Description of problem:
Need to make significant changes to SElinux policy in order to accommodate glance with solidfire cinder backend
Using newest openstack-selinux from brew:
[root@overcloud-controller-1 ~]# rpm -qa | grep openstack-sel
openstack-selinux-0.8.6-2.el7ost.noarch
Need to run this script to disable all blocking selinux policies:
[stack@director images]$ cat selinux.sh
#!/bin/bash -x
# One-off: make sealert available on the controller.
ssh heat-admin.159.25 "sudo yum install setroubleshoot -y"
# Retry the upload until it stops failing with a 500; each failure is caused by
# a fresh AVC denial, which the loop body turns into a local policy module.
while glance --os-image-api-version 1 image-create --container-format bare --disk-format qcow2 --store cinder --progress --file ubuntu-14.04-server-cloudimg-amd64-disk1.img --name test-sf 2>&1 | grep -iq '500 internal'; do
    # Keep the full sealert report for later review.
    ssh heat-admin.159.25 "sudo sealert -a /var/log/audit/audit.log 2>/dev/null" >> /tmp/selinux.log
    # Run every "ausearch ... | audit2allow -M ..." line sealert suggests, then the
    # "semodule -i ..." line audit2allow prints, so the generated module is installed.
    ssh heat-admin.159.25 "sudo sealert -a /var/log/audit/audit.log 2>/dev/null | grep ausearch | sed 's/^#//' | xargs -I {} bash -c 'sudo {}' 2>/dev/null | grep semodule | xargs -I {} bash -c 'sudo {}'"
done
The following policies need to be installed: see attachment
Also, I get this to work once with the script, but then it fails again when it tries to access different block devices:
SELinux is preventing /usr/bin/python2.7 from write access on the blk_file sdg.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed write access on the sdg blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp
Additional Information:
Source Context system_u:system_r:glance_api_t:s0
Target Context system_u:object_r:fixed_disk_device_t:s0
Target Objects sdg [ blk_file ]
Source glance-api
Source Path /usr/bin/python2.7
Port <Unknown>
Host <Unknown>
Source RPM Packages python-2.7.5-48.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name overcloud-controller-1.localdomain
Platform Linux overcloud-controller-1.localdomain
3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
13:15:13 EST 2016 x86_64 x86_64
Alert Count 3
First Seen 2017-05-03 19:20:05 UTC
Last Seen 2017-05-03 19:23:39 UTC
Local ID 791ded87-5adf-41ec-81fe-9ba464a6e1ed
Raw Audit Messages
type=AVC msg=audit(1493839419.340:970800): avc: denied { write } for pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1493839419.340:970800): arch=x86_64 syscall=open success=no exit=EACCES a0=6541290 a1=241 a2=1b6 a3=24 items=0 ppid=309062 pid=309367 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
Hash: glance-api,glance_api_t,fixed_disk_device_t,blk_file,write
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/sbin/blockdev.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed execute_no_trans access on the blockdev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'privsep-helper' --raw | audit2allow -M my-privsephelper
# semodule -i my-privsephelper.pp
Additional Information:
Source Context system_u:system_r:glance_api_t:s0
Target Context unconfined_u:object_r:fsadm_exec_t:s0
Target Objects /usr/sbin/blockdev [ file ]
Source privsep-helper
Source Path /usr/bin/python2.7
Port <Unknown>
Host <Unknown>
Source RPM Packages python-2.7.5-48.el7.x86_64
Target RPM Packages util-linux-2.23.2-33.el7.x86_64
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name overcloud-controller-1.localdomain
Platform Linux overcloud-controller-1.localdomain
3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
13:15:13 EST 2016 x86_64 x86_64
Alert Count 4
First Seen 2017-05-03 19:20:08 UTC
Last Seen 2017-05-03 19:23:39 UTC
Local ID b26635bc-075f-4a3e-9604-6933eb6a177b
Raw Audit Messages
type=AVC msg=audit(1493839419.588:970802): avc: denied { execute_no_trans } for pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1493839419.588:970802): arch=x86_64 syscall=execve success=no exit=EACCES a0=249e020 a1=24a0cb0 a2=7fff395cf710 a3=7fff395cd070 items=0 ppid=600880 pid=688072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=privsep-helper exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
Hash: privsep-helper,glance_api_t,fsadm_exec_t,file,execute_no_trans
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/iscsiadm from unlink access on the file 192.168.52.9,3260.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that iscsiadm should be allowed unlink access on the 192.168.52.9,3260 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iscsiadm' --raw | audit2allow -M my-iscsiadm
# semodule -i my-iscsiadm.pp
Additional Information:
Source Context system_u:system_r:glance_api_t:s0
Target Context system_u:object_r:iscsi_var_lib_t:s0
Target Objects 192.168.52.9,3260 [ file ]
Source iscsiadm
Source Path /usr/sbin/iscsiadm
Port <Unknown>
Host <Unknown>
Source RPM Packages iscsi-initiator-utils-6.2.0.873-35.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name overcloud-controller-1.localdomain
Platform Linux overcloud-controller-1.localdomain
3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
13:15:13 EST 2016 x86_64 x86_64
Alert Count 15
First Seen 2017-05-03 19:20:10 UTC
Last Seen 2017-05-03 19:23:44 UTC
Local ID 2852be15-8f21-4239-a661-549c5bb56d0c
Raw Audit Messages
type=AVC msg=audit(1493839424.705:970827): avc: denied { unlink } for pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1493839424.705:970827): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f625e61bfa0 a1=7ffc383c4c40 a2=7ffc383c4c40 a3=0 items=0 ppid=600880 pid=688442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iscsiadm exe=/usr/sbin/iscsiadm subj=system_u:system_r:glance_api_t:s0 key=(null)
Hash: iscsiadm,glance_api_t,iscsi_var_lib_t,file,unlink
yes, I do ;-)
Joke aside, something still doesn't seem to be right with the policies for glance with a cinder backend (although we did have problems with the installation of the latest openstack-selinux policies, so this probably didn't help either).
It looks like there needs to be an ability to execute domain transitions to:
- fsadm_exec_t
- iscsid_exec_t
- sudo_exec_t
^ Need to look more at this one.
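As an added illustration (not code from this report, from sealert or from openstack-selinux), the following Python parses the raw AVC records quoted in the description, reproduces the "Hash:" key sealert prints, shows the allow rule audit2allow would generate for each denial (and how broad its scope is), and flags the execute_no_trans denials that the comment above attributes to missing domain transitions. The classify() heuristic is an assumption of this example, not a sealert feature.

```python
import re

# The three AVC records quoted in this report (whitespace as pasted), plus one
# SYSCALL record to show that non-AVC audit records are skipped by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1493839419.340:970800): avc: denied { write } for pid=309367 comm="glance-api" name="sdg" dev="devtmpfs" ino=248221658 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1493839419.340:970800): arch=x86_64 syscall=open success=no exit=EACCES pid=309367 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1493839419.588:970802): avc: denied { execute_no_trans } for pid=688072 comm="privsep-helper" path="/usr/sbin/blockdev" dev="sda2" ino=13125550 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:fsadm_exec_t:s0 tclass=file
type=AVC msg=audit(1493839424.705:970827): avc: denied { unlink } for pid=688442 comm="iscsiadm" name="192.168.52.9,3260" dev="sda2" ino=3183513081 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file
"""

# A context is user:role:type[:level]; the third field is the type we care about.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)'
    r'.*?tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)'
    r'.*?tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Return one dict per denied permission; non-AVC records are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m.group("perms").split():  # "{ read write }" -> two records
                records.append(dict(comm=m.group("comm"), stype=m.group("stype"),
                                    ttype=m.group("ttype"), tclass=m.group("tclass"),
                                    perm=perm))
    return records

def hash_key(r):
    """The key sealert prints after 'Hash:', handy for deduplicating findings."""
    return ",".join((r["comm"], r["stype"], r["ttype"], r["tclass"], r["perm"]))

def te_rule(r):
    """The allow rule audit2allow would emit. Note the scope: it covers every
    object of the target type (all fixed_disk_device_t devices), not just sdg."""
    return "allow %s %s:%s %s;" % (r["stype"], r["ttype"], r["tclass"], r["perm"])

def classify(r):
    """Assumed heuristic: execute_no_trans on an *_exec_t file means the helper
    stayed in the caller's domain (glance_api_t); that wants a domain transition."""
    if r["tclass"] == "file" and r["perm"] == "execute_no_trans" and r["ttype"].endswith("_exec_t"):
        return "domain_transition"
    return "allow_rule"

if __name__ == "__main__":
    for r in parse_avc(SAMPLE_AUDIT):
        print(hash_key(r), "->", te_rule(r), "[%s]" % classify(r))
```

Feeding it the real /var/log/audit/audit.log (for example the output of ausearch -m avc --raw) gives a per-denial list to review before any module is built, which the retry loop in the description does not offer.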
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:3462