Bug 1477720

Summary: rhosp-director: OSP12: Selinux AVC messages on OC nodes and cannot launch instance when enabled
Product: Red Hat OpenStack
Reporter: Alexander Chuzhoy <sasha>
Component: rhosp-director
Assignee: Lon Hohberger <lhh>
Status: CLOSED CURRENTRELEASE
QA Contact: Alexander Chuzhoy <sasha>
Severity: high
Docs Contact:
Priority: urgent
Version: 12.0 (Pike)
CC: afazekas, agurenko, astupnik, dbecker, emacchi, itbrown, jjoyce, lhh, mburns, morazi, nkinder, ohochman, rhel-osp-director-maint, tvignaud, yobshans
Target Milestone: ga
Keywords: AutomationBlocker, Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-18 20:11:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alexander Chuzhoy 2017-08-02 17:28:04 UTC
rhosp-director: OSP12: Selinux AVC messages on OC nodes 
Environment:
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
ceph-selinux-10.2.7-28.el7cp.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-ruby-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
openstack-puppet-modules-10.0.0-0.20170315222135.0333c73.el7.1.noarch
openstack-tripleo-heat-templates-7.0.0-0.20170721174554.el7ost.noarch
instack-undercloud-7.1.1-0.20170714211622.el7ost.noarch

Steps to reproduce:
Deploy OSP12
Check audit.log for avc messages.

Result:
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:203): avc:  denied  { read } for  pid=20741 comm="grep" name="mlx4.conf" dev="vda2" ino=99 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:204): avc:  denied  { read } for  pid=20741 comm="grep" name="truescale.conf" dev="vda2" ino=100 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:205): avc:  denied  { read } for  pid=20741 comm="grep" name="tuned.conf" dev="vda2" ino=101 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:206): avc:  denied  { read } for  pid=20741 comm="grep" name="vhost.conf" dev="vda2" ino=98 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501691823.328:1124): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1554): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1555): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 1 Alexander Chuzhoy 2017-08-02 17:29:28 UTC
Note: The deployment with selinux in OC nodes set to enforced completed successfully.

Comment 2 Alexander Chuzhoy 2017-08-02 17:46:51 UTC
When trying to launch a nova instance on compute, the following entries are added:

type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
type=AVC msg=audit(1501695361.140:585): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
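The denials quoted in the description and in comment 2 are easier to triage once grouped by source domain, target type and object class, because that grouping is what a policy maintainer reviews before deciding whether the access is legitimate (and belongs in openstack-selinux), whether the file or process is mislabelled, or whether the denial is harmless noise. The Python script below is an added example and is not part of this bug report or of the openstack-selinux package; the function names are my own. It parses `type=AVC` and `type=USER_AVC` records (the sample records are copied from this report and embedded so the script runs offline), groups the denials, and renders the allow rule that audit2allow would propose for each group.

```python
import re
from collections import defaultdict

# Sample audit records copied from this bug report (description and comment 2),
# embedded here so the script runs offline against the same data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
type=AVC msg=audit(1501695361.140:585): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
"""

# The avc clause: "avc:  denied  { read write } for  pid=... scontext=... tcontext=... tclass=..."
# For USER_AVC records the same clause sits inside msg='...', so we search, not match.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; quoted values (name, path, comm, cmdline) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


def context_type(ctx):
    """Return the type field (third component) of an SELinux context such as
    system_u:system_r:virtlogd_t:s0-s0:c0.c1023 -> virtlogd_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc_line(line):
    """Parse one AVC or USER_AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    ser = SERIAL_RE.search(line)
    return {
        "serial": int(ser.group("serial")) if ser else None,
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # kernel AVCs carry comm=, userspace (USER_AVC) records carry cmdline=
        "comm": fields.get("comm") or fields.get("cmdline", ""),
        "target": fields.get("name") or fields.get("path", ""),
    }


def parse_audit_log(text):
    """Parse every AVC-bearing line of an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Group denials by (source type, target type, class), merging the permissions seen
    and counting repeats (a retry loop shows up as the same key with a high count)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for r in records:
        if r["result"] != "denied":
            continue
        g = groups[(r["stype"], r["ttype"], r["tclass"])]
        g["perms"].update(r["perms"])
        g["count"] += 1
        g["comms"].add(r["comm"])
    return groups


def candidate_rules(groups):
    """Render each group as the allow rule audit2allow would propose.
    These are review input, not a fix: a mislabelled target (e.g. a file that should
    not be modules_conf_t) is corrected with a label change, not a new allow rule."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
        for (s, t, c), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    groups = summarize_denials(parse_audit_log(SAMPLE_AUDIT_LOG))
    for (s, t, c), g in sorted(groups.items()):
        print("%-20s -> %-25s %-8s x%d  perms=%s  comm=%s"
              % (s, t, c, g["count"], ",".join(sorted(g["perms"])), ",".join(sorted(g["comms"]))))
    print("\n".join(candidate_rules(groups)))
```

Run against the records above, the summary separates the three distinct problems on this page: `grep` running in `iptables_t` reading `modules_conf_t` files, `systemd-machined` checking the status of docker scope units labelled `container_unit_file_t`, and `virtlogd_t` searching a `/proc` PID directory labelled `spc_t`. The last group is the one comment 3 ties to the failed instance launch in enforcing mode, which is why counting repeats per group matters: it shows which denial is a one-off at deploy time and which recurs on every launch.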

Comment 3 Alexander Chuzhoy 2017-08-02 17:54:58 UTC
Setting selinux to permissive on compute nodes makes it possible to launch the nova instance that fails with the selinux deny message in comment #2.

Comment 4 Alexander Chuzhoy 2017-08-02 17:58:00 UTC
*** Bug 1477324 has been marked as a duplicate of this bug. ***

Comment 6 Alexander Chuzhoy 2017-08-11 17:22:00 UTC
*** Bug 1480673 has been marked as a duplicate of this bug. ***

Comment 7 Lon Hohberger 2017-09-18 20:11:35 UTC
Doesn't seem to reproduce any more after talking with QE.