinder create 1 |awk '/ id /{print $4}'` ; sleep 15; sudo ls -lZ /var/lock/iscsi/
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | 980ac436-6bc1-496e-859d-eca70021d44b |
| name      | None                                 |
| volume_id | fc787e59-023d-489b-b74f-2fb55b56ebbc |
+-----------+--------------------------------------+
-rw-------. root root system_u:object_r:var_lock_t:s0 lock
[cloud-user@9sdolxaio-1 ~(keystone_admin)]$ sudo su
[root@9sdolxaio-1 cloud-user(keystone_admin)]# rpm -Uvh openstack-selinux-0.7.11-3.el7ost.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:openstack-selinux-0.7.11-3.el7ost################################# [ 50%]
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532245].
Full path required for exclude: net:[4026532339].
Full path required for exclude: net:[4026532339].
Cleaning up / removing...
   2:openstack-selinux-0.7.11-1.el7ost################################# [100%]
[root@9sdolxaio-1 cloud-user(keystone_admin)]# exit
[cloud-user@9sdolxaio-1 ~(keystone_admin)]$ sudo rm -Rf /var/lock/iscsi/ ; cinder backup-create `cinder create 1 |awk '/ id /{print $4}'` ; sleep 15; sudo ls -lZ /var/lock/iscsi/
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | 75701d1d-1f5b-49e1-9c33-5317c36ebffa |
| name      | None                                 |
| volume_id | 1e88c1e0-a357-4766-b1e3-999e1fef2334 |
+-----------+--------------------------------------+
-rw-------. root root system_u:object_r:iscsi_lock_t:s0 lock
```

Tested using: openstack-selinux-0.7.12-1.el7ost.noarch

Verification flow:

```
[stack@undercloud-0 ~]$ sudo ls -ldZ /var/lock/iscsi/
drw-------. root root system_u:object_r:var_lock_t:s0 /var/lock/iscsi/
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html