Bug 1532641

Summary: Undercloud installation fails with selinux
Product: Red Hat OpenStack Reporter: Gurenko Alex <agurenko>
Component: instack-undercloudAssignee: Sofer Athlan-Guyot <sathlang>
Status: CLOSED ERRATA QA Contact: Gurenko Alex <agurenko>
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: aschultz, knylande, mburns, mcornea, rhel-osp-director-maint, sathlang
Target Milestone: betaKeywords: Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: instack-undercloud-8.1.1-0.20180117134321.el7ost Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:41:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gurenko Alex 2018-01-09 13:50:19 UTC 
Description of problem: when trying to install RHOS 13, undercloud installation fails.


Version-Release number of selected component (if applicable): 2018-01-03.2 (current latest)


How reproducible: try installing undercloud


Steps to Reproduce:
1. 
2.
3.

Actual results:

2018-01-09 07:35:42,632 INFO: find: '/home/.ssh/': No such file or directory
2018-01-09 07:35:42,633 INFO: + selinux_wrong_permission=
2018-01-09 07:35:42,634 INFO: [2018-01-09 07:35:42,633] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]
2018-01-09 07:35:42,634 INFO:
2018-01-09 07:35:42,634 INFO: [2018-01-09 07:35:42,633] (os-refresh-config) [ERROR] Aborting...
2018-01-09 07:35:42,640 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1875, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1391, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 606, in _run_live_command
    raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
2018-01-09 07:35:42,641 ERROR:
#############################################################################
Undercloud install failed.

Reason: os-refresh-config failed. See log for details.

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################


Expected results:

Undercloud installs successfully


Additional info:

[root@undercloud-0 audit]# sealert -a audit.log
100% done
found 1 alerts in audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost from read access on the file unix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that inet_gethost should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'inet_gethost' --raw | audit2allow -M my-inetgethost
# semodule -i my-inetgethost.pp


Additional Information:
Source Context                system_u:system_r:rabbitmq_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        inet_gethost
Source Path                   /usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           erlang-erts-18.3.4.7-1.el7ost.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-166.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     undercloud-0.redhat.local
Platform                      Linux undercloud-0.redhat.local
                              3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28
                              14:23:39 EST 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2018-01-09 07:26:30 EST
Last Seen                     2018-01-09 07:26:32 EST
Local ID                      834df1a6-4978-4987-ae91-57e399ddd7bb

Raw Audit Messages
type=AVC msg=audit(1515500792.651:615): avc:  denied  { read } for  pid=13941 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1515500792.651:615): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffef354f880 a1=4 a2=7ffef354f88e a3=3 items=0 ppid=13940 pid=13941 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=inet_gethost exe=/usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost subj=system_u:system_r:rabbitmq_t:s0 key=(null)

Hash: inet_gethost,rabbitmq_t,proc_net_t,file,read

setting selinux to permissive allows to pass this stage.
Comment 2 Gurenko Alex 2018-02-15 07:28:45 UTC 
Latest puddle (2018-02-07.4) installs undercloud successfully.
Comment 6 Sofer Athlan-Guyot 2018-06-21 10:45:57 UTC 
No doc text required.
Comment 8 errata-xmlrpc 2018-06-27 13:41:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086