Bug 1475871

Summary: OSP12: unable to run ping as non-root user: ping: socket: Operation not permitted
Product: Red Hat OpenStack
Component: diskimage-builder
Version: 12.0 (Pike)
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Marius Cornea <mcornea>
Assignee: Ben Nemec <bnemec>
QA Contact: Marius Cornea <mcornea>
CC: aschultz, christopher_dearborn, dbecker, iwienand, jjoyce, jslagle, mburns, mcornea, morazi, ohochman, rhel-osp-director-maint, smerrow, tvignaud, ykarel
Keywords: Triaged
Target Milestone: ga
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: diskimage-builder-2.9.0-2.el7ost
Doc Type: If docs needed, set a value
Clone Of: --- (cloned to 1542211)
Type: Bug
Last Closed: 2017-12-13 21:45:43 UTC
Bug Blocks: 1335596, 1356451, 1394872, 1401639, 1484480, 1542211
Attachments: sysctl output (flags: none); audit.log (flags: none)

Description Marius Cornea 2017-07-27 13:57:02 UTC
Created attachment 1305395
sysctl output

Description of problem:
With the rhel 7.4 overcloud images provided by the rhosp-director-images rpm a non-root user cannot use the ping command:

[heat-admin@controller-0 ~]$ ping 4.2.2.2
ping: socket: Operation not permitted

[heat-admin@controller-0 ~]$ stat /usr/bin/ping
  File: ‘/usr/bin/ping’
  Size: 66168     	Blocks: 136        IO Block: 4096   regular file
Device: fc02h/64514d	Inode: 1866893     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:ping_exec_t:s0
Access: 2017-07-27 12:10:35.932805586 +0000
Modify: 2017-05-22 08:13:45.000000000 +0000
Change: 2017-07-20 18:08:55.367770119 +0000
 Birth: -

[heat-admin@controller-0 ~]$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1501157605.122:107): avc:  denied  { read } for  pid=16164 comm="grep" name="kvm.conf" dev="vda2" ino=8409462 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:108): avc:  denied  { read } for  pid=16164 comm="grep" name="lockd.conf" dev="vda2" ino=8409458 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:109): avc:  denied  { read } for  pid=16164 comm="grep" name="mlx4.conf" dev="vda2" ino=8409460 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:110): avc:  denied  { read } for  pid=16164 comm="grep" name="truescale.conf" dev="vda2" ino=8409459 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:111): avc:  denied  { read } for  pid=16164 comm="grep" name="tuned.conf" dev="vda2" ino=8409463 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:112): avc:  denied  { read } for  pid=16164 comm="grep" name="vhost.conf" dev="vda2" ino=8409461 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501160462.303:4335): avc:  denied  { search } for  pid=229548 comm="local" name="keystone" dev="vda2" ino=13710671 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
rhosp-director-images-12.0-20170726.1.el7ost.noarch
Linux controller-0 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud with rhel 7.4 overcloud images
2. SSH to one of the overcloud nodes as the heat-admin user
3. ping an address/hostname

Actual results:
ping: socket: Operation not permitted

Expected results:
ping works

Additional info:

Comment 1 Mike Burns 2017-07-28 15:39:54 UTC
Please provide full audit.log from a permissive run.

If the host is permissive, does ping work?

Also, if you think this is selinux, why is it against rhosp-director and not openstack-selinux?

Comment 2 Alex Schultz 2017-07-28 15:45:48 UTC
It's not selinux related. Using setcap seems to fix it.  

$ sudo setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping

Comment 3 Marius Cornea 2017-07-28 15:50:22 UTC
(In reply to Mike Burns from comment #1)
> Please provide full audit.log from a permissive run.

Attaching audit.log

> If the host is permissive, does ping work?

No, ping doesn't work in permissive modes.

> Also, if you think this is selinux, why is it against rhosp-director and not
> openstack-selinux?

I'm not sure that this is selinux related since I get the same result when switching to permissive. I reported it against rhosp-director because I'm seeing the issue on the images provided by rhosp-director. Ping worked fine on a different rhel-7.4 machine, on the undercloud for example.

Comment 4 Marius Cornea 2017-07-28 15:50:59 UTC
Created attachment 1305987
audit.log

Comment 5 Mike Burns 2017-07-28 18:34:49 UTC
As noted by Alex, running setcap fixes this.  It appears to be any RHEL 7.4 based image.  I've been able to reproduce with OSP 11 and 10 images as well.

I checked our base images used to create the overcloud images and they have the right getcap values set on /bin/ping.  The generated overcloud-full images do not.

Another workaround for this is "yum reinstall iputils"

Comment 6 Lon Hohberger 2017-07-28 18:42:26 UTC
Also those AVCs are not related to ping.

Comment 8 Ben Nemec 2017-07-31 14:49:01 UTC
Wow, this is a blast from the past.  Previously the fix was to tell tar to maintain extended attributes on files: https://review.openstack.org/#/c/125428/

Maybe there's something new in 7.4 that needs to be kept?
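
An added check (not from this bug, iputils or diskimage-builder): a Python script that reads the security.capability xattr that comment 5's getcap reports and that comment 8 says tar has to carry across, and decodes it the way getcap does, so an image can be tested for the missing cap_net_raw without running ping. The struct layout and capability numbers follow linux/capability.h; the function names are constructed here and assume a Linux filesystem with xattr support.

```python
import errno
import os
import struct

# Capability bit numbers from <linux/capability.h>; ping needs cap_net_raw.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
# struct vfs_cap_data (little-endian): u32 magic_etc (revision in the top byte,
# bit 0 = effective flag), then 1 (rev 1) or 2 (rev 2+) pairs of u32 permitted,
# u32 inheritable; pair i holds capability bits 32*i .. 32*i+31.
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

def decode_vfs_caps(blob):
    """Decode a security.capability value into its effective flag and bit sets."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    pairs = 1 if (magic_etc & 0xFF000000) == VFS_CAP_REVISION_1 else 2
    if len(blob) < 4 + 8 * pairs:
        raise ValueError("security.capability blob truncated")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": {b for b in range(64) if permitted >> b & 1},
            "inheritable": {b for b in range(64) if inheritable >> b & 1}}

def encode_vfs_caps(permitted, effective=True):
    """Build the revision-2 blob that setcap writes for 'caps+ep' (or '+p')."""
    bits = sum(1 << b for b in permitted)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, bits & 0xFFFFFFFF, 0, bits >> 32, 0)

def read_file_caps(path):
    """Raw xattr of a file, or None when absent (how tar left ping in the image)."""
    try:
        return os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

def ping_caps_ok(blob):
    """True when cap_net_raw is permitted and effective, i.e. getcap shows +ep."""
    if blob is None:
        return False
    caps = decode_vfs_caps(blob)
    return caps["effective"] and CAP_NET_RAW in caps["permitted"]
```

`ping_caps_ok(read_file_caps("/usr/bin/ping"))` returns False on an affected overcloud image (the xattr is simply absent) and True once `setcap 'cap_net_admin,cap_net_raw+ep'` or `yum reinstall iputils` has restored it.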

Comment 9 Ben Nemec 2017-09-05 15:38:19 UTC
Ugh, sorry.  Didn't mean to clear all the other fields.

Comment 12 Ben Nemec 2017-11-02 22:59:13 UTC
This should already be fixed in OSP 12.  Moving to ON_QA.

Comment 15 Emilien Macchi 2017-12-05 17:13:46 UTC
*** Bug 1484480 has been marked as a duplicate of this bug. ***

Comment 17 Marius Cornea 2017-12-08 16:07:47 UTC
[heat-admin@controller-0 ~]$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=53 time=58.7 ms

Comment 20 errata-xmlrpc 2017-12-13 21:45:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462