Bug 1393320
Summary: | SELinux boolean deny_execmem crashes CFME installation (container) | |
---|---|---|---
Product: | Red Hat CloudForms Management Engine | Reporter: | Akram Ben Aissi <abenaiss>
Component: | cfme-container | Assignee: | Franco Bladilo <fbladilo>
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Einat Pacifici <epacific>
Severity: | low | Docs Contact: | Red Hat CloudForms Documentation <cloudforms-docs>
Priority: | low | |
Version: | 5.6.0 | CC: | abenaiss, bazulay, dajohnso, dwalsh, fbladilo, fweimer, jhardy
Target Milestone: | GA | |
Target Release: | cfme-future | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | container | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2016-12-05 15:25:09 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | Container Management | Target Upstream Version: |
Embargoed: | | |
Description
Akram Ben Aissi
2016-11-09 10:26:38 UTC
I suspect the ffi ruby library to trigger this. This lib is doing mmap PROT_READ calls which now may be blocked by deny_execmem. In audit.log, I have:

type=AVC msg=audit(1478684500.072:110316): avc: denied { execmem } for pid=115750 comm="ruby" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=process

Akram, Yes, deny_execmem is something that was enabled in recent errata. ffi seems to have routines to auto-detect selinux, but they are probably not working properly inside containers since selinux would appear disabled. This issue is not limited to CFME; it will affect any application attempting to use ruby ffi inside containers. I wonder if this is something we can handle with docker-selinux. I would prefer not to disable this for container types in general.

Why not just disable the boolean.

Dan, It might be feasible to document and make users actually disable the boolean before attempting to run on docker hosts, but this is problematic for OpenShift users, as they have no control over the nodes or cluster in general, and it will prevent them from running unless the cluster admin grants the settings change cluster-wide or labels specially configured nodes for this type of deployment.

If this is actually a bug in the selinux-policy update then OpenShift should make sure the boolean is turned off within its Ansible Playbooks.

Akram, I tested the latest version on RHEL 7.2 (upgraded to the latest packages), used selinux-policy-3.13.1-102.el7_3.4 and

# getsebool -a | grep deny_execmem
deny_execmem --> off

and succeeded running the latest docker image. Please specify what version of selinux/docker you are using.

Closing this bug as the info was not supplied. In case it comes up again please reopen.