Bug 1437684

Summary: apache unable to write out openstack service logs to the /var/log/<service> folder
Product: Red Hat OpenStack
Reporter: Alex Schultz <aschultz>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: urgent
Priority: urgent
Version: 12.0 (Pike)
CC: mburns, mgrepl, rhallise, srevivo, tvignaud
Target Milestone: ga
Keywords: Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2017-12-13 21:22:29 UTC
Type: Bug

Description Alex Schultz 2017-03-30 21:59:38 UTC
Description of problem:
When services are run under Apache via WSGI, they can no longer write their logs to their /var/log/<service>/ folder. Most recently, barbican and panko both failed when previously set up to write out /var/log/barbican/api.log and /var/log/panko/api.log. This had previously been working just fine.

Version-Release number of selected component (if applicable):
openstack-selinux-0.7.13-2.el7.noarch

http://logs.openstack.org/13/448213/1/check/gate-puppet-openstack-integration-4-scenario002-tempest-centos-7/cacc415/console.html#_2017-03-29_07_00_05_419563

2017-03-29 07:00:05.419563 | SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/barbican/api.log.
2017-03-29 07:00:05.419570 | 
2017-03-29 07:00:05.419595 | *****  Plugin catchall (100. confidence) suggests   **************************
2017-03-29 07:00:05.419602 | 
2017-03-29 07:00:05.419630 | If you believe that httpd should be allowed open access on the api.log file by default.
2017-03-29 07:00:05.419646 | Then you should report this as a bug.
2017-03-29 07:00:05.419668 | You can generate a local policy module to allow this access.
2017-03-29 07:00:05.419675 | Do
2017-03-29 07:00:05.419691 | allow this access for now by executing:
2017-03-29 07:00:05.419710 | # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
2017-03-29 07:00:05.419723 | # semodule -i my-httpd.pp
2017-03-29 07:00:05.419733 | 
2017-03-29 07:00:05.419740 | 
2017-03-29 07:00:05.419752 | Additional Information:
2017-03-29 07:00:05.419773 | Source Context                system_u:system_r:httpd_t:s0
2017-03-29 07:00:05.419795 | Target Context                unconfined_u:object_r:var_log_t:s0
2017-03-29 07:00:05.419817 | Target Objects                /var/log/barbican/api.log [ file ]
2017-03-29 07:00:05.419832 | Source                        httpd
2017-03-29 07:00:05.419850 | Source Path                   /usr/sbin/httpd
2017-03-29 07:00:05.419866 | Port                          <Unknown>
2017-03-29 07:00:05.419882 | Host                          <Unknown>
2017-03-29 07:00:05.419904 | Source RPM Packages           httpd-2.4.6-45.el7.centos.x86_64
2017-03-29 07:00:05.419917 | Target RPM Packages           
2017-03-29 07:00:05.419941 | Policy RPM                    selinux-policy-3.13.1-102.el7_3.15.noarch
2017-03-29 07:00:05.419956 | Selinux Enabled               True
2017-03-29 07:00:05.419972 | Policy Type                   targeted
2017-03-29 07:00:05.419988 | Enforcing Mode                Permissive
2017-03-29 07:00:05.420017 | Host Name                     centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.420044 | Platform                      Linux centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.457354 |                               3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3
2017-03-29 07:00:05.457427 |                               00:04:05 UTC 2017 x86_64 x86_64
2017-03-29 07:00:05.457445 | Alert Count                   1
2017-03-29 07:00:05.457851 | First Seen                    2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457882 | Last Seen                     2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457909 | Local ID                      2dd4aa6b-9dde-4c09-b6cb-07cae22b0c61
2017-03-29 07:00:05.457916 | 
2017-03-29 07:00:05.457929 | Raw Audit Messages
2017-03-29 07:00:05.458025 | type=AVC msg=audit(1490770503.768:2446): avc:  denied  { open } for  pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
2017-03-29 07:00:05.458039 | 
2017-03-29 07:00:05.458046 | 
2017-03-29 07:00:05.458155 | type=SYSCALL msg=audit(1490770503.768:2446): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f324dc29da0 a1=441 a2=1b6 a3=24 items=0 ppid=16964 pid=16990 auid=4294967295 uid=491 gid=490 euid=491 suid=491 fsuid=491 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2017-03-29 07:00:05.458164 | 
2017-03-29 07:00:05.458195 | Hash: httpd,httpd_t,var_log_t,file,open

Comment 1 Lon Hohberger 2017-03-31 19:04:34 UTC
These are going to come in pretty regularly as we switch to Apache.

Comment 2 Lon Hohberger 2017-08-02 15:48:05 UTC
The problem here is that the log files need to be set individually (in general) to something httpd can read / write.

Not all log files are necessarily written by Apache, so we tend to need to do this individually.

Comment 3 Lon Hohberger 2017-08-04 19:04:45 UTC
https://github.com/redhat-openstack/openstack-selinux/commit/ad96ed3d459797cc417cdbfaf1a869d4d285f50e

For now, we'll just set a boolean that gives httpd_t access to known openstack types and var_log_t when being used as the OpenStack WSGI server.

Once all OpenStack services have assigned types, we'll drop the use of var_log_t.
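An added triage helper for this class of denial (written for this page; it is not part of the bug, of openstack-selinux or of the commit above). It parses an AVC record in the shape of the raw audit message quoted in the description, extracts the source and target types, and separates a target still carrying the generic var_log_t (the log was never labelled for its service, so the fix is a file-context assignment plus restorecon, as Comment 2 describes) from one that already has a service type (where the policy itself has to grant the access, the boolean route of Comment 3). Both sample lines are constructed, svc_log_t is a placeholder type name, and LOG_TYPE in the printed remedy stands for whatever type the service's logs are meant to carry.

```shell
#!/bin/sh
# Constructed sample lines in the shape of the AVC record quoted in this bug.
AVC_GENERIC='type=AVC msg=audit(1490770503.768:2446): avc:  denied  { open } for  pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file'
# Same denial against a log that already carries a service type (svc_log_t is a placeholder name).
AVC_TYPED='type=AVC msg=audit(1490770600.100:2500): avc:  denied  { read write } for  pid=17001 comm="httpd" path="/var/log/panko/api.log" dev="vda1" ino=5772200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:svc_log_t:s0 tclass=file'

# avc_field LINE KEY: value of the first KEY=value token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2- | tr -d '"'
}
# avc_perms LINE: permissions between the braces, comma-joined ("open", "read,write").
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p' | tr ' ' ','
}
# se_type CONTEXT: the type component of user:role:type:level.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# avc_triage LINE: prints "<kind> <source type> <perms> <class> <path> <target type>".
#   generic_log: target is var_log_t, so the log was never given a service type and
#                labelling it is the fix (Comment 2).
#   typed_log:   target already has its own type; the policy must grant the access
#                (the boolean route of Comment 3).
avc_triage() {
    stype=$(se_type "$(avc_field "$1" scontext)")
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    case $ttype in
        var_log_t) kind=generic_log ;;
        *)         kind=typed_log ;;
    esac
    printf '%s %s %s %s %s %s\n' "$kind" "$stype" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" path)" "$ttype"
}
# avc_remedy LINE: the defender-side fix for the triage result. LOG_TYPE stands for
# whichever type the service's log files are meant to carry.
avc_remedy() {
    set -- $(avc_triage "$1")
    case $1 in
        generic_log)
            dir=$(dirname "$5")
            printf "semanage fcontext -a -t LOG_TYPE '%s(/.*)?'\nrestorecon -Rv %s\n" "$dir" "$dir" ;;
        typed_log)
            printf 'policy must allow %s %s on %s:%s (e.g. an openstack-selinux boolean)\n' "$2" "$3" "$6" "$4" ;;
    esac
}

avc_triage "$AVC_GENERIC"
avc_remedy "$AVC_GENERIC"
```

On a live host the same functions can be fed from `ausearch -m AVC -c httpd --raw`, one record per call, instead of the constructed samples.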

Comment 9 errata-xmlrpc 2017-12-13 21:22:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462