Bug 1466444

Summary: selinux prevents NFS share from being used as gnocchi backend
Product: Red Hat OpenStack
Reporter: Luca Miccini <lmiccini>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Aharon Canan <acanan>
Severity: high
Priority: high
Version: 10.0 (Newton)
CC: ipilcher, jjoyce, lmiccini, marjones, mburns, mgrepl, oblaut, rhallise, slinaber, srevivo
Target Milestone: z7
Keywords: Rebase, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: All
OS: Linux
Fixed In Version: openstack-selinux-0.8.11-1.el7ost
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-02-27 16:43:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: audit.log (Flags: none)

Description Luca Miccini 2017-06-29 15:40:04 UTC
Description of problem:

Gnocchi does not work if /var/lib/gnocchi is an NFS share and selinux is in enforcing mode.

Version-Release number of selected component (if applicable):

osp10

How reproducible:

always

Steps to Reproduce:
1. prepare an NFS share according to:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-NFS-Configuration_Examples.html

or use a similarly v4.2-capable server.

2. mount the share under /var/lib/gnocchi with the proper context:

172.16.0.1:/gnocchi 	/var/lib/gnocchi	nfs	vers=4.2,context="unconfined_u:object_r:var_lib_t:s0"	0 0

3. restart openstack-gnocchi-* openstack-ceilometer-* httpd

Actual results:

[root@overcloud-controller-0 ~]# openstack metric measures show cpu_util -r 67b123a9-12fb-123a-b9bf-69bfe1234ad9  | grep 300
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 [no address given] to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
 (HTTP 500)


# aureport -a
...
654. 06/29/2017 06:17:21 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1173
655. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1280
656. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1281
657. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1295
658. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1294
659. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1344
660. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1345
661. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1346


Expected results:

gnocchi should work as expected (selinux should allow the usage of the NFS share).


Additional info:

Here is the policy I used as a workaround:

[root@overcloud-controller-0 audit]# audit2allow -a -i /var/log/audit/audit.log


#============= httpd_var_lib_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_var_lib_t var_lib_t:filesystem associate;
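As an added triage example (not part of the bug report and not openstack-selinux project code), the Python below parses `aureport -a` lines like those in the description, counts denials by source type, target type, object class and permission, renders the `allow` rule that `audit2allow` would propose for each distinct denial, and for `filesystem associate` denials also prints the alternative Lon raises in comment 3: remounting with the source type as the `context=` option instead of loosening policy. The sample input reuses three lines from the report plus one constructed line; the `gnocchi-metricd` process and `gnocchi_t` type in that line are placeholders for illustration, not taken from the bug.

```python
"""Summarize SELinux AVC denials from `aureport -a` output and show, per
distinct denial, both the audit2allow-style rule and (for filesystem
associate denials) the mount-context alternative. Added example; the
column layout assumed is aureport's: number, date, time, comm, subject
context, syscall, class, permission, object context, result, event id."""
import re
from collections import Counter

# Constructed sample: lines 654-656 are copied from the bug report; the
# fourth line is constructed (gnocchi-metricd / gnocchi_t are placeholders).
SAMPLE_AUREPORT = """\
# date time comm subj syscall class permission obj result event
...
654. 06/29/2017 06:17:21 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1173
655. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1280
656. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1281
657. 06/29/2017 06:19:02 gnocchi-metricd system_u:system_r:gnocchi_t:s0 2 dir write unconfined_u:object_r:var_lib_t:s0 denied 1295
"""

AUREPORT_LINE = re.compile(
    r"^(?P<num>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+"
    r"(?P<subj>\S+)\s+(?P<syscall>\S+)\s+(?P<tclass>\S+)\s+(?P<perm>\S+)\s+"
    r"(?P<obj>\S+)\s+(?P<result>\S+)\s+(?P<event>\d+)$"
)


def parse_aureport(text):
    """Return one dict per parsed AVC line; header and '...' lines are skipped."""
    events = []
    for line in text.splitlines():
        match = AUREPORT_LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def selinux_type(context):
    """Third colon-separated field of user:role:type:level is the type."""
    return context.split(":")[2]


def with_type(context, new_type):
    """Rewrite the type field of a context string, keeping user/role/level."""
    user, role, _old_type, *level = context.split(":")
    return ":".join([user, role, new_type, *level])


def summarize_denials(events):
    """Count denied events by (source type, target type, class, permission)."""
    counts = Counter()
    for ev in events:
        if ev["result"] != "denied":
            continue
        key = (selinux_type(ev["subj"]), selinux_type(ev["obj"]),
               ev["tclass"], ev["perm"])
        counts[key] += 1
    return counts


def allow_rules(counts):
    """The 'allow' line audit2allow would emit for each distinct denial."""
    return sorted(f"allow {src} {tgt}:{cls} {perm};" for (src, tgt, cls, perm) in counts)


def relabel_alternatives(events):
    """For filesystem:associate denials, the context= mount option that labels
    the share with the source type so no policy change is needed."""
    options = {}
    for ev in events:
        if ev["result"] == "denied" and ev["tclass"] == "filesystem" and ev["perm"] == "associate":
            src_type = selinux_type(ev["subj"])
            options[src_type] = 'context="%s"' % with_type(ev["obj"], src_type)
    return options


if __name__ == "__main__":
    parsed = parse_aureport(SAMPLE_AUREPORT)
    totals = summarize_denials(parsed)
    for key, n in sorted(totals.items()):
        print("%4d  %s" % (n, " ".join(key)))
    print("\nRules audit2allow would propose:")
    for rule in allow_rules(totals):
        print("  " + rule)
    print("\nMount-context alternative for filesystem associate denials:")
    for src_type, opt in relabel_alternatives(parsed).items():
        print("  mount -o vers=4.2,%s ...   # labels the share %s" % (opt, src_type))
```

Run it against a real `aureport -a` capture from a permissive run (as Mike asks for in comment 1) to see every distinct denial at once; the grouped view makes it easier to judge whether a single relabel covers them or whether the constructed `gnocchi_t`-style denials would still need policy.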

Comment 1 Mike Burns 2017-06-30 12:41:51 UTC
Please provide the full audit.log from a run in permissive. audit2allow does not always choose the right way to handle something like this for all cases.

Comment 2 Luca Miccini 2017-06-30 13:11:22 UTC
Created attachment 1293221 [details]
audit.log

Comment 3 Lon Hohberger 2017-07-12 16:16:31 UTC
Are we sure the NFS share for gnocchi should be var_lib_t instead of http_var_lib_t? I think it would work with the mount context as httpd_var_lib_t with no policy changes.

Comment 4 Lon Hohberger 2017-07-12 16:23:40 UTC
With the context as noted, the above policy module would work assuming no other AVCs.

Comment 5 Mike Burns 2017-08-04 12:22:44 UTC
adding needinfo for Lon's question

Comment 6 Luca Miccini 2017-08-08 07:57:23 UTC
(In reply to Lon Hohberger from comment #3)
> Are we sure the NFS share for gnocchi should be var_lib_t instead of
> http_var_lib_t? I think it would work with the mount context as
> httpd_var_lib_t with no policy changes.

Hi Lon,

IIRC I've tried it and it didn't work because of some other component affected by the different context. Sorry if I can't be more precise as I don't have access to that environment anymore. I can try to set something up again once I am back from PTO.

Comment 7 Ian Pilcher 2017-09-20 15:20:25 UTC
*** Bug 1493275 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2018-02-27 16:43:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0365