Bug 1560019

Summary: OSP container images do not pass RPM verification check
Product: Red Hat OpenStack
Component: openstack-selinux
Version: 13.0 (Queens)
Target Release: 13.0 (Queens)
Target Milestone: beta
Reporter: Alan Bishop <abishop>
Assignee: Lon Hohberger <lhh>
QA Contact: Pavel Sedlák <psedlak>
CC: abehl, apevec, bcook, m.andre, mburns, mgrepl, psedlak, srevivo
Status: CLOSED ERRATA
Severity: high
Priority: high
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug
Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Clones: 1561022
Last Closed: 2018-06-27 13:48:15 UTC

Description Alan Bishop 2018-03-23 18:08:41 UTC
Description of problem:

Base (i.e. unmodified) OSP containers are failing one of the certification
checks enforced by the system our Partners will use to distribute their OSP
container plugins. Our partners' container images won't pass the certification
checks unless the base images pass.

The test that fails is called "rpm_verify_successful" and it ensures all
packages pass the "rpm -V" test. The selinux-policy-targeted RPM fails:

[root@overcloud-controller-0 ~]# docker exec -ti -u root cinder_volume bash
()[root@overcloud-controller-0 /]# stty cols 100
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
.M.......    /etc/selinux/targeted/active/users_extra

The issue appears to be incorrect permission on the users_extra file, and
if corrected the verification passes:

()[root@overcloud-controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
-rw-r--r--. 1 root root 101 Mar  6 04:56 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# chmod 0600 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
()[root@overcloud-controller-0 /]# 

I checked a couple of containers (not just cinder) and every one I checked
was affected. This makes me believe the problem lies in the "openstack-base".

I also observe the problem when checking upstream TripleO containers, so
the root cause is likely upstream.

Comment 1 Lon Hohberger 2018-03-26 18:53:09 UTC
This is outside of containers - on RHEL 7.5 beta:

[root@localhost ~]# rpm -V selinux-policy-targeted
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-------. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra
[root@localhost ~]# semanage port -N -m -p tcp 4444 -t mysqld_port_t
[root@localhost ~]# rpm -V selinux-policy-targeted
.M.......    /etc/selinux/targeted/active/users_extra
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-r--r--. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra

Comment 2 Lon Hohberger 2018-03-26 18:55:08 UTC
This can be worked around in openstack-selinux

Comment 3 Lon Hohberger 2018-03-26 18:59:34 UTC
It seems when you alter something with 'semanage', the /etc/selinux/targeted/active/users_extra file is rewritten with the wrong umask.

I suspect we could simply have local_settings.sh use the right umask when installing policies.

Comment 4 Lon Hohberger 2018-03-26 19:26:24 UTC
This reproduces on 7.4, so is not a regression.
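
The following script is an added example; it is not code from the bug report, TripleO, openstack-selinux, or the partner certification tool. It puts together the two technical points of the thread: the Description's "rpm_verify_successful" check (every installed package must pass rpm -V, here re-implemented as a parser over rpm -V output plus a loop over rpm -qa), and Comment 3's proposed fix of running semanage under the right umask (here a with_umask wrapper that runs the command in a subshell). The function names are my own, the sample rpm -V lines in the test are constructed from the one shown in the Description, and the mode demonstration assumes GNU stat (Linux). How the real certification tool implements its check is not known from this page.

```bash
#!/bin/bash
# Added example, not code from the bug report, TripleO or openstack-selinux.
# (1) an rpm -V based check of the kind the Description calls
#     "rpm_verify_successful"; (2) the umask wrapper Comment 3 suggests,
#     run in a subshell so the caller's umask is untouched.
# Function names are my own; demo_umask_modes assumes GNU stat.

# Parse `rpm -V` output on stdin. rpm prints one line per file that failed
# verification: a 9-character flag field (S M 5 D L U G T P, '.' = ok) or
# the word "missing", an optional one-letter attribute marker (c = config,
# d = doc, g = ghost, ...), then the path. Emits "<path> <flags>" per line.
rpm_verify_failures() {
    local flags rest
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        # Drop the attribute marker if present ("c /etc/foo.conf").
        case "$rest" in
            [a-z]\ *) rest=${rest#* } ;;
        esac
        printf '%s %s\n' "$rest" "$flags"
    done
}

# From "<path> <flags>" lines keep only mode (M) mismatches, the class of
# failure users_extra shows (".M......." = only the mode differs).
mode_mismatches() {
    local path flags
    while read -r path flags; do
        case "$flags" in
            ?M*) printf '%s\n' "$path" ;;
        esac
    done
}

# The whole-image check: every installed package must verify clean.
# Prints "<package> <path> <flags>" for each failure; returns 1 if any.
rpm_verify_all() {
    local out
    command -v rpm >/dev/null || { echo "rpm not found" >&2; return 2; }
    out=$(rpm -qa | while read -r pkg; do
              rpm -V "$pkg" | rpm_verify_failures | sed "s|^|$pkg |"
          done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run a command under a restrictive umask without changing the caller's.
# Wrapping the semanage call this way (with_umask 077 semanage ...) makes
# the files it rewrites come out 0600, which is what rpm expects for
# /etc/selinux/targeted/active/users_extra.
with_umask() {
    local mask=$1
    shift
    ( umask "$mask" && "$@" )
}

# Show the mechanism behind the bug: the same file creation under the
# usual 022 umask yields 0644, under 077 it yields 0600. Returns "644 600".
demo_umask_modes() {
    local dir
    dir=$(mktemp -d) || return 1
    ( umask 022 && : > "$dir/default" )
    with_umask 077 sh -c ': > "$1"' _ "$dir/restricted"
    printf '%s %s\n' "$(stat -c %a "$dir/default")" \
                     "$(stat -c %a "$dir/restricted")"
    rm -rf "$dir"
}

# When executed directly (not sourced): show the modes, then run the full
# check if rpm is available on this host.
if [ -n "${BASH_SOURCE:-}" ] && [ "$BASH_SOURCE" = "$0" ]; then
    demo_umask_modes
    if command -v rpm >/dev/null; then rpm_verify_all; fi
fi
```

Inside a container, `docker exec -u root <name> bash /path/to/script.sh` runs the same check the Description does by hand for one package, but across every package. The umask is set inside a subshell on purpose: a script that does `umask 077` at top level would also change the mode of every other file it creates afterwards, which is a different way to make rpm -V fail.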

Comment 11 Pavel Sedlák 2018-06-14 18:05:12 UTC
In the tested installation there is no rpm -V selinux-policy-targeted issue visible in the overcloud container:

> [root@controller-0 heat-admin]# docker exec -ti -u root openstack-cinder-volume-docker-0 bash
> ()[root@controller-0 /]# stty cols 100
> ()[root@controller-0 /]# rpm -V selinux-policy-targeted
> ()[root@controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
> -rw-------. 1 root root 101 Jun 11 20:16 /etc/selinux/targeted/active/users_extra
> ()[root@controller-0 /]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch

Also checked on the controller in all containers where the given package is present, resulting in clean output.

Comment 13 errata-xmlrpc 2018-06-27 13:48:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.