Bug 1416648
Summary: | Wrong SELinux context on panko.log | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Yurii Prokulevych <yprokule> |
Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
Status: | CLOSED ERRATA | QA Contact: | Udi Shkalim <ushkalim> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 11.0 (Ocata) | CC: | jdanjou, jschluet, lhh, mabaakou, maufart, mburns, mgrepl, nyechiel, pkilambi, srevivo, ssmolyak |
Target Milestone: | beta | Keywords: | Triaged |
Target Release: | 11.0 (Ocata) | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | openstack-selinux-0.8.5-2.el7ost | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-05-17 19:43:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1423496 | | |
Description
Yurii Prokulevych
2017-01-26 08:12:09 UTC
```
ausearch --file /var/log/panko/
----
time->Thu Jan 26 07:49:53 2017
type=SYSCALL msg=audit(1485416993.550:148556): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa000d670 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485416993.550:148556): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=SYSCALL msg=audit(1485417212.682:149117): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c003fd0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417212.682:149117): avc: denied { open } for pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:18 2017
type=SYSCALL msg=audit(1485417258.802:149230): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417258.802:149230): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:41 2017
type=SYSCALL msg=audit(1485417281.146:149291): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c00dd00 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417281.146:149291): avc: denied { open } for pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 08:05:09 2017
type=SYSCALL msg=audit(1485417909.422:150907): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417909.422:150907): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
```

Updated the PR and it's merged now: https://github.com/redhat-openstack/openstack-selinux/pull/7

See below, thanks.

```
[root@undercloud-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko unconfined_u:object_r:var_log_t:s0 /var/log/panko/panko.log
[root@controller-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0 /var/log/panko/panko.log
```

OK:

```
logging_log_filetrans(httpd_t, httpd_log_t, file)
```

httpd (apache), when creating log files in var_log_t directories, will get them labelled as httpd_log_t. The problem here is that the file is labelled as var_log_t, meaning httpd_t didn't create the file. Pradeep figured out that panko.log is probably being created by puppet-panko, which would explain the problem.

Either puppet-panko needs to call restorecon, or it needs to not create the log file.

Part of the issue seems to be that puppet-panko is explicitly creating this log. I fixed this in puppet so apache can force create this app.log and has the right context. We still need to fix openstack-selinux to use app.log for panko instead.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245
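The triage reasoning in the thread above (a denial where the target type is not the one the denied domain's own file transition would have produced points at a different creator, not at a policy gap) can be automated over ausearch output. The following is an added example, not code from the bug report or from openstack-selinux; the sample records are constructed, and the `EXPECTED_LOG_TYPE` mapping is an assumption built from the `logging_log_filetrans(httpd_t, httpd_log_t, file)` line quoted in the thread.

```python
import re
from collections import Counter

# Constructed ausearch-style excerpt (fields shortened; not the report's records verbatim).
SAMPLE = """----
time->Thu Jan 26 07:49:53 2017
type=AVC msg=audit(1485416993.550:148556): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=AVC msg=audit(1485417212.682:149117): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:55:00 2017
type=AVC msg=audit(1485417300.000:149300): avc:  denied  { search } for  pid=4242 comm="httpd" name="cache" dev="vda2" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""
# One AVC record, whether on its own line or run together with the following record.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\([^)]*\):\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<rest>.*?)(?=\s*(?:----|type=\w+\s+msg=|$))', re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed for this example, from the transition quoted in the bug:
# logging_log_filetrans(httpd_t, httpd_log_t, file). Add other domains as needed.
EXPECTED_LOG_TYPE = {"httpd_t": "httpd_log_t"}

def parse_avc_records(text):
    """One dict per denial: perms, comm, path, tclass, and the source/target SELinux types."""
    records = []
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        rec["perms"] = tuple(m.group("perms").split())
        # A context is user:role:type:level; the third field is the type (httpd_t, var_log_t).
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Collapse repeated denials: (comm, perms, stype, ttype, tclass, path) -> count."""
    return Counter((r.get("comm"), r["perms"], r["stype"], r["ttype"],
                    r.get("tclass"), r.get("path")) for r in records)

def flag_label_mismatches(records, expected=EXPECTED_LOG_TYPE):
    """Log files whose type is not what the denied domain would itself have created them with:
    another process made the file, so fix the creator or relabel, rather than loosen policy."""
    hits = set()
    for r in records:
        want = expected.get(r["stype"])
        if (r.get("tclass") == "file" and r.get("path", "").startswith("/var/log/")
                and want and r["ttype"] != want):
            hits.add((r["path"], r["stype"], r["ttype"], want))
    return sorted(hits)
```

On the constructed sample, `flag_label_mismatches` reports only `/var/log/panko/panko.log` (labelled `var_log_t` where `httpd_t` would have created `httpd_log_t`), while the unrelated `var_lib_t` directory denial is summarized but not flagged.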