Bug 1416648

Summary: Wrong SELinux context on panko.log
Product: Red Hat OpenStack
Reporter: Yurii Prokulevych <yprokule>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: unspecified
Priority: unspecified
Version: 11.0 (Ocata)
CC: jdanjou, jschluet, lhh, mabaakou, maufart, mburns, mgrepl, nyechiel, pkilambi, srevivo, ssmolyak
Target Milestone: beta
Keywords: Triaged
Target Release: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.8.5-2.el7ost
Last Closed: 2017-05-17 19:43:36 UTC
Type: Bug
Bug Blocks: 1423496

Description Yurii Prokulevych 2017-01-26 08:12:09 UTC
Description of problem:
-----------------------
Log file for Panko is created with wrong SELinux context:

ls -lZ /var/log/panko/
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0   panko.log

Which causes the service to reply with a 500 code:
--------------------------------------------------
[Thu Jan 26 08:05:09.423953 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Target WSGI script '/var/www/cgi-bin/panko/app' cannot be loaded as Python module.
[Thu Jan 26 08:05:09.424019 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Exception occurred processing WSGI script '/var/www/cgi-bin/panko/app'.
[Thu Jan 26 08:05:09.424053 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] Traceback (most recent call last):
[Thu Jan 26 08:05:09.424100 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/var/www/cgi-bin/panko/app", line 19, in <module>
[Thu Jan 26 08:05:09.424181 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     application = app.build_wsgi_app(argv=[])
[Thu Jan 26 08:05:09.424195 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/api/app.py", line 91, in build_wsgi_app
[Thu Jan 26 08:05:09.424465 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     return load_app(service.prepare_service(argv=argv))
[Thu Jan 26 08:05:09.424479 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/service.py", line 44, in prepare_service
[Thu Jan 26 08:05:09.424500 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     log.setup(conf, 'panko')
[Thu Jan 26 08:05:09.424510 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 269, in setup
[Thu Jan 26 08:05:09.424541 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     _setup_logging_from_conf(conf, product_name, version)
[Thu Jan 26 08:05:09.424552 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 366, in _setup_logging_from_conf
[Thu Jan 26 08:05:09.424715 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     filelog = file_handler(logpath)
[Thu Jan 26 08:05:09.426496 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
[Thu Jan 26 08:05:09.426741 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     logging.FileHandler.__init__(self, filename, mode, encoding, delay)
[Thu Jan 26 08:05:09.426777 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
[Thu Jan 26 08:05:09.426830 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     StreamHandler.__init__(self, self._open())
[Thu Jan 26 08:05:09.426872 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
[Thu Jan 26 08:05:09.426909 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     stream = open(self.baseFilename, self.mode)
[Thu Jan 26 08:05:09.427004 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] IOError: [Errno 13] Permission denied: '/var/log/panko/panko.log'

Setting context to 'httpd_log_t' eliminates the issue


Version-Release number of selected component (if applicable):
-------------------------------------------------------------
openstack-selinux-0.7.13-3.el7ost.noarch

Comment 1 Yurii Prokulevych 2017-01-26 08:14:19 UTC
ausearch --file /var/log/panko/ 
----
time->Thu Jan 26 07:49:53 2017
type=SYSCALL msg=audit(1485416993.550:148556): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa000d670 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485416993.550:148556): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=SYSCALL msg=audit(1485417212.682:149117): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c003fd0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417212.682:149117): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:18 2017
type=SYSCALL msg=audit(1485417258.802:149230): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417258.802:149230): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:41 2017
type=SYSCALL msg=audit(1485417281.146:149291): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c00dd00 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417281.146:149291): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 08:05:09 2017
type=SYSCALL msg=audit(1485417909.422:150907): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417909.422:150907): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Comment 4 Pradeep Kilambi 2017-02-15 15:57:05 UTC
Updated the PR and it's merged now:

https://github.com/redhat-openstack/openstack-selinux/pull/7

Comment 10 Marek Aufart 2017-03-27 12:22:00 UTC
See below, thanks.

[root@undercloud-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko unconfined_u:object_r:var_log_t:s0 /var/log/panko/panko.log

[root@controller-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0   /var/log/panko/panko.log

Comment 12 Lon Hohberger 2017-03-29 15:29:36 UTC
OK:

logging_log_filetrans(httpd_t, httpd_log_t, file)

httpd (apache), when creating log files in var_log_t directories will get them labelled as httpd_log_t. The problem here is that the file is labelled as var_log_t, meaning httpd_t didn't create the file.

Pradeep figured out that panko.log is probably being created by puppet-panko, which would explain the problem.

Either puppet-panko needs to call restorecon, or it needs to not create the log file.
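
The diagnosis from comments 1 and 12, as an added example that is not part of the bug report or of openstack-selinux: it parses AVC denials and flags files whose type differs from the one the denied domain's `logging_log_filetrans` rule would have assigned, meaning another process created them. The `FILETRANS_LOG_TYPE` table, the function names and the sample records are assumptions made for illustration; only the `httpd_t` to `httpd_log_t` pair comes from this bug.

```python
import re
from collections import Counter

# Domain -> type its new log files receive through logging_log_filetrans().
# Only the httpd_t entry is taken from this bug; extend per policy (assumption).
FILETRANS_LOG_TYPE = {"httpd_t": "httpd_log_t"}

# Matches AVC denials that carry a path= field, as in the ausearch output.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ [^}]*\} for .*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def find_mislabeled_logs(audit_text):
    """Count file denials where the target type is not the one the source
    domain's filetrans rule assigns, i.e. the domain did not create the file."""
    hits = Counter()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "file":
            continue
        domain, actual = selinux_type(m["scon"]), selinux_type(m["tcon"])
        expected = FILETRANS_LOG_TYPE.get(domain)
        if expected and actual != expected:
            hits[(m["path"], domain, actual, expected)] += 1
    return hits

# Constructed sample: two records shaped like the ones in comment 1, one
# denial from a domain without a table entry, and one denial on a directory.
SAMPLE = """\
type=AVC msg=audit(1000000001.000:1): avc:  denied  { open } for  pid=100 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1000000002.000:2): avc:  denied  { open } for  pid=101 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1000000003.000:3): avc:  denied  { read } for  pid=300 comm="sshd" path="/var/log/example.log" dev="vda2" ino=3 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1000000004.000:4): avc:  denied  { search } for  pid=100 comm="httpd" path="/var/log/panko" dev="vda2" ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

if __name__ == "__main__":
    for (path, domain, actual, expected), n in find_mislabeled_logs(SAMPLE).items():
        print(f"{n}x {domain} denied on {path}: labelled {actual}, "
              f"{domain}-created files would be {expected}")
```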

Comment 13 Pradeep Kilambi 2017-03-29 15:30:22 UTC
Part of the issue seems to be that puppet-panko is explicitly creating this log. I fixed this in puppet so apache can force create this app.log and has the right context. We still need to fix openstack-selinux to use app.log for panko instead.

Comment 18 errata-xmlrpc 2017-05-17 19:43:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245