Bug 1404108

Summary: avc denied: keepalived, haproxy, httpd, glance-api
Product: [Community] RDO
Reporter: Matt Young <matyoung>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED NOTABUG
QA Contact: Ofer Blaut <oblaut>
Severity: high
Docs Contact:
Priority: unspecified
Version: trunk
CC: amoralej, apevec, bperkins, jschluet, mburns, srevivo
Target Milestone: ---
Keywords: AutomationBlocker
Target Release: trunk
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-22 19:22:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments:
Description    Flags
audit log      none
audit2why log  none

Description Matt Young 2016-12-13 05:44:34 UTC
Created attachment 1231036
audit log

Description of problem:

Current RDO Newton is generating AVC denials that are failing RDO atop RHEL internal CI pipelines.

The RDO jobs are passing because SELinux is set to permissive.  audit.log and such are attached from the most recent RDO Newton.

Version-Release number of selected component (if applicable):

---

openstack-selinux-0.7.12-1.el7

Most recent green/promoted RDO job:
https://ci.centos.org/job/rdo-delorean-promote-newton/255/

Minimal job (sub-job)
https://ci.centos.org/job/tripleo-quickstart-promote-newton-delorean-minimal/203/

Logs (and attached):

https://ci.centos.org/artifacts/rdo/jenkins-tripleo-quickstart-promote-newton-delorean-minimal-203/undercloud/var/log/audit/

---

How reproducible:

All current newton tripleo-quickstart jobs are exhibiting these.  This is also causing RDO on RHEL internal tests (and likely the next OSP 10 import) to fail during undercloud install.  This is detailed here:

https://review.rdoproject.org/etherpad/p/rdo-internal-issues #72

---

We have tracked this down to having first appeared between

Last hash that worked (without these issues): newton/d8f62f5b006997b210ea0374b8b71fbd63380c6c_bd923c7a

First hash that failed:   newton/f53d6241987bbf6c261069e0a62ebabcc0a83c67_0372e742

Comment 1 Matt Young 2016-12-13 05:49:06 UTC
Created attachment 1231055
audit2why log

Comment 2 Alfredo Moralejo 2016-12-20 09:09:49 UTC
SELinux denials are not present when using CentOS 7.3 with latest openstack-selinux-0.7.13-2. I think this could be closed as notabug.
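The description notes that the RDO jobs stayed green only because SELinux was permissive. As an added example (not part of this bug report or of openstack-selinux), the sketch below shows a CI gate that summarises AVC denials from an audit.log and fails even when they were logged with permissive=1. The sample records, the function names and the result keys are constructed for illustration and are not taken from the attached logs.

```python
import re
import sys
from collections import Counter

# Constructed sample records in audit.log AVC format (not from the bug's attachments).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1481600000.101:310): avc:  denied  { name_bind } for  pid=2101 comm="haproxy" src=13000 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481600001.202:311): avc:  denied  { read } for  pid=2202 comm="keepalived" name="example.conf" dev="vda1" ino=4242 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1481600001.202:311): arch=c000003e syscall=2 success=yes exit=3 comm="keepalived"
type=AVC msg=audit(1481600002.303:312): avc:  denied  { read write } for  pid=2303 comm="httpd" name="example.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1481600003.404:313): avc:  denied  { name_bind } for  pid=2101 comm="haproxy" src=13000 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def parse_denials(text):
    """Count unique denials keyed by (comm, source type, target type, class, perms, permissive)."""
    denials = Counter()
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["comm"],
               m["scontext"].split(":")[2],   # type field of user:role:type:level
               m["tcontext"].split(":")[2],
               m["tclass"],
               tuple(m["perms"].split()),
               m["permissive"] == "1")        # absent on older kernels -> False
        denials[key] += 1
    return denials

def gate(text):
    """Fail on any denial; permissive=1 means it was logged but not enforced."""
    denials = parse_denials(text)
    masked = sum(n for key, n in denials.items() if key[5])
    return {"unique": len(denials), "total": sum(denials.values()),
            "masked_by_permissive": masked, "passed": not denials}

if __name__ == "__main__":
    result = gate(SAMPLE_AUDIT_LOG)
    for key, count in parse_denials(SAMPLE_AUDIT_LOG).items():
        print(count, key)
    sys.exit(0 if result["passed"] else 1)
```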